The test results revealed with startling simplicity how easily hackers can access and override ship-critical systems.
With the permission and under the supervision of system manufacturers and owners, Naval Dome’s cyber engineering team hacked into live, in-operation systems used to control a ship’s navigation, radar, engines, pumps and machinery.
While the test ships and their systems were not in any danger, Naval Dome was able to shift the vessel’s reported position and mislead the radar display. Another attack resulted in machinery being disabled, signals to fuel and ballast pumps being overridden and steering gear controls manipulated.
Commenting on the first wave of penetration tests, carried out on the ship’s ECDIS, Asaf Shefi, Naval Dome's CTO and former Head of the Israeli Naval C4I and Cyber Defense Unit, said: "We succeeded in penetrating the system simply by sending an email to the Captain's computer.
“We designed the attack to alter the vessel’s position at a critical point during an intended voyage - during night-time passage through a narrow canal. During the attack, the system's display looked normal, but it was deceiving the Officer of the Watch. The actual situation was completely different to the one on screen. If the vessel had been operational, it would have almost certainly run aground,” he explained.
According to Shefi, the Naval Dome hack was able to alter draught/water depth details in line with the spurious position data displayed on screen.
“The vessel's crucial parameters - position, heading, depth and speed - were manipulated in a way that the navigation picture made sense and did not arouse suspicion,” he said. "This type of attack can easily penetrate the antivirus and firewalls typically used in the maritime sector.”
Commenting on the ease with which Naval Dome was able to bypass existing cyber security measures, Shefi further explained: "The Captain's computer is regularly connected to the internet through a satellite link, which is used for chart updates and for general logistic updates. Our attacking file was transferred to the ECDIS in the first chart update. The penetration route was not too complicated: the attacking file identified the Disk-On-Key used for the update and installed itself. So once the officer had updated the ECDIS, our attack file immediately installed itself onto the system.”
In a second attack, the test ship’s radar was hit. While the radar is widely considered an impregnable, standalone system, Naval Dome's team used the local Ethernet switch interface - which connects the radar to the ECDIS, bridge alert system and VDR - to hack the system.
“The impact of this controlled attack was quite frightening,” said Shefi. "We succeeded in eliminating radar targets, simply deleting them from the screen. At the same time, the system display showed that the radar was working perfectly, including detection thresholds, which were presented on the radar as perfectly normal.”
A third controlled attack was performed on the machinery control system (MCS). In this case, Naval Dome's team chose to penetrate the system using an infected USB stick placed in an inlet/socket.
"Once we connected to the vessel's MCS, the virus file ran itself and started to change the functionality of auxiliary systems. The first target was the ballast system and the effects were startling. The display was presented as perfectly normal, while the valves and pumps were disrupted and stopped working. We could have misled all the auxiliary systems controlled by the MCS, including air-conditioning, generators, fuel systems and more.”
Itai Sela, CEO of Israel-headquartered Naval Dome, warned that the virus infecting ship systems can also be unwittingly transferred by the system manufacturer.
“As manufacturers themselves can be targeted, when they take control of on board computers to carry out diagnostics or perform software upgrades, they can inadvertently open the gate to a cyber attack and infect other PC-based systems on board the ship. Our solution can prevent this from happening,” he claimed.
Meanwhile, following a recent blog post that used Shodan, a search engine which finds devices connected to the internet, to highlight vessel satcom box vulnerabilities, Pen Test Partners has again warned shipowners and operators to ensure their satcom boxes are secure.
In the updated blog, senior partner Ken Munro explained how he was able to use a new real-time ship-mapping feature on Shodan to geo-locate vulnerable vessels through their satcom boxes.
By combining this with AIS data, hackers have everything they need to select a suitable ship to attack. They can choose a vessel en route to a nearby port, ready for load theft, or perhaps cripple a ship in a particular area, ready for piracy.
“Although it was possible before to find a specific vessel’s location, it required a lot of work to analyse and present it on a map. The new mapping feature makes it trivially easy for hackers and criminals alike,” warned Munro.
He urged shipowners and operators to secure their satcom boxes by changing default passwords and applying all updates received from their satellite communication providers immediately.