Pen testing cruise ships

New build ships contracted for build from 1^st July 2024 must comply with IACS UR E26 & 27. What does this mean for assessing the cyber security of a cruise ship?

What’s the risk profile?

Cruise ships have a unique risk profile. This is due to the huge number of guests on board, highly complex hotel systems and payment systems, mixed up with very involved OT and safety management systems.

Threat actors emulated in tests include:

• A guest who wishes to obtain free services, such as internet, or food and beverage service
• A member of crew who has access to the corporate network, or has run out of their internet access allocation and wants to bypass controls to get unmetered access
• Credit card data theft or tampering with hotel systems, such as mixing up or locking room doors
• Advanced attackers who can compromise OT and navigational systems, causing power outages or possibly even collisions
• Ransomware groups seeking to disrupt service to a vessel, or move laterally to other ships, or to the corporate on-shore domain

Testing conditions

Typically, work would be carried out under ‘light-grey box’ conditions, with as much documentation, credentials and access permitted as possible. This helps accelerate testing and keeps costs manageable.

Often, third party maritime technology suppliers refuse to support or comply with requests to provide information or access. The operator or owner’s assistance is often needed to remind these suppliers of their obligations to support their clients and their desire to provide security assurance to their vessels!

Testing is time-boxed and will focus on the higher impact and more connected systems. More risky testing, particularly against OT systems, is typically carried out when the vessel is in a safe condition, such as alongside or still in the yard as it approaches launch.

If the vessel is operational and / or underway at the time of testing, then more risky tests may need to be deferred. Risk assessments will be performed with crew throughout to ensure that no unsafe actions are taken.

Testing perspective

One of the most important aspects is assessing the security of the vessel from the perspective of a guest. There are many networks exposed to a guest, such as Wi-Fi, TV, VoIP, cabin control networks and so on.

The main aim would be to compromise IT systems to obtain free services, although IT / OT segregation would be considered: compromise from a cabin through to critical OT systems has been achieved many times in the past.

Although OT systems are normally better isolated than IT systems, the impact if they are compromised can be extreme. Therefore it is proposed that they are examined at a design level and comprehensive testing performed. This would focus on those that are deemed vital to operation of the vessel from regulatory, safety and operational perspective.

OT methodology

Testing would use a risk-averse OT methodology, ensuring that no changes are made to systems. We have significant experience of many different maritime OT systems, which means that many vulnerabilities and typical weaknesses can be determined by low-risk techniques.

Impact assessment

Someone very familiar with the vessel, such as the chief engineer or technical new build team should be available to assist in assessing impact. This may also require someone with deep knowledge of the classification society rules and any typical port state inspections carried out.

It is common to find that there are single points of failure that can cause significant impact but do not have adequate security controls around them.

Which OT should be checked?

The following OT systems would be expected to be checked, but more or less may be included based on the vessel design:

• IAMCS / Automation
• Navigation / conning / ECDIS
• Safety Management System (with expected links to fire detection, watertight doors, VDR, ICMS etc.)
• Vessel performance monitoring
• Scrubber monitoring
• Remote engine diagnostics / monitoring
• UPS systems for any systems onboard
• VDR (if TCP / IP connected to other systems)
• Fire detection system
• Watertight doors
• PA / GA system
• Cabin control system (potential control of heating, water temperature, lighting and access control to cabins)
• Access control system for bridge, engineering and other restricted spaces, potentially including a physical key tracking system
• Firewalls and gateways associated with any OT systems
• Remote access mechanisms for any third party vendors, ensuring that compromise of a low-impact system such as theatre stage automation cannot impact high-impact systems such as ICMS. We have seen this in the past!

Alongside this, we generally recommend that an audit of the physical security of the vessel is carried out. This would involve looking at how spaces are secured using electronic access control and keys and performing a full walkthrough of the vessel.

During past engagements, issues have been found where spaces such as HVAC or swimming pool plant are inadequately secured, allowing access to IAMCS. From this perspective it may be possible to significantly impact machinery onboard.

Purple teaming

Over the life of a vessel, it is expected that new systems and equipment will be added and connected to networks. Whilst some of these will be fully approved and designed, we have often found unauthorised or poorly documented systems implemented.

For this reason, we are often asked to perform a “purple team” exercise, where we will use defined TTPs that should trigger any alerting or monitoring.

Ideally, the SOC would detect the presence of a new connected system, and then crew should have adequate tools to track down the system. Examples of such techniques would include placing a new gateway into various network locations and generating unexpected traffic such as TeamViewer from existing OT systems.

What else is tested?

Alongside the above enhanced testing, the following testing is often carried out:

• Connect to Wi-Fi and exposed Wired networks to check that they are adequately segregated from each other. Particular attention will be paid to the more easily accessible networks such as the guest and crew Wi-Fi.
• Investigate the quality of passwords used around the vessel, including the Wi-Fi, corporate machines, bridge systems, and external systems.
• Determine how passwords are stored on the vessel.
• Investigate how passwords are rotated when crew leave and join.
• Connect to the business network and investigate the connections back to shore, looking to compromise the Windows domain either from a position of no or low privilege.
• Check that vessel-to-vessel attacks are not possible
• Perform a network and physical audit of the vessel to discover any undocumented or unknown systems, looking for bridges between different network segments or unauthorised remote access.
• A vulnerability assessment of the onboard PCs and servers in the corporate domain
• A vulnerability assessment of TV / broadcast networks onboard.
• Check that the external attack surface of the vessel is minimised.

Conclusion

Cruise ships are one of the most complex environments we are asked to test the security of. Testing requires significant expertise in both the maritime and hotel domains, which is why several of our team are ex ships engineers or officers of the watch.