Commercial shipping environments are rife with vulnerabilities, according to researchers – up to and including unpatched “mystery boxes” that no one knows anything about.
“In every single [nautical pen] test to date we have unearthed a system or device, that of the few crew that were aware, no one could tell us what it was for,” said Andrew Tierney, researcher with Pen Test Partners, writing in a blog on Monday. “In other scenarios an undocumented system or device would be considered a malicious implant. In maritime cyber security it’s business as usual.”
In one case, a monitoring system was uncovered whose purpose was not known – although it was connected to the main engine. Fleet management had no record of its purchase or installation; all hardware was unlabeled. It had been installed by a third party with whom a commercial arrangement had stopped several years ago, Tierney said.
In addition to the connection to the engine, it also connected to a console on the bridge via Ethernet – but the crew had covered it up, because they had no use for it.
Tierney noted that the box seemed “suspicious,” and he embarked on an investigation, uncovering that the box was aggregating sensor data using a common ICS approach and the standard protocol specification for shipboard communications, NMEA 0183.
“We weren’t particularly surprised to see NMEA 0183 data over [User Datagram Protocol (UDP)] being sent to broadcast,” he explained – UDP being a connectionless alternative to TCP, used primarily for low-latency communication. “The format of it showed it was – the messages began ‘$IN’ – much like any other NMEA data. Some GPS sentences begin $GPGLL, for example.”
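A defender's inventory check for the NMEA 0183-over-UDP broadcasts described above, added here as an example and not taken from Pen Test Partners or the original article: it validates each sentence's checksum, groups traffic by source address and talker ID (the two letters after `$`, such as `IN` or `GP`), and flags talkers that are missing from the asset register. The addresses, sample sentences and register contents are constructed for illustration.

```python
from collections import Counter
from functools import reduce


def checksum(body: str) -> str:
    """NMEA 0183 checksum: XOR of every character between '$' and '*'."""
    return f"{reduce(lambda acc, ch: acc ^ ord(ch), body, 0):02X}"


def parse(sentence: str):
    """Return (talker, sentence_type, fields), or None if malformed."""
    s = sentence.strip()
    if not s.startswith("$") or "*" not in s:
        return None
    body, _, given = s[1:].rpartition("*")
    if given.upper() != checksum(body):
        return None
    address, *fields = body.split(",")
    if len(address) != 5:  # two-letter talker ID + three-letter sentence type
        return None
    return address[:2], address[2:], fields


def inventory(datagrams, expected):
    """datagrams: (src_ip, payload_bytes) pairs, e.g. read from a capture.
    expected: set of (src_ip, talker) pairs taken from the asset register."""
    seen, rejected = Counter(), 0
    for src, payload in datagrams:
        for line in payload.decode("ascii", errors="replace").splitlines():
            parsed = parse(line)
            if parsed is None:
                rejected += 1
                continue
            seen[(src, parsed[0], parsed[1])] += 1
    unknown = sorted({(src, talker) for src, talker, _ in seen} - expected)
    return seen, unknown, rejected


def _mk(body: str) -> bytes:
    """Build a constructed sample sentence with a valid checksum."""
    return f"${body}*{checksum(body)}\r\n".encode()


# Constructed sample traffic (documentation addresses, invented values).
SAMPLE = [
    ("192.0.2.10", _mk("GPGLL,4916.45,N,12311.12,W,225444,A")),
    ("192.0.2.77", _mk("INRPM,E,1,78.5,100.0,A") + _mk("INRPM,E,1,78.6,100.0,A")),
    ("192.0.2.77", b"$INRPM,E,1,78.5,100.0,A*00\r\n"),  # corrupted checksum
]
EXPECTED = {("192.0.2.10", "GP")}  # constructed register: only the GPS is documented
```

Running `inventory(SAMPLE, EXPECTED)` reports the `IN` talker at 192.0.2.77 as unregistered, which is the kind of finding that prompts a physical trace of the cabling.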
After discovering an unlabeled Moxa RS232->Serial converter connected to the mystery box with a shielded cable leading away from it, Pen Test Partners were eventually able to find that the cable ended at the main engine, a room-sized MAN B&W 10G90ME model, going into an auxiliary serial connection on a PLC. The engine was housed 11 decks below the box itself – and it was here that the NMEA 0183 data emanated from.
So, bottom line, “we’d found a Windows machine that was [remotely] connected to main engine controls, which no one knew about,” Tierney said. “The kicker? The Windows machine had TeamViewer running on it. The box hadn’t been patched in ages either.” He added, “We’ve proved in the past that we could bring entire fleets of vessels to a halt remotely through similar exposure of critical systems.”
Pen Test Partners wasn’t able to find out whether sending rogue commands to the box could adversely affect the engine or the ship’s functions. But Tierney pointed out that the mystery box’s existence is emblematic of a common issue plaguing nautical security.
“A lot is done to make everything as efficient as possible,” he explained. “So there are now a lot of different systems that gather data from around the vessel, aggregate it, display it and send it ashore. This data has to come from high-risk systems: the ECDIS, the ICMS, main engine, fuel oil systems… [The monitoring system] needs to interface with all these systems.”
He added, “How are you going to do that? Get a service engineer for the ECDIS and ICMS and main engine onboard? No. You use what is already available. And your goal is to get it working, not get it working securely.”
Often in the quest to get a system up and running, he said that shortcuts are made, such as using Ethernet networks and SMB file shares to send and receive data – with no firewall or other security implemented.
Pen Test Partners has shown in the past that the global shipping industry is vulnerable to a range of hacks and flaws that are trivial to exploit and easy to mitigate against. It has previously released several proof-of-concept (PoC) attacks in which it demonstrated multiple techniques for disrupting shipboard navigation systems, for instance. These could be used to force collisions or to force a ship off course.
The mystery box issue is simply another security problem, brought on by a high level of complexity in on-board systems. “Every ship you get on is different, even from the same class and from the same shipyard. Each new system installed is another source of complexity, it really shows after a while,” Tierney said.