The shipping industry’s cybersecurity is still in its infancy and prone to attacks which could allow a threat actor to track, hijack, or even sink a vessel along with other ways to disrupt the shipping industry.
Pen Test Partners researchers tested over 20 different ECDIS (Electronic Chart Display and Information System) units that ships use to navigate and found several vulnerabilities which could allow an attacker to control the Operation Technology (OT) systems used to control the steering gear, engines, ballast pumps and lots more, according to a June 4 blog post.
An attacker could exploit these flaws to either send a ship in the wrong direction or even trick crew members by making it appear as the ship is on course when it isn’t.
Some of the systems were vulnerable due to poor cybersecurity hygiene such as the use of default credentials while others ran systems as old and outdated as Windows NT.
Researchers spotted admin interfaces over telnet and HTTP, a lack of firmware signing, and the ability to edit the entire web application running on the terminal. The ships tested also lacked rollback protections to prevent a threat actor from elevating their privilege by installing an older more vulnerable firmware version.
By exploiting these weakness researchers were able to gain control of ship ECDIS allowing them to control the ship’s route by altering the data used to communicate with GPS satellites.
Tampering with the ships ECDIS could also allow a threat actor to gain control of the ship’s autopilot as most modern vessels are in ‘track control’ mode most of the time, where they follow the ECDIS course, researchers said.
“Hack the ECDIS and you may be able to crash the ship, particularly in fog,” researchers said in the report. “Younger crews get ‘screen fixated’ all too often, believing the electronic screens instead of looking out of the window.”
Researchers could also clog shipping lanes by spoofing the position of the GPS receiver on the ship and ultimately falsely making the ships appear as though it will collide with other ships in the area when there actually isn’t a chance of collision.
A lack of network segregation on the always-on satellite connections makes it easy for an attacker to hack the satellite communications leaving various vessels exposed.
Researchers even were able to develop methods to track and hack ship’s satellite communications and linked the satellite communication terminal version details to live GPS position data to develop a clickable map highlighting vulnerable ships while showing their real-time position.
While some of the issues could be rectified by simple setting strong admin passwords, some of the vulnerabilities needed to be disclosed privately to the manufactures. Researchers said Vessel owners and operators should address these issues quickly, or more cybersecurity incidents will occur within the industry.