
First things, can you hear me in the back? Okay, you do have to worry about these microphones. Fantastic. Um, me Monroe, I was a pentester many years ago. I was a CHECK team member in 2007, but yeah, that's about as far as I got. Um, that was pre who remembers Paros? Anyone with gray hair? Yeah, cool. Um, I work for a firm called Pen Test Partners, PTP. My particular interest is embedded systems. Uh we've got a team of hardware guys that do amazing things. Now this isn't actually my talk. Uh this talk would typically have been delivered by one of my colleagues called Andrew Tierney. Cybergibbons. Follow him. He's amazing. The reason he can't give this talk is
actually he's on a cruise ship right now. And um anyone here ever pentested a vessel? No. Good. Okay. You're going to look good. One of you. One of the great things about um cruise ships is you get to go to some really really cool places. So his itinerary is land in Miami this afternoon. He then gets on the cruise ship with the customers on board, goes to Costa in Mexico, then Roatán, Honduras, then Cozumel in Mexico and then back to the Bahamas and finally Miami. Wow, what a life. Get involved in ship pen testing. It's really really good fun. It's also like shooting fish in a barrel. Um, right. I believe based upon some
stats that the US Coast Guard put out that we've pentested more vessels than anyone else over the last few years. But quick gathering of the primary problems we find is number one, documentation is shocking. Change control is appalling around that documentation. Network segmentation is supposed to work. Um, it's often segmented into fire zones for obvious reasons, but it's usually quite easy to defeat that and then third parties. A lot of the shipping and cruise operators are starting to get the hang of security now, but they're being slowly let down by their supply chain. So, they bring in third parties to do engine monitoring, performance monitoring, even entertainment systems on your cruise ship, and those third
parties keep letting them down. So, one of the real challenges we have with any vessel, but particularly cruise ships, is you don't get downtime. You are working on a vessel with thousands of people on board. You can't do anything to that vessel that's going to jeopardize its safety. You have to be extremely careful. And those of you with experience of working in OT environments will know how easy it is to knock things over. You don't have the option to do that. So how do you go about testing a live environment that's safety critical but giving a degree of assurance as well? One thing there is be no noise. You will not see any output from tooling
or scanners. So that's when I bring in the concept of what's called a network ferret. And if you follow Andrew, you'll know. Andrew, you know a lot about bananas and also network ferreting. What is a network ferret? Well, it's about physically finding things because we can't use the usual tooling that we're familiar with for network discovery. It's hard. It's going to be difficult. So we physically have to go and cable trace and find stuff. And given the size and complexity of a cruise ship, how do you do that quickly and efficiently given you've got, if you're lucky, five or six days, that's not enough time to do a full assessment of a vessel. So, where the hell do you start? And Andrew
loves taking photographs of himself. But the way that you're going to get stuff is physically exploring that ship and being really efficient and intelligent about how you find stuff and how you prioritize vulnerabilities that really matter. You are going to do a lot of steps. Uh there was a cruising incident in very heavy heavy weather in the Bay of Biscay. It made the press. Um somebody died on the back of it and we were on board that ship at that time. Stuff was flying around the server rooms. It was rolling so much. But anyway, we carried on. So how do you find issues in a ship? Now those of you again, you've got experience environments. Where do you start? Well,
you're going to start with paper. Then you might escalate a little bit. But one thing in six, seven years of testing ships, we have never ever needed or used an exploit. You don't. I told you it was easy. It is like shooting fish in a barrel. So, let's start with the safest way of evaluating the network on vessel. So, you're going to get some documentation. And I'm sure like all of us who worked in pen testing a long time, what you really want to do is a white box test. You want source code. You want everything that's going to accelerate what you do. Now getting documentation of a cruise ship network. If there's bad documentation, it's just
going to slow down. If there's good documentation, you're going to find vulnerabilities, but you're going to find them faster cuz you can accelerate. Sometimes we get really good networks and off track that one very quickly. See, there was worthwhile focusing over there. You'll see electronically updated great change control on documentation, which is brilliant. It saves us time. But more often, again, I'm sure those of you who have ever worked in utility, you're going to find stuff stuck to cabinets. You're going to find stuff's been updated, stuff's been changed, there's pens in there, and very often that that network diagram doesn't really relate to what's going on inside that um system. So, they're going to have a lot of problems trying to figure
