Cyber Attack on Commercial Vessels?

Over the past weeks there have been a number of interesting articles on cyber attacks on commercial vessels. Many contain very little detail. All of these stem from the recent cyber attacks which have, understandably, got people a little worried. These recent cyber attacks are, as I and others have been trying to tell people, only the start. And please stop reading “Cyber” and thinking “Oh, only over the internet”. Stuxnet was a “Cyber” attack and it required physical access to machines. The continued recklessness of organisations not maintaining their technical equipment and not performing any kind of regular health check (like you would a car with an MOT) is pure negligence. But forgive me, long hours fixing systems after a simple patch would have saved them makes me tetchy.

Now, I love a good story, but what would it take to bring harm to a ship via the “internet”? First, let's go back to 1995 and look at Iain Softley's masterpiece Hackers. The film portrays an insider attack against an oil tanker fleet with the “Da Vinci” virus, taking advantage of salt water ballast manipulation to destabilise the ships. An interesting and perfectly possible scenario if:

  1. The ship's control systems are purely digital with no manual control and override systems;
  2. The digital control systems are linked electronically to home office;
  3. Home office has read and write capability over the control systems; and
  4. The chief engineer is not present on the vessel.

Back in 1995 none of these would have been possible, but are they today? Earlier this year Campbell Murray took complete control of a super-yacht. This was possible because 1 to 3 above were true and there was no regular review of the security and safety of the digital systems. But there is a gulf of difference between a super-yacht and a working vessel. I recently proved the ability to take over control of a working vessel through a wireless attack against an engine room management system, made possible by a bug in the manufacturer's maintenance system. Covert it is not, as you really needed to be within 10 meters of the vessel. Could this have been done via the internet? No. The vessel's systems are completely digital, but analogue control systems are also in place. Engineering can override the digital controls, although it does take work, and there is always an engineer on board. There was also no digital link to the vessel control systems from the home office, only a digital link to the vessel management system, which logs location, heading and speed. A completely separate system.

Now, why is point 4 very important? I have had the pleasure of spending time with a number of engineers and chiefs in my time and they are all, without exception, highly talented machine heads. Should an attack occur and an external party take control of a vessel remotely, I would wager that the chief engineer would be pulling wires out of systems and running things manually.

Good cyber security for a commercial working vessel involves two things:

  1. Understanding your cyber risk by having a penetration tester review your electronic systems to identify any potential or real avenues for attack so you can rectify them; and
  2. Making sure you always have a damn good engineer running the heart of your vessel.