
and I'm a supervisor at KPMG in Greece, in the cyber security practice. What we're actually doing is cyber security services and digital transformation in the cyber space, and we do a little bit of threat management. I'm also a member of the HackTrain community in the UK, if you've ever heard about it, in the train industry. And my love for the sea, as captain and skipper, was my incentive for this presentation. I know if anyone is familiar with, or has relatives in, the maritime, it will be of assistance for this. So, what we'll discuss today is the maritime, and we will start from the early ages, because shipping has been here since mankind. Imagine that for 3,000 years now,
we have used cargo shipping for the transportation of goods, and a number that came up recently is that 90% of world trade is carried out by shipping transportation, a capacity that has increased in the last 60 years by over 20,000%. And of course what we saw from our clients, from our case studies in the industry and in maritime, was that port vessels, seaports, and anything included in the maritime industry are well connected with very high-end IT infrastructure being important recently. But just to give you an insight into the statistics: the sea, as you all know, covers 70% of the surface of the Earth, and 80%
of the people live near or by the coast. And of course 95% of internet traffic goes underwater. So it makes the sea, etc., part of our life and supporting humankind. And another number that I would like to bring to this presentation is the large container ships, to give you an insight into how big they are. Imagine that a large cargo ship can carry the cargo of 1,000 planes or 35 big trains or 11,000 loaded trucks. That means a huge amount of money and a huge amount of products are being transported through cargo ships, through containers, by sea. So imagine that the maritime industry is at a hybrid now that invests a lot of money in the IT
industry, which makes a bigger exposure to risks that are not well known. We started from a quick survey, a recent survey that we performed, which found that cyber awareness in the maritime industry is low or non-existent. We did a lot of talks with CEOs of shipping companies, with brokers and charterers, and everything indicates that they are not well aware. So what this actually brings to our mind: if you have such a highly connected, such a huge industry connected with IT, it means there is exposure. And recently we put together some high-profile attacks that happened in the last 10 years, like hackers shutting down an oil rig, a petroleum plant in
Houston, which we will see later. Or Somali pirates who hired sophisticated hackers to attack ships and drive them close to the Gulf of Aden, which is a forbidden area for big ships. You know all the pirates that have been heated, and we always see the movie. And of course the GPS spoofing attack that happened recently between South Korea and North Korea, when fishermen returned to port early because they couldn't estimate the GPS signal due to a spoofing attack that came from North Korea. So all this seems a little bit disturbing for this industry that exchanges a lot of goods and money and somehow supports the system. So I'd like to go briefly through
two, three, five cyber attacks just to give you an insight, and then we will discuss later an example case that we've started to perform in our offices. Recently we saw the Maersk cyber attack: it was hit by the NotPetya malware, if you know the file sharing. Just to understand what happened there, imagine that the company shut down 76 ports globally, in India, in the USA, in Spain, and all the online traffic of file sharing. You have to understand that when a vessel comes into a port, they have to exchange documents in order to get approval from the captain, then send it back to the ship owner, then send it to the port authority. So it means
a lot of paperwork is being performed, which goes online through file sharing and exchanging mails. But this went offline, and this, let's say, failure cost the business 300 billion, 300 million, 300 million. And I have an example here: imagine that a ship would enter the port every 15 minutes with 20,000 cargoes that have to be offloaded, and it has to be performed with no IT. So everything went on paper. And the Maersk CEO was the CEO of SAP, if you know. So the IT infrastructure was state of the art for shipping companies in 2017. Now there have been some reconstructions on that. Another one was near our neighbor, Cyprus, in
Limassol, a phishing attack by e-mail: some people impersonated the fuel suppliers in Africa that provide fuel to the ships, and they asked politely to change the account for depositing the amount of money, and actually it was paid to another account that Interpol found out later was in Poland. The company there lost half a million also. Another one was the oil rig stability in Houston, when oil workers who spent free time on the internet through the satellite communication downloaded malware through pornographic material or through torrents and actually infected the control management system of the oil rig, and through a RAT they could get
remote access and execute commands in the control system of the oil rig. And recently there was another sophisticated attack from drug smugglers who hired hackers to infiltrate and get access to the cargo management system in the Port of Antwerp in Brussels. They wanted to locate the cargoes containing drugs in order to dispatch drivers to locate the cargoes and take them before schedule, so that nobody would find out that the shipment was carrying drugs. But all this came to the conclusion that there are many vulnerabilities in onboard systems in the shipping industry. Meaning that a large ship has a lot of known but obsolete systems. Like they don't have, let's say, access control to
some sensitive information or
they don't use segmented networks or VLANs to protect sensitive information or the systems that carry on the management of the ship. And of course there is low quality of communication: imagine that a broadband of 50 megabits is not the case for a cargo ship, because they use satellite communication, which actually is 64 kilobytes. So imagine that if something happens to the ship, they cannot download security patches to fix it, or they cannot even get updates. So everything that is carried on a ship's systems is quite obsolete and very vulnerable. And of course it is, let's say, a high-risk target for any potential hacker due to the large amount of money that the shipping companies are carrying, and they
are willing to pay, of course, as the research shows us. So we did an assessment and we put together some vulnerable onboard systems, like the SCADA that is used by the propulsion system of the ship. Or the AIS and GPIS, the charts, let's say, that navigate the ships. It gets updated because it's exchanging files with offshore and onshore gateways and drives the ship. And of course we found out that the RFID tracking system is very vulnerable to infection because they do not use encryption or, let's say, best practices of cyber security to protect information exchanged between the ports and the ships, so if either of the two is infected, the malicious attack may carry on to the ship
and infect both the ship and the port. And of course, yes, the GPS spoofing: it's something under research now, and I would like to bring this to this presentation since we tried to test it in the lab, but actually we didn't have good results. But I would like to give a high-level preview of what it actually is and how it is performed. So GPS spoofing is sending false information to the ship. Any ship in the Atlantic or in the ocean gets direction from satellites, from different satellites, meaning that it communicates with 2, 3, 4 satellites, gets the direction where it is, sending back information and back to the ship again, and that makes the position of the ship depicted in the chart. So the
captain knows where the ship is located in the ocean. Of course there are beacons around, you see, onshore and offshore; all these transmissions are between VTS, or might be through the internet as well, through the satellite communication.
