Surprised
Well, not really. I suspect the rationale for most of the infosec was "we're in the middle of the ocean, who's going to hack us?". Never mind that the people on the ship are the bigger risk. That would cost money to fix!
Penetration testers looking at commercial shipping and oil rigs discovered a litany of security blunders and vulnerabilities – including one set that would have let them take full control of a rig at sea. Pen Test Partners (PTP), an infosec consulting outfit that specialises in doing what its name says, reckoned that on the …
I wouldn't be surprised if shipping containers would be a very low margin business. You have mega capital expenses (Google "MSC Gülsün") and a bunch of very large players that all offer pretty much exactly the same product: pick up container in Shanghai, drop it off in Rotterdam. That's the sort of business where you want to cut all non-essential costs.
If the attacks are via unsecured wifi access points you'd need to get pretty damn close to perform this hack. This isn't something some guy halfway across the world could do, so it would be pretty obvious who is doing it.
Now if they had control via satellite that would be more troubling, as that hack could happen from quite a distance...
Well, you could have an evildoers' launch getting pretty close to a loaded tanker, in, for example, the Straits of Hormuz. Lots of places around the world where sea room is rather confined and traffic is heavy, including the English Channel, the Bosphorus, the Suez and Panama Canals, not to mention navigable rivers like the Elbe, Weser, Rhine, Mississippi etc.
How about a drone?
Bobbing about in a launch on the high seas alongside a passing merchant ship while trying to (a) find a spot where you can connect to the wi-fi (remember that the point of the rogue APs was that wi-fi doesn't travel that well through a series of metal boxes), and (b) hoping this is one of the vulnerable ones, doesn't sound all that efficient to me.
Less efficient than the traditional eyepatch/gun/parrot approach, say.
However, a guy with a device or two standing on the shore at the big canals, the seaway into the Great Lakes etc. and scanning for vulns in passing vessels is entirely possible. You can even bring your own deckchair.
Think of the terrorist cells in Sinai or the drug cartels in Central America. Stop the ship in the canal, create a diversion and get your product on board.
Creative minds in such spheres will be reading this and going ‘hmm’.
Also if you can run the engine room from the bow that suggests someone amidships on a close shore can as well.
"Bobbing about in a launch on the high seas alongside a passing merchant ship while trying to (a) find a spot where you can connect to the wi-fi (remember that the point of the rogue APs was that wi-fi doesn't travel that well through a series of metal boxes), and (b) hoping this is one of the vulnerable ones, doesn't sound all that efficient to me."
Or you could just wait until it's in port. The vulnerabilities still exist when the ships are not out by themselves on the high seas.
As for hoping it's one of the vulnerable ones, I rather suspect that the list of vulnerable ships is extremely similar to the list of ships.
WiFi can sometimes travel a surprisingly long distance if you have a decent antenna and there's not much between you and the target. And ships are surprisingly often near land (as a minimum, twice each journey).
I suspect nothing will change until it's "You're not allowed to dock here until you have ${some basic security certification}".
You could have someone sneak in via boat and hide under the rig. With a powerful enough aerial they could pick up the Wi-Fi. You could have a rogue employee who either is annoyed or, in an attempt to steal secrets, got a job there specifically to exploit the weak network.
I don't think of the high seas as a place where you'd lug a powerful aerial on a boat to hack passing cargo container wifi. The open ocean is not exactly a comfortable place to be, unless you're in a very big ship.
And even then, things can get rough.
Poor infosec in the middle of the Pacific? I think the cargo companies can live with that.
I'm in Dundee, the rigs are just over the horizon and in known positions. Sea kayaks (I did a refresher course recently) have a depression at the front for a compass for heading for places over the horizon. You make the jump to St Kilda that way, for example. I would go out to Bell Rock locally the same way because it is not visible from shore, being too low down.
The rigs can be kayaked to, and the weather forecast is pretty good these days. Kayaks are very, very buoyant and you can raft up with colleagues in rough seas as the Inuit do.
Here in Scotland we have the legend of the Selkies, who take the form of seals on the sea and walk as men on land. Inuit wear sealskin and their kayaks are sealskin and they wear them. There are historic records of Inuit turning up in Scotland. Young males sometimes got wanderlust and got quite a distance.
So don't discount the possibility. Also here in Dundee we have self-powered mobile rigs docked all the time. One was recently subject to an Extinction Rebellion protest: three young women with climbing gear climbed one of the legs (they stick up in the air when docked, and used to block CH5 analogue services). You could get close to one in a kayak or small boat quite easily. All the local yacht clubs are just east of the rig docks. Running a rig into the Tay Road Bridge would cause a lot of disruption. It is not far west of the rig, so you wouldn't have to take it far. If it went right through a span of the Road Bridge you could carry on to the Tay Bridge carrying the East Coast main line.
We also get cruise ships in dock in the summer. Same thing applies.
And note there is NO dedicated, on-station rig defence unit in the British Armed Forces. The Norwegians have one. The SNP's Independence White Paper proposed to create one and base it on the East Coast along with surface ships.
There are NO surface naval ships based on the East Coast or in the Northern Isles; Scapa Flow is history as a naval base. The British rigs are utterly and completely unprotected. We would have to ask the Norwegians to help.
So any attackers would have quite some time to cause havoc before being bothered. I expect Polis Scotland would have to try.
Anyone taking an oil rig in the UK would probably find the Special Boat Service (SBS) dropping them a 'call.' I believe they have the maritime counter terrorism role.
Being the same as the SAS in terms of role and training, that 'call' would be at the working end of some violence.
At a previous place of work, one of the consultants went to check the security of some of a cruise liner's systems, mostly for on-board purchases and charges. PCI DSS sort of thing. It only took a day or so, but they weren't going to change the ship's schedule, so he got a few free extra days lounging around before it next docked. Nice work, if you can get it.
Jesus, guys. I'm not even a technologist, and I know that is a horrible idea. All you need is some hacker or cyber-terrorist to grab control of a big container ship entering Hong Kong or something, and start using it to run down ferries and water taxis, or force the ship aground to pile a bunch of losses and liability on the owner, for the benefit of an unethical competitor.
You can do a lot of damage with a large vessel, but "running down water taxis" isn't one of them. Kind of like a rhinoceros trying to pin down a squirrel.
Running into another large ship (e.g. cruise ship) that is equally hard to maneuver would be a more likely issue. Or ramming an oil platform.
Cruise ship? Nah. That's just civilian crap. You want your zombied tanker heading straight at the USS Gerald R Ford or HMS Queen Elizabeth in a port that doesn't have complete separation of civil and military vessels.
To me you just grab the Panamax in the Panama Canal (or Suez), kill all engines, drop the anchor and then scramble the codes so it can't be restarted.
Disruption alone to international trade etc. No need to ram anything, no one is hurt etc. Ability to get close because of the sides of the canal etc.
Same with something like the Sydney landmarks, the Statue of Liberty, an oil terminal etc. Large, static and high profile.
They just saw or blast-cut the anchor chains and tow it one way or the other to get it out of the way. Troublesome, yes, but it's not like the Canal isn't prepared for such things as a Panamax suddenly going adrift within.
Thankfully, last I checked, running the mules requires a bit of a deft touch and a good eye, both of which require local presence. They may have monitoring equipment, but operations, like with the ships while they're in the canal, requires an actual person at the helm.
Every merchant vessel I've worked on had a gun locker of one description or another. Granted, I only worked on them in port or on delivery and test runs, not while going about their business (comms, computers & controls mostly).
"More to the point, that would require the crew are licensed to use firearms."
And not forgetting, licensed for each jurisdiction they make port in, bearing in mind that even locked away, those weapons may be illegal to even possess, as some British "security guards" discovered in India a year or three back.
I worked with a young gentleman, some years back, who took a job at C&W, jumping ship from RACAL.
He confirmed that they all had weapons training for such an event as a potential ship hijacking (gun boats) & access to the gun locker, & as the most junior officer on the ship he got to ring the bell for New Year at midnight (when/wherever that happened to be on the seas).
Hope you are well Mr Wxxxxxx, wherever life took you.
Since when did one need a license to use weapons on the high seas? Who is the licensing authority? How is it enforced, and by whom?
I've seen this on most commercial ships that travel in dangerous parts of the world. I wouldn't expect to see it on shipping between, say, France, England and Denmark.
From what I understand from the Captains who actually do it, jettisoning "illegal" weaponry when entering the waters of countries where they are frowned upon is routine. Guns are cheap, cargo is not.
Well, since you need to obey the law of the flag state of the vessel, which is pretty obvious, you need to obey their rules:
https://www.ics-shipping.org/docs/default-source/Piracy-Docs/comparison-of-flag-state-laws-on-armed-guards-and-arms-on-board-2017.pdf?sfvrsn=0
I've been on plenty of voyages passing dangerous parts of the world. No guns. It's a rarity.
If people are going to try to do it, it needs to be designed around so that they either can't or they can in a secure way.
Just saying that's a poor excuse and they shouldn't have done it is of no bloody use whatsoever when faced with the expense of an avoidable incident.
Unless the company thinks it can walk away without any liability:
Try walking to the other end of the ship in a force 6 gale... Sometimes you just don't want to have to don the sou'westers just to do some minor change.
Regarding the jury-rigged WiFi... I'd also wonder just what sort of sites were being visited by the crew? It's lonely out at sea, after all...
There were definitely at least some accidental references in things, though I don't recall any sniggering at school about Pugwash - and there would definitely have been some.
Last year, Radio 4's Something Understood episode "The Voice" snuck in a cracker from Ivor the Engine:
"Owen's not awake yet. Give him a blow, Ivor!"
Ooer.
This attitude is why there are problems.
Last time I checked, I didn't need to put on a boiler suit, hard hat, safety boots, and gloves to go out to a PC in an air-conditioned space to fix a user's PC.
Then there's the weather. People die on vessels going out 300m.
https://www.londonpandi.com/knowledge/news-alerts/maib-report-on-fatal-accident-on-board-maersk-kithira/
There are no IT crew. Outside of cruise ships, there is no one with training in this. It's down to the person who knows the most IT.
Honestly, your comment is glib and pretty offensive, and totally lacking in understanding that not everyone is a desk jockey.
I am told there is a principle in designing parks. You build the park, see where people want to walk, then build the paths along those lines. If a designer decides that a path will go from A to B, but people prefer to take a different route, they will.
The same applies to security. It is just plain dumb for an infosec person to say "this is what users should do" and then build security around that. A better approach is to see what users actually want and then make those available in a secure manner.
Trouble is, designing parks and designing ships, especially things like container ships (where the cargo dictates the shape) and submarines (where space is at a necessary premium), are two entirely different kettles of fish. And have you had to go down the length of three football fields (exact fraction depends on the variant) multiple times a day, usually up on a tossing, wind-swept deck or down below in cramped decks? As they say, necessity is the mother of invention, ease of use trumps security anyway, and a captain at sea isn't one without the consent of his/her crew.
There's a corner just opposite the local shops. There's a paved path which cuts it, leading from the island crossing. The council decided to do the sensible thing. The local garden centre can be walked to, but you don't want to walk all the way down to the vehicle entrance. So you slither down the little bank. There's a path there now. At the local Aldi car park there are two slithers down to the pavement. The vehicle approach is not good for pedestrians. I expect them to be made official and paved very soon.
Some paths are just egregious. At one angled T-junction I run through early on Sunday mornings sometimes there’s one of those fenced in controlled crossings where they make you trudge 20m up the road then has a 10m chicane to get to the other carriageway. I’m outside the fence on approach and I run across the grass strip below. Hardly any traffic and I have a full view of it. Later on the same run there’s a 5 roads city roundabout with pedestrians corralled by fences. Again I’m outside the fences on approach and I run round it on the outside facing any traffic. Never had a problem. Wouldn’t do it midweek.
Meanwhile, in NK and Iran, somebody's new project is getting massive funding. Why build warships when you can just borrow them? Why build expensive bombs when tankers are free? Look up 'blockship' for simplicity. With enough tin cans, is Tianjin within WiFi range of Pyongyang? Or a "fishing boat" in Bohai? What's that phrase? "Cheap as ships" ?
No. It's a transform fault. One side is moving North, the other is moving South. There is no vertical movement to speak of.
Roger's Creek hasn't moved in a century, or thereabouts. When it finally shifts, it might take the Healdsburg fault (the Northern extension of the combined fault zone) and the Hayward Fault with it (Rogers and Hayward are joined under San Pablo Bay) ... a total distance of about 120 miles could rupture, probably producing a Mag 7.5ish quake, which will pretty much cock up the entire San Francisco Bay Area.
I'm hoping for smaller pressure-relief type quakes, but I'm prepared for the worst. Not paranoid, pragmatic.
Why hasn't this happened? Because it's not productive to attempt it.
You can only borrow a large ship as long as the Officer of the Deck (military) or Officer of the Watch (Merchant) doesn't notice the heading has changed. That'll take all of, oh, I don't know, maybe a minute or so max when you're out of sight of land and it's cloudy so you can't see the stars. Far less if you're close to shore and have landmarks to eyeball. Regaining physical control of a ship's steering from teh evul h4><xors wouldn't take another minute or thereabouts. There are always manual over-rides that can't be circumvented.
Changing a ship's speed would be noticed immediately by everybody on board. The vibrations seep into your psyche, and any unannounced change, even a small one, will jolt even the soundest sleeper wide awake. The necessary crew would be moving to take care of the problem before the OotD/OotW could issue the order.
Remember, kiddies, this is real life, not the movies.
You've got a totally broken threat model.
The article describes an oil rig using dynamic positioning. The generators are running pretty much all the time, as the thrusters are continuously working to keep the rig on station.
If there is significant mechanical failure, and the position cannot be held, then a big red button is pressed. This triggers the BOP, cutting the drill chain at the seabed, and drops the drill chain from the top.
The operator of the rig performed a risk analysis and found that even under normal mechanical failure, manual control was simply not quick enough to stop this happening. The generators, if you cannot control them from the bridge, are around 3-4 minutes away from the bridge. The thruster controls are in the legs, two of which are 1-2 minutes away, the other 3-4 minutes away, then a slow lift ride (unless the weather is rough - then it's a ladder climb). You now have 6+ people (1 for each of the four legs, 1 for each of the two generators needed) communicating via phone with the bridge to keep things working. They cannot fully practise this with every crew, unlike on a ship, as it would cause too much risk. When it has been practised, the control required to use 4 separate thrusters to keep it on station is incredibly hard without the control systems in place.
Now, an attacker comes along. We found you could disable the phone system, causing them to fall back to radios - which even with leaky feeders, were found to be unreliable in the legs. You now don't have comms. We found that it was possible to wipe the configuration of the breakers in the main switchboard, preventing automatic synchronisation. This highlighted the problem that although the generators had synchroscopes, the bus ties did not. This made operation much more awkward. At the same time, total control over the drilling control network had been obtained. We could brick every switch and PLC, stopping that working entirely. That's just the start of the systems we took control of.
So now you've got the potential for a drive-off incident, which costs millions of dollars. Even if you don't, you have the potential to cost the company huge sums whilst they restore the config of over 400 PLCs, many of which don't have up-to-date backups.
And no, you won't wake up at the sound of small changes on a rig, unless you never sleep.
So remember kiddo, if you paint the only risk as the most severe one and in limited situations, yes, you can ignore it.
Apparently you have never heard the term "topic drift". It's part and parcel of online forums, and I would wager a guess that it's the reason most commentards use this forum.
I'm on record as saying that I've been telling manglement that PLCs (and other bits of industrial SCADA haberdashery) should never be reachable from outside the local network. Here's a link to one ElReg post of mine on the subject from way back in 2011 ...
Yes, I know how common rail engines work. They should not be accessible outside the LAN if they are being used in critical systems. Making them accessible to all and sundry is effectively slapping a large KICK ME note on your own back. Sounds like I agree with you, no?
Ah, the good old "topic drift" thing. I'm here too, and it drifted back to what the article is about.
We've had access to common-rail engine PLCs from the corporate network before. So, they can be attacked.
You've picked clear weather, with an alert crew, and not taken into account human factors.
I will just leave this here.
https://features.propublica.org/navy-uss-mccain-crash/navy-installed-touch-screen-steering-ten-sailors-paid-with-their-lives/
Drifted back to what the article was about? I refer you to the first six words of the first paragraph of the article. To wit "Penetration testers looking at commercial shipping".
And I refer you to the comment in this thread that I was responding to: "It's been nearly 40 years since Superman 3 yet no one seems to have done the 'hack ships to do stuff' thing in anger.".
I know SCADA stuff is vulnerable. I've been bitching about it (on land, sea and air) for literally decades.
I did not pick clear weather. I even mentioned cloud cover, at night.
The McCain incident should never have happened. Its cause was, quite simply, high-ranking muck-a-mucks putting entirely too much faith in unproven technology. Again, I'm pretty sure I'm agreeing with you on the underlying issue at hand ...
I don't think we do though - you are under the notion that the crew are infallible. That they will notice, that it will be obvious.
https://www.gov.uk/maib-reports/collision-between-ro-ro-passenger-ferry-red-falcon-and-moored-yacht-greylag
"the master became fixated upon the information displayed on his electronic chart and operating engine controls, ignored information displayed on other electronic equipment, and became cognitively overloaded due to high stress"
It's a downplaying of the risks because you are not accounting for human factors.
But here's the rub. How do you KEEP it separated, especially if determined individuals keep bunging things on and bridging networks because they have better things to do? Given the number of ways things can be bridged, I frankly don't see a way you can keep someone from bridging an isolated LAN somehow.
Well, since the security people have decided to use an abbreviation for penetration that is actually a noun (and can be used as a verb also around those pre-existing nouns), pen, that has been used since the 14th century to refer to a place for confining animals (an animal pen) and to writing implements (quills, pen points, fountain pens, ballpoint pens), perhaps they have no-one else but themselves to blame for creating such a play on words?
Though I will also note that calling themselves penetration testers also leads to a whole new set of puns and implications.
A few points here.
1. Working on ships can be really boring. It's not like it's a 9-5 job; you are there 24 hours a day for extended weeks. This means the temptation to hack the systems to make access easy is far greater. I remember being on a Royal Fleet Auxiliary vessel in the 90's and I was amazed by the amount of pirated games that were onboard, because basically there is so little to do in your off-time. If ship owners wish to reduce the temptation to hack, they should provide the facilities to the crew for R&R in a separate secure system. But most won't because it increases cost.
2. Most ship systems are based on COTS systems. This means there is a great temptation for crew to "re-use" bits of kit. It's very hard to lock down, say, a PC running Windows 7 against a determined user with a lot of time on their hands. The biggest threat however is things like USB sticks. They get plugged in so that someone can run their porno picked up on-shore, which runs a virus. Virus checkers are very hard to run on such systems because a) without internet access they cannot be easily updated, b) they interfere with the functionality. Fortunately most viruses are designed not to attack control systems but to get bank details etc., although the ransomware ones are a pain.
3. It's all very well saying that passwords should be secret, changed etc., but IT policy often does not work well in an operational technology (OT) environment. Imagine a system where you want to move a ship from a hazard, and your password has expired or you forgot your password and the system locks you out. In fact security standards emphasise that safety trumps security when there is a conflict.
4. Marine systems are very conservative, meaning they are very slow to react. The industry is moving forward, but with systems out there which are 25 years or older, it will take a long time before systems are brought into the 21st century cybersecurity-wise.
I'd love to come up for a solution for 3.
There are certain systems - like the ECDIS - where it's just not possible to set passwords that are long, complex, per-user, and confidential.
But it is possible to set the password on your switches and PLCs to not be the same across all 150 rigs with the same drilling package.
Same with HMI consoles - it may need a basic level of access with simple creds, but the Windows box doesn't need to have local admin password of 00000000.
@cybergibbons
Making sure that default passwords are not reused or forced to be changed is important, however it raises another issue.
The common test against any security change is the "Major shitstorm at 1 O'clock in the morning a long way away..."
Basically if a safety critical system goes titsup in an inaccessible location at a time when 1st line support is unavailable, what do you do?
If a system was installed 20 years ago (not uncommon), where do you find your passwords? Are they stored on-site? If not, does the company who installed your kit still exist, can they be contacted, have they maintained their records, do they know where they are?
It's scenarios like these that worry people, and they have to be measured against the unknown risk of a system being remotely hacked.
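One way to reconcile the two posts above (no password shared across 150 rigs, yet recoverable on site without first-line support at 1 o'clock in the morning) is to derive each device's password from one offline master secret with HKDF and to audit the inventory for reuse. This is an added example, not code from the thread or from Pen Test Partners; the master value, rig and device names and the inventory are constructed for the demo.

```python
import hashlib
import hmac
from collections import defaultdict

# 64 symbols: indexing with 6 bits of derived output introduces no modulo bias.
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_"


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF (extract-then-expand) built on HMAC-SHA256 from the stdlib."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_password(master: bytes, rig_id: str, device_id: str, length: int = 16) -> str:
    """Per-device password: unique per rig and device, but reproducible from the
    master secret alone, so the rig can regenerate it on site. A password read
    off one switch reveals nothing about any other device or about the master."""
    info = f"rig={rig_id};device={device_id}".encode()
    raw = hkdf_sha256(master, b"ot-device-passwords-v1", info, length)
    return "".join(ALPHABET[b & 0x3F] for b in raw)


def find_shared_passwords(inventory):
    """inventory: iterable of (rig_id, device_id, password).
    Returns {password: [(rig_id, device_id), ...]} for every password in use on
    more than one rig, i.e. the 'same across all 150 rigs' situation."""
    locations = defaultdict(list)
    for rig_id, device_id, password in inventory:
        locations[password].append((rig_id, device_id))
    return {pw: locs for pw, locs in locations.items()
            if len({rig for rig, _ in locs}) > 1}


# Constructed master secret for the demo only. A real one comes from
# secrets.token_bytes(32), lives offline (sealed copy in the rig safe, another at
# the operator's HQ) and is the only value that needs long-term protection.
DEMO_MASTER = bytes.fromhex("4f" * 32)

RIGS = ("rig-01", "rig-02", "rig-03")
DEVICES = ("drill-switch-01", "drill-plc-03", "hmi-console-02")

# Constructed 'as found' inventory: the same local admin password everywhere.
AS_FOUND = [(rig, dev, "00000000") for rig in RIGS for dev in DEVICES]

# The same fleet after switching to derived passwords.
DERIVED = [(rig, dev, derive_password(DEMO_MASTER, rig, dev))
           for rig in RIGS for dev in DEVICES]

if __name__ == "__main__":
    for pw, locs in find_shared_passwords(AS_FOUND).items():
        print(f"password {pw!r} shared by {len(locs)} devices across rigs: {locs}")
    print("shared after derivation:", find_shared_passwords(DERIVED))
    print("rig-02 drill-switch-01 ->", derive_password(DEMO_MASTER, "rig-02", "drill-switch-01"))
```

The trade-off is that the master secret becomes the single thing to protect, which is why it should never be on the rig network, only on paper or a sealed medium in the safe.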
I worked on this for an oil company. When we started, you could get hold of an offshore rig from your desk.
A few things to add:
- the conservatism also bites in different ways: adding anti-virus, for instance, eats resources that were originally not planned for. As you are indeed dealing with old systems, often the only way to shore these things up was adding a security gateway where all I/O is scanned for viruses. A certain AV vendor did very well off the back of that because the project needed *lots* of them.
- ESD (Emergency Shutdown Devices) were at the time still fully isolated. I hope it stays that way.
- the industrial world hasn't exactly covered itself with glory here either; we came across PLCs that could be frozen in an indeterminate state with a SINGLE malformed packet, and in that case it's not a matter of switching it off and on to recover it, it needs to be reflashed and reprogrammed. Ouch.
- the principal risk to such isolated platforms is indeed the engineer who wanders in with an unchecked laptop and so acts as the virus carrier.
"ESD (Emergency Shutdown Devices) were at the time still fully isolated. I hope it stays that way."
One thing not mentioned is that there has been a push for greater analytics from customers. This mean that things that used to be isolated have been connected. The drive to sell services has often come at the cost of greater risk.
"The drive to sell services has often come at the cost of greater risk."
IMHO that is also what drove the COTS approach, switching to using Windows instead of Unix. That said, that was also a side effect of the then frankly shocking costs of proprietary Unix variants.
I'd love to see someone cook up decent Linux or BSD based process control frameworks, but there is apparently no market for them and to do it right costs money. People have to eat.
Having been stuck on a survey ship, anchored 40 miles off the coast of Montrose for nearly 3 weeks, the entertainment consisted of:
5 quid for 24 bottles of Grolsch.
A video tape or two of episodes of The Prisoner
A video tape of Benny Hill & a few other movies.
More video tapes (3rd generation rips) of (very bad) porn that, when the "movies" finished, broke into a chronicle picking up the story of another passenger ship, featuring Kunta Kinte in the middle of the Atlantic crossing to the US, that was by that point over 12 years old.
I chose the night shift to be on watch as part of my job role because of the Grolsch I could drink, could choose what I wanted to watch from the "choice" available once everyone had gone to bed or was working, didn't have to take calls from client/employer, bacon butties every 90 mins & sleep through the long day of nothing.
My one regret was apparently missing the whales swimming alongside & under the anchor chains at 4am on one occasion.
If you want to implement security in situations like these, you have to make it easy, reliable, and seamless. Any crew, whether it's on an oil rig or a production line in a factory, simply isn't going to stand for anything that makes their dreary, complex, demanding, sometimes dangerous jobs more difficult. Many will actively rebel against what they view as 'outsiders' telling them what to do. And the mentality of "Well, if he doesn't comply, he's fired!" is only going to lose you skilled workers and make everyone unhappy in the long run. Maybe if your workers are completely beaten down, this would fly, but when you treat people like this, then you end up with theft, sabotage, shoddy work, and a general "I don't give a fuck" attitude.
Possibly these are the scenarios that Smart cards are best for--all the worker needs is to remember their card and possibly a short PIN for added security. While not as easy as a blank password, certainly it's easier than typing "Password1234" 20x a day. Or, if you find someone just leaving their card by the workstation, possibly a fingerprint reader would be good---most people won't leave a finger by their console.
The moral of the story is if you complicate anyone's day and don't give them something positive in return, they will always find a way to work around your best intentions. We human apes are pretty clever, especially when it comes to working hard to find new ways to be lazy.
The bridging of networks that are supposed to be air-gapped is a big problem. If some crew member opens something loaded with ransomware and the network is bridged into the engineering network, they could wind up dead in the water until they send a certain purse of bitcoin to a numbered account. The ransom could be cheap when compared with the loss of a day under power if the attack wasn't targeted at the ship, but that loss of a day could be millions of anybody's money.
A bridge into cargo manifests could be a load of fun. I can't even guess what a 40' container of iThingys might be worth if somebody could pull up enough information to forge some shipping documents.
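The earlier question of how you KEEP the crew and engineering networks separated when someone keeps bunging kit on, and the post above about a bridge carrying ransomware into the engineering network, both come down to noticing the bridge early. As an added example (not code from the thread or from any vendor), the check below compares the crew Wi-Fi controller's client list with the engineering switch's MAC address table: a crew client MAC learned on the engineering switch, or one access port learning a pile of MACs, means something is bridging the two. Both inputs are constructed samples in a Cisco-style layout.

```python
import re
from collections import Counter

# Constructed sample: client list from the crew Wi-Fi controller.
CREW_WIFI_CLIENTS = """\
MAC               SSID         AP
a4:5e:60:11:22:33 CREW-WIFI    ap-accom-deck2
a4:5e:60:44:55:66 CREW-WIFI    ap-accom-deck2
3c:22:fb:77:88:99 CREW-WIFI    ap-messroom
"""

# Constructed sample: 'show mac address-table' style output from the drilling
# switch. Gi1/0/24 is an ordinary access port that should see one PLC at most.
ENGINEERING_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
  10    00:80:f4:aa:bb:01 DYNAMIC     Gi1/0/1
  10    00:80:f4:aa:bb:02 DYNAMIC     Gi1/0/2
  10    a4:5e:60:11:22:33 DYNAMIC     Gi1/0/24
  10    3c:22:fb:77:88:99 DYNAMIC     Gi1/0/24
  10    b8:27:eb:00:00:01 DYNAMIC     Gi1/0/24
  20    00:80:f4:aa:bb:03 DYNAMIC     Gi1/0/5
"""

MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", re.I)


def parse_wifi_clients(text):
    """Return {mac: ssid}; header and malformed lines are skipped."""
    clients = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and MAC_RE.fullmatch(parts[0]):
            clients[parts[0].lower()] = parts[1]
    return clients


def parse_mac_table(text):
    """Return a list of (vlan, mac, port) tuples from the switch MAC table."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and MAC_RE.fullmatch(parts[1]):
            entries.append((int(parts[0]), parts[1].lower(), parts[3]))
    return entries


def find_bridged_clients(wifi_clients, mac_table):
    """Crew Wi-Fi client MACs that the engineering switch has learned.
    On a properly separated network this list is always empty."""
    return sorted((mac, vlan, port) for vlan, mac, port in mac_table
                  if mac in wifi_clients)


def ports_with_many_macs(mac_table, threshold=3):
    """Access ports learning several MACs: a switch, hub or rogue AP is behind them."""
    counts = Counter(port for _, _, port in mac_table)
    return {port: n for port, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    wifi = parse_wifi_clients(CREW_WIFI_CLIENTS)
    table = parse_mac_table(ENGINEERING_MAC_TABLE)
    for mac, vlan, port in find_bridged_clients(wifi, table):
        print(f"ALERT crew client {mac} seen on engineering VLAN {vlan} port {port}")
    for port, n in ports_with_many_macs(table).items():
        print(f"WARN port {port} has learned {n} MACs; expected a single device")
```

Running this as a scheduled job against the real controller and switch exports turns a quiet bridge into a ticket the day it appears, rather than a discovery made after the ransomware note.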