2627
Views

Many Operators Open to Simple Cyber Attack

keyboard grenade

Published Jun 10, 2015 8:34 PM by Wendy Laursen

Software security company CyberKeel evaluated the top 50 container carriers’ websites in 2014 and found:

•    37 of 50 appear completely open to simple attacks towards back-end systems
•    six allow harvesting of usernames
•    eight carriers, controlling 38 percent of global trade, allow “password” as a password to access sensitive eCommerce applications
•    two carriers allow “x” as password

When chartering vessels, the operating company is often seen not to have specific cyber security requirements, says CEO Lars Jensen. A vessel and its equipment has to be considered as being just accessible as any land-based computer, he says.

The maritime industry will remain vulnerable to cyber-crime unless it develops a better awareness of ICT security and adopts security best practice, warns ESC Global Security’s head of cyber security division, Joseph Carson. “Certainly there is the possibility for AIS, GNSS, ENC and ECDIS charts to disappear from bridge screens or be modified, but the issue today is that most adversaries want to obtain data for financial gain or criminal activities.”

He says that payment systems, for example, can be easily attacked using phishing scams to raise fake invoices or even to change shipping manifests in order to transport illicit goods, drugs and weapons.

Echoing comments made by World Economic Forum managing director Espen Barth Eide at Nor-Shipping last week, that “every conflict we see in the future will be a cyber-conflict,” Carson says that while the threat is indeed a real one, greater computer literacy and security awareness can reduce the risk of maritime cyber-crime by as much as 25 percent.

“The biggest risk is from human operators not understanding how to deal with or identify a possible security breach. Almost 70 percent of malware is manually shared through social media, so awareness and continuous training can have a tangible impact.”

Carson points out that the maritime industry is operating computer systems that remain unpatched for long periods, but continuous updating can prevent vulnerabilities in software from being exposed and used by adversaries.

“Approximately 99 percent of all cyber-security breaches are from known vulnerabilities with the common vulnerabilities and exposures listed in the National Vulnerability Database. About 90 percent of these breaches, however, have patches [software updates] available containing the required security fixes,” he says.

Cyber Attacks on ECDIS, AIS

According to Tor Svensen, maritime CEO at DNV GL, the industry has already seen its first cyber events including the manipulation of AIS, ECDIS and GPS data. Just last year, more than 50 cyber security incidents were detected in the Norwegian energy and oil and gas sector, he says.

“Ships and offshore structures are becoming more and more interconnected,” says Svensen. “In theory, all programmable components may be exposed to cyber threats, be it machinery, navigation or communication systems.”

A report last year by Marsh and McLennan notes that because it doesn’t have an inbuilt mechanism to encrypt or authenticate signals, AIS is considered to be a soft target for cyber-attack, which was demonstrated in 2013 by cybersecurity firm, Trend Micro2. The firm was able to show how AIS could be compromised by preventing a ship from providing movement information, by making phantom vessels or structures appear, by staging fake emergencies, and by making it appear to other AIS users that a ship was in a false location. The online services that monitor AIS data to track the position of vessels were also misled by the efforts of Trend Micro.

If, for example, a cyber-attack disabled a vessel transiting the Panama Canal resulting in
blockage of the channel, it would have significant economic impact around the globe, states the report.

Russian Maritime Register of Shipping highlights that research workers from Texas University have already demonstrated the potential for changing a ship’s direction using GPS signal jamming to give false interpretations of course parameters to its navigation systems. 

In Africa, an unknown hacker made an intrusion into the positioning system of a floating production platform which brought about an impermissible heel and interrupted work. In another instance, unknown hackers made an intrusion into the computer network of a port to find containers to target for theft.

Last year, a research team from software security consultants NCC Group discovered several weaknesses within an ECDIS demo product, which enabled them to access and modify ECDIS files and insert malicious content. If exploited in a real scenario, these vulnerabilities could cause serious environmental and financial damage. 

Yevgen Dyryavyy, security consultant at NCC Group, said that access to ECDIS on vessels is somewhat restricted, but this should not be used as a sole defence mechanism. “An ECDIS could still be accessed through a USB stick or an online chart update or even sensor compromise or other systems that's connected to the vessel’s local area network.”

Cyber security was discussed at IMO’s MSC meeting last November with some calling for the development of cyber security guidelines.