Cruise Ships and Super Yachts – Understanding the impact of cyber incidents

OBSERVATIONS FROM MARINE & OFFSHORE CYBER ENGAGEMENTS

By Tom MacDonald, Managing Principal Security Consultant at Nettitude


01 CONTEXT

Nettitude have recently completed a variety of cyber engagements for our marine and offshore (M&O) clients, encompassing ISO 27001 assessments and incident response services through to penetration tests and threat intelligence-led red teaming.

As a result of these engagements, we feel well placed to offer guidance on how marine and offshore companies can improve the cyber security practices within their organisations: implementing change at the strategic level to set the conditions for future success, whilst also incorporating some quick wins at the operational and tactical level of marine operations. This article focuses on the cruise and superyacht subsectors of the M&O space, highlighting some of the challenges those industries face, but also showing where industry-specific factors can be used to improve security posture. It also draws out some higher-level themes that Nettitude believe can make a real difference in the high-risk area of marine operations.

Nettitude have been carrying out full-spectrum cyber assurance for over 15 years, and firmly believe that an isolationist approach to cyber security is unlikely to result in success. It is critical to consider an approach that comprises changes to people, process and technology within the business. Challenges in one area of the triad can be mitigated with strengths and successes in others.

Demonstrating real-world impact on your ships' systems from the vulnerabilities found provides a much deeper and more meaningful assessment than a simple list of technical issues would. For example, a technical issue (such as remote code execution) on a web interface can be used to gain access to the management systems for a superyacht's hospitality roster and pull the guest list for all upcoming events.

Nettitude firmly believes that all assurance-based testing (e.g. penetration testing, red teaming and social engineering) should lead to a clear understanding of the impacts on the assets that matter to you, so that clear business-based decisions can be made in terms of risk management.

02 SECTOR COMMONALITIES

Are ships as remotely isolated as often thought? While the answer varies in complexity depending on the marine sub-sector, for the cruise and superyacht industries remote isolation has long since passed, making cyber security a crucial concern.

Clients who have carried out their own threat modelling and concluded that their risk of compromise is extremely limited due to the 'water-gapped' nature of their vessels have later found these conclusions to be misleading. Thorough investigation of vessel connectivity has often revealed always-on banded VSAT connections for bluewater voyages, multiple 4G networks for use close to shore, and the ability to take bonded Ethernet connections from portside ISPs via an umbilical connection from the harbour.

Further examination has also revealed dedicated VSAT links to operational technology (OT) providers, carrying real-time data over unfiltered and unmonitored satellite links back to engine monitoring systems or third-party navigation software suppliers. These connections are often two-way, allowing the OT vendor direct access over poorly protected infrastructure to critical ship systems. An example of this can be seen using the Shodan.io query title:"sailor 900", which quickly reveals administrative interfaces for many VSAT terminals, as well as the exact locations of those vessels [1, 2].

Figure 1 - Shodan search results for VSAT connections for Sailor 900 systems
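As an added example (not Nettitude's tooling and not from the original article), the following Python scopes the same kind of Shodan query to a fleet's own address space and flags any record that exposes a VSAT terminal's web admin interface together with the position Shodan reports for it. The fleet prefixes, the sample records and the second banner pattern are constructed assumptions; a real run would feed records from the Shodan API, or from a shore-side scan of the fleet's own satellite, 4G and port-side ranges, into find_exposed_terminals().

```python
"""Scope a Shodan-style search to a fleet's own address space and flag
internet-exposed VSAT terminal admin interfaces.

Added example; not Nettitude's tooling and not from the original
article. The fleet prefixes, the sample records and the second banner
pattern are constructed assumptions for illustration.
"""
import ipaddress
import re

# Hypothetical prefixes the fleet's VSAT and 4G providers route to the ships.
FLEET_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/25")]

# Banner fragments identifying a terminal's web UI. "sailor 900" is the
# product the article's query targets; the second is a hypothetical
# placeholder for other terminal types in the fleet.
TERMINAL_TITLE_PATTERNS = [
    re.compile(r"sailor\s*900", re.I),
    re.compile(r"vsat\s+terminal", re.I),
]


def build_query(title="sailor 900"):
    """Shodan query restricted to the fleet's own ranges via the net: filter,
    so the results are your exposure rather than the whole internet's."""
    nets = " ".join(f"net:{net}" for net in FLEET_PREFIXES)
    return f'title:"{title}" {nets}'


# Constructed records in the shape (subset of fields) Shodan's JSON
# search results take. Addresses are documentation ranges.
SAMPLE_RECORDS = [
    {"ip_str": "203.0.113.17", "port": 80, "transport": "tcp",
     "http": {"title": "SAILOR 900 VSAT"},
     "location": {"latitude": 43.3, "longitude": 5.4}},
    {"ip_str": "203.0.113.18", "port": 443, "transport": "tcp",
     "http": {"title": "Crew Portal"},
     "location": {"latitude": 43.3, "longitude": 5.4}},
    {"ip_str": "192.0.2.9", "port": 80, "transport": "tcp",       # not fleet space
     "http": {"title": "Sailor 900 Login"},
     "location": {"latitude": 25.8, "longitude": -80.1}},
    {"ip_str": "198.51.100.40", "port": 22, "transport": "tcp",  # no HTTP banner
     "http": {}, "location": None},
]


def in_fleet_space(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in FLEET_PREFIXES)


def looks_like_terminal_ui(record):
    title = (record.get("http") or {}).get("title") or ""
    return any(p.search(title) for p in TERMINAL_TITLE_PATTERNS)


def find_exposed_terminals(records):
    """One finding per record that is both in fleet space and presents a
    terminal web UI to the internet. The reported position is kept
    because that is what leaks alongside the login page."""
    findings = []
    for r in records:
        if not in_fleet_space(r["ip_str"]) or not looks_like_terminal_ui(r):
            continue
        loc = r.get("location") or {}
        findings.append({
            "ip": r["ip_str"],
            "port": r["port"],
            "title": r["http"]["title"],
            "position": (loc.get("latitude"), loc.get("longitude")),
        })
    return findings


if __name__ == "__main__":
    print(build_query())
    for f in find_exposed_terminals(SAMPLE_RECORDS):
        print(f"EXPOSED {f['ip']}:{f['port']} '{f['title']}' at {f['position']}")
```

Only the first record is reported: the third carries the same banner but sits outside the fleet's space, and the last has no HTTP banner to match. Scoping with net: matters when the same query is run as a recurring check, otherwise the output is a list of other people's ships.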

Cruise ships vs super yachts

Many similarities exist between the cruise and superyacht industries, allowing us to highlight themes that apply to both. Both make use of information technology (IT) for the daily running of the vessel, with navigation, engine management, HVAC and other physical processes controlled by OT [3]. Both subsectors also face the pressure of client demands, whether that is 5000 passengers in the cruise industry or 150 guests of an owner in the superyacht sector. Due to the incredible complexity of modern bluewater vessels, both sectors outsource critical parts of vessel functionality to specialists. Both also make use of crew rotations in various forms, introducing additional complexity for knowledge handover and making longer change management programmes harder to run. Given the competition for employment in the sector, staff can be reluctant to make changes because of the risk of causing outages at critical times, so security slowly degrades over time.

1. https://www.shodan.io/search?query=title%3A%22sailor+900%22
2. http://192.234.80.206/
3. https://csrc.nist.gov/glossary/term/Operational-technology


03 THE CRUISE SECTOR

The cruise sector can introduce additional challenges for designing and implementing an effective cyber strategy. With such large vessels carrying over 5000 passengers [4] and constantly deployed, the ability to schedule patching windows, service outages or periods of upgrade can be extremely limited, given the tight economics of an underutilised vessel. Additional complexity is introduced by the vast array of systems involved in providing all the facilities and attractions that modern passengers expect: audiovisual and stage management systems are often as complex as those found in West End or Broadway theatres, and specialist knowledge can be extremely difficult to locate within the available pool of crew.

OT within the cruise industry can be unparalleled in scale and complexity, with detailed troubleshooting knowledge often limited even amongst senior crew. Given the requirement for absolute reliability of secondary and tertiary systems, it is extremely common for OEMs to have direct access to these systems from the vendor's headquarters. These connections are often insecure by design, opening the vessel to significant risk through a supply chain attack. Attacks of this nature have become more common as attackers realise that an easier route to their target can be through a trusted third-party company [5].

OT often has a significantly longer design life than IT on a modern liner and is not as easy to upgrade without extended periods of downtime and sea trials. During a recent engagement, Nettitude assessed various OT systems used within the industry and found multiple critical vulnerabilities within five days, which were responsibly disclosed to the manufacturer. Some of these vulnerabilities caused irreversible hardware failure and malfunction from simple network scanning techniques, alongside more advanced issues. Any active scanning of live shipboard OT should therefore be agreed with the vendor in advance, rate-limited, and rehearsed against a spare or test unit before it touches a vessel in service.


Governance, oversight and communications

Inter-team communication between network operations, security operations and OT vendors is essential to ensure that OT does not lead to increased physical risk. Whilst it may initially sound trivial, Nettitude have carried out red teaming engagements where it was evident that the network operations and security teams were located on different floors of a building, resulting in severely degraded communications at times of crisis and during incident response. By moving the teams physically closer together and using modern collaborative technology, the mean time to detect (MTTD) abnormal activity dropped sharply. This is just one aspect where the people and process sides of security combine to great effect.

24x7 continuous activity

However, this sector can also benefit from real economies of scale to secure its assets. The entire supporting organisation and business processes of cruise liners are accustomed to 24/7 activity and the 'follow the sun' model of business operations. This is critical from a people and process perspective, as attackers are rarely in the same time zone as the network defenders and have little respect for the target organisation's normal working hours. Nettitude's red team have used exactly this gap to demonstrate risk to clients, taking advantage of a weaker Security Operations Centre (SOC) night shift to reach defined asset objectives. Cruise liner operating companies are likely to already have a culture that lends itself to differing nations and outsourcers working together to ensure constant availability of logistics, safety and navigation.
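The night-shift gap described above, and the direct OEM access described earlier in this section, both come down to logins happening when nobody is expecting them. The following Python is an added example rather than Nettitude's detection content: it runs two such checks over constructed authentication log lines, flagging privileged logins outside the hours the SOC is fully staffed (evaluated in ship's local time, not UTC) and vendor-account logins that fall outside an agreed maintenance window or come from outside the vendor's declared source prefix. The log format, account names, prefixes, windows and time zone are all assumptions.

```python
"""Flag privileged and vendor remote logins that occur when they are not
expected, over constructed authentication log lines.

Added example, not Nettitude's detection content. The log format, the
account names, the source prefixes, the maintenance windows and the
ship's time zone are assumptions made for illustration.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Ship's local time, constructed as UTC+2. Logs are assumed to be in UTC.
SHIP_TZ = timezone(timedelta(hours=2))
# Local hours during which the shore SOC is fully staffed (07:00-21:59);
# a privileged login outside them deserves a closer look.
STAFFED_HOURS = range(7, 22)

PRIVILEGED_USERS = {"root", "admin", "ecdis_admin"}

# Vendor/OEM accounts are allowed only from the vendor's declared prefix
# and only inside an agreed maintenance window (UTC). Hypothetical data.
VENDOR_POLICY = {
    "oem_engine": {
        "src": ipaddress.ip_network("198.51.100.0/24"),
        "windows": [(datetime(2024, 3, 8, 9, 0, tzinfo=timezone.utc),
                     datetime(2024, 3, 8, 12, 0, tzinfo=timezone.utc))],
    },
}

# Synthetic key=value line format used by the constructed log below.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>\S+)"
)

# Constructed log: one benign admin login (08:05 local), one in-window
# vendor login, one out-of-window vendor login, one vendor login from
# the wrong source, one ordinary crew login and one root login at
# 04:00 local.
SAMPLE_LOG = """\
2024-03-08T06:05:11Z host=bridge-hmi user=ecdis_admin src=10.10.1.5 result=success
2024-03-08T10:30:00Z host=engine-pc user=oem_engine src=198.51.100.7 result=success
2024-03-08T01:12:44Z host=engine-pc user=oem_engine src=198.51.100.7 result=success
2024-03-08T10:45:00Z host=engine-pc user=oem_engine src=192.0.2.50 result=success
2024-03-08T12:00:30Z host=crew-ws-3 user=deckhand src=10.10.2.9 result=success
2024-03-08T02:00:00Z host=bridge-hmi user=root src=10.10.1.5 result=success
"""


def parse(line):
    """Parse one log line into a dict with a timezone-aware UTC timestamp."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def off_hours(ts_utc):
    """True when the UTC timestamp falls outside staffed hours in ship's local time."""
    return ts_utc.astimezone(SHIP_TZ).hour not in STAFFED_HOURS


def vendor_violations(ev):
    """Policy breaches for a vendor account login; empty list for non-vendor users."""
    pol = VENDOR_POLICY.get(ev["user"])
    if pol is None:
        return []
    problems = []
    if ipaddress.ip_address(ev["src"]) not in pol["src"]:
        problems.append("vendor login from non-allowlisted source")
    if not any(start <= ev["ts"] <= end for start, end in pol["windows"]):
        problems.append("vendor login outside maintenance window")
    return problems


def detect(log_text):
    """Return (timestamp, host, user, reasons) for each successful login that
    breaks one of the rules. Failed logins are left to brute-force logic."""
    findings = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None or ev["result"] != "success":
            continue
        reasons = vendor_violations(ev)
        if ev["user"] in PRIVILEGED_USERS and off_hours(ev["ts"]):
            reasons.append("privileged login outside staffed hours")
        if reasons:
            findings.append((ev["ts"].isoformat(), ev["host"], ev["user"], reasons))
    return findings


if __name__ == "__main__":
    for ts, host, user, reasons in detect(SAMPLE_LOG):
        print(ts, host, user, "; ".join(reasons))
```

Three of the six lines are reported. The first line is not: 06:05 UTC is 08:05 aboard, which is why the staffed-hours check converts to ship's local time before comparing, and why a fleet spread across time zones needs that offset per vessel rather than one global value.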

Roles and responsibilities

The scale of owner companies can also allow dedicated staff to be assigned solely to fleet security duties: dockside, at headquarters and on board as part of monitoring shipboard assets. It is extremely likely that workstations and servers are already being monitored for service availability by systems administrators, reducing the effort required for a security administrator to gain visibility of network activity aboard the ship. Larger ships can more easily add a team of security administrators to an already sizeable crew. A sensible strategy could be an ongoing programme of secondment from the shoreside IT/OT team onto a vessel for a short period. This would hugely improve inter-team relationships as well as highlight the constraints and frustrations that each team continually operates within. The end state is increased communication and a greater willingness to appreciate the balance required between security and usability.

4. https://www.royalcaribbeanpresscenter.com/fact-sheet/31/symphony-of-the-seas/
5. https://www.theregister.co.uk/2019/04/16/wipro_confirms_flushing_phishers_from_systems/


04 SUPERYACHT SECTOR

Whilst there are similarities between cruise liners and superyachts, there are also stark differences. Yacht owners are often extremely concerned with the privacy of their personal and business affairs, as well as ensuring that physical security is never compromised. Superyachts often have periods where the owner is not using the vessel, allowing the crew to undertake patching, architecture revisions and security upgrades. Whilst the owner is aboard, however, the need to guarantee 100% availability of internet, gaming connections, theatre systems and HD streaming can lead to misconfigurations born of the desire to 'just make it work'. During a recent assessment, Nettitude saw an air-gapped AV network bridged by a well-intentioned firewall rule put in place to make it easier for the crew to copy newly downloaded movies onto the owner's Plex media server. This had the unintended effect of allowing an attacker to gain access to the media network, due to the lack of network access controls, and then tunnel into the main superyacht operations network to carry out onward exploitation.
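The 'just make it work' rule above is a reachability problem: a rule that is narrow in intent but broad in effect, joined to a segment that has no onward controls of its own. The following Python is an added example, not the client's configuration and not any firewall product's rule syntax. It encodes constructed segments and rules mirroring that finding, follows unrestricted rules transitively, and reports every chain by which a lower-trust segment can reach operations; the same intent is then re-expressed as a single host-and-port permission to show the bridge disappear.

```python
"""Audit inter-segment firewall rules for chains that bridge a supposedly
isolated segment into the vessel's operations network.

Added example, not from the original article and not any vendor's rule
format. Segment names and rules are constructed to mirror the finding
described in the text; they are not the client's configuration.
"""
from collections import deque

# Trust ordering, low to high. Hypothetical segments.
SEGMENTS = ["guest_wifi", "crew", "media_av", "ops"]
TRUST = {name: i for i, name in enumerate(SEGMENTS)}

# A rule permits flows from src segment to dst segment. service "any"
# means no filtering between the two segments; a (host, port) tuple
# restricts the permission to one destination service.
# Constructed ruleset reproducing the finding: crew can reach the whole
# AV segment, and the AV segment has no controls towards ops.
WEAK_RULES = [
    {"src": "crew", "dst": "media_av", "service": "any",
     "comment": "let crew copy movies to the Plex server"},
    {"src": "media_av", "dst": "ops", "service": "any",
     "comment": "implicit: no ACLs between AV network and ops"},
    {"src": "guest_wifi", "dst": "crew", "service": ("smtp-relay", 25),
     "comment": "guest mail relay"},
]

# Same intent, as one narrow, one-directional permission, with the
# media_av -> ops gap closed (no rule, so no path).
FIXED_RULES = [
    {"src": "crew", "dst": "media_av", "service": ("plex-server", 32400),
     "comment": "only the Plex service, only from crew, nothing back"},
    {"src": "guest_wifi", "dst": "crew", "service": ("smtp-relay", 25),
     "comment": "guest mail relay"},
]


def reachable_paths(rules, target):
    """Every chain of rules by which some segment reaches `target`.
    Unrestricted ("any") rules are followed transitively, because a foothold
    in the destination segment can be used as the next hop. A host/port
    restricted rule is not followed beyond its destination: it grants one
    service, not the segment, so it only counts if that destination is
    `target` itself."""
    paths = []
    frontier = deque([(seg, []) for seg in SEGMENTS if seg != target])
    while frontier:
        seg, chain = frontier.popleft()
        for rule in rules:
            if rule["src"] != seg or rule in chain:
                continue
            new_chain = chain + [rule]
            if rule["dst"] == target:
                paths.append(new_chain)
            elif rule["service"] == "any":
                frontier.append((rule["dst"], new_chain))
    return paths


def bridging_findings(rules, target="ops"):
    """Paths into `target` that originate in a segment of lower trust."""
    return [p for p in reachable_paths(rules, target)
            if TRUST[p[0]["src"]] < TRUST[target]]


def describe(path):
    """Render a chain as 'src -> hop -> ... -> dst'."""
    return " -> ".join([path[0]["src"]] + [r["dst"] for r in path])


if __name__ == "__main__":
    for label, rules in (("WEAK", WEAK_RULES), ("FIXED", FIXED_RULES)):
        found = bridging_findings(rules)
        print(f"{label}: {len(found)} bridging path(s)")
        for p in found:
            print("  ", describe(p), "|", " / ".join(r["comment"] for r in p))
```

Against WEAK_RULES the audit reports both media_av -> ops and the two-hop chain crew -> media_av -> ops; the crew rule looked harmless on its own and only becomes a bridge because of the missing control behind it. Against FIXED_RULES nothing is reported: the crew permission stops at the Plex service and there is no rule from the media segment into operations.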


Crews aboard yachts are often significantly smaller, with certain staff carrying several job roles concurrently. A perfect example is the Electro-Technical Officer (ETO), who has responsibility for anything electrical aboard the entire vessel once the electricity leaves the engines [6]. This can range from running the owner's theatre system or replacing batteries in guest room door locks through to managing the VSAT connection. Running the equivalent of a medium-sized business's IT network and guaranteeing the confidentiality, integrity and availability of its data is a dedicated skillset that requires significant system administration experience. This is rarely combined with knowledge of marine electrical systems such as radar, radio, navigation systems and electrical distribution.

Roles, responsibilities, training and testing

Nettitude would recommend that owners invest heavily in training ETOs in modern business IT practices, as well as partnering with CREST-accredited security firms to carry out rolling vulnerability analysis and penetration testing. Where ongoing training is not possible, an alternative is to employ a dedicated security administrator who is responsible for security aboard all fleet vessels, manages relationships with third-party security companies and holds third-party IT/OT outsourcers to security best practice. It is critical that owners understand that their business affairs and personal security are being placed at risk by poor systems administration practices coupled with the perception that the yacht is 'water-gapped'.

Secure design and commission

Yacht maintenance and inventory management software is often poorly designed or supports only weak authentication mechanisms. This can allow attackers to gain access to internal plans and imagery of the vessel, removing the need to physically monitor and reconnoitre it: that data becomes accessible to the attacker remotely after a single successful phish of a crew member. It is also essential that secure design principles are applied to the networks, software and operational procedures of new vessels during their design, procurement, build and commissioning.

Holistic simulation of real world impacts

Where owner buy-in is proving difficult to achieve, engagement with the owner's own security team and a threat-intelligence-led penetration test against the vessel and its crew can often serve to highlight areas of weakness and demonstrate the impact of a future compromise. Nettitude recently carried out a security assessment of a superyacht that resulted in multiple CVEs being discovered in custom yacht software and the production of a full attack chain representing total compromise of all data on the vessel in under nine hours. As part of this assessment, Nettitude were able to determine and alter the blind spots of the security cameras, as well as alter the logging posture of the door control software to allow unauthorised access to the owner's cabin and the engine room.

6. https://www.yachting-pages.com/content/tips-for-an-electro-technical-officer-eto-on-a-superyacht.html


05 MITIGATION

Throughout this report we have touched on areas where these industries face challenges, but also where they can make quick improvements. There are several further areas in which all M&O sectors can make changes.

1: Strategic intent and objectives

The most critical is the provision of an organisation-wide cyber security strategy, as change is most likely to be implemented from the top. Without this strategy, vision and oversight from the key decision makers, there will be no common goal for teams to work towards, and small pockets of uncoordinated excellence will develop. The aim is to create a team of teams [7], working together to achieve the goals set down in the strategy. Frameworks such as the LR Cyber Security Framework (CSF) or NCSC guidance can also provide a handrail for businesses unsure of what steps to take. These frameworks should be holistic and take into account far more than the traditional class-based activities focused solely on the vessels: they should include shore-based operations, third parties and cloud services as well as the vessels themselves.

2: Skills and capabilities

Having dedicated fleet security staff who are experienced in modern administration and technologies, and who are empowered to make potentially disruptive change, can significantly improve security posture. Nettitude frequently see organisations that have recruited cyber specialists but have not empowered them to effect change outside their own department, instead forcing multi-month change processes for small amendments such as removing cleartext network management protocols. Where IT and OT systems add greater complexity, each system should be assigned a dedicated security-focused member of staff who reports into the organisation-wide security committee and steering groups. Recruitment criteria can also be amended to allow experienced systems administrators or security personnel to transfer into the M&O space. Requiring staff who run IT systems aboard vessels to have 3-5 years of experience on a superyacht narrows the recruitment pool and prevents otherwise competent IT staff from applying and bringing modern practices and technologies with them.

3: 3rd parties and assurance

Third-party outsourcers and their products should also be validated and tested to ensure that they do not present an easier route into the target organisation, and should be required to show that their software was developed under a secure software development lifecycle or is aligned to appropriate Evaluation Assurance Levels (EALs) [8]. Larger businesses with greater buying power may be able to insist on attending vendors' headquarters to verify that administrative practices are up to standard (for example, that credentials for each vessel are unique and that access to vessels is prevented except during maintenance windows).

Assurance testing should be conducted at organisational and component levels to provide the level of assurance required to validate that cyber security threats can be mitigated effectively.

4: Simulating the response to potential impacts

Incident response and crisis scenarios and tabletop exercises [9, 10] can also help an organisation iron out frictions in its playbooks, as well as highlight gaps in the defensive posture. In Nettitude's experience, these activities and their consequences often act as the catalyst for meaningful change in an organisation. Clients in the M&O space are an attractive target for attackers. However, by implementing modern enterprise IT practices around people, process and technology, adopting a cyber security strategy and maintaining basic cyber hygiene, it is possible to drastically reduce the likelihood and severity of a compromise.

For more details on bespoke M&O security assurance and consultative services, please get in touch with Nettitude directly at solutions@nettitude.com

7. https://medium.com/@beaugordon/key-takeaways-from-team-of-teams-by-general-stanley-mcchrystal-eac0b37520b9
8. https://www.commoncriteriaportal.org/
9. https://www.ncsc.gov.uk/information/exercise-in-a-box
10. https://www.lr.org/en/latest-news/preparing-for-the-maritime-cyber-security-challenge/


UK Head Office: Jephson Court, Tancred Close, Leamington Spa, CV31 3RZ
Americas: 50 Broad Street, Suite 403, New York, NY 10004
Asia Pacific: 1 Fusionopolis Place, #09-01, Singapore, 138522
Europe: Zekeringstraat 52, Amsterdam, 1014 BT
solutions@nettitude.com | www.nettitude.com