out exactly what's going on. Sometimes you can really target, you'll say, "Look, all the stuff's here. Great. Let's target that." But most time you get junk and you end up having to go exploring and you'll explore and you'll find lots of really weird and unusual systems the likes of which you probably haven't encountered before. So that is a stability management system. Stability management on any vessel is important. On a cruise ship it's particularly important because a lot of your cabins are high up. So it's critically important how the weight is ballasted around the vessel. It's important to have it correctly correct what we call the metacentric height so it doesn't rock too much so you make the
passengers sick. It's important to have the vessel in trim fore and aft otherwise it's not very fuel efficient. So if you're not in trim you'll use more fuel. You'll find weird things like uh mediated mediated devices that aggregate lots of sacks. When your customer gets on board that cruise ship, they want internets. And since we've had VSAT and Starlink, they expect always on connectivity and you'll need lots of devices to aggregate that and broker around the vessel. You find some other weird things as well. And you have to go hunting and sometimes the easiest way to go hunting is looking for stuff that people weren't expecting, the undocumented things. The number of times you will find
wireless access points that the crew didn't know about and the yard didn't know about when it was built and what's happened is a third party's come in so in case it was AB you probably know from environments a very large OT integrator but you'll find access points all over the place so you might as well just get on your phone and start hunting them and see what they do. Very rarely do the crews, and in some cases even the owners and operators of these vessels, know these things existed. So, you'll find open or probably secured access points or access points with generic keys that are common across every one of them that gives you back
door access into critical systems. So, that could be your cruise staff member or your customer. One of the most common sources of threat issues on board the vessel is actually the staff. They all have a certain amount of metered internet access that they're allowed on every trip. And of course, what does everyone do? They guzzle it all and they'll get more. So the staff will often either buy vouchers from each other or try and bypass the metering. And actually one of the last examples I've got in this talk is a bypass of one staff access internet access points that gave us access to the bridge control systems. So find things you then find lots of other weird MM devices. So that
NET device anyone seen MBNet device before? We'll get to it in a bit more detail in a minute. And lots of other random and weird connectivity devices that have just been chucked in to patch panels that do weird things and very often they haven't been configured correctly. They've been left with default states. They haven't got credentials set. All sorts of random weird and unusual things. Even in this case we got into a power management cabinet and found this device top right and what was fascinating was that it's 4G connectivity but the antennas hadn't been connected. What we think happened is when this was being built they actually ran out of non-connected devices so put a connectivity device and
just remove the antennas. You'll see sort of weirdness all the time. Um this is actually on uh a different vessel. We're following um a cable down some trunking. Asked the client if we could pull it out, pulled it out and in there was a completely unknown cellular router. Client had no idea what had been done. We think it was related to third party that put it in for so they connect remotely. Uh and we the client said should we just disconnect it and see who screamed? Disconnected it. No one screamed. Winner. One of the other challenges we see is again particularly in shipping environments and I'm sure you see it on land all the time is if you make
security controls too people will try and find ways around them. I'm going to give you an example from sea not on a cruise ship but this is on a a Moss Maritime CS55 exploration drilling platform. Uh and we were challenged a little while back to um see if remotely we could take uh control of dynamic positioning system. Um this thing can drive itself out to a potential well sites but about four knots he gets towed. The DPS is there so it doesn't have to put down anchors in very deep waters. You can quickly do exploratory um B and see if your well is going to produce oil in which case you bring in a fixed rig.
This one was really interesting though. Uh the organization in question was really worried. It wasn't that long after Deepwater Horizon. They were very worried that if someone could compromise their vessel externally and disable the dynamic positioning system, the thrusters, it would drift station, break the umbilical, and then the blowout preventer could cause problems and then you have another Deepwater Horizon. So they were really worried about this. They wanted to know if we could find a way in. And one of those interesting exercises which showed that uh there were challenges with people trying to bypass network segregation. So we're in one of the engineering uh offices and we found this PC quite interesting and this
engine was really interesting in order to go and administrate the systems. These are all held down in stations and that was down 13 flights of metal stairs in the dark. It was horrible. So to go and do anything, you had to go down 13 flights of steps, do whatever you want, then come back up. So we were looking at this um office up in the nice warm part of the uh the rig and
suffix. That's interesting. Why is that? Why is that been connected to C local? Why is it disconnected? So we started having a bit of a closer look. You ever get that thing where you turn up to do a pen test and um everything's clean and like nothing's wrong? And yeah, I mean that one well this is one you see physically this RJ this was actually hanging just off the side on the the board and I don't know if you can see from the photograph you see that is actually really clean whereas that was actually quite dirty. Thought I get the feeling this engineer actually knew we were coming right >> and pulled a cable out. We thought why
don't we put it back and see what happens. So we popped it back in and as a result of that we discovered oh it picked up a um IP address. It was connected to the corporate network even though it should have been one of the drilling networks and um yeah he got domain admin hashes and that gave us compromise from that particular vessel of every single one of their rigs and HQ. if we got the A. Yeah, just from one little removed um article called Dport. But the job went quite further than this because um what the client's worried about that could screw around with the dynamic positioning system couldn't cause horizon. And in fairness, the network was quite well
designed. So the propulsion system which we were targeting was actually very well segregated from the rest of the network. We did find a route from um MPC from the C network local into the drilling control network. Great. That was interesting. But it still didn't give us the bridge into the propulsion system because it was a good Yeah, it had team gear on it. Awkward. Um, so that gave us reach from the public internet into the drilling control network, but we still couldn't get access to propulsion system. And that's when we uh found some of the switches that involved doing some of the segregation. They were seen scaly anyone looked at scale really interesting very very common um
industrial control network. So we'll encapsulate the um serial data encapsulate it onto um IP which is much better at being transmitted longer distances because sending serial over 300, 400 m you're going to get a table of signal degradation. So we'll encapsulate in IP. So, we found loads of these switches. Went back. We bought one on eBay. We couldn't understand though. We were looking at it why the password hash, the admin password, the hash got longer with longer passwords and like that's not a hash, is it? We're doing something else here, right? Yeah. The one thing we know is a hash is always the same there, right? So, went and bought one um off eBay. Little bit more
research. Found a 20-pin JTAG, had a firmware off it. Did some very clever things that I'll be honest with you I don't particularly understand um and reverse engineered and discovered that actually instead of hashing passwords they were encrypting them with a static password of ELS debug uh which meant of course you could then break the password and now we defeated the segregation of DPS. As a little aside um vulnerability disclosure is usually very very tough. I manage all disclosures at PTP, probably 200 a year now. Um some of them are quite challenging but actually seems really really good with this. Um they acknowledged it within a couple of hours, verified it the next day. So
yeah, we think this is quite big though. We think it affects more than you believe. So it took about 6 weeks, but they still fantastic. Pushed out a patch. Um it's nice to see a vendor getting a good rep dealing with vulnerabilities. Anyway, that gave the compromise that gave the ability to break down the segregation. Um, all the while though, we discovered that the um the vendor of the propulsion system had a back door into the thrusters as well. That was very quickly removed. Anyway, back to cruise ship. What do we find? Stuff everywhere. We'll talk about that. Um, we're on one cruise ship and there was in the kitchens there was a smart herb garden. So, they were trying to um
grow their own herbs on board. It was a nice idea, right? So everything's fresh and it was this device that was um managing it for them and yeah yeah yeah Raspberry Pi lack of secure boot loader uh not a great way to go. So we managed to compromise that that was a bit of fun and you also find lots of other devices just flying around. It's just crazy. Probably one of the maddest uh compromises we had. Um has anyone been on a cruise ship? I've been on a few. I'm not really a fan of cruising but hey whatever. Uh, I asked DALL-E to give me a picture of a golf simulator on a cruise ship as they did. Um, anyway, so we're
on a cruise ship and board cruise ship passengers want to keep their golf swing up, right? So, the golf simulators on board. So, we started looking at this golf sim, which is quite interesting. And um, yeah, the organization had put it onto a a separate VLAN. Um, they considered it a dirty V uh, the tech they called it. and all of their more sensitive stuff, stuff they consider a bit dirty, was on that separate VLAN, including the golf sim. Uh, now that golf needed to be able to manage by the uh the vendor. They needed to update um the software, troubleshoot remotely, so they had access was put on a separate subnet. Unfortunately, um it
had Tinger available and over a period of a couple of days on that same VLAN managed to get compromised remotely through default Tinger creds. Then realized that on that same dirty VLAN there was an old and outdated web interface the safety management control system which is one of the things that runs everything on a cruise ship. They've got access to other VLAN voyage data recorder which I'll talk about in a minute. At that point we could have bricked the voyage data recorder. Now the VDR on a ship is effectively black box on an airplane. Your VDR isn't operating, your insurance isn't covered, your ship don't go nowhere. So we could have stopped that vessel sailing with several thousand customers
on board, multiple staff. That would be very very expensive incident just because someone didn't get third party segregation, right? But it's also quite important I think sometime to talk about the risks, aren't there? And the great from this well AB device just pulled the config from the SD card and walked off. Is there a risk? I don't know. I'm not sure. Uh, you'll often find critical systems that rely on USB do license management. Can you pull it out? Does it matter? I don't know. Physical controls not so much of a problem and other weird devices that do weird things. So, that's really just basic stuff. What about the next level? Where where are we going to
go to that's not very likely to cause outages and incidents onboard the vessel? We've done paper, we've done exploration. What about, I don't know, doing something really simple like passive ARP? What we do with ARP to find things you know I don't need to teach about ARP it's a bit pointless um but what it does do is quickly and relatively safely allow you to evaluate local network. So good example of a find we made just by doing passive ARP was looking at the ARP table. Now most times you're going to see stuff useless to you HP whatever completely useless to you but then just occasionally cuz remember you're on a cruise ship now you're going
to see weird on urm. What the hell are urtherm? Well, urethm are a really interesting organization. Spend quite a bit time looking into them. They do among many things oily water separators. Now, what's oily water? Well, when you your bilge tanks are filled for balance or um engine, you get oil in them. And when you need to clean bilge tanks, it's illegal just to pump them uncleaned into water. So you have an oily water separator which will take the shitty stuff off and put it into a separate storage tank giving you relatively clean bilge water which is then put through some chemical treatment and it's then safe to put overboard. So this is really interesting. So we've done layers here.
We found the oily water scrub. Now, on this particular vessel, the chief, that's the chief engineer. Really interesting person to talk to. By the way, always take coffee and donuts onto a ship and go and talk to the chief cuz they'll tell you everything you need to know. This old desktop PC had been repurposed to connect the CCTV so he could see it and also the oil water separator so he could measure. This is a really important thing. If you get if you pump your oil water overboard, right, you're in big big trouble. Massive fine. So, he repurposed his old PC and this is what the network was supposed to look like is his new PC was now plugged into the main
corporate network and the old PC on a completely isolated subnet where CCTV or the water separated. However, as often happens with best laid plans and all that, um, someone had just plugged a switch in and meant that he could now administrate the oil separator from his new PC as well. It had completely blown down segregation and there is the switch that shouldn't have been there. That completely blew apart the um segregation to be there. So now a really interesting route from the business network into really dangerous places. Get on to it. Yes, guess what? It hasn't been configured very well. No one's bothered to lock it down and it's a right old mess. Yeah. So, that wasn't great. Do
you remember I mentioned about MVEX? Um, so this is one of the generators on board. This is one of the much smaller ones, right? So, this is this is what your emergency generator. Remember the MV Dali incident in Baltimore, right? So, part of the reason that went wrong is they've misconfigured the main breaker and the emergency generator when it um spun up tripped a bunch of other out first. Hadn't configured it right. Worth reading the report. This is the emergency generator. If you lose power, it must come on for 30 seconds. If you don't have power on a vessel, you've got no hydraulics. You've got no control of steering. So, you are drifting, right? So, you have to have your um generators
working. This is a critical device. You ain't sailing like your voyage data recorder. And in there we found this NB spy device being used to provide a degree of segregation between one network that was uh less concerning and a high value network managing the generators but of course LAN go through the same port. Interesting. So what it was supposed to do was provide a degree segregation from the shan into the generator controllers but on port all you have to do is change your IP address. So that's on there and now you can access all the devices. Great. So that gave us access to all the generators and now we can shut the ship down. Nothing else works. Bad day.
Uh another mad one. Back to uh text virus. When you're aboard a cruise ship, most of the cruise ships we've been on have had NAC in place. Network access control. Right. So if you don't present the right certificate, you ain't going on the network. Great. Now a new load computer, so the stability computer that's supposed to make sure you put the bananas in the right place, right? Was being installed by third party and needed to have a user interface on the bridge so captain could check stability and move ballast as need that would talk to the server which is down seven decks where all the tech stuff was. The >> problem you've got is cable routing on
board ships is complicated. If you need to route cable, you're going to need to drill through the deck plate, send decks, send drills. That hole then needs to be fireproofed and waterproofed otherwise you've got major issues which means that drilling holes in ships is really really expensive and tech providers will do anything they can to avoid drilling stuff. Now remember I said this had NAC. So when you connected without required certificate the NAC would drop you into a black hole. Great what you'd expect. Unfortunately devices in the black hole could communicate to each other. They weren't isolated so they could actually talk to each other which is really interesting because we did this and then what we noticed is the
tech installer the load computer had realized this too and realized they could just jack the UI into any wall port and jacked computer into any wall port and they could communicate. Brilliant. So we jacked into any wall port and could now see all the encrypted comms going between the two and had complete control over the load computer. Pop the load computer, pop a serial type converter and then have complete control of control and management system made the main engine go bad day just because a tech vendor was being lazy. We also see a trustyation route of dual homing being used very often. Now remember I talked how important it is being trim for fuel efficiency. Vessel
performance is a really really important um feature of any any ship. If you imagine when you fill up with fuel, when you bunker, you're talking millions of dollars of heavy fuel oil. So, anything you can do to use a bit less fuel is going to save you a lot of cash. So, that's when the performance monitoring system is really key. So, that'll be visible to the captain, the chief engineer, and probably also available back to shorebased HQ. So, they can see if the captain's being really efficient with their use of fuel. But where do you get all that data to give you performance analysis? So you got to drill holes, tap here, do or you
could go and find the one ring that rules them all, which is the voyage data recorder, of course, where all the data that you need that tells accident investigators how what the ship was doing before it sank is held. So it's got everything on the VDR. This is what's called the free module. uh unlike an airplane which is it's a really rugged uh uh black box there are two components to a VDR bit below deck which will store data and store it even in a water logged environment and then the float free module uh as soon as the ship goes down it becomes buoyant and floats free beacon on it and so if the ship's lost
the float free module floats on the surface and someone comes along and recovers it and works out what went wrong VDR very very important device. So that is what's called the uh data recording unit. That's below decks. It's a very complicated environment that broke a lot of as you can see serial data, IP data, lots of unused devices. So we're trying to do performance monitoring and we're connecting to the voyage data in order to get that data off. So in this particular case, we're asked to look at uh how the PMS full management system had been integrated with the data recording unit. Now, usually if the if the um ship has gone down and say the marine investigator
comes along, they'll plug into a Linux host which will give them forensically robust access long-term data store which is where all the stuff goes there. So, you got the fixed capsule below deck and float capsule above deck and that goes into the control here. So, we've got everything we want here for performance measuring to know we're being efficient in one box. How do we connect to it? Well, that's what you're supposed to do. Ideally, you're going through the Linux host, but that's actually forensically uh managed. It's behind locked flap really the best place. So, what about going in through the switch? Okay, interesting. There's the switch that's next to that. Ideally, what you'd expect in a dual end environment is to the
Windows box to the switch. What they really did is just connect it in that way, which was a really bad idea because what that gave us was a route from the business network through the voyage data recorder and the ability to get access to all of that data. Bad day. Interesting. And there you go. There's the voyage data recorder data in real time. We can now see exactly what's happening to the ship. We can see what's going on. Bad day. Yeah. Um, password hygiene on board vessel is not great. I never seen the password parameter misspelled as password. I have no idea what was going on there. Uh, yeah, once you're into the full read
access, everything on that VDR, you can destroy all the data. So, yeah, can break everything. And again, another technique for those of you who know your OT networks is to go and tap the network instead. Just go and sit there. And often we'll do as soon as we get on board and just pop pop a network tap in and leave it running for a few days to see what it's picking up and it can find you some really weird and unusual stuff listening. So this is a great example. This was another maritime tech vendor. So this is what if you haven't come across them. They're one of the two manufacturers of ships engines but they
do a lot of other technology as well. This was a device that was supposed to secure navigation systems aboard ships. So, uh, we don't carry paper charts anymore. We have digital navigation. It's called ECDIS, electronic chart display and information system, and that's the box you've got. There'll always be two on the bridge. And you'll look at those. It's a bit like a moon map. Uh, and they're very high value systems. It's critically important to keep up to date. One of my colleagues who used to be a ship's officer genuinely remembers being given paper chart updates in a jiffy bag and you'd have to go get them out and print the chart changes onto your paper map. They could be legal to
go to the next reef found or a wreck or whatever. So digital updates solve that but it's really really important to protect the integrity and the update mechanism of that digital mapping system. So this is why what's introduced is an ECDIS gateway and it's supposed to protect all those ECDIS navigational systems from compromise. Um unfortunately what they successfully did is expose every single one of their ECDIS gateways to compromise with this security device. What they've done is the uh they'd taken the MQTT topics and they hadn't put any form of authentication in front. Didn't put any client certificates or anything in front of which meant if you could access one of these devices you can get access to
every single one of the ECDIS environments managed by lots of different brands of ships cruise ships tankers you name it what a bulla so they try to sell a product to improve security and in process expose every single one of those devices and we find this time after time after time and boy it makes for a lot of vulnerability disclosures and other things. So, one of the joys of being on a cruise ship is there are bars on board and you can genuinely sit at the bar and do high value security research. So, this is one of the bars. Now, you remember I mentioned at the very beginning, a lot of the networks are around fire zones. So, they can close
down the networks, they'll put devices in a fire zone, use that as part of the segregation, too. So, we sat at one of the bars, asked the barman if we could jack in, and he was like, "Whatever, man." Okay. Um gave access and I don't know if you can see there, we've got access to that is one of the um uh storage batteries for a backup supply. Um yeah, that's interesting. So, we from the bar, we got access to one of the key backups in one of the devices. Uh yeah, little bit of exploring of the network got a bit further. This is with the um captive portals for crews get access to the internet. Bypass that compromised the um
the segregation on that network got us a bit further and off the back sitting at the bar that is the bridge control system. We got remote access to that whilst on the bridge but at the same time we also had it in the bathroom. So with a little bit thought, a little bit network ferreting, a little bit of careful knowledge and safe exploration, we've gone from the point of having a seat at the bar to having control of the ship only by that of the c of the captain. By way ships do have steering wheels, they never use them. That is the steering wheel on the ship. It's none of these crazy things in Yeah. Um that then from
that point onwards got us to some really interesting things. Is it better if I show you the next one? See OB Napper. Nappa is the vendor of one of the largest sat management control systems. Now we got access Nappa. We've got control of complete vessel. We have got absolutely everything there. So just to wrap up on cruise ships, scary places. Uh the good news is is there are some regs starting to take effect. So the International Maritime Organization, IMO, based in London, we've given presentations about ship cyber there uh just before COVID, oh sorry, no, just after COVID uh they brought in code 4898 that was supposed to address cyber security. It had almost no effect on real
world security on board vessels I don't know why they bo something's changed we've had something um new in terms of regulation so the uh International Association of Classification Societies, IACS. So classification societies are if you've not come across them they're effectively the organizations that give like an MOT for your ship. So organizations like DNV uh ABS marine bureau of shipping ClassNK uh Lloyd's Register uh yeah those sort of organizations there only 14 of them but they are the organizations come on board and check that your ship is safe and July the 1st they now had two new unified regulations E26 and 27 which cover cyber security. So, we're starting to see progress in ships towards making
them more secure and more robust, which is good. The problem we've got is this only applies to new builds from the rest of January this year. So, we've got an enormous, like, legacy of 10, 20, 30-year-olds that will never really be secure until they're scrapped. We are seeing progress in the right direction. The other major problem I have is the classification societies, to me, are a little bit like the rating agencies. So there's a bit of a conflict of interest there. So you go to Moody's to your stability of your bank or your debt and you don't like what they give you in terms of a rating. They just go to Fitch
instead, right? And actually I see a bit of a conflict of interest, is there is a commercial contractual relationship between the ship owner and the classification society. Money changes hands. So it's not massively in the, uh, interest of the classification society to go your ship is either you're not saying sail. So I think it will take a long time for vessels truly to get to a point we can't let a network f on board and they don't find a way of completely screwing it over. So that's a good start. There is progress in the right direction. But my conclusions from all this is you will never truly understand risk on board a cruise ship or in fact
any network without really good documentation, particularly if it's a serial network or an OT network. You'll never get there without really good change control, right? Your vessels evolve: ships are refitted, new stuff comes on board, people change things. So you cannot, um, keep your vessel documentation up to date without change control. And back to the rig: if your security controls are too robust, people will work out a way around them. So, it's got to be effective and efficient. Ships, when they're built, they're built at least cost. Typically, the yards will bid for it. They will build your ship at this price. And often cyber security is the area where you'll find a cut. Stuff gets added to vessels afterwards.
They're refitted. New bridges are put up. Stuff's upgraded. You need to have really good control over that. My one lasting point, the most critical one, is you as the ship owner, as a ship builder, as a ship operator have probably got one view of cyber security. I promise you all the third parties that you work with that have systems that are on board, that they connect, that they manage, have a very, very different view of cyber security from you. There we go. Most importantly, if you ever get the privilege of testing a vessel, you're not going to be able to sit at a desk and jack in and find stuff that's genuinely meaningful. You will need to be exploring that vessel. You
need to be ferreting around. You'll be doing tens of thousands of steps per day. But boy, is it really good fun and rewarding. Anyway, thank you. You've got a few questions.
question there.
>> Why don't they enforce new standards at the very least international works?
>> Okay. So that's why it's really hard.
>> A lot of that is basically just network hygiene.
>> Yes. You have no issue there, but as long as they tend to be soated.
>> Yeah.
>> So, you're talking about regulations like this that be brought in by nation states,
>> ships, right?
>> Yeah. So, why do we think that loser ships are registered in places like Liberia and Panama? Because they'll always go to the flag of convenience. Regulations are arguably easiest. So, we've got a real problem here. You're trying to, you know, whack-a-mole in terms of getting people to
comply, but if you ask them too much and too hard, they'll just go and register the vessel somewhere else. So, that's a real challenge we have, is you've got flag state control, classification societies, owners, operators, charter parties, all lots of these different complex environments. So, trying to get someone to follow a reg is hell. And that's where the International Maritime Organization does a good job, is when they set regs everyone listens.
>> Question two ranges same should be straight away.
