TL;DR
- Cargo vessels integrate IT and OT systems.
- Pen testing aims to prevent IT-based OT compromises.
- Avoid disruptions to operations.
- Network segmentation and perimeter controls are key.
- Direct OT testing is limited due to high risk.
- Fleet-wide vulnerabilities often share root causes.
- Strengthening processes and policies addresses issues vessel-wide.
Introduction
Cargo vessels are full of interconnected systems, whether they’re LNG carriers, bulk carriers, or container ships. You get the usual IT for business operations and crew welfare, and then you have OT keeping the ship moving and safe, from navigation to engine diagnostics.
When we test, the aim is simple. We look for ways an attacker could move from IT into OT, without ever putting the vessel at risk while we do it. We focus on high-impact, realistic attack paths. On large vessels we usually work in time-boxed engagements, going broad and deep enough to understand the real risk. A big part of that is proving that OT cannot be reached from IT, which means extensive testing of network segmentation, testing the IT/OT gateways, and visual inspection of the systems onboard.
How complex?
Testing a vessel brings challenges you rarely see ashore. To give a sense of them, here is a brief overview of the IT and OT on a modern container vessel or chemical tanker:
- Modern vessels have separate networks for business operations, crew welfare, and technical (OT) functions.
- They also have diverse connectivity, which can make pen testing engagements challenging: offboard communications via VSAT, Starlink, and cellular connections.
- Modern vessels are becoming even more integrated and can have a core network managed by third-party providers, a mix of virtualised servers, and various onboard systems such as email, SMS, and fleet management systems.
- And of course, critical operational technology, some of which is air-gapped while the rest is connected through dedicated gateways. Most commonly this will be the ECDIS (Electronic Chart Display and Information System, for chart and software updates) and an Energy Management System (EMS), but engine diagnostics (main engine and generators), the Ballast Water Treatment System (BWTS) and the Exhaust Gas Cleaning System (EGCS) may also be connected.
A note about OT systems
In most ship engagements we avoid deep, intrusive testing of OT networks and devices. Once you are on an OT network, it is almost always possible to cause serious impact. The right place for strong security controls is at the edge of that network, using well configured gateways or firewalls.
Pushing in-depth testing onto a live, operational vessel is rarely a good idea. The risk is high, and the disruption to operations while at sea is almost never worth it.
The stages of the testing process
A typical engagement involves the following steps:
1. Assessing the security maturity
The first step is to assess the maturity of the company against the identify, protect, detect, respond, and recover functions (the core of the NIST Cybersecurity Framework), normally using interviews and documentation reviews. This helps to direct further testing.
2. Understanding the systems onboard
Gaining an understanding of the systems onboard the vessel is extremely important. This would normally use a combination of documentation review, interviews with crew members, network exploration, and a physical survey of the vessel which, depending on its size, can require a lot of ferreting around.
3. Network segmentation checks
Network segmentation testing ensures that IT and OT are adequately isolated. This would normally involve basic reachability checks from the IT side (can OT addresses or services be reached at all, and through which rules?) alongside efforts to compromise any gateways between the two.
4. Testing the infrastructure and comms
The test should cover the core network, including satellite communication equipment, firewalls, switches, and other essential infrastructure. It also involves checking that Wi-Fi networks are properly segmented and that their passwords are adequate. Alongside this, a survey for rogue devices is carried out.
5. Assessing IT systems and applications
A conventional Windows IT infrastructure test, normally aiming to achieve widespread compromise, starting from either an unauthenticated or normal crew account.
Tests of any applications onboard that are critical to operations, such as the Planned Maintenance System or cargo management.
6. Evaluating OT system security
Proportionate checks of OT systems to ensure that they do not present excessive risk. It is acknowledged that many OT systems are poorly secured, and focus should generally be on preventing initial access using network segmentation.
7. Examining the external attack surface
Checks of the external attack surface of the vessel, such as exposed external IPs and Wi-Fi.
Tests to confirm that Endpoint Detection and Response (EDR) will prevent basic malware from being deployed.
8. Reviewing third-party systems
Examining any third-party systems, to the extent possible, is crucial to understanding the risks they pose. This would typically cover maritime-specific software and some IT/OT gateways or monitoring devices.
This structured approach ensures that the pen testing covers the most critical aspects of a vessel’s digital and operational infrastructure without disrupting daily operations.
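As an added illustration of the desk-check side of the segmentation step (not code from the original article), the script below audits a firewall ruleset between IT and OT zones: it parses the rules, answers "would this IT host reach this OT host on this port?" with first-match, default-deny semantics, and lists every IT-to-OT flow the ruleset allows on ports that matter on an OT segment. The rule syntax, zone addresses, sample hosts and the "temporary maintenance laptop" rule are all constructed for the example and are not any vendor's format or a real vessel's addressing. The same check can be re-run against each vessel's exported ruleset when looking for fleet-wide issues.

```python
"""Desk check of an IT/OT firewall ruleset (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed zones: OT must only be reachable via the gateway segment.
ZONES = {
    "business": ipaddress.ip_network("10.10.0.0/24"),
    "crew_wifi": ipaddress.ip_network("10.20.0.0/24"),
    "ot_gateway": ipaddress.ip_network("10.30.0.0/28"),
    "ot": ipaddress.ip_network("192.168.100.0/24"),
}

# Ports worth probing on an OT segment: remote access, web HMIs, Modbus/TCP, SMB/RDP.
PROBE_PORTS = {22: "ssh", 23: "telnet", 80: "http", 443: "https",
               502: "modbus", 445: "smb", 3389: "rdp"}


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str                   # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None means any destination port
    comment: str = ""


def parse_rules(text: str) -> list:
    """Parse lines of the constructed form 'allow tcp SRC -> DST PORT  # note'."""
    rules = []
    for raw in text.splitlines():
        line, _, comment = raw.partition("#")
        parts = line.split()
        if not parts:
            continue
        action, proto, src, arrow, dst, dport = parts
        if arrow != "->" or action not in ("allow", "deny"):
            raise ValueError(f"bad rule: {raw!r}")
        rules.append(Rule(action, proto, ipaddress.ip_network(src),
                          ipaddress.ip_network(dst),
                          None if dport == "any" else int(dport),
                          comment.strip()))
    return rules


def decide(rules, src_ip, dst_ip, proto, dport) -> str:
    """First matching rule wins; no match means deny (default-deny assumed)."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (src_ip in r.src and dst_ip in r.dst
                and r.proto in ("any", proto)
                and (r.dport is None or r.dport == dport)):
            return r.action
    return "deny"


def it_to_ot_exposure(rules, it_hosts, ot_hosts):
    """Return every (it_host, ot_host, port, service) the ruleset would allow."""
    allowed = []
    for src in it_hosts:
        for dst in ot_hosts:
            for port, name in PROBE_PORTS.items():
                if decide(rules, src, dst, "tcp", port) == "allow":
                    allowed.append((src, dst, port, name))
    return allowed


# Constructed ruleset. Rule 2 is the kind of finding this check is meant to surface.
RULESET = """\
allow tcp 10.10.0.0/24  -> 10.30.0.0/28     443   # ECDIS chart update relay on the gateway
allow any 10.10.0.5/32  -> 192.168.100.0/24 any   # "temporary" maintenance laptop rule
deny  any 0.0.0.0/0     -> 192.168.100.0/24 any   # nothing else into OT
allow any 10.20.0.0/24  -> 0.0.0.0/0        any   # crew Wi-Fi out to the internet
"""

IT_HOSTS = ["10.10.0.5", "10.10.0.7", "10.20.0.40"]   # constructed sample hosts
OT_HOSTS = ["192.168.100.10", "192.168.100.20"]       # e.g. EMS and engine monitoring


def audit(ruleset_text: str = RULESET):
    """Parse a ruleset and list the IT-to-OT flows it allows."""
    return it_to_ot_exposure(parse_rules(ruleset_text), IT_HOSTS, OT_HOSTS)


if __name__ == "__main__":
    for src, dst, port, name in audit():
        print(f"FINDING: {src} -> {dst}:{port} ({name}) is allowed from IT into OT")
```

On the constructed ruleset the only findings come from the maintenance-laptop rule: one business host can reach both OT hosts on every probed port, while the crew Wi-Fi is stopped by the explicit deny that precedes its catch-all. A desk check like this never touches the OT network; it tells you which live reachability probes are worth running from the IT side, and which rule to cite when the finding is written up.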
Look beyond a single vessel: is it a fleet-wide issue?
Even though the test might focus on a single vessel, it is often possible to find fleet-wide issues. Some issues will be inherent in the design and implementation of a system across all vessels. The root cause of many problems will be missing processes and policies that, once in place, fix the issue for every vessel. Testing for the issue on other vessels can often be carried out remotely or by the crew, without having to commission further expensive pen tests.
Conclusion
Pen testing cargo vessels is about reducing the chance that IT issues can ever reach OT, so you avoid operational disruption in the first place. Direct testing of OT is not always realistic because the risk is too high, but you can still tackle fleet-wide problems by finding the root causes and fixing them across similar vessels.
By taking a measured approach to network segmentation and perimeter controls and strengthening processes and policies, you will be in a better place.