Can’t Sail Away from Cyber Attacks: ‘Sea-Hacking’ from Land


The warnings had been issued for years. The techniques were simple enough — penetrate the platform through the onboard navigation system and then move laterally across the onboard networks to gain control of key systems such as steering and the throttle. The hackers did exactly this — surprisingly, without foreknowledge of the specific systems they were to hack. They were in and through the navigation interface in a remarkably short time and had control of both the steering systems and the throttle in quick succession. From this effort came a coveted “Black Badge” from the Maritime Hacking village of the annual cyber security conference DefCon, held in August 2021 in Las Vegas.

The conference’s Hack the Sea Village “SeaTF” hacking challenge allowed teams of 3–5 individuals to gain hands-on experience hacking real maritime hardware in a controlled environment using Fathom5’s “Grace” maritime cyber security testbed. The simulated maritime bridge setup is meant to be an accurate facsimile of equipment typically in use onboard ocean-going vessels, allowing hacking teams to attack the afloat environment. Using realistic components and protocols, hackers were able to penetrate different maritime subsystems including navigation, firefighting, and steering systems. While this year’s challenge required hackers to tap into propulsion, steering, and navigation systems through a wired connection to their laptops, next year the hope is to provide a wireless environment.

 

 

Importantly, the 2021 competition once more demonstrated that hacking skills from land-based systems and environments are easily transposable to a maritime environment. The winning team had experience neither in the simulated environment nor in maritime hacking in general. A skilled hacking team typically takes at most 14 hours to penetrate the system safeguards and remotely take control of both steering and throttle controls. While the simulation used at DefCon did require “plugging into” the equipment, remote-access hacking is possible, as demonstrated in February 2017, when hackers took control of a German-owned container vessel traveling from Cyprus to…
