Blog: Maritime Cyber Security

How to pen test cargo vessels

Andrew Tierney 25 Mar 2023


TL;DR

  • Cargo vessels integrate IT and OT systems.
  • Pen testing aims to prevent IT-based OT compromises.
  • Avoid disruptions to operations.
  • Network segmentation and perimeter controls are key.
  • Direct OT testing is limited due to high risk.
  • Fleet-wide vulnerabilities often share root causes.
  • Strengthening processes and policies addresses issues vessel-wide.

Introduction

Cargo vessels have many interconnected systems, whether they’re LNG carriers, bulk carriers, or container ships. They are equipped with a mix of IT and Operational Technology (OT) systems. IT systems handle the day-to-day business and crew welfare, while OT systems keep the ship running safely, covering everything from navigation to engine diagnostics.

The goal of pen testing is to find potential vulnerabilities, focusing on how an attacker might exploit the IT side to affect OT systems without actually disrupting operations. This testing aims to find high impact and high likelihood weaknesses.

We have worked on many vessels over the years in time-boxed engagements, aiming for good coverage and depth on these large vessels. One of our main goals is to ensure that OT systems cannot be impacted from the IT side. This involves extensive network segmentation testing, IT / OT gateway testing, and visual inspection of the systems onboard.

How complex?

Testing a vessel has many unique challenges. To illustrate this, here is a brief overview of the IT and OT of a modern container vessel or chemical tanker:

  • Modern vessels have separate networks for business operations, crew welfare, and technical (OT) functions.
  • They also have diverse connectivity which can make pen testing engagements challenging, including offboard communications via VSAT, Starlink, and cellular connections.
  • Modern vessels are becoming even more integrated and can have a core network managed by third-party providers, a mix of virtualised servers, and various onboard systems like email, SMS, and fleet management systems.
  • And of course, critical operational technology. Some OT systems are air-gapped, while others are connected through dedicated gateways. Most commonly, the connected systems will be the ECDIS (for updates) and an Energy Management System (EMS), but engine diagnostics (main and generator), the Ballast Water Treatment System (BWTS) and the Exhaust Gas Cleaning System (EGCS) may also be connected.

A note about OT systems

These engagements typically avoid in-depth testing of OT networks and devices. If an attacker were to obtain network access to OT systems, they could nearly always have severe impact. The primary security control therefore needs to be implemented at the perimeter of an OT network, using gateways or firewalls. The risk of in-depth testing of OT systems on an operational vessel is too high in most circumstances and will usually affect operations too severely to test while at sea.

The stages of the testing process

A typical engagement involves the following steps:

Assessing the security maturity

The first step is to assess the maturity of the company in terms of the identify, protect, detect, respond, and recover functions (the NIST Cybersecurity Framework), normally using interviews and documentation reviews. This helps to direct further testing.

Understanding the systems onboard

Gaining an understanding of the systems onboard the vessel is extremely important. This would normally use a combination of documentation review, interviews with crew members, network exploration, and a physical survey of the vessel which, depending on its size, can require a lot of ferreting about.

Network segmentation checks

Network segmentation testing ensures that IT and OT are adequately isolated. This would normally involve basic checks (confirming that traffic from the business and crew networks cannot reach OT segments directly) alongside efforts to compromise any gateways between systems.
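As an added example (not code from this post or from Pen Test Partners), the rule-level check that underpins the basic segmentation tests: a small Python script that evaluates a constructed firewall ruleset against the business, crew, gateway and OT zones described above. The addressing plan and the rules are hypothetical; the script flags any allow rule that lets a zone reach OT or the IT/OT gateway other than along the permitted business -> gateway -> OT path.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed zone plan (hypothetical addresses). "ot" holds ECDIS, EMS,
# engine diagnostics, BWTS and EGCS; "gateway" is the dedicated IT/OT gateway.
ZONES = {
    "business": ip_network("10.10.0.0/24"),
    "crew": ip_network("10.20.0.0/24"),
    "gateway": ip_network("10.30.0.0/29"),
    "ot": ip_network("192.168.100.0/24"),
}
PROTECTED = {"gateway", "ot"}
# The only cross-zone flows that may involve a protected zone.
ALLOWED = {("business", "gateway"), ("gateway", "ot")}

@dataclass(frozen=True)
class Rule:
    src: str      # CIDR, e.g. "10.20.0.0/24", or "0.0.0.0/0" for "any"
    dst: str
    action: str   # "allow" or "deny"

def zones_touched(cidr: str) -> list[str]:
    """Every zone a CIDR overlaps; 0.0.0.0/0 overlaps all of them."""
    net = ip_network(cidr)
    return [name for name, zone in ZONES.items() if net.overlaps(zone)]

def check_rules(rules: list[Rule]) -> list[str]:
    """One finding per (source zone, destination zone) pair that an allow
    rule permits, involves a protected zone, and is not in ALLOWED."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        for s in zones_touched(r.src):
            for d in zones_touched(r.dst):
                if s == d or not ({s, d} & PROTECTED) or (s, d) in ALLOWED:
                    continue
                findings.append(f"rule {r.src} -> {r.dst} permits {s} -> {d}")
    return findings

# Constructed ruleset: the crew Wi-Fi "internet access" rule uses an any
# destination, and a vendor remote-access rule reaches the EMS past the gateway.
SAMPLE_RULES = [
    Rule("10.10.0.0/24", "10.30.0.0/29", "allow"),        # business -> gateway
    Rule("10.30.0.0/29", "192.168.100.10/32", "allow"),   # gateway -> ECDIS
    Rule("10.20.0.0/24", "0.0.0.0/0", "allow"),           # crew -> anywhere
    Rule("10.10.0.50/32", "192.168.100.20/32", "allow"),  # business host -> EMS
    Rule("0.0.0.0/0", "192.168.100.0/24", "deny"),        # final deny, too late
]
```

Running `check_rules(SAMPLE_RULES)` reports three findings: the crew "any" rule reaching the gateway and OT, and the direct business-to-EMS rule. Reverse flows initiated from OT or the gateway towards IT are flagged too, since they also bypass the perimeter control.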

Testing the infrastructure and comms

The test should cover the core network, including satellite communication equipment, firewalls, switches, and other essential infrastructure. It also involves evaluating Wi-Fi networks to confirm that segmentation and passwords are adequate. Alongside this, a survey for any rogue devices will be carried out.

Assessing IT systems and applications

This is a conventional Windows IT infrastructure test, normally aiming to achieve widespread compromise, starting from either an unauthenticated position or a normal crew account.

It also includes tests of any applications onboard that are critical to operations, such as the Planned Maintenance System or cargo management.

Evaluating OT system security

Proportionate checks of OT systems are carried out to ensure that they do not present excessive risk. It is acknowledged that many OT systems are poorly secured, so the focus should generally be on preventing initial access using network segmentation.

Examining the external attack surface

This covers the external attack surface of the vessel, such as exposed external IPs and Wi-Fi.

It also includes tests to confirm that Endpoint Detection and Response will prevent basic malware from being deployed.

Reviewing third-party systems

Examining any third-party systems, to the extent possible, is crucial to understanding the potential risks they pose. This would typically cover maritime-specific software and some IT / OT gateways or monitoring devices.

This structured approach ensures that the pen testing covers the most critical aspects of a vessel’s digital and operational infrastructure without disrupting daily operations.

Look beyond a single vessel: is it a fleet-wide issue?

Even though the test might focus on a single vessel, it is often possible to find fleet-wide issues. Some issues will be inherent in the design and implementation of a system across all vessels. The root cause of many problems will be missing processes and policies that, once in place, will fix the issue for all vessels. Testing for the issue on other vessels can often be carried out remotely or by the crew, without having to undergo expensive pen tests.

Conclusion

Simply put, pen testing cargo vessels minimises or even prevents IT-based OT compromises, and so avoids operational disruption. Direct OT testing is not always possible due to the high risk, but finding and fixing fleet-wide vulnerabilities is possible by understanding root causes.

By taking a measured approach to network segmentation and perimeter controls, and strengthening processes and policies, you will be in a better place.