Redefining piracy: the risk of poor IT security in shipping

30 November 2017 (Last Updated November 29th, 2017 11:22)

Connecting mission-critical technologies to the internet combines both risk and reward. Jalal Bouhdada, founder and principal ICS security consultant at Applied Risk, discusses the risk posed by unsecured VSAT communication links in the maritime sector.

Recent months have seen cyberattacks targeting critical environments across the globe. Credit: Caspar Rubin

The maritime industry currently plays a part in almost 90% of world trade.

Furthermore, the global cruise industry alone generated almost $40bn of revenue in 2015. With any such lucrative industry, it is no surprise that we witness a large number of malicious actors attempting to take advantage. Recent months have seen cyberattacks targeting critical environments across the globe – from Ukraine’s power grid and Chernobyl’s nuclear power station, to shipping giant Maersk, which saw significant disruption in the wake of the WannaCrypt cyberattack.

The rise in attacks against critical infrastructure highlights a shift in the cybersecurity landscape. In the past, hackers have directed their efforts towards traditional IT systems, such as the offices of white collar workers, to drive disruption or to secure financial reward. As this game of cat and mouse has escalated, both the security of IT environments and the attack capabilities of skilled hackers have risen in tandem. With improved capabilities, hackers now turn their attention to an industry in the early stages of connected IT adoption – maritime. This is not only due to a misplaced reliance on air-gapping, but also due to the use of unsecured technologies supporting critical functions.

VSAT systems: a new threat point

Very small aperture terminal (VSAT) is a communications system, developed by the US Navy in 1986. It is widely used in military, cargo and cruise ships, as well as offshore drilling platforms. The technology provides a link between IT systems and a satellite – allowing for internet connectivity on a ship during a voyage. Whilst this has the potential to increase efficiency by pushing the industry away from traditional communications systems, without adequate security considerations this gain can swiftly turn to loss.

Due to insufficient security considerations, VSAT potentially offers hackers a backdoor into vital systems within active vessels. Hacking systems traditionally separated from the internet by many nautical miles of open ocean has in the past been prohibitively difficult. However, with the advent of internet-connected systems, particularly in areas where security is not yet mature, environments where security was previously assured now contend with the full capabilities of modern-day hackers. The risks could include live location tracking of vulnerable vessels, and in a worst-case scenario, the loss of critical function such as power and navigation.

Networked and unsecured: the risk to critical technology

The potential risks we see stemming from VSAT links do not exist in a vacuum – industrial environments are also a key target for hackers. As the security capacity of industry is, as yet, immature compared to its IT counterpart, hackers are beginning to realise that breaching major, financially significant operations can provide a far larger pay-out than focusing on traditional IT networks. As attackers take advantage of vulnerabilities as simple as default usernames and passwords left unchanged on internet-connected devices, the threat to the maritime industry rises.

Maritime, unlike exclusively land-based organisations, experiences a unique form of risk in case of a breach. With a large amount of global cargo and LNG tankers interacting with shipping in some way, any loss of function could have significant ramifications. Additionally, recent research has revealed that sea kidnappings rose threefold in 2016, despite a net decrease in the total amount of global piracy. By operating unsecured, unsafe technology, the industry creates the potential for hackers and hacktivists to remotely influence critical functions, such as communications or movement, amplifying the threat to ships, crew, passengers and cargo in high-risk areas.

As a result of the growing level of risk, the maritime industry is taking drastic action – increasingly turning to radio for ship navigation – systems with roots in World War II technology. With the Industrial Internet of Things (IIoT) predicted to be worth $13.49bn by the end of the decade, a 228% growth on its equivalent figure two years ago, the potential for networked technology in critical environments is clear. What becomes evident, however, is the pressing requirement for adequate security measures. Instead of integrating security into critical functions, the maritime industry is on the cusp of completely ignoring networked technology and its associated benefits.

Critical vulnerabilities: a backdoor to essential systems

Ransomware is currently one of the most popular malware strains available to hackers, making it an obvious choice for those looking to disrupt known critical vulnerabilities. APM Terminals, a subsidiary of shipping giant Maersk, for example, recently came under attack directly through its IT/OT infrastructure, with hackers holding its data to ransom. Through using certain malware strains, it is trivial for malicious actors to lock critical systems and demand a ransom – usually payable by bitcoin. In addition to financially motivated threat actors, we now see a different breed – hackers seeking to test their skillset against new, unexplored systems.

This is a new challenge for the maritime industry. Security has historically never been a priority; however, with a growing level of technological connectivity utilised for critical maritime operations, the industry must be educated not only on how to ensure security is embedded within connected systems, but also that there is now a minimal use of legacy technology. If hackers catch wind of its use, the number of attacks targeting critical maritime operation systems will rise.

It is a major concern that these systems are often designed without security in mind, meaning that hackers can directly and effectively target crucial areas. The development of a comparable security response is lagging behind. The risk posed by unsecured VSAT communication links is not limited to the system itself. Unsecured internet-connected devices, once breached, can be used as a staging ground for further attacks. These can either take the form of an advanced persistent threat (APT), which sits on a network for years, or can be achieved through standard malware.

Security: from burden to business enabler

There are not many examples within the maritime sector of breaches occurring. It is therefore difficult for device manufacturers to prepare against an attack they perhaps do not fully understand. That is why security has never been a priority, leading to the production of technology that gives little consideration to security. It is not currently a requirement for manufacturers to ensure security is baked into technology from the outset, and organisations are under no obligation to use secured technology beyond their own best practice policies. This creates an environment which is now drawing the attention of malicious actors. To truly meet this threat, the entire supply chain, from end to end, must integrate security across the products designed, manufactured, produced and utilised within it.

VSAT communication links, in their current state, are needlessly insecure. It is therefore essential that the maritime industry conducts a review of its entire security process, including infrastructure, interface and protocols. This may begin by simply segmenting the network infrastructure and applying security hardening to the system. This is of course only the beginning; the increased level of risk is resulting in maritime turning away from networked systems and therefore not achieving the efficiency benefits. Instead, by integrating security across the maritime industry, vessels could be able to utilise the latest technologies with a vastly reduced level of risk.

Once secure technology is sourced, stakeholders have the opportunity to undertake continuous security assessments, providing staff with the security training necessary to effectively protect critical environments against attack. With threat actors continuing to target connected systems, particularly within maritime, we expect to witness a shift where cybersecurity measures are no longer seen as a burden, but rather as an enabler of productivity, efficiency and safety.

The maritime industry sits on a knife-edge. On one side, we see the potential for growing levels of efficiency through networked technology; on the other, a regression to legacy systems to ensure continuous uptime. It is now possible for the maritime industry to combine both of these essential elements – the key is effective security.