If the hacker has established remote access to the vessel (perhaps through satcoms, creating a back door through a phishing attack or a physical network implant) the next step might be to tamper with the GPS data stream on the vessel network.

An ‘ARP poisoning’ attack involves the hacker instructing the various systems on the network to send their data to via them. The hacker effectively inserts themselves in to the data stream in what is known as a ‘man in the middle’ attack. By adjusting the GPS position reports from the GPS receiver in the NMEA 0183 data stream, the systems can be fooled.

Unlike GPS jamming or spoofing attacks, where no position data or gross position errors are received, this type of hack is much more insidious: the change in position is gradual and far harder to detect.

There’s a reason that their security isn’t great – for many years OT networks were completely isolated from the internet and from corporate networks. The threat vector was primarily from physical attack, so they were kept behind lock and key in, for example, electricity substations and water pumping stations.

Utilities faced a barrage of OT hacking incidents as systems were accidentally (or thoughtlessly) connected to the internet in the 2000’s. This culminated in the Stuxnet incident in 2009 and 2010; an attack by nation states against the Iranian uranium enrichment programme that got out of hand. Lift systems in Germany were affected, production lines in the USA were compromised, all users of similar OT to the Iranians. Those familiar with the ‘notPetya’ incident at Maersk will note similarities here, though that was an IT attack, not OT.

You may also come across terms such as ICS (Industrial Control Systems) and SCADA (Supervisory Control and Data Acquisition) but generally we mean the serial data networks and devices that control machinery.

Chapter 1 of the Operators Course (Op) discussed how OT has become more IT and now there is a bridge between the two.  There were rumours that certain government organisations went `old school` to typewriters as it was the only way to guarantee security.

“The problem with a Typewriter, is that I can’t download the latest software patches to keep me safe from a Virus or Hacker…….”

There are multiple networks on board any large vessel:

Business network

Crew network and WiFi

Bridge systems

OT networks, including engine management and propulsion

Satellite communications and the internet

…among many

Very often, the crew and operators perception of network segregation may not actually match the reality of the on board network. Through ongoing maintenance and upgrades to systems, changes by engineers and for many other reasons, carefully designed segregation may have been undermined.

For example, an ECDIS may have been isolated from the vessel IT network when first installed. In order to make the chart update process more efficient, automatic CMAP updates may have been implemented subsequently. In order to do this, it was connected to the business network so that it had access to the internet in order to access online chart update services. That well-intended change to the network has now accidentally created a link between the IT and OT networks, possibly exposing OT systems on the public internet.

Evaluating network segmentation requires certain network testing tools. Running these tools requires a degree of expertise; some tools can cause some systems to crash if run without care, particularly on the OT side of the network.

Tools such as NMAP are free, part of the Kali distribution. However, only experts in security assessment should use them on a live vessel network.

However, without testing the network, one is reduced to taking the word of the operator and crew.