Threat actors can gain access to ships' valuable operational assets quickly and without being detected. These breaches place passengers at risk and can cause serious damage to equipment and corporate reputation. The maritime industry needs ways to detect and mitigate these cyber risks before they can cause damage.
OTORIO Pen-Testers Help Maritime Company Correct Critical Security Flaws
A global maritime company asked OTORIO to conduct a security assessment of one of their cruise ships. They wanted to see their level of protection against cyber attacks.
The customer runs a number of luxury cruise ships. OTORIO’s iot penetration testing security team spent close to 3 days in a dry dock environment, with a “black-box” approach, to identify security gaps. They had no prior knowledge of the internal network and their goal was to determine if an on-board passenger could potentially gain access to the ship’s crown jewels.
OTORIO’s penetration testing teams come from Israel’s elite technological units and are experienced in successfully defending mission-critical, cyberphysical systems. The team employs unique penetration techniques that are non-disruptive and can be carried out with maximum efficiency, with zero impact on daily operations.
OTORIO was tasked with:
Acting Like Hackers
OTORIO pen-testers were not given access to any of the ship’s IT or operational networks. Instead, they needed to act like attackers, searching for covert entryways and cracks in the ship’s cyber-security. As testing was restricted to the public facing areas, such as the business centers, bars, casino, restaurants, and an internet café, the team was able to reach only a limited number of machines. Despite this limitation, they were able to gain access to some of the ship’s most valuable operational assets in only a few hours. The team was then able to gain access to the master computer, achieve keylogging capabilities on it, and collect hashed credentials of more than ten users - including the administrator of the domain.
While some solid security practices were in place, the team found a number of security issues that enabled OTORIO to bypass these measures. Most importantly, OTORIO pen-testers were able to gain access, undetected, to the ship’s balance control systems. Had this been achieved by a malicious actor, it would have given them complete control over the ship’s flotation and balancing systems, placing the entire craft, