Cyber Pirates Prowling Ship Controls Threaten Another Big Shock (bloomberg.com) 34
An anonymous reader shares a report: In February 2019, a large container ship sailing for New York identified a cyber intrusion on board that startled the US Coast Guard. Though the malware attack never controlled the vessel's movement, authorities concluded that weak defenses exposed critical functions to "significant vulnerabilities." A maritime disaster didn't happen that day, but a warning flare rose over an emerging threat to global trade: cyber piracy able to penetrate on-board technology that's replacing old ways of steering, propulsion, navigation and other key operations. Such leaps in hacking capabilities could do enormous economic damage, particularly now, when supply chains are already stressed from the pandemic and the war in Ukraine, experts including a top Coast Guard official said.
"We've been lucky so far," said Rick Tiene, vice president with Mission Secure, a cybersecurity firm in Charlottesville, Virginia. "More and more incidents are happening, and the hackers are getting a better understanding what they can do once they've taken over an operational technology system. In the case of maritime -- whether it be the ports or the vessels themselves -- there is a tremendous amount that could be done to harm both the network and physical operations." Rear Admiral Wayne Arguin, the Coast Guard's assistant commandant for prevention policy, said shipping faces cyber risks similar to those in other industries -- it's just that the stakes are so much higher given that almost 80% of global trade moves on the sea. While Arguin declined to put a number on the frequency of attempted break-ins, he said "I feel very confident that every day networks are being tested, which really reinforces the need to have a plan." "That universe includes not just ship operators but port terminals and the thousands of logistics links in global supply chains that are increasingly interconnected," the story adds.
"We've been lucky so far," said Rick Tiene, vice president with Mission Secure, a cybersecurity firm in Charlottesville, Virginia. "More and more incidents are happening, and the hackers are getting a better understanding what they can do once they've taken over an operational technology system. In the case of maritime -- whether it be the ports or the vessels themselves -- there is a tremendous amount that could be done to harm both the network and physical operations." Rear Admiral Wayne Arguin, the Coast Guard's assistant commandant for prevention policy, said shipping faces cyber risks similar to those in other industries -- it's just that the stakes are so much higher given that almost 80% of global trade moves on the sea. While Arguin declined to put a number on the frequency of attempted break-ins, he said "I feel very confident that every day networks are being tested, which really reinforces the need to have a plan." "That universe includes not just ship operators but port terminals and the thousands of logistics links in global supply chains that are increasingly interconnected," the story adds.
I heard it was The Plague (Score:3)
Eugene!
Re: (Score:1)
Re: (Score:2)
"I will not allow a network computerized system to be placed on this ship while I'm in command."
Commander Adama [youtube.com]
Re: (Score:2)
Critical systems exposed to the internet (Score:3)
What could go wrong?
look at me... I'm the captain now. (Score:2)
That's what you get (Score:3, Insightful)
If you don't have the first clue about security but insist in using technology because "it allows me to cut corners", that is what you get.
No sympathy from me, frankly. Get your shit secured or perish.
27 year old story (Score:4, Insightful)
But seriously, why do we have to go through this cycle over and over again? Someone thinks it would be a good idea to hook something up to the internet while simultaneously ignoring lessons from every single time any new type of device is introduced to the internet.
Re: (Score:3)
Boss: Hey make it so I can access this shit from home. Don’t give me any complex passwords or dongles either. Nobody has time for that.
IT: Sir that would be a huge security risk.
Boss: I don’t care make it happen or I’ll find someone who will!
IT: Alrighty then here’s your remote desktop shortcut with a password of 123.
Re: (Score:1)
Another version:
Boss: Hey make it so I can access this shit from home. Donâ(TM)t give me any complex passwords or dongles either. Nobody has time for that.
IT: OK, but it will take 6 months and a million dollars to run a dedicated fiber line from the office to your home, are you okay with that?
Boss: *momentarily shocked*
IT: It's either that, or I give you a remote desktop shortcut with a password of 123 then we get sued for 10 or 100 times that much when someone hacks the system.
How this one will end de
Re: (Score:2)
Yeah, "the little boat... flipped over."
"Then put the ship's ballasts under manual control."
