Security

Cyber Pirates Prowling Ship Controls Threaten Another Big Shock (bloomberg.com)

An anonymous reader shares a report: In February 2019, a large container ship sailing for New York identified a cyber intrusion on board that startled the US Coast Guard. Though the malware attack never controlled the vessel's movement, authorities concluded that weak defenses exposed critical functions to "significant vulnerabilities." A maritime disaster didn't happen that day, but a warning flare rose over an emerging threat to global trade: cyber piracy able to penetrate on-board technology that's replacing old ways of steering, propulsion, navigation and other key operations. Such leaps in hacking capabilities could do enormous economic damage, particularly now, when supply chains are already stressed from the pandemic and the war in Ukraine, experts including a top Coast Guard official said.

"We've been lucky so far," said Rick Tiene, vice president with Mission Secure, a cybersecurity firm in Charlottesville, Virginia. "More and more incidents are happening, and the hackers are getting a better understanding what they can do once they've taken over an operational technology system. In the case of maritime -- whether it be the ports or the vessels themselves -- there is a tremendous amount that could be done to harm both the network and physical operations." Rear Admiral Wayne Arguin, the Coast Guard's assistant commandant for prevention policy, said shipping faces cyber risks similar to those in other industries -- it's just that the stakes are so much higher given that almost 80% of global trade moves on the sea. While Arguin declined to put a number on the frequency of attempted break-ins, he said "I feel very confident that every day networks are being tested, which really reinforces the need to have a plan."
"That universe includes not just ship operators but port terminals and the thousands of logistics links in global supply chains that are increasingly interconnected," the story adds.

  • by Burdell ( 228580 ) on Wednesday June 29, 2022 @10:33AM (#62659672)

    Eugene!

  • by Alumoi ( 1321661 ) on Wednesday June 29, 2022 @10:35AM (#62659676)

    What could go wrong?

  • by Opportunist ( 166417 ) on Wednesday June 29, 2022 @10:36AM (#62659682)

    If you don't have the first clue about security but insist on using technology because "it allows me to cut corners", that is what you get.

    No sympathy from me, frankly. Get your shit secured or perish.

  • 27 year old story (Score:4, Insightful)

    by DaFallus ( 805248 ) on Wednesday June 29, 2022 @10:52AM (#62659720)
    Wasn't this the plot from Hackers? That movie came out like 27 years ago.

    But seriously, why do we have to go through this cycle over and over again? Someone thinks it would be a good idea to hook something up to the internet while simultaneously ignoring lessons from every single time any new type of device is introduced to the internet.
    • Boss: Hey make it so I can access this shit from home. Don’t give me any complex passwords or dongles either. Nobody has time for that.
      IT: Sir that would be a huge security risk.
      Boss: I don’t care make it happen or I’ll find someone who will!
      IT: Alrighty then here’s your remote desktop shortcut with a password of 123.

      • by davidwr ( 791652 )

        Another version:

        Boss: Hey make it so I can access this shit from home. Don't give me any complex passwords or dongles either. Nobody has time for that.
        IT: OK, but it will take 6 months and a million dollars to run a dedicated fiber line from the office to your home, are you okay with that?
        Boss: *momentarily shocked*
        IT: It's either that, or I give you a remote desktop shortcut with a password of 123 then we get sued for 10 or 100 times that much when someone hacks the system.

        How this one will end de

    • by RobinH ( 124750 )

      Yeah, "the little boat... flipped over."

      "Then put the ship's ballasts under manual control."

      "There's no such thing anymore, Dick."

    • by ctilsie242 ( 4841247 ) on Wednesday June 29, 2022 @11:56AM (#62659904)

      A simple phrase I've heard over and over again in IT: "Security has no ROI".

      • by HiThere ( 15173 )

        Yes. And (nearly) everyone knows that it's wrong. You just can't calculate the ROI on security. This doesn't mean it doesn't exist.

