At a shipping conference in Athens, Greece, Ken Munro, a security researcher at Pen Test Partners, said that maritime cybersecurity is now facing challenges similar to those that industrial controls security in utilities started addressing several years ago.
Munro said that ships have moved on from running industrial control systems on dedicated, isolated networks with custom and arcane protocols to something much more complicated and connected.
He said that these ships were now “always-on, connected through VSAT, GSM/LTE and even Wi-Fi. Crew internet access, mashed up with electronic navigation systems, ECDIS, propulsion, load management and numerous other complex, custom systems. A recipe for disaster.”
Munro said in a blog post that a search of Shodan.io can unearth shipping equipment all over the world. He said that it was easy to find plenty of logins for Globe Wireless over plain-text HTTP, as well as logins under an earlier branding, ‘Rydex’.
“Globe were bought out and rebranded as Inmarsat in 2013, so you can date the comm box by the brand alone. Most of these are very old, undoubtedly running dated firmware,” he said.
Another problem found was with a satellite antenna called Cobham Sailor 900.
“Now, in the absence of known exploits such as this one for the Sailor 900, to make changes or do malicious things, one needs to authenticate as an admin user. The default is admin/1234. I haven't and won't be checking these creds on someone else's terminal, but what chance someone forgot to change these during installation?” said Munro.
He said that most of the maritime ‘hacking’ incidents reported in the press appear to be simple default or missing creds on comms terminals, followed by the ‘hacker’ clicking around a control system GUI. “That doesn't really count as a hack to my mind, though the consequence is the same,” he added.
Another problem discovered was with KVH CommBox private network terminals, which disclosed the name of the ship on the login page as well as a list of crew with access to the terminal. In subsequent investigations, Munro was able to quickly find out where the ship was, as well as a random crew member's Facebook page.
“This poor chap is ripe for phishing – we know pretty much everything about him. Simple phish, take control of his laptop, look for a lack of segregation on the ship network and migrate on to other more interesting devices. Or simply scrape his creds to the commbox and take control that way,” said Munro.
Munro said that ships need to bring in basic security policies as soon as possible. “TLS needs to be in place on satcom boxes. How can this be still missing on live devices today? Password complexity is a must, particularly for high privilege accounts.”
He said these devices must be updated as a matter of urgency. “It's simply not acceptable to leave vanilla firmware in place.”
“There are many routes on to a ship, but the satcom box is the one route that is nearly always on the internet. Start with securing these devices, then move on to securing other ship systems,” warned Munro.
Thomas Fischer, threat researcher and security advocate at Digital Guardian, told SC Media UK that one of the challenges when talking about implementing security standards in these kinds of environments is understanding who is ultimately responsible: the service provider (eg Inmarsat), or the shipping company?
"In most cases, one can argue that the service provider should actually be taking the lead on ensuring that the terminals they provide to ships are secure and ensuring that proper admin credential protection is in place. However, as we've seen in the past with wireless access points and home-based routers, it often takes a major incident or exploit to change the attitudes of the manufacturers," he said.
Javvad Malik, security advocate at AlienVault, told SC Media UK that many traditional industries adopted technology at a slower rate and faced fewer threats.