"There's no such thing anymore, Dick."
Re:27 year old story (Score:5, Insightful)
A simple phrase I've heard over and over again in IT: "Security has no ROI".
Re: (Score:2)
Yes. And (nearly) everyone knows that it's wrong. You just can't calculate the ROI on security. This doesn't mean it doesn't exist.
Re: (Score:2)
100% agreed, it is wrong. There is a reason why companies pay for insurance, locks on the door, and fire protection. However, it seems that in many companies, programming security just goes out the window, because it gives the company more money to add more features or revenue streams than to have defense in depth in the code.
Re: (Score:3)
Re: (Score:2)
A simple phrase I've heard over and over again in IT: "Security has no ROI".
I usually respond to that by asking how much of a loss we're looking at when something gets compromised and we have to restore all of the VMs on that server.
Re: 27 year old story (Score:2)
This doesn't seem like a hard problem to solve ... (Score:1)
... provided your ship is equipped and staffed to operate under manual control long enough to park itself in a safe state.
I mean, how hard is it to make sure that instructions are authentic and they actually came from an authorized person, not some remote (off-ship) computer that itself could be hacked? How hard is it to have a "man in the middle" on the ship that relays the authenticated instructions to any system that controls the ship itself? This isn't rocket science, folks.
If the "man in the middle"
Re: (Score:2)
provided your ship is equipped and staffed to operate under manual control long enough to park itself in a safe state.
Unfortunately that is exactly the opposite of the industry's vision of the future, which is to have no staff on board the ship, and to replace them with a combination of automatic fire control systems (or more likely, just more insurance) and to contract repair techs to fly out to the ship if there's a problem. Taking the crew off the ship means they can't be kidnapped for ransom by pirates.
Re: (Score:2)
One would hope humans would correct the errors, but remember the human responsible for making sure the Uber self driving car didn't run into anything, preferably humans?
More directly is the Torrey Canyon crash. When humans assume their control input will produce the desired outcome, they can be slow to figure out what they expect isn't what is happening, even controlling ships that should provide plenty of reaction time:
4. The master ordered a change of course but that took the ship, as he was aware, towa
Re: (Score:2)
Re: (Score:2)
A 100% autonomous ship also gives the ship's owner a lot of plausible deniability. For example, if the ship is not making any money, it can just "drift off course", fry its electronics, and sink. All from remote. Add a dubious message from "pirates" (this could just be an anonymous email with photos of stuff in the ship, or perhaps something more elaborate using deepfakes), and the owner now can do a complete claim on insurance, washing their hands off of that unprofitable ship for good.
Of course, the se
Re: (Score:2)
Re: (Score:1)
Or maybe they just want you to believe it's not scary. It's not like the currently employed opsec guy is going to say "we're fucked and I don't deserve to be paid".
Re: (Score:2)
Your first example quoted a spokesman for a group of companies that would need to spend a lot of money if they took this seriously. So this means I should believe him when he says "Don't worry, trust me."?
How stupid can you be? (Score:4, Insightful)
Ten or fifteen years ago, some stupid 16 yr old asshole in the UK played with Britrail switches, and people died.
And you want to make your ship's controls Internet-enabled, no air gap.
The CEOs and CTO's need to go to jail for personal liability.
And the industry is testing autonymous ships (Score:2)
Given the Russian tankers running around with their transponders off so they can sell oil, this kind of thing makes an ideal excuse to blow shit out of the water if it's not under positive control and ID.
Open Ports (Score:2)
But I thought that maritime treaties guaranteed open ports!
The attack surface is the same as cars, WiFi (Score:2)
Cars are now full of computers controlling everything and communicating over a internal network. Controls for the radio, locks, starter, windows, cruise control, climate control are also on the network. Ships are no different.
Then they added wireless access to things on the network. Not just WiFi. There are key fobs, bluetooth, cell or satellite access like GM's Onstar. The locks, starter, radio controls, climate control, fuel injection are all on that internal network.
So now, instead of needing to bre
You have to learn why things work on a starship (Score:2)
Reliant's prefix code is 16309. If they're still using 5-digit PINs a couple centuries from now, then today's Coast Guard is probably pretty fucked.