Ships engines, a guide for pen testers

I spent several years as a ships engineer before straying in to pen testing. Ships used to be fairly secure; they were physically isolated at sea. Satcoms were scarily expensive, usually available only to the captain for business-critical communication. Even satphone use was heavily rationed.

All that has changed: big satellite data packages are offered in order to attract the best crews. Vessel efficiency is remotely monitored to ensure that fuel costs are kept as low as possible. Bear in mind that it can cost several million dollars to refuel a large container ship

So now you have a vessel full of industrial control systems, hooked up to the IT and crew networks. There’s probably remote access for engine monitoring by a third party, maybe remote access for IT support. Those networks are usually segregated, but I’ve never yet failed to bypass that segregation.

Engines the size of houses

It’s a not an exaggeration. What are the engines and other equipment like on a container ship?

This is a 66,000gt ship, approximately 280m long. Rated about 5500 TEU.

This is the top of the main engine.

It’s a Sulzer RTA96C – 96 means each piston is about 96cm across. It has 10 “units” or cylinders.

This bit you see at the top is just the exhaust valve and cylinder head. The large pipe is hydraulics to open the exhaust.

This is a spare piston and piston rod.

It’s a slow-speed two-stroke diesel, so it works a bit differently to the diesels you may be used to.

This is the spare cylinder liner.

The holes around the bottom let the air into the cylinder when the piston is at the bottom of it’s stroke.

To force that air in, you need turbochargers. These are big.

This is the exhaust side.

That little green tank lets you inject crush walnuts to clean the turbine.

This is the inlet side. It draws air direct from the engine room.

If you are stood here when the engine is running, it is deafening. Hearing loss territory.

A view up from the bottom plates up to the top. The middle plates contain the fuel and exhaust pumps, alongside doors to get into the scavenge space – where the air flows into the cylinders.

This is one of 5 fuel/exhaust pumps. They are actuated by a massive camshaft, largely hidden from view.

The hoses are covered in a second wall so that leaks can be detected.

How fast does one of these go?

Well, maximum 102rpm. We were going at around 40rpm at this point.

This is direct drive – the engine is direct onto the prop. You want to go backwards? Reverse the engine.

The prop shaft is also long.

We were doing about 65rpm when I took this, producing about 33.76MW of power.

How does it measure the power?

Two sensors on the prop shaft detect how much that massive lump of metal has twisted.

There is a massive flywheel. You turn the engine over very slowly using an electric motor on this to make sure everything is lubricated and moving. It’s called the turning gear.

You don’t start it with this though.

That’s done with 30 bar air from these two massive tanks. It lets air into the cylinder, using a distributor like on a car. Start air scares me.

There’s enough compressed air to do up 10 changes of engine direction.

All of this is normally electronically controlled, either direct from the bridge or from the engine control room

Manual Control

If the electronic controls fail, you fall back to local control.

On these, it is literally sticks.

Left stick adjusts the cam shaft for working in either direction, and admits the start air. Right is fuel. It is unregulated – you could easily overspeed an engine with these.

You still practice when you get a chance.

This is why I get frustrated when old-school captains state that ships can’t be hacked. ‘If we’re hacked we will go back to manual control’ they say

Which completely misses the point. 1: you need to know you’ve been hacked in order to take action. 2: manual control of a ships engine is difficult – manoeuvring often results in running out of start air, leaving you stranded

These massive doors on the bottom plates let you into the crankcase.

There is a lot of extra machinery to support these beasts. First off, they don’t work without power. So you have 4 generators.

These are much smaller – 5-6MW.

They work at 6.6kV – which you call HV on the ship.

This is a big, scary voltage.

That all feeds into the HV switchboard on the ship.

Opposite that is the motor control centre, or low voltage switchboard. This controls all the 440V loads, pumps, fans, etc.

There are tens of pumps. Seawater pumps, low-temperature cooling, high temperature cooling, lube oil, fuel oil, ballast, anti-heeling, bilge, fire-fighting. Some are 750kW.

You have to clean the fuel oil and lube oil. To do this, you use centrifugal purifiers. There are big ones for the main engines and baby ones for the generators (BLOPs – baby lube oil purifiers).

There are also automatic filters that use compressed air to clean themselves.

All that heat needs to go somewhere. Plate heat exchangers are common for this – around 60 plates of titanium carry alternating fluids for cooling.

You can undo the nuts and clean them one by one. It’s slow.

Air compressors – for filling those massive tanks for starting the engine.

The heavy fuel oil the engine runs on needs to be heated to be runny enough to use.

When you are in port, the engine isn’t producing heat to use. So you have a boiler to pipe heat to all the fuel tanks.

When you are down in the engine room, alarms will sound. Various bits of machinery need tending to.

If the cog lights up – it’s a machinery alarm. The others all signify different things. RED IS BAD.

The Red Button

On this ship, I had to hit this button once.

I got an alarm at lunch on my pager. Went down, and saw high-temp cooling water spraying from one of the exhaust valves.

The header tank was already at low and was soon going to alarm low-low. We had to shut down the main engine.

With no main engine, you can’t steer. Luckily the waters weren’t busy and nothing bad happened.

Fun times:

The poo tank

Never forget the poo tank!

This digests all the poo so you can pump it overboard as clean-ish effluent. This one had a bad belly and wasn’t doing a good job.

Conclusion

Most of the systems above are managed by industrial controllers. The same controllers that you’ll find in electricity substations, production lines and water purification plants.

They use serial communications, rarely encrypted, rarely authenticated. The hardware and software is often very out of date. We often find connections and systems that the crew know nothing about. Systems that aren’t even on the network diagrams that we’ve been given.

Ships used to be secure by virtue of their physical isolation. That isn’t the case any more. Everything is connected, often in ways that the installers and operators weren’t intending.

N.B. This isn’t a ship we have tested the security of.

These photos were taken in 2006/7, back in the day when my job was to keep ships operating.