        • 100% agreed, it is wrong. There is a reason why companies pay for insurance, locks on the door, and fire protection. However, it seems that in many companies, programming security just goes out the window, because it gives the company more money to add more features or revenue streams than to have defense in depth in the code.

        • Security doesn't have ROI - it mitigates LOI
      • A simple phrase I've heard over and over again in IT: "Security has no ROI".

        I usually respond to that by asking how much of a loss we're looking at when something gets compromised and we have to restore all of the VMs on that server.

    • That's what my mind went to. The fake virus from Hackers.
  • ... provided your ship is equipped and staffed to operate under manual control long enough to park itself in a safe state.

    I mean, how hard is it to make sure that instructions are authentic and they actually came from an authorized person, not some remote (off-ship) computer that itself could be hacked? How hard is it to have a "man in the middle" on the ship that relays the authenticated instructions to any system that controls the ship itself? This isn't rocket science, folks.

    If the "man in the middle"

    • provided your ship is equipped and staffed to operate under manual control long enough to park itself in a safe state.

      Unfortunately that is exactly the opposite of the industry's vision of the future, which is to have no staff on board the ship, and to replace them with a combination of automatic fire control systems (or more likely, just more insurance) and to contract repair techs to fly out to the ship if there's a problem. Taking the crew off the ship means they can't be kidnapped for ransom by pirates.

    • One would hope humans would correct the errors, but remember the human responsible for making sure the Uber self driving car didn't run into anything, preferably humans?

      More directly is the Torrey Canyon crash. When humans assume their control input will produce the desired outcome, they can be slow to figure out what they expect isn't what is happening, even controlling ships that should provide plenty of reaction time:

      4. The master ordered a change of course but that took the ship, as he was aware, towa

    • Two trends that do not help: 1) more companies want their ships under computer and centralized control and 2) more companies want fewer crew. In the extreme example, a takeover could happen at a critical time and not give the crew enough time to react, i.e. steer an oil tanker to run aground and spill their oil into the environment. In lesser examples, simple piracy is a possibility. Fool a cargo ship into a hostile country's waters so that it can be seized. For example Russia is suffering sanctions right now
      • A 100% autonomous ship also gives the ship's owner a lot of plausible deniability. For example, if the ship is not making any money, it can just "drift off course", fry its electronics, and sink. All from remote. Add a dubious message from "pirates" (this could just be an anonymous email with photos of stuff in the ship, or perhaps something more elaborate using deepfakes), and the owner now can do a complete claim on insurance, washing their hands off of that unprofitable ship for good.

        Of course, the se

        • Unlikely. By the time you have a vessel that's decrepit enough to qualify for such a scenario it's unlikely that it can sail autonomous as its engine will require continuous T&C to make that final trip. Not to mention that retrofitting remote control on such a ship just before its final voyage is going to look suspicious.
  • by whitroth ( 9367 ) on Wednesday June 29, 2022 @11:22AM (#62659786)

    Ten or fifteen years ago, some stupid 16 yr old asshole in the UK played with Britrail switches, and people died.

    And you want to make your ship's controls Internet-enabled, no air gap.

    The CEOs and CTOs need to go to jail for personal liability.

  • Given the Russian tankers running around with their transponders off so they can sell oil, this kind of thing makes an ideal excuse to blow shit out of the water if it's not under positive control and ID.

  • But I thought that maritime treaties guaranteed open ports!

  • Cars are now full of computers controlling everything and communicating over an internal network. Controls for the radio, locks, starter, windows, cruise control, climate control are also on the network. Ships are no different.

    Then they added wireless access to things on the network. Not just WiFi. There are key fobs, bluetooth, cell or satellite access like GM's Onstar. The locks, starter, radio controls, climate control, fuel injection are all on that internal network.

    So now, instead of needing to bre

  • Reliant's prefix code is 16309. If they're still using 5-digit PINs a couple centuries from now, then today's Coast Guard is probably pretty fucked.
