Ethical hackers Pen Test Partners, have spent a lot of time highlighting cyber vulnerabilities within the maritime sector by speaking at various shipping conferences and events to promote the need for better cyber security.
One of the most common questions that senior partner Ken Munro gets asked following one of his engaging presentations is: “Where do we start with maritime security?”
In answer to this question, he’s put together a list of ten tactical tips which maritime industry executives can out into practise straightaway to drastically reduce the risk of becoming victims of hacking.
#1 Make sure your satcom system isn’t on the public internet.
Most airtime providers offer a private IP address space, so hackers can’t reach your satcom system as easily over the internet.
It’s easy to find out if your vessel terminals are public or not: put the IP address in a browser and see if you can route to the terminal web interface from the public internet. Or you could port scan it. Speak to your airtime provider and check.
#2 Check that your satcom system has its passwords changed from the manufacturer’s default
By far the most common problem: the satellite terminal installer hasn’t changed the admin passwords from the default admin/admin or similar. Ensure the passwords are complex and only known by those who need to know.
#3 Update the software on the satcom system
Make sure it’s at the latest version and ensure it is updated every time the manufacturer publishes an update. Updates usually include fixes for security flaws, so the more out of date the software is, the more vulnerable it is.
Check the terminal vendors software update pages regularly – security fixes are often hidden in the changelog and not easy to find. This takes time and effort, so to spare the legwork consider using a patch update alerting service.
#4 Check that your bridge, engine room, crew, Wi-Fi and business networks on board are logically separated
If a device on your vessel is compromised, segregated networks will ensure critical systems are kept safe from the hacker. Do crew members personal laptops on the ship network have access to the navigation systems? Have you actually checked to make explicitly sure?
#5 Secure USB ports on all ships systems
It’s very easy to accidentally get malware on USB keys. We’ve already seen cases of ECDIS and other systems compromised by ransomware. How often do you see a phone charging from a USB port on a bridge console? Phones can be full of malware too.
To prevent accidental introduction of malware to vessel systems, lock down USB access. If critical systems can only be updated by USB, keep dedicated USB keys in a secure location that are used for nothing other this purpose. This isn’t ideal, but is better than open USB access!
#6 Check all on-board Wi-Fi networks
Strong encryption, strong Wi-Fi passwords and good Wi-Fi router admin passwords are a must. Crew Wi-Fi for personal use must not connect to anything other than the internet and/or on-board systems (e.g. media streaming) for personal use.
Any ship systems that use Wi-Fi (e.g. tablets for comms and navigation) MUST have raised security levels, including stronger authentication.
#7 Don’t rely on technology
Officers of the watch must be reminded not to rely too heavily on technology and get fixated on screens. GPS can be spoofed, ECDIS position can be manipulated and even synthetic radar can be hacked to misreport.
Whether it’s navigation, collision avoidance or loading, the Mark 1 eyeball must be employed to ensure the situation outside the bridge reflects what the technology reports.
#8 Teach your crew about cyber security.
Resources such as Be Cyber Aware At Sea are great for raising awareness and helping your crew avoid inadvertently opening the vessel to compromise.
#9 Make your technology suppliers prove to you that they are secure
If you don’t ask for security, you don’t get it! Your technology and services suppliers won’t spend any time on security if they don’t think the market wants it.
A 3rd party audit of your supplier would be a good start, though in the short term you should ask them for evidence of security accreditations such as ISO27001 or compliance with the NIST cyber security frameworks.
#10 get a simple vessel security audit carried out
Some of the worst vessel vulnerabilities are the easiest to find and fix. Bear in mind that maritime security issues are often systemic: they don’t affect just one ship in your fleet, the same issue can affect them all.
“Developing a security policy, following IMO, ISO and/or NIST frameworks is important but it can take a long time for companies to implement particularly where process and mindset changes are required,” said Ken Munro.
“However, these tactical tips can be put into practise straightaway and every second counts.”
Source: Pen Test Partners