PortandTerminal.com, February 20, 2020
LONDON – Recently, penetration testers looking at commercial shipping and oil rigs discovered a whole host of security blunders and vulnerabilities – including one set that would have let them take full control of a rig at sea.
The Register, a UK-based news website covering IT and science, published an interview with Ken Munro from Pen Test Partners, the company that identified the oil rig’s IT vulnerabilities. The original interview is available on The Register. The following is a quick run-down of what Munro and the PTP team found and why it is so terrifying.
First, a bit about the people who did the penetration testing.
Who are Pen Test Partners?
Pen Test Partners (PTP) is a UK-based infosecurity, or “infosec”, consulting firm that specialises in doing what its name says – penetration testing. They get hired to try to penetrate an organization’s IT systems, find its vulnerabilities and advise on how to fix them before the bad guys can do any damage. Think of PTP as the ethical hackers you want to have on your team.
Recently, penetration testers at PTP looking at commercial shipping and oil rigs discovered a litany of security blunders and vulnerabilities – including one set that would have let them take full control of a rig at sea.
Let’s repeat that. After doing maritime penetration testing PTP discovered vulnerabilities that would have allowed them to gain “full compromise” of a deep sea drilling rig, as used for oil exploration.
PTP’s founder Ken Munro explained they would have had control of “stop engine, fire up thrusters (dynamic positioning system), change rudder position, mess around with navigation, brick systems, switch them off, you name it.” Basically, they could have driven away an oil rig.
That can’t be good.
What did PTP learn about maritime info security?
PTP’s Nigel Hearne explained as politely as he could that many maritime tech vendors have a “variable” approach to security.
Making heavy use of the word “poor” to summarise what he had seen over the past year of testing, Hearne wrote that he and his colleagues had examined everything from the aforementioned deepwater exploration and drilling rig to a brand new cruise ship to a Panamax container vessel, and a few others in between.
Among other things the team found were clandestine Wi-Fi access points in non-Wi-Fi areas of ships (“they want to stream tunes/video in a work area that they can’t get crew Wi-Fi in,” said Munro), and crews bridging designed gaps between ships’ engineering control systems and human interface systems.
Why were seafarers doing something that seems so obviously silly to an infosec-minded person? Munro told the Register: “Someone needs to administrate or monitor systems from somewhere else in the vessel, saving a long walk. Ships are big!”
Another potential explanation proffered by Munro could apply to cruise ship crews, where Wi-Fi is generally a paid-for, metered commodity: “Their personal satellite data allowance has been used up, so they put a rogue Wi-Fi AP on to the ship’s business network where there are no limits.”
A Panamax vessel (the largest size of ship that can pass through the Panama Canal, the vital central American shipping artery between the Atlantic and Pacific) can be up to 965 feet from stem to stern. A crew member needing to move from, say, bow thruster to main machinery control room in the aft part of the ship and back again will spend significant amounts of time doing so. It’s far easier to jury-rig remote access than do all that walking.
PTP also found that old infosec chestnut, default and easy-to-guess passwords – along with a smattering of stickers on PCs with passwords in plaintext.
“One of the biggest surprises (not that I should have been at all surprised in hindsight) is the number of installations we still find running default credentials – think admin/admin or blank/blank – even on public facing systems,” sighed Hearne, detailing all the systems he found that were using default creds – including an onboard CCTV system.
The pentesters also found “hard coded credentials” embedded in critical items including a ship’s satcom (satellite comms mast) unit, potentially allowing anyone aboard the ship to log in and piggyback off the owners’ paid-for internet connection – or to cut it off.
Copyright © 2019 PortandTerminal.com. All rights reserved. This material may not be published, broadcast, written or redistributed.