Cyber Management Course (Ma) – Module 5

Monitoring Ships Data and activity – Encrypting convertor communications

Many newer serial-to-IP convertors support SSH or similar traffic encryption, making man-in-the-middle and similar hacking attacks much more difficult. Convertors should have encryption enabled. If they do not support encryption, check for software updates that add it, or replace the convertors with more up-to-date models that support encryption.

Monitoring Ships Data and activity – Exploitable convertors

There’s an interesting security flaw in some convertor firmware. An exploit is available in the Metasploit security exploit framework that is popular with hackers. One example vulnerability is referenced as CVE-2016-9361 and allows the hacker to recover the admin password, even if it has been changed from the default. This vulnerability has been fixed, but the software needs to be updated to apply the patch.

Monitoring Ships Data and activity – Default convertor passwords

Serial-to-IP convertors usually have a web interface for configuration. The default credentials are usually admin/superuser, superusr/<blank> or admin/<blank> in the case of Perle, and usually admin/moxa, admin/admin or admin/<blank> in the case of Moxa convertors. These are published by the manufacturers on their own web sites.

Once the hacker has the password, they can administrate the convertor. That means complete compromise and control of the serial data it is sending to the ship's engine, steering gear, ballast pumps or whatever else it serves.

Monitoring Ships Data and activity – Convertor Security

Security of the convertors is very important.

The convertor must be ‘hardened’ against security attacks. This means ensuring that the administration passwords are not left default by the installer. Default passwords are very common.

Can we identify any convertors used for critical or safety equipment?
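The four convertor slides above (encryption, the patched password-recovery flaw, default credentials, and identifying the units that serve critical equipment) amount to a checklist that can be run over a convertor inventory. The following is an added example written for this module, not vendor software: the inventory record layout, device names, systems and passwords are constructed; the default credential pairs are the ones quoted in the course text; and `firmware_patched` is a yes/no the operator fills in from the vendor's advisory for the flaw referenced on the previous slide.

```python
"""Hardening audit for the serial-to-IP convertors on a vessel.

Added example for this module, not vendor software. The inventory record
layout and the sample devices are constructed; the default credentials are
the ones quoted in the course text, and 'firmware_patched' is a yes/no the
operator fills in from the vendor's advisory for the password-recovery flaw.
"""
from dataclasses import dataclass

SEVERITY = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]

# (user, password) pairs published by the vendors, as listed in the course text.
KNOWN_DEFAULTS = {
    "perle": {("admin", "superuser"), ("superusr", ""), ("admin", "")},
    "moxa": {("admin", "moxa"), ("admin", "admin"), ("admin", "")},
}


@dataclass
class Convertor:
    name: str
    vendor: str
    connected_system: str     # what sits on the serial side (engine telegraph, steering, ...)
    safety_critical: bool     # does a compromise affect safe operation of the vessel?
    admin_user: str
    admin_password: str
    encryption_enabled: bool  # SSH/TLS on the IP side, per the first slide of this section
    firmware_patched: bool    # at or above the vendor's fixed version for the known flaw


def escalate(severity: str) -> str:
    """One step up the severity scale, capped at CRITICAL."""
    return SEVERITY[min(SEVERITY.index(severity) + 1, len(SEVERITY) - 1)]


def audit(device: Convertor) -> list[tuple[str, str]]:
    """Return (severity, message) findings for one convertor, worst first."""
    findings = []
    creds = (device.admin_user, device.admin_password)
    if creds in KNOWN_DEFAULTS.get(device.vendor.lower(), set()):
        findings.append(("HIGH", "administration credentials are still the vendor defaults"))
    elif device.admin_password == "":
        findings.append(("HIGH", "administration password is blank"))
    if not device.firmware_patched:
        findings.append(("HIGH", "firmware below the vendor's patched level for the password-recovery flaw"))
    if not device.encryption_enabled:
        findings.append(("MEDIUM", "serial data crosses the IP network unencrypted"))
    if device.safety_critical:
        # A weakness on a convertor feeding engine, steering or ballast control is one grade worse.
        findings = [(escalate(sev), f"{msg} (serves {device.connected_system})") for sev, msg in findings]
    findings.sort(key=lambda f: SEVERITY.index(f[0]), reverse=True)
    return findings


def safety_critical_units(devices: list[Convertor]) -> list[str]:
    """Answer the slide's question: which convertors serve critical or safety equipment?"""
    return [d.name for d in devices if d.safety_critical]


def worst_first(devices: list[Convertor]) -> list[Convertor]:
    """Order the inventory so the convertor with the most severe finding is fixed first."""
    def worst(device):
        findings = audit(device)
        return SEVERITY.index(findings[0][0]) if findings else -1
    return sorted(devices, key=worst, reverse=True)


# Constructed sample inventory (names, systems and passwords are made up).
SAMPLE_INVENTORY = [
    Convertor("ECR-1", "Moxa", "engine telegraph", True, "admin", "moxa", False, False),
    Convertor("BRG-2", "Perle", "voyage data recorder", False, "admin", "Vdr-2024!xQ", True, True),
    Convertor("BAL-3", "Perle", "ballast pump control", True, "superusr", "", True, True),
]

if __name__ == "__main__":
    print("safety-critical:", safety_critical_units(SAMPLE_INVENTORY))
    for device in worst_first(SAMPLE_INVENTORY):
        for severity, message in audit(device) or [("OK", "no findings")]:
            print(f"{device.name}: {severity} {message}")
```

The escalation step is the point of the `safety_critical` flag: a default password on a convertor feeding a chart printer is a finding, while the same default on the engine telegraph path is the first thing to fix, so the inventory needs to record what each unit is wired to before the audit is meaningful.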

Monitoring Ships Data and activity – OT on vessels

Direct control from the bridge of, for example, the ship's engine occurs by the engine levers sending network data over the OT network to the engine control systems in the engine control room.

There are numerous potential security flaws in the OT network that a hacker could exploit. First, we will look at the cabling.

Serial network cabling isn’t often the best way to send OT data around a vessel. An IP network will usually be in place throughout, so serial to IP convertors are used to ‘encapsulate’ the serial OT control data and transport it to the control systems over the IP network.

The convertor receives serial data at one side, then sends it out over an IP network from the other side. A second convertor at the outstation (e.g. the engine control room) converts the data back to serial again.
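The encapsulation just described, and the reason the first slide of this section asks for encryption on the IP side, can both be shown with a short simulation. This is an added example written for the course, not convertor vendor code. It assumes the convertor pair runs in a transparent TCP mode (serial bytes are forwarded unchanged, so the IP payload is the serial stream), that the serial data is CR/LF-terminated ASCII sentences with an NMEA-0183-style XOR checksum, and that the sentence name `ENGCMD` and the telegraph orders are constructed for illustration, not a real engine-control protocol. The "encrypted" stream is a deterministic stand-in built from a SHA-256 chain so the example runs offline.

```python
"""Serial telegrams inside a TCP stream, and a passive check for plaintext.

Added example, not convertor vendor code. Assumptions: the convertor pair runs
in a transparent TCP mode (serial bytes forwarded unchanged, so the IP payload
is the serial stream), telegrams are CR/LF-terminated ASCII sentences with an
NMEA-0183-style XOR checksum, and the sentence name ENGCMD is constructed for
the course, not a real engine-control protocol.
"""
import hashlib


def nmea_checksum(body: str) -> str:
    """XOR of every byte between '$' and '*', as two upper-case hex digits."""
    value = 0
    for byte in body.encode("ascii"):
        value ^= byte
    return f"{value:02X}"


def build_telegram(fields: list[str]) -> bytes:
    """Bridge side: one serial sentence, ready to be written into the TCP socket."""
    body = ",".join(fields)
    return f"${body}*{nmea_checksum(body)}\r\n".encode("ascii")


class SerialStreamReassembler:
    """Outstation side: TCP is a byte stream, so a telegram may arrive split across
    segments or several may share one. Buffer until a full line is present."""

    def __init__(self) -> None:
        self.buffer = b""

    def feed(self, segment: bytes) -> list[bytes]:
        self.buffer += segment
        complete = []
        while b"\r\n" in self.buffer:
            line, _, self.buffer = self.buffer.partition(b"\r\n")
            complete.append(line + b"\r\n")
        return complete


def parse_telegram(raw: bytes):
    """Return the sentence fields, or None if the framing or checksum is wrong."""
    text = raw.decode("ascii", errors="replace").strip()
    if not text.startswith("$") or "*" not in text:
        return None
    body, _, checksum = text[1:].partition("*")
    if nmea_checksum(body) != checksum.upper():
        return None
    return body.split(",")


def readable_telegrams(segments: list[bytes]) -> list[list[str]]:
    """What a passive tap (mirror port) on the IP network can read from the stream."""
    reassembler = SerialStreamReassembler()
    lines = [line for segment in segments for line in reassembler.feed(segment)]
    return [fields for fields in map(parse_telegram, lines) if fields is not None]


def printable_ratio(data: bytes) -> float:
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) if data else 0.0


def classify_stream(segments: list[bytes]) -> str:
    """'plaintext' if control sentences (or mostly readable text) are visible on the
    wire, 'opaque' otherwise. A plaintext verdict means the convertor's encryption
    is not on for this link."""
    if readable_telegrams(segments) or printable_ratio(b"".join(segments)) >= 0.9:
        return "plaintext"
    return "opaque"


def constructed_ciphertext(length: int, seed: bytes = b"course-demo") -> bytes:
    """Deterministic stand-in for an encrypted stream (a SHA-256 chain), so the
    example runs offline without a TLS/SSH session."""
    out, block = b"", seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]


# Constructed traffic: two telegrams, delivered in three TCP segments that split
# and merge them, as real captures do.
STREAM = build_telegram(["ENGCMD", "AHEAD", "HALF"]) + build_telegram(["ENGCMD", "STOP"])
PLAINTEXT_SEGMENTS = [STREAM[:10], STREAM[10:25], STREAM[25:]]
OPAQUE_SEGMENTS = [constructed_ciphertext(64), constructed_ciphertext(64, b"second")]

if __name__ == "__main__":
    print(readable_telegrams(PLAINTEXT_SEGMENTS))   # the telegraph orders, readable on the wire
    print(classify_stream(PLAINTEXT_SEGMENTS), classify_stream(OPAQUE_SEGMENTS))
```

Run from a mirror port, `classify_stream` is a quick way to confirm that encryption is actually switched on for a link rather than trusting the configuration page; the checksum in `parse_telegram` also shows why the XOR check is a framing aid and not a security control, since anyone who can read the sentence can recompute it.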

Monitoring Ships Data and activity – Consider OT without external IT

There’s a reason that OT security isn’t great – for many years OT networks were completely isolated from the internet and from corporate networks. The threat vector was primarily physical attack, so they were kept behind lock and key in, for example, electricity substations and water pumping stations.

Utilities faced a barrage of OT hacking incidents as systems were accidentally (or thoughtlessly) connected to the internet in the 2000s. This culminated in the Stuxnet incident in 2009 and 2010; an attack by nation states against the Iranian uranium enrichment programme that got out of hand. Lift systems in Germany were affected and production lines in the USA were compromised, all users of similar OT to the Iranians. Those familiar with the ‘NotPetya’ incident at Maersk will note similarities here, though that was an IT attack, not OT.

Monitoring Ships Data and activity – Consider OT without external IT

Examples of OT include propulsion control, steering, ballasting and many others. You are probably more familiar with an ethernet or IP network from your home or work computer; you’ll be familiar with the network cable that plugs into your home router with a small clip. It’s called an RJ45 connector.

Serial networks operate differently; they are much more popular in industrial systems such as utilities and vessels where safety and reliability are paramount, however their cyber security is often non-existent or very weak. You may be familiar with 9-pin serial cable connectors like this:

Monitoring Ships Data and activity – Consider OT without external IT

You may also come across terms such as ICS (Industrial Control Systems) and SCADA (Supervisory Control and Data Acquisition) but generally we mean the serial data networks and devices that control machinery.

Chapter 1 of the Operators Course (Op) discussed how OT has become more IT and now there is a bridge between the two. There were rumours that certain government organisations went ‘old school’ to typewriters, as it was the only way to guarantee security.

“The problem with a typewriter is that I can’t download the latest software patches to keep me safe from a virus or hacker...”

Monitoring Ships Data and activity – Access restrictions and content filtering

In addition to network segregation, another useful layer of protection is to ensure that key systems can only access the resources they need to.

For example, an internet browser on a computer on the vessel business network should not be able to access pornographic web sites.

All operators should have content filters in place to help ensure that crews do not (intentionally or accidentally) access web sites from business computers that may contain malware.

If content filters have been implemented by the operator, then such web sites should be blocked for users.

Monitoring Ships Data and activity – Testing network segregation

Very often, the crew’s and operator’s perception of network segregation may not actually match the reality of the on-board network. Through ongoing maintenance and upgrades to systems, changes by engineers and for many other reasons, carefully designed segregation may have been undermined.

For example, an ECDIS may have been isolated from the vessel IT network when first installed. In order to make the chart update process more efficient, automatic CMAP updates may have been implemented subsequently. To do this, the ECDIS was connected to the business network so that it had internet access to the online chart update services. That well-intended change has now accidentally created a link between the IT and OT networks, possibly exposing OT systems to the public internet.

Evaluating network segmentation requires certain network testing tools. Running these tools requires a degree of expertise; some tools can cause some systems to crash if run without care, particularly on the OT side of the network.

Tools such as Nmap are free and are included in the Kali Linux distribution. However, only experts in security assessment should use them on a live vessel network.

However, without testing the network, one is reduced to taking the word of the operator and crew.
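Before anyone runs scanning tools on a live vessel network, much of the segregation question can be answered offline by comparing the intended design with the flows the firewalls and switches already log and with the asset register. The following is an added example written for this module, not a vessel product or part of the course material: the zones, subnets, asset interfaces, port numbers and flow records are all constructed (203.0.113.0/24 is a documentation address range), and in practice the flow records would come from firewall logs or from a capture taken by a qualified assessor. It encodes the ECDIS scenario above: a second interface added for chart updates turns the ECDIS into a bridge between the OT and business zones even though no single flow crosses from one to the other.

```python
"""Check the intended network segregation against what is actually observed.

Added example for this module, not a vessel product. The zones, asset list,
port numbers and flow records are constructed; in practice the flows would come
from firewall or switch logs, or a capture taken by a qualified assessor.
"""
import ipaddress

# Intended design: which subnet is which zone. Anything outside these is EXTERNAL.
ZONES = {
    "OT": ipaddress.ip_network("10.10.0.0/24"),        # engine, steering, ballast controllers
    "BUSINESS": ipaddress.ip_network("192.168.1.0/24"),
    "CREW": ipaddress.ip_network("192.168.2.0/24"),
}

# Flows the design permits, as (source zone, destination zone). Everything else is a finding.
ALLOWED_FLOWS = {
    ("OT", "OT"), ("BUSINESS", "BUSINESS"), ("CREW", "CREW"),
    ("BUSINESS", "EXTERNAL"), ("CREW", "EXTERNAL"),
}

# Asset register: every interface each system has. A system with interfaces in two
# zones is a bridge between them, whatever the firewall rules say.
ASSET_INTERFACES = {
    "ECDIS-1": ["10.10.0.5", "192.168.1.50"],   # second NIC added for chart updates
    "ENGINE-CTRL": ["10.10.0.7"],
    "CREW-PC-3": ["192.168.2.20"],
}


def zone_of(ip: str) -> str:
    """Map an address to its design zone; unknown addresses are treated as external."""
    address = ipaddress.ip_address(ip)
    for name, network in ZONES.items():
        if address in network:
            return name
    return "EXTERNAL"


def flow_violations(flows):
    """flows: iterable of (src_ip, dst_ip, dst_port). Returns those the design forbids."""
    violations = []
    for src, dst, port in flows:
        pair = (zone_of(src), zone_of(dst))
        if pair not in ALLOWED_FLOWS:
            violations.append(f"{src} ({pair[0]}) -> {dst}:{port} ({pair[1]}) not permitted by design")
    return violations


def dual_homed_assets():
    """Assets whose interfaces span more than one zone, mapped to the zones they join."""
    bridges = {}
    for asset, interfaces in ASSET_INTERFACES.items():
        zones = sorted({zone_of(ip) for ip in interfaces})
        if len(zones) > 1:
            bridges[asset] = zones
    return bridges


# Constructed flow records (as a firewall log would supply them).
OBSERVED_FLOWS = [
    ("192.168.1.50", "203.0.113.10", 443),  # ECDIS business NIC fetching chart updates: allowed
    ("10.10.0.7", "203.0.113.20", 123),     # engine controller talking to the internet: not allowed
    ("192.168.2.20", "10.10.0.7", 4001),    # crew laptop reaching an OT device: not allowed
    ("192.168.1.10", "10.10.0.5", 22),      # business host into the OT zone: not allowed
]

if __name__ == "__main__":
    for line in flow_violations(OBSERVED_FLOWS):
        print("FLOW:", line)
    for asset, zones in dual_homed_assets().items():
        print(f"BRIDGE: {asset} has interfaces in {zones}")
```

The two checks answer different questions. `flow_violations` shows traffic that should not exist at all, which is what a firewall review catches; `dual_homed_assets` shows a host that is itself the path between zones, which no per-flow rule will reveal and which is exactly how the ECDIS example above undermines an otherwise correct design. Neither replaces an assessor's test of the live network, but both can be run from existing records without touching OT equipment.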