Updates to the cybersecurity ecosystem seem to have gotten lost at sea for the shipping industry. Measures that have been outdated for years in other sectors are still in force on the high seas, meaning that ships are susceptible to being robbed, hacked, and even sunk. Vessels that were traditionally isolated are, thanks to the Internet of things and advances in technology, now always online via VSAT, GSM/LTE and WiFi connections, and have complex electronic navigation systems.
A study by Pen Test Partners has shown how easy it is to gain access to a vessel in the shipping industry. Some of the access methods presented are truly worrying: exposed satellite communication terminals, user interfaces accessed via insecure protocols, default login details that have never been modified… The list goes on. In this industry, a cyberattack would have an enormous economic and business impact, since maritime transport moves goods totaling millions of Euros all around the world.
Satellite communications: a threat in motion
Thanks to Shodan, a search engine for IoT connected devices, the Pen Test researchers discovered in previous investigations that the configurations of some satellite antenna systems were easily identifiable through old firmware or unauthenticated connections. To gain access to systems, and ultimately hack them, they came across dangerous default login details, like “admin/1234”.
ECDIS, charting a course for disaster
The Electronic Chart Display and Information System (ECDIS) is the electronic system used by these ships to navigate, and that also warns the captain about any hazards on their course. This tool, which contains graphical and nautical information, is an alternative to the old fashioned maritime maps that don’t offer information in real time. Upon testing over 20 different ECDISs, the analysts discovered that most of them used very old operating systems (some with Windows NT, from 1993), and incorporated configuration interfaces with low levels of protection.
In this way, the researchers demonstrated that cyberattackers could cause the ship to crash by accessing the ECDIS and reconfiguring the database in order to modify the dimensions of the ship. If the ship seemed to be a different size, longer or wider than it really is, the electronic systems would offer incorrect information to other nearby crews. They also showed that attackers could force a collision by falsifying the position of the ship shown on the GPS receiver. It may sound implausible, but in the case of particularly busy shipping routes or places with low visibility, a falsification of this type could be catastrophic.
Even if the vulnerabilities shown by the analysts aren’t exploited in such an extreme way, it’s hugely important to know that security gaps in vessels can cause substantial damage, both to national industries and in the maritime environment, including ports, canals, and docks. The analysts underlined that, by using ECDIS, it is also possible to gain access to the systems that warn the captain of possible collision scenarios. By controlling these collision alarms, attackers could bring routes as important as the English Channel to a standstill, endangering the imports and exports of a whole country.
Simple solutions for complex systems
As well as updating systems and ensuring that no sensitive information is exposed on the network, the shipping industry must also maintain the defenses that are needed for Internet devices, like we’ve seen in the case of satellite communication systems. To maintain connection privacy, Transport Layer Security (TLS) protocols must be put in place on these devices, since a failure in just one device can compromise the security of the whole network.
The analysts reported that a first step to mitigate most of the problems exposed in the study would be to use strong passwords for admin profiles, making sure to modify the default login details. To avoid serious problems like sabotage, destruction of ships or goods, collisions, and loss of infrastructure, it’s essential to have protection systems for the whole network perimeter, including the transport of goods, to bring the domain of cybersecurity out into international waters.