Business / Industry Intelligence (Maritime / Cruise Line Industry)

In recent years, cruise liners and their associated infrastructure rely more heavily on the interconnectivity of IT systems and operational technology (OT) systems, creating a robust digital environment to successfully execute their missions.

However, as ships become “smarter” and more interconnected, the risk of cyber attack grows, with consequences that can directly harm the business. The U.K. Government’s Transportation Department warned of the growing vulnerabilities in the maritime industry in its 2017 “Cyber Security for Ships” code of practice, stating that hacks of shipboard computer systems could, at worst, endanger human life. A hack carried out with terrorist motives could certainly threaten lives.

In addition to dangers posed by terrorists, the cruise line’s customer data could be stolen and misused. For example, if passengers’ data, such as a bank card or other personal information, has been uploaded to an online system – perhaps for the purpose of making their stay more personalized and automated – then a data breach of this system could enable criminals to commit identity fraud upon the victims, also causing legal liabilities and reputational risks to the cruise line.

While cruise liners have a proven ability to successfully compete with other holiday destinations, this advantage will quickly diminish if passengers feel unsafe. Clearly, to maintain customer confidence in the cruise lines, it is paramount for maritime enterprises to define a clear and secure strategy relating to IT/OT convergent cyber security.

The maritime industry has previously failed to recognize the risks of cyber attacks. However, as cruise ships become floating digital worlds of their own, it is crucial that cruise lines recognize and address the emerging threats and their possible outcomes, for the sake of passenger safety and overall industry integrity.

Business Impact / Report Focus

This Maritime Cyber Threat Intelligence report focuses on the convergence of IT and Operational Technology (OT), and on other risks associated with CLIENT, its subsidiaries and its industry competitors. Open source intelligence and ship visits show that CLIENT extensively uses OT systems that are critical to daily operations. In recent times, the attack vectors relevant to the cruise line industry have expanded from traditional IT systems to the OT attack surface. This trend has materialized because OT devices were (and still are) built with simplicity and functionality in mind, not security. Given their criticality to operations, indicators of compromise (IoCs) and identified vulnerabilities in OT systems should drive immediate analysis and serious remediation efforts.

Our Fortress IntelX Security Operations Team can confirm, via non-intrusive tests conducted in recent weeks, that attacks on OT network targets could be executed against the CLIENT infrastructure from third-party network connections. This scenario highlights the need for vigilance in the organization’s Third-Party Risk Management efforts (i.e., policies and procedures). CLIENT, its subsidiaries and its operating companies span the globe; the overall IT/OT technical footprint is therefore extremely large and complex, requiring systems to monitor and manage both third-party risk and the associated vulnerabilities in the shipboard and shoreside OT environments.

The tangible effects of a cyber attack or a breach of the OT networks (e.g., system stoppage) could cripple vessels and reduce the company’s profit by millions of dollars per day. Considering multiple subsidiaries and facilities owned by CLIENT, large-scale attacks could cause significant financial and reputational damage to the brand. Also, OT incidents could have a downstream effect in supply chain and distribution networks, further heightening the damage to the company.

Threat Intelligence Notable Findings

• Utilizing our cyber threat intelligence tools and processes, our expert analysts monitored and ranked competitors and brands. See Appendix B for details. Highlights of this analysis include the following:
• Breaches occur more frequently within the leisure industry, as indicated by news reports from industry sources. All cruise ships have multiple point-of-sale (POS) terminals installed. If these are left unsecured (e.g., with no antivirus), accessible from the internet and placed on a primary infrastructure network, they become a popular attack vector via WiFi hacking or a phishing campaign.
• Maritime OT systems often lack any built-in encryption or authentication, which leads attackers to assess cruise ships as a “soft option” for attack, be it for state-sponsored motivations, ransom or just criminal mischief.
• A major misconception in cybersecurity is the belief that proactive security measures are too complicated and expensive; this belief shows little understanding of the return on security investment. Many people also misjudge whether adequate safeguards are already in place. This misjudgment is fed by a general perception that being the target of a cyber attack is very unlikely, so necessary expenditure on safeguards tends to be de-prioritized. Yet the reality is eye-opening: the exploitation of technology for nefarious ends will always take place in some form, be it at sea or onshore.
• Cyber attacks in the maritime industry usually go unreported to the maritime community, in contrast to onshore attacks. But with today’s ships being more internet-connected, a cyber attack at sea risks being more dangerous than one onshore.
• In 2015, only 12% of crew received cybersecurity training. In subsequent years, this figure improved slightly but still lags far behind the goal. In 2017, a Bimco report indicated that only 47% of crew were aware of cyber-safe policies or cyber hygiene guidelines. While improving, the objective of making cybersecurity training a priority still pales in comparison to the immediacy of the growing threat.

Client overall risk score: C+

Average cyber risk score within the cruise line industry: C-

Approximately 90% of world trade is transported by sea

With ships and ports acting as the arteries of the global economy, ports increasingly rely on communications systems to keep operations running smoothly. Any IT/OT compromise can create major disruptions for complex logistic supply chains. Global shipping is still feeling the effects of a cyber attack that hit A.P. Moller-Maersk (MAERSKb.CO), showing the scale of the damage a computer virus can unleash on the technology-dependent and inter-connected industry.

Ong Choo Kiat, President of U-Ming Marine Transport (2606.TW), Taiwan’s largest dry bulk ship owner, said the fact Maersk had been affected rang alarm bells for the whole shipping industry, as the Danish company was regarded as a leader in IT technology.

“But they ended up one of the first few casualties. I therefore conclude that shipping is lagging behind other industries in terms of cybersecurity,” he said. “How long would it take to catch up? I don’t know. But recently all owners and operators are definitely more aware of the risk of cybersecurity and beginning to pay more attention to it.”

In a leading transport survey by international law firm Norton Rose Fulbright, 87% of respondents from the maritime industry believed cyber attacks would increase over the next five years, a level that was higher than among counterparts in the aviation, rail and logistics industries.

OT Vulnerabilities

In the list below, FIS analysts have identified the most likely threats against OT systems in the CLIENT ecosystem, which are discussed in further detail in the following sections:

• Vendor connecting a Malware-infected USB/Media
• OT/IT personnel connecting a Malware-infected USB/Media
• Hospitality Crew/Passenger connecting a Malware-infected USB/Media
• OT/IT personnel installing a Malware-infected Unauthorized Application
• Vendor Remote Access/Network Connection Compromise
• Vendor Remote Access/Network Connection Remote Installation of Malware
• OT/IT personnel performing Denial of Service Attack on OT Systems running OT protocols
• Hospitality Crew/Passenger performing Denial of Service Attack on OT Systems running OT protocols

Note on Malware

In today’s cybersecurity landscape, “Malware” is really composed of two components: 1) an Exploit, the code that compromises the system by gaining administrative privileges (e.g., the EternalBlue exploit), and 2) the Payload, the actual software the attacker wants to install (e.g., a rootkit to control the system remotely). In this report, the term malware refers to both modules of modern Malware.

USB Infected with Malware

There have been many documented cases of USB or other data media being used to propagate Malware to disconnected or “air-gapped” OT networks. The most famous case is STUXNET, which was the first documented case of a cyber attack against OT-related systems. But as with many attacks, the threat changes depending on who connects the USB.

Vendor connecting a Malware-infected USB/Media

This is by far the most disastrous case of USB connection. A vendor has a HIGH probability of physical access to any part of an OT system (including locked cabinets where PCs/servers are housed). Also, a vendor will most likely log into OT systems with HIGH privileges. This combination of physical and administrative access equates to a HIGH threat level.

OT/IT personnel connecting a Malware-infected USB/Media

USB connection by OT/IT personnel on OT systems is a serious concern. OT/IT personnel have a MEDIUM probability of physical access to any part of an OT system (including locked cabinets where PCs/servers are housed). Also, OT/IT personnel usually log into OT systems with HIGH privileges. This combination of physical and administrative access equates to a HIGH threat level.

Hospitality Crew/Passenger connecting a Malware-infected USB/Media

USB connection by Hospitality Crew/Passengers on OT systems is a LOW concern. Hospitality Crew/Passengers have a LOW probability of physical access to any part of an OT system (including locked cabinets where PCs/servers are housed). Also, Hospitality Crew/Passengers will most likely log into OT systems with LOW privileges. This combination of physical and administrative access equates to a LOW threat level.

Installing a Malware-infected Unauthorized Application

Cases of unauthorized applications installed on OT systems that secretly contained Malware have been documented a reasonable number of times. For example, in 2014 there was an attack on a German blast furnace OT system that caused $1 Million in damage and prevented operators from shutting down the furnace safely. These targeted OT attacks used watering hole deception to induce an unwitting employee to download an OT-related app that secretly contained a malicious rootkit.


Vendor Remote Access/Network Connection

Vendor remote access has only recently emerged as a top-of-mind cyber threat, due to the 2015-2016 Ukraine power grid attack, in which an apparent nation-state hacker group completely took over the remote access to electrical substations. At one point, the hackers actually began taunting the power operators by moving their mouse cursor to shut power off while the hapless operators were looking on.

Vendor Remote Access/Network Connection Compromise

A vendor who has remote access to OT systems, either via a remote access subsystem or an installed VPN gateway, represents a unique threat to maritime OT systems. The OT operator is “trusting” the vendor to be as secure as or more secure than the OT system operator. Without detailed third-party disclosures of a vendor’s security posture, a MEDIUM probability of compromise is assumed. Also, a vendor will most likely log into OT systems with HIGH privileges. This combination of compromise probability and administrative access equates to a HIGH threat level.

Vendor Remote Access/Network Connection Remote Installation of Malware

A vendor who has remote access to OT systems, either via a remote access subsystem or an installed VPN gateway, represents a unique threat to maritime OT systems. The OT operator is “trusting” the vendor to be as secure as or more secure than the OT system operator. Without detailed third-party disclosures of a vendor’s security posture, a MEDIUM probability of Malware installation is assumed. Also, a vendor will most likely log into OT systems with HIGH privileges. This combination of compromise probability and administrative access equates to a HIGH threat level.

Denial of Service Attack on OT Systems

In the aftermath of the Ukraine power grid attack, in late 2017 the anti-virus software company ESET reported a new class of Malware targeting OT systems. ESET named the Malware “Industroyer” and disclosed that it had the capability to perform Denial of Service (DoS) attacks autonomously. Given this emerging threat, it is reasonable to model the threat of DoS attacks on OT systems and networks. A DoS attack is a cyber attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting the services of a host connected to the network. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload the system and prevent some or all legitimate requests from being fulfilled.

OT/IT personnel performing Denial of Service Attack on OT Systems running OT protocols

A DoS attack being attempted by OT/IT personnel against an OT system is a LOW concern. However, OT/IT personnel do have the ability to log into OT systems with HIGH privileges. This LOW concern combined with HIGH administrative access equates to a MEDIUM threat level.

Hospitality Crew/Passenger performing Denial of Service Attack on OT Systems running OT protocols

A DoS attack being attempted by Hospitality Crew/Passengers is a MEDIUM concern (pending more detailed research on customer compromise habits). Hospitality Crew/Passengers have LOW privileges, so this equates to a MEDIUM-LOW threat level.

Threat Name                                                                                           Level
----------------------------------------------------------------------------------------------------  ----------
Vendor connecting a Malware-infected USB/Media                                                        HIGH
OT/IT personnel connecting a Malware-infected USB/Media                                               HIGH
Hospitality Crew/Passenger connecting a Malware-infected USB/Media                                    LOW
OT/IT personnel installing a Malware-infected Unauthorized Application                                HIGH
Vendor Remote Access/Network Connection Compromise                                                    HIGH
Vendor Remote Access/Network Connection Remote Installation of Malware                                HIGH
OT/IT personnel performing Denial of Service Attack on OT Systems running OT protocols                MEDIUM
Hospitality Crew/Passenger performing Denial of Service Attack on OT Systems running OT protocols     MEDIUM-LOW
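The ratings in the table are derived from two factors the narrative states for each threat: the probability of access (or of the event) and the privilege the actor holds on the OT system. The following added example, not part of the original report, shows that a single additive rule reproduces all eight ratings and uses it to show which factor a mitigation must move; the rule itself and the factor values for the unauthorized-application threat (absent from the narrative) are assumptions.

```python
"""Additive model reproducing the report's qualitative threat levels.

Added example, not from the original report. Each threat is rated from two
factors stated in the narrative: the probability of access (or of the event)
and the privilege level the actor holds on the OT system. The combination
rule is an assumption: LOW/MEDIUM/HIGH map to 0/1/2, the two scores are
added, and the sum is mapped back to the report's five-step scale.
"""
from __future__ import annotations

from dataclasses import dataclass

SCALE = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}
# Sum of the two factor scores -> qualitative level used in the report's table.
LEVEL_BY_SUM = {0: "LOW", 1: "MEDIUM-LOW", 2: "MEDIUM", 3: "HIGH", 4: "HIGH"}
# One step of mitigation applied to a single factor.
STEP_DOWN = {"HIGH": "MEDIUM", "MEDIUM": "LOW", "LOW": "LOW"}


@dataclass(frozen=True)
class Threat:
    name: str
    probability: str  # probability of physical access / compromise / attempt
    privilege: str    # privilege level the actor holds on the OT system


def threat_level(t: Threat) -> str:
    """Combine the two factors into the report's qualitative level."""
    return LEVEL_BY_SUM[SCALE[t.probability] + SCALE[t.privilege]]


# Factor values as stated in the report's per-threat narrative. The values for
# the unauthorized-application threat are an assumption (the narrative gives
# none); MEDIUM/HIGH is the pair consistent with its HIGH rating in the table.
THREATS = [
    Threat("Vendor connecting a Malware-infected USB/Media", "HIGH", "HIGH"),
    Threat("OT/IT personnel connecting a Malware-infected USB/Media", "MEDIUM", "HIGH"),
    Threat("Hospitality Crew/Passenger connecting a Malware-infected USB/Media", "LOW", "LOW"),
    Threat("OT/IT personnel installing a Malware-infected Unauthorized Application", "MEDIUM", "HIGH"),
    Threat("Vendor Remote Access/Network Connection Compromise", "MEDIUM", "HIGH"),
    Threat("Vendor Remote Access/Network Connection Remote Installation of Malware", "MEDIUM", "HIGH"),
    Threat("OT/IT personnel performing Denial of Service Attack on OT Systems running OT protocols", "LOW", "HIGH"),
    Threat("Hospitality Crew/Passenger performing Denial of Service Attack on OT Systems running OT protocols", "MEDIUM", "LOW"),
]


def score_all(threats: list[Threat] = THREATS) -> dict[str, str]:
    """Threat name -> level, i.e. the report's summary table."""
    return {t.name: threat_level(t) for t in threats}


def mitigation_effect(t: Threat) -> dict[str, str]:
    """Level after a one-step reduction of either factor.

    'reduce_probability' models access/attempt controls (media policy, vendor
    surveys, scanning stations); 'reduce_privilege' models least privilege on
    the OT system. Comparing the two shows which control class moves the rating.
    """
    return {
        "reduce_probability": threat_level(Threat(t.name, STEP_DOWN[t.probability], t.privilege)),
        "reduce_privilege": threat_level(Threat(t.name, t.probability, STEP_DOWN[t.privilege])),
    }


def threats_needing_both_controls(threats: list[Threat] = THREATS) -> list[str]:
    """Threats that stay HIGH after any single one-step mitigation."""
    return [
        t.name for t in threats
        if threat_level(t) == "HIGH"
        and all(level == "HIGH" for level in mitigation_effect(t).values())
    ]


if __name__ == "__main__":
    for name, level in score_all().items():
        print(f"{level:11} {name}")
    print("Need both access and privilege controls:", threats_needing_both_controls())
```

Under this rule only the vendor USB threat stays HIGH after a single one-step control, which is why the vendor case needs both media policy and privilege reduction to move.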

FIS Threat Intelligence Team Mitigation Implementation Recommendations

Some of the mitigations listed above require extended effort to implement, while a few can be implemented rather quickly. Below is a listing of the mitigations that can be implemented and the notional time it would take to perform them.

Within 6 Months:

• Enhanced Policy vigilance on USB/Media use in OT systems
• OT Asset Inventory
• OT Vendor/Supplier surveys (how secure are the vendors who have remote access)
• Enhanced Policy vigilance on installation of applications in OT systems
• OT/IT network packet captures to determine number of Hacker events
• OT/IT network survey to determine activity baseline
• IT Network Discovery/Shipboard Attack surface mapping

Within One to Three Years:

• OT Vulnerability Testing and Vendor Research
• Anti-Virus/Endpoint applications preventing unauthorized device connection
• Scanning Stations for Malware scanning of media brought onboard by Vendors/Crew
• OT Network Monitoring to detect remote access
• OT Firewall implementation and configuration
• Anti-Virus/Endpoint applications preventing Malware execution/installation
• Enhanced Policy vigilance on installation of applications in OT systems
• OT Network Monitoring to detect downloads and Malware connections
• OT Network Monitoring to detect network attacks
• OT/IT network packet captures to determine number of Hacker events
• OT/IT network survey to determine activity baseline
• OT Asset Inventory
• IT Network Discovery/Shipboard Attack surface mapping
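Several of the mitigations above (activity baseline, OT network monitoring to detect remote access and network attacks) combine into one detection loop. The following added example, not from the report or any vendor product, learns a per-flow baseline from a quiet window and then alerts on unbaselined remote-access sessions into the OT subnet, unknown talkers on OT protocol ports, and request rates far above baseline (the DoS pattern); the subnets, port lists, thresholds and flow records are constructed assumptions.

```python
"""Baseline-then-alert monitoring for a shipboard OT segment.

Added example, not from the report or any vendor product. It implements two
recommended controls over constructed flow records: an activity baseline
learned from a quiet learning window, then alerts for (a) remote-access
sessions into the OT subnet that the baseline never saw and (b) traffic on OT
protocol ports that is either from an unknown talker or far above its baseline
rate (the DoS pattern). Subnets, port lists and thresholds are assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

OT_SUBNET = ip_network("10.50.0.0/16")     # assumed shipboard OT address range
VENDOR_VLAN = ip_network("10.90.0.0/24")   # assumed vendor remote-access VLAN
OT_PROTOCOL_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP"}
REMOTE_ACCESS_PORTS = {22: "SSH", 3389: "RDP", 5900: "VNC"}
RATE_FACTOR = 5.0   # alert when packets/min exceed 5x the baseline peak


@dataclass(frozen=True)
class Flow:
    minute: int
    src: str
    dst: str
    dport: int
    packets: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: '<minute> <src> <dst> <dport> <packets>'."""
    minute, src, dst, dport, packets = line.split()
    return Flow(int(minute), src, dst, int(dport), int(packets))


def build_baseline(flows: list[Flow]) -> dict[tuple[str, str, int], int]:
    """Peak packets/min per (src, dst, dport) seen during the learning window."""
    peak: dict[tuple[str, str, int], int] = defaultdict(int)
    for f in flows:
        key = (f.src, f.dst, f.dport)
        peak[key] = max(peak[key], f.packets)
    return dict(peak)


def detect(flows: list[Flow], baseline: dict[tuple[str, str, int], int]) -> list[str]:
    """Alerts for flows into the OT subnet that deviate from the baseline."""
    alerts = []
    for f in flows:
        if ip_address(f.dst) not in OT_SUBNET:
            continue  # only traffic reaching OT assets is in scope here
        key = (f.src, f.dst, f.dport)
        if f.dport in REMOTE_ACCESS_PORTS and key not in baseline:
            origin = "vendor VLAN" if ip_address(f.src) in VENDOR_VLAN else "unbaselined segment"
            alerts.append(f"min {f.minute}: new {REMOTE_ACCESS_PORTS[f.dport]} session "
                          f"from {origin} {f.src} -> {f.dst}")
        elif f.dport in OT_PROTOCOL_PORTS:
            proto = OT_PROTOCOL_PORTS[f.dport]
            if key not in baseline:
                alerts.append(f"min {f.minute}: unknown {proto} talker {f.src} -> {f.dst}")
            elif f.packets > RATE_FACTOR * baseline[key]:
                alerts.append(f"min {f.minute}: possible DoS on {proto} {f.src} -> {f.dst}: "
                              f"{f.packets} pkt/min vs baseline peak {baseline[key]}")
    return alerts


# Constructed flow records (not real captures). Learning window: an HMI polling
# a PLC over Modbus at a steady rate, plus ordinary IT traffic outside OT.
LEARNING_LINES = """
1 10.50.1.10 10.50.2.20 502 40
2 10.50.1.10 10.50.2.20 502 55
3 10.50.1.10 10.50.2.20 502 48
3 10.50.1.10 10.10.0.3 443 12
""".strip().splitlines()

# Observation window: normal polling, then a Modbus flood, an RDP session from
# the vendor VLAN never seen before, and a new device speaking Modbus to the PLC.
OBSERVED_LINES = """
10 10.50.1.10 10.50.2.20 502 60
11 10.50.1.10 10.50.2.20 502 900
11 10.90.0.5 10.50.2.20 3389 30
12 10.50.7.7 10.50.2.20 502 20
12 10.50.1.10 10.10.0.3 443 15
""".strip().splitlines()


def run_example() -> list[str]:
    """Learn the baseline, then scan the observation window; returns the alerts."""
    baseline = build_baseline([parse_flow(line) for line in LEARNING_LINES])
    return detect([parse_flow(line) for line in OBSERVED_LINES], baseline)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

In practice the learning window would be a packet capture or NetFlow export taken during a known-quiet period, and the baseline keyed on asset inventory entries rather than raw addresses.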

Threats and Vulnerabilities of Interest

• “Tick” is a cyberespionage group primarily targeting organizations in Japan and the Republic of Korea. The group is known to conduct attack campaigns with various custom malware such as Minzen, Datper, Nioupale (aka Daserf) and HomamDownloader. Unit 42 last wrote about the Tick group in July 2017. Recently, Palo Alto Networks Unit 42 discovered that the Tick group targeted a specific type of secure USB drive created by a South Korean defense company. The USB drive and its management system have various features to follow security guidelines in South Korea. The weaponization of a secure USB drive is an uncommon attack technique and was likely done in an effort to spread to air-gapped systems, which are systems that do not connect to the public internet. In addition, Unit 42’s research shows that the malware used in these attacks will only try to infect systems running Microsoft Windows XP or Windows Server 2003, despite the fact that the malware appears to have been created when newer versions of Windows were available. This would seem to indicate intentional targeting of older, out-of-support versions of Microsoft Windows installed on systems with no internet connectivity. Air-gapped systems are common practice in many countries for government, military and defense contractors, as well as in other industry OT verticals.
• OT Compromise: The attack focuses on targeting the devices that serve as a “bridging point” between the operational technology (OT) and IP networks. A proof-of-concept attack could cause ships to veer off course, and it all stems from simple security issues, including the failure to change default passwords or to segment networks. The weaknesses found stem from several vulnerable IP network devices on ships, which are used in business systems, crew mail and web browsing. Researchers point out that they all exist on the same network behind operational devices.
• Port of Antwerp: Between 2011 and 2013, organized criminals breached the port IT system and facilitated drug smuggling. In 2013, drug traffickers hacked an IT system to track security patterns and container movement at Antwerp shipping. The research suggests that the IT threats were not a short-term or quick attack. It was a very deliberate and lengthy attack that went on for two years. During that time, the drug traffickers were using the information to smuggle drugs and carry out human trafficking in and out of the port. The actual event was kept private from the public, but it was finally documented in a research paper (Bateman, 2014).
• VSAT Hacking: Satellite antenna systems are not spared from vulnerabilities and are prone to cyber attacks, which exposes to hackers the devices and machinery to which these VSAT systems are connected. Until now it was believed that ships sailing far away in the ocean were safe from the reach of cyber-criminals, but the latest research proves that even ships are not spared. According to a security researcher using the Twitter ID “x0rz,” shipboard systems are quite vulnerable to hacking because of the faulty configuration of specific satellite antenna systems installed on them. In a conversation with The Next Web, x0rz stated that minor glitches in the configuration could help cyber-criminals fulfill their nefarious motives.

Threats and Vulnerability Analysis

• The Tick Group somehow compromised a secure type of USB drive and loaded a malicious file onto an unknown number of them. These USB drives are supposed to be certified as secure by the South Korean ITSCC (English).

• The Tick Group created a specific malware that Unit 42 calls SymonLoader, which somehow gets onto older Windows systems and continuously looks for these specific USB drives.

• SymonLoader specifically targets Windows XP and Windows Server 2003 systems ONLY.

• If SymonLoader detects the presence of a specific type of secure USB drive, it will attempt to load the unknown malicious file using APIs that directly access the file system.

Unit 42 does not currently have either a compromised USB drive or the unknown malicious file believed to be implanted on these devices. Because of this, they are unable to describe the full attack sequence.

For the same reason, Unit 42 is also unable to determine how these USB drives have been compromised. Specifically, it is not known whether there has been a successful compromise of the supply chain making these devices, or whether they have been compromised post-manufacturing and distributed using other means such as social engineering.

Researcher Ken Munro, with Pen Test Partners, showed how the attack could work and how it is possible to manipulate a ship’s steering, propulsion, ballast and navigation data. The attack focused on targeting the devices that serve as a “bridging point” between the OT and IP networks.

For the proof of concept, researchers focused on serial-to-IP converters, including those made by Moxa and Perle Systems, which are used to send serial data over IP/Ethernet network cabling. Researchers were able to use a ThinkPad running Kali Linux (a Debian-derived Linux distribution designed for penetration testing and digital forensics) to look at the data running through the serial-to-IP converters.

These converters have an array of security issues if not updated, he said. The web interface for configuration generally has default credentials, which ironically are published by the manufacturers on their own websites.

“Once you’ve got the password, you can administrate the converter,” wrote Munro of Pen Test Partners. “That means complete compromise and control of the serial data it is sending to the ship’s engine, steering gear, ballast pumps or whatever.” Even if the passwords have been changed, the converter is still susceptible to attack. Alarmingly, the Moxa converter firmware also contains a known security flaw (CVE-2016-9361) that enables hackers to use Metasploit modules (a tool for developing and executing exploit code against a remote target machine) to recover the administrator password, even if it has already been changed.

The vulnerability has a CVSS score of 7.5 and impacts an array of Moxa versions, including several versions of the Nport 5100 firmware and the Nport 5200 series firmware. Attackers may be able to route serial traffic through their attack laptop and inject a filter, modifying the GPS location data being fed to the Electronic Chart Display and Information System (ECDIS). Ultimately, if the ECDIS is in “Track Control” mode (which is autopilot), then the hacker can fool it and cause the ship to change direction.

Port of Antwerp

Prosecutors say a Dutch-based trafficking group hid cocaine and heroin among legitimate cargoes, including timber and bananas shipped in containers from South America. The organized crime group allegedly used hackers based in Belgium to infiltrate computer networks in at least two companies operating in the port of Antwerp. The breach allowed the hackers to access secure data giving them the location and security details of containers, meaning the traffickers could use drivers to steal the cargo before the legitimate owner arrived.

The operation to hack the port companies took place in a number of phases, starting with malicious software being emailed to staff, allowing the organized crime group to access data remotely. When the initial breach was discovered and a firewall installed to prevent further attacks, the hackers broke into the premises and fitted key-logging devices onto computers. This allowed them to gain wireless access to keystrokes typed by staff as well as screen grabs from their monitors.

VSAT Hacking

The researcher used the Shodan search engine to trace the exact location of ships with “Very Small Aperture Terminal” (VSAT) satellite communications systems installed, and then used default login information available on the internet to access those systems. He claimed that if an attacker gains access to the VSAT system, a variety of tasks can be performed. Once the system is infiltrated, the attacker can easily view call logs on the VSAT, upload firmware and modify system settings. Moreover, the VSAT system can be connected to other devices onboard and used as a gateway for gaining access to the vessel’s broader onboard network. Although this is an IT attack vector, it could allow access to OT systems through vendor VLANs. Evidence of some of these IPs and gateways is listed in Appendix A.

Exposed Email Addresses

Exposed emails, while not as critical as leaked credentials, still represent a risk to organizations. Attackers frequently search for email addresses to use in phishing and spam campaigns. Additionally, known email addresses can disclose information such as account name structure and assist attackers by giving them information to be used in social engineering attacks (the FIS Threat Intelligence Team can provide the full list of identified emails upon request).

• Holland America Line Inc has 72 exposed email addresses found on the internet.
• Cunard Line has 14 exposed email addresses found on the internet.
• Princess Cruise Lines LTD has 10 exposed email addresses found on the internet.
• Seabourn Cruise Line Limited has 24 exposed email addresses found on the internet.
• Aida has 47 exposed email addresses found on the internet.
• Fathom has 8 exposed email addresses found on the internet.
• P&O Cruises has 46 exposed email addresses found on the internet.
• Oracle has 4521 exposed email addresses found on the internet.
• Val-Matic Valve & Mfg Corp has 6 exposed email addresses found on the internet.
• Schneider has 108 exposed email addresses found on the internet.
• Westmark Fairbanks Hotel has 1 exposed email address found on the internet.
• Cruises Only has 3 exposed email addresses found on the internet.
• Siemens has 6111 exposed email addresses found on the internet.
• Accesso, LLC has 19 exposed email addresses found on the internet.
• Westours Motors Coaches, Inc has 19 exposed email addresses found on the internet.
• Halton Co has 55 exposed email addresses found on the internet.
• The Onboard Spa has 13 exposed email addresses found on the internet.

Recommended actions include:

• Engage the vendors to review their user education programs.
• Engage the vendors to assess their password policies.
• Engage the vendors to assess their security training programs for help desk personnel.

Emerging Risk Brief: Maritime Cyber Threat Intelligence and Vulnerability Landscape

COPYRIGHT © 2019. FORTRESS INFORMATION SECURITY. ALL RIGHTS RESERVED.