A blog about reverse-engineering, malware, coding, and other random stuff.
"We prefer to help ourselves. We make mistakes, but we're human--and maybe that's the word that best explains us."–Captain James T. Kirk
Watching Blue Origin's New Shepard and William Shatner conquering the gravity well at 90, was a moment that put a smile on my face.
An update on the Suez Canal situation with the Ever Given. Recovery efforts on Friday failed, meaning that as of this post on Saturday, this appears to be the longest complete shutdown of the canal since it reopened following the 1973 Arab-Israeli conflict. Initial reports in the media are pointing to high winds and a sandstorm as the reason the ship veered off course and ran aground. Dozens of ships have accidents in the Suez each year, but I'm still a bit skeptical.
In another twist, it has been reported that the Russians have been mocking the incident and suggested shippers consider an alternate Arctic route, perhaps facilitated by Russia's fleet of nuclear powered ice-breakers. I am guessing this is just opportunistic propaganda by the Russians, and idea sounds a bit far fetched. It does demonstrate yet another motive and mindset that could lead to a state sponsored cyber attack on maritime choke points. Interesting...
As is so often the case, there is no single, magic bullet "solution" to this public policy concern. There are, however, choices we can make in public policy to minimize negative outcomes. As in other public policy matters, the maritime cybersecurity challenge isn't going to be solved by a quick cash dump from government coffers. Improvement is going to take long term policy focus and a shift in culture.
The US Coast Guard took some first steps in this direction with NVIC 01-20 last year. The policy, for the first time "provides guidance to facility owners and operators on complying with the requirements to assess, document, and address computer system and network vulnerabilities." For MTSA facilities that have never had a requirement to even think about cyber security until now, a gradual approach to implementing governance standards makes sense. It will take time, and iterative updates and course corrections, hopefully with private sector input. If it is done correctly, it could foster greater cybersecurity awareness in maritime industry culture, and that will have more impact than installing firewalls and IDS.
A second significant step in the right direction was the US maritime national security strategy released in January. Josh Steinman, the senior cyber policy advisor on the Trump administration's National Security Council staff, and a Navy veteran, certainly seemed like he grasped the essence of the matter. He was even our keynote speaker for the first year of Hack The Sea village at DEF CON.
The policy, as I pointed out in my interview with Cyberscoop, it is far from perfect. There is little in the policy to address the supply chain threats I've mentioned in my previous post. But the policy is a good start. The goals it outlines for workforce development, for instance, are certainly laudable. Poor training and certification standards, and a poor quality workforce have plagued cybersecurity for years. It is my sincere hope the Biden administration will follow through with the strategy released in January, and not let it fall victim to partisan rancor.
It is also my hope that improvements can be made with respect to the supply chain dilemma. The FDA's efforts to improve security in the medical device industry, for example, could be used as a template for fixing the security of maritime operational technology (OT).
Gradual progress, along the course set by the two policies I've mentioned here, could partially mitigate the threat of a scenario like the one I described in my last post.
Imagine you are a Chinese planner tasked with limiting US response to an impending campaign to seize Taiwan. Blocking the Panama Canal, and capsizing roll-on-roll-off vessels in ports, to block our sea-lift capabilities would certainly be a good start. Let's review the elements involved in such an operation.
First, an attacker would have to get access to port facilities and their EDIFACT systems. This has already been done numerous times "in the wild". A noteworthy example was the breach of the Port of Antwerp discovered in 2012. Attackers used physical devices placed onsite, phishing emails, and other techniques to gain access to the port's C-Point Nxtport environment, and manipulate EDIFACT messages.
While the attack on Antwerp was focused smuggling contraband in cargo containers, the same access and capabilities could be used to sink vessels. Pen Test Partners, in the UK, explained how this was possible back in 2017.
Now we can move on to blocking those sea lanes like the DC Beltway at rush hour. We had a glimpse of how this could happen this week when the Ever Given, a container ship from Taiwan's Evergreen line, appeared to navigate in circles then lodged itself sideways in the middle of the Suez Canal before shutting down engines.
Attacking
the engines on a ship, to shut them down the way it happened in the
Suez this week, was something my team demonstrated with
Auto-Maskin controllers in 2018. I would also like to note that even after we notified authorities, and Auto-Maskin, little was done to address the security vulnerabilities, no effort was made to rush out a patched firmware update. The family of engine control units continued to be used by major marine diesel OEMs, often rebranded, leaving end-users unaware of the danger in their supply chain and engine room.
Now, let's talk navigation. A lot of researchers have demonstrated attacks on various components of a ship's navigation systems that could have easily resulted in
the "interesting" AIS tracks that preceded the wreck. One of them is my colleague Gary Kessler, who gave a talk about it at DEF CON last year. He described how an attacker could subvert systems like AIS and ECDIS, and even cause coastal navigation lanes and related buoys to appear to "move", leading to disaster. A number of maritime incidents over recent years could be examples of such attacks "in the wild", but I'll decline making an assessment without more evidence.
So, as it relates to what happened in the Suez this week, what do I think about the chances the attack was the work of a sophisticated, cyber threat actor? Well, I'm not saying it was aliens. But...
So, ICYMI, someone decided to do some AIS donuts and then park a container ship in the Suez.
Meanwhile, I got to pwn both maritime and aviation systems at HackTheMachine. A lot of N2K and ARINC 429, lots of caffeine, loads of fun. My teammate Hipu left a minecraft server on one of the "ships" after getting root. I guess they should be glad he didn't engage in any "art" projects.
I haven't posted in quite a while, so time for an update. I've been busy getting Redoubt Research, LLC off the ground and running Hack The Sea 2.0 in 2020.
I submitted the application for DEF CON villages for 2021. I hope to see everyone in person in Vegas this year for Hack The Sea 3.0, Deep Dive, as much fun as the virtual conference was last year.
Currently working on some new research on maritime ICS/OT, but can't say more than that due to NDA. Not sure if we will wrap up ethical disclosure in time to enter a talk at DEF CON, but I will certainly have interesting stuff for you all in 2021.
Finally, I will be at Hack The Machine with friends from Fathom5 next week. I am pretty stoked, and prepping some scripts and gear this weekend. The Navy has some very cool content on tap, and there is virtual space participation. Hope to see you there!