An example of calculating a wrong position is this one. As you can see, a ship gets direction from the constellation of satellites, of three satellites, let's say. And you have a neighbor, a close attacker, a bad person, let's say, who transmits a GPS signal that emits from your antenna, and you are the bad guy, let's say. It makes the ship understand that there is another satellite that provides information to the ship. So you have three satellites, let's say, in our example, that provide information to the ship and one that gives the wrong direction. So what does it do to the ship? They get the wrong position in their systems. And what do they have to do? The captain
has to recalculate the route again in order to get to the right orbit. But what actually happens? It gets the ship into the wrong position, because after the new data is inserted into the system, into the global positioning system, the ship already deviates from its formal and original route, so it is being spoofed and drives to another location. As you can see, there is plenty of information that can be found on the internet; especially, there are some platforms for which you can get a license, and looking there you can get a lot of information on any ship that's at sea. Imagine that any ship that communicates with a satellite has an IP address, so that makes the ship vulnerable to the network as well, because you can find
the IP and where the ship is located. Some cyber defense on that is encrypting the GPS; actually it is already being applied by the US military, and we see that the British already implemented a new radar system, eLoran, but it takes time to develop. So it's not something that can come very easily to the shipping industry. But as we said before, they are not so much aware of the risks that they are running.
I will go quickly through this because it's the cyber defense that we did with our clients, to see what's happening when they need to protect against all this risk: we propose a security architecture, which does not exist right now. Not in ports and not in the ships. A basic one, something to develop like an architectural framework to protect your system and segregate your network. We need identity and access management. Recently, we had a meeting with the CEO of a shipping company here in Greece, and they said they wanted to adopt identity and access management. What they actually did, because the knowledge of IT in these companies is limited: they downloaded an app from an app store, DocuSign, and
all members that would like to exchange files sign in with their corporate accounts and they exchange files like this. Nothing to do with identity and access management; the need exists for them, but they don't know how to approach it. Of course education and awareness, which is critical in this area since, as we said at the start, it's low or non-existent. Some technical security measures that we have already gone through: maritime systems need assessment. Actually they don't have a standardized IT environment, meaning that there are a lot of web applications running that have been developed by their developers just to support the ships, and these have to be compatible with the applications in the ports, meaning
that there is no standardization in the systems and a lack of security and best practices; we didn't come across any security best practice. Of course, they don't have IDS or IPS, something that detects or might prevent an attack, either to the ships or to the main function of the IT in the ports. And as for some services that we have already provided, we did a couple of cyber exercises. We compiled a couple of attack scenarios, how to pretend that we're an attacker for a shipboard. Until now, all the shipping companies have been directed to penetration test their systems and the infrastructure in the company where the people are working, computer environments, but not the vulnerable systems that operate on a
ship. Which means, up to now, for us, it was out of scope. So now we try to exploit vulnerabilities on SCADA systems in the propulsion, or in the RFIDs, or in the satellite communication, or the radio transmission, which is actually unencrypted and can very easily be hijacked.
But of course there is no incident response, meaning that if something happens, you know, the silos in the shipping companies are very high. If something happens to a shipping company, due to the fact that it will affect the financial potential crisis, they don't mention it. So the community, the maritime industry, is not aware of what's happening. But we found out again recently in a meeting that a CEO said that they have been victims of a phishing attack in which some company in Bangladesh pretended that they were selling something to the captain of the ship and they wanted to get paid immediately. So they lost like 30,000. Which is not a big deal for them because of the amount of money of the transaction; they don't
see it as a cyber attack since they didn't lose so much money. And what to expect is that the Internet of Things has already been applied in the shipping industry. Many small devices on the ship are communicating with protocols like Zigbee and interact with each other. And data analytics as well. Now the shipping companies are implementing big data platforms in order to gather information from any potential devices that are running on a ship, like the fuel consumption or the system performance, and are starting to have an initiative on that. And of course the crewless ships that have been performed recently, last year in Scandinavia, where ships monitored from the shore, with no crew, have been driven at sea.
It's been remotely targeted. Here I conclude some global resources, as we follow them. But the point is that the best practices are very real. And a lot of work remains to be continued in support of the maritime. That's it from me.