Playing with Ballast

A low-tech attack on a ship's onboard PCs could become the entry point into operational systems such as ballast tank control. Filling or emptying ballast tanks from a compromised network could cause the ship to list and possibly capsize. Such an attack could be criminally motivated, or it could be a terrorist attack against a vessel and the port facility it is arriving at or departing from.

While working in a large US East Coast port many years ago, I would marvel at the size of the LNG ships entering the port and navigating narrow channels to the LNG terminal. Imagine a bad actor able to penetrate the rather basic PCs on such a ship and take over an operation like filling or emptying its ballast tanks. The ship begins to list and crashes into an adjacent pier, causing a major explosion. A past Sandia National Laboratories white paper estimates an LNG explosion would produce a sizeable "fireball."[1]

Maritime transport remains one of the most economical and vital modes of shipping in the world economy. On-time, intact shipments affect everything from commodity availability and market pricing to the stability of a small country.[2] Many cyber researchers believe capsizing a merchant vessel with a cyberattack is a relatively easy task. Researchers have already reported many ways to infiltrate on-board vessel networks: satcom hacking, phishing, USB attacks, insecure crew Wi-Fi, and so on. But a critical question remains: once an attacker is inside a vessel network, what can they actually do to the ship?

In 2015, Wapack Labs outlined the infiltration of a Danish pilotage company called DanPilot. DanPilot is a publicly owned Danish company that provides expert piloting services to ships passing between the Baltic Sea and the North Sea. This heavily traversed seaway is a primary route for the movement of oil, gas and other goods between Russia, the Nordic countries and the northern European Union. We discovered that hackers had compromised DanPilot computers. The computers were likely targeted by Nigerian attackers who installed keyloggers to collect DanPilot user names and credentials, probably to sell them for fraudulent use. DanPilot acts as the maritime equivalent of an air traffic control system for this very dangerous stretch of water. Loss of piloting control at DanPilot could easily mean maritime disaster, or at a minimum shipment delays. From a physical perspective, loss of pilot control could result in collisions, environmental damage (an oil spill) and lost lives. That analysis is now more than five years old, yet it demonstrates the past and still current cyber intrusion into the maritime transportation sector. This was a financially motivated attack, yet it could easily have pivoted into a criminal or terrorist attack.

Figure 1. Moxa device

Critical vessel control systems, including IP-to-serial converters, GPS receivers and the Voyage Data Recorder (VDR), may be compromised with relative ease. Many vessel operating devices still run Windows XP or Windows NT. System administrators rarely change the admin passwords on these PCs, and the ships that do use non-default credentials likely still run out-of-date firmware that is often easily defeated. An example cited by Threatpost is that many Moxa device servers aboard ships are vulnerable to a firmware downgrade attack that would allow easy compromise. Researchers describe these as "low-skill attacks." Password security and patch management are so poor at sea that compromise does not require significant expertise.

These easily hacked devices communicate with a number of control systems using a standardized messaging format called NMEA 0183[3] (GPS receivers emit a subset of its sentences). The systems on the other end include autopilot, propulsion control, dynamic positioning, engine control, ballast control and digital compasses; basically everything needed to operate a ship.

Figure 2. MV Hoegh Osaka car carrier

Messages are commonly carried over RS485 serial data links, either directly or encapsulated over IP networks. Some research has shown that the Controller Area Network (CAN) is used as a bridge between IP and serial. Any point where serial meets IP is a point where an attacker can potentially reach the messaging system. NMEA 0183 carries no authentication; its only integrity check is a one-byte XOR checksum that any sender can compute, so a receiver cannot tell a forged sentence from a legitimate one. Once an attacker can reach the control systems, it would for instance be possible to replay the MV Hoegh Osaka incident, in which the car carrier's ballast tanks were not filled correctly and the ship developed a heavy list during a tight turn out of port. It narrowly avoided capsizing due to a favorable wind direction. "Modern ballast control systems provide remote monitoring and operation from the bridge, usually running on a PC," researchers explain. "So, the attacker would simply send the appropriate serial data to the ballast pump controllers, causing them all to pump from port to starboard ballast tanks. That change in trim alone could cause a capsize." If the change in ballast alone were not enough to capsize the vessel, an additional NMEA message to the autopilot could command a turn in either direction, which may be enough to capsize the ship.
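To make the NMEA 0183 point concrete, here is an added example (illustrative code written for this article, not Wapack Labs' or any vendor's software) that frames and parses NMEA 0183 sentences and runs a small monitor over a constructed capture, as a tap at a serial-to-IP converter might see it. It shows two things: that forging a well-formed sentence requires nothing more than the XOR checksum, and that a monitor on the serial/IP boundary can still flag sentences that fail the checksum or do not belong on a given segment. The `$PBLST` ballast sentence and the allowlist of expected sentences are assumptions made up for the example, not a real vendor format or a real ship's configuration.

```python
"""NMEA 0183 framing, parsing and a tap-side monitor (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def nmea_checksum(body: str) -> str:
    """XOR every byte between '$' and '*', returned as two uppercase hex digits."""
    cs = 0
    for b in body.encode("ascii"):
        cs ^= b
    return f"{cs:02X}"


def build_sentence(body: str) -> str:
    """Frame a body as a complete sentence: $<body>*<checksum>\\r\\n.

    There is no key involved: anyone who can write to the serial line, or to
    the IP side of a serial converter, can produce a sentence that every
    receiver accepts as well-formed.
    """
    return f"${body}*{nmea_checksum(body)}\r\n"


@dataclass
class Sentence:
    talker: str          # "GP" for a GPS receiver, "HE" for a gyro, "P" for proprietary
    formatter: str       # "RMC", "HDT", ... or the vendor code of a proprietary sentence
    fields: List[str]
    checksum_ok: bool
    raw: str


def parse_sentence(line: str) -> Optional[Sentence]:
    """Split one line into address, fields and checksum; None if not NMEA-shaped."""
    line = line.strip()
    if not line.startswith("$") or "*" not in line:
        return None
    body, _, cs = line[1:].partition("*")
    addr, *fields = body.split(",")
    checksum_ok = cs.upper() == nmea_checksum(body)
    if addr.startswith("P"):            # proprietary sentence: $P<vendor code>
        talker, formatter = "P", addr[1:]
    else:                               # standard sentence: $<2-char talker><3-char formatter>
        talker, formatter = addr[:2], addr[2:]
    return Sentence(talker, formatter, fields, checksum_ok, line)


# Assumed allowlist: what the bridge sensor segment is expected to carry.
# A command to a ballast pump or autopilot has no business on this segment.
EXPECTED = {("GP", "RMC"), ("GP", "GGA"), ("HE", "HDT")}


def monitor(stream: str) -> List[Tuple[str, str]]:
    """Return (reason, raw_line) alerts for sentences that should not be trusted."""
    alerts = []
    for raw in stream.splitlines():
        s = parse_sentence(raw)
        if s is None:
            alerts.append(("unparsable", raw))
        elif not s.checksum_ok:
            alerts.append(("bad_checksum", s.raw))
        elif (s.talker, s.formatter) not in EXPECTED:
            alerts.append(("unexpected_sentence", s.raw))
    return alerts


def sample_stream() -> str:
    """Constructed traffic for the example; not a real capture."""
    good_rmc = build_sentence(
        "GPRMC,123519,A,4807.038,N,01131.000,E,022.4,084.4,230394,003.1,W")
    good_hdt = build_sentence("HEHDT,084.4,T")
    # Heading altered after framing (line noise or a careless injector):
    # the checksum no longer matches the body.
    tampered_hdt = good_hdt.replace("084.4", "184.4")
    # Forged proprietary ballast command (assumed format). It carries a
    # correct checksum, so only the allowlist catches it.
    forged_ballast = build_sentence("PBLST,PUMP,PORT,STBD,ON")
    return good_rmc + tampered_hdt + forged_ballast + good_hdt


if __name__ == "__main__":
    for reason, line in monitor(sample_stream()):
        print(f"{reason:20s} {line}")
```

Run as a script, the monitor flags the tampered heading for its checksum and the forged ballast command for being out of place; the forged command would otherwise be accepted by any NMEA consumer, which is the whole problem. The allowlist is the useful control here: the checksum detects corruption, not an attacker.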

Figure 3. Damage to cars on MV Hoegh Osaka

Access to the ship's control system could be remote or local, depending on the attacker's preference and motivation. Several research firms have conducted tests of remote attacks over satcoms. Serial network attacks can be carried out remotely via the satcom connection, or by physically locating the converters. Previous research has shown that forcing a ship off course or causing a collision, which in a tight channel or while passing under a bridge could be disastrous, is feasible.

Ship owners are seldom the ship operators, and charter operators are rarely interested in security, especially cyber security. While responsibility and liability for maritime cyber security incidents remain unclear, it is difficult to identify who should take charge of patching and of cyber-risk management.

By: Bill Schenkelberg, virtual Trust Officer (vTO)

About Wapack Labs

Wapack Labs, located in New Boston, NH, is a Cyber Threat Analysis and Intelligence organization supporting the Red Sky Alliance, the FS-ISAC, and individual corporations. For questions or comments regarding this report, please contact the lab directly at 1-844-492-7225 or feedback@wapacklabs.com

[1] https://apps.dtic.mil/dtic/tr/fulltext/u2/a442674.pdf

[2] https://threatpost.com/hacker-capsize-ship-sea/142077/

[3] http://freenmea.net/docs
