The following is a brief report of some of the content of a recent symposium that discussed an increasingly important topic, of which I am woefully ignorant. Fortunately I have a friend who worked with me earlier on the CIMSEC Corvette Week Project who has expertise in the field, and he has been kind enough to provide his impressions. He goes by the pseudonym Juramentado.
Infragard Rhode Island Chapter recently hosted a “Maritime and Port Security” symposium in June. The speakers included representatives from various federal, military and law enforcement agencies.
Infragard is a coalition of civilian industry members and the FBI – covering multiple national security critical sectors including but not limited to Finance, Manufacturing, Energy, Maritime, Rail, and Aviation. The main theme that emerged from various presentations is the convergence of Physical and Cyber security and its impacts, especially in the Maritime space.
A good example of convergence is the risk of foreign marine traffic acting as an information gathering node. Vessels can easily house Wi-Fi antennas connected to computing assets running software designed to penetrate vulnerable wireless networks. By “war-driving” US shorelines and ports, a lot of useful information could be gathered in plain sight. This is a variation of a long-standing malicious actor practice – “war-driving” first became popular among hackers who simply wished to gain free Internet access, and it eventually led to more nefarious goals.
The Industrial Internet of Things (IIoT) has many unexpected side effects – for example, many vehicles today can use firmware updates to improve performance and control of commercially made subsystems. These updates would be delivered via remote means, such as SatLinks. The updates can be vulnerable to corruption during download, and if allowed, can install automatically without notifying the operators. In one instance, this resulted in unexpected loss of subsystem control at a critical time.
Many industrial zones claim to not be running wireless networks, but the proliferation of cheap and easily available wireless networking appliances, coupled with users’ natural tendencies for more convenience, has made the average network’s perimeter what security practitioners call “soft and chewy.” There are now many devices that utilize the Public Internet for both control and convenience. While wireless cameras are easy to set up (think of a home security system you can control over your smartphone), that same video feed is traveling over the world’s largest unsecured network, and is subject to many possible attacks including spoofing, interference and other threats.
Food for Thought: “In this age of the IIoT, relationships equal opportunities for attackers.” The Global Supply Chain network provides entry and exploit points to get from small, relatively low risk targets to larger targets. A recent example cited hacker attempts to obtain login information to enter the computer network of a manufacturer of retail parts. This small supplier was tied to a client’s network – Supplier B. Supplier B, in turn, serviced a large critical industry manufacturer. The interconnectedness of their networks is a reflection of the global economy and Just-In-Time production. The manufacturers are connected to one another’s computer systems for convenience, efficiency and speed of delivery, but this intermeshing is also a channel that malicious actors can exploit for their own purposes.
Efforts by commercial intelligence firms have revealed a criminal cyber campaign underway since late 2015 called “The Daily Show.” It was dubbed as such because the perpetrators used the pseudonym Jon Stewart to file for fraudulent Internet Domain addresses used in their attacks. The Daily Show is the brainchild of a Nigerian-based criminal enterprise – they’ve managed to penetrate multiple industrial sectors, including maritime domains, mostly through unsecured and weakly protected computer systems. The truly concerning aspect is that “The Daily Show” has not relied on sophisticated malware and social engineering campaigns of the kind conducted against the Financial or Defense sectors. Rather, they often use basic tools such as keyloggers (malicious software that, once installed on the target machine, automatically records the keystrokes of the operator and sends them back to the attacker), delivered through fraudulent e-mails loaded with malicious attachments. Keyloggers are not new; nation-states were using them as far back as the 1970s to compromise electric typewriters in foreign embassies. That such a fairly unsophisticated method has had such a successful outcome reflects the constant need to develop cyber-security maturity against both old and new attacks.
Notably, exploits used by The Daily Show bear a strong similarity to the attack methods used in the 2013 Antwerp Drug Heists, whereby entire containers of illicit drugs were smuggled into the port, then cleared for release without the proper authorities ever knowing about it.
Malicious actors are also openly attending Global Supply Chain conferences, actively looking for new technologies to exploit, interrupt or steal, and reconnoitering for whitepapers and other publicly accessible documents that give context to how a particular component or product in a supply chain is built, maintained and protected. There was a recent concerted effort by unknown parties to gain as much information as possible on Industrial Flow Metering, the same kind of equipment used in POL storage, shipping and transfer. As with many things in the age of IIoT, that kind of industrial control directly connected to the Internet becomes an exploit point – to cause market volatilities, supply interruptions, all the way to a potential environmental disaster.
The bulk of malicious activity aimed against Maritime Security so far is financially motivated. But as we all know, money is what makes the world go round, and terrorists, non-state actors and even hostile nation-states need a share of that in order to further their causes.
Juramentado is an observer of naval matters. He is an IT Risk and Information Security practitioner in the defense and financial services industries. The views and opinions expressed in this article are those of the author, and do not necessarily represent the views of, and should not be attributed to, any particular nation’s government or related agency.