>> Yep.
>> Yep. That's about right. This is what you'll find when you go on this question back here.
>> Yeah. So when you're supposed around these are you doing this with backstage bathroom here or you also pretending to
be customers on the ship sneaking around
>> So in most cases, so there'll always be someone from cruise ship security teams on board with us.
>> You sort of sneaking into their rooms?
>> No. So again, what does it achieve, right? We have done an exercise, this is really good fun. So key management, key management on board a vessel is really important. So you need to keep the customers out of the, you know, the dangerous places. A really fun job where, uh, one task was to access the key management system, the physical, uh, yeah, and we completely ruined it and ended up getting the master key for the entire ship that we've done. So yeah, we generally are
it's hard to exhaust us because we need to move fast, but there's always someone on the vessel who knows what we're doing and then the bomb. Oh, you're the pen testers. Yeah. Right. Okay. Great. Okay. Give me an okay. Any more questions about that one here?
>> Um, what's the state of IPv6 after
>> zero? Yeah, probably available, probably not configured doing stuff. Question here some getting free Wi-Fi. What kind of techniques were they using? Are they relatively lightweight or were they?
>> Yeah, very, very lightweight stuff. Just bypass captive portals of stuff that you know you do every day. Um, it's a whole lot worse on, uh, tankers and cargo ships cuz most of the
crew are after porn. So there's nothing else to do on board. Um, any more questions out there?
>> Great. Oh, one of testing any of these 24 hours max.
>> Wow, what a question. Um, what you prioritize? Honestly, I'll stick a network tap on and leave it in the background. I would look for routes to, uh, compromise safety management control system. It's like anything you do on the SNS or ICMS is very, very high value, very high risk. Once you've got access to any sort of user account that you're all good, so I would definitely go for the safety management control system. Any more questions out there? One
>> oh operational technology. So yeah
DCS, industrial controls, sorry, I use it but interchangeably, that's bad.
>> Have you done any private?
>> That's actually a really good question. Um, there's a huge difference between, um, any, uh, tanker, cruise ship, cuz they use a protocol called NMEA 0183, which bizarrely is a messaging system that's the same as GPS. So GPS me use the same protocol. So any of you looked at your Garmin logs, you'll see stuff going on these networks you'll be very familiar with. Superyachts use a different protocol, NMEA 2000, which is electrically compatible with CAN. So those of you who know your car will be familiar with that. Uh, is security any better? No, it's just different. Um, and
in my experience, I've done a little bit of CPR work. Uh, owners of superyachts get utterly wrenched, in my opinion, um, by organizations that claim they know what they're doing and turn up and be like this is rubbish. So superyachts are really interesting.
>> Yeah.
>> Have you tested any military ships?
>> No.
>> Uh, so sort of true, sort of not true. Um, we did do, had a little, uh, workshop at a supplier of ECDIS systems and one of the systems they had was called a WECDIS, uh, which is one XP, why bother. Um, so we haven't been on board ships, just got around to it. Question over here I think.
>> Yeah, so obviously you're doing the preach
testing do you find you a player said, "Can you come do the response from our vessel offer?"
>> Yeah. So, we've been asked about it and it's really, really difficult to do because the vessel could be anywhere in the world and we're not, and in order to be on the vessel you need, um, when at sea you have to be helicopter trained. So, you have to have done the dunk tank testing. Uh, so it's a matter of having the right person in the right place with the helicopter's got the right accreditations to get them out to a vessel to incident response on an OT network. Um, yeah, complicated. Yeah, we tried to put a service
together around that and just gave up in the end, it was pointless. Any more questions out there want back again?
>> Yeah. Can I ask if you have a platform moving from a leadership to a corporate network or somewhere?
>> Yeah. So the example I gave with the exploration drilling rig, uh, the DA we took was actually DA of the entire domain on shore as well. So we took the entire corporate infrastructure out from the oil rig. That was a bit mad. Yeah. So you do often find that too. It's doomed. Any more out there? Thanks so much for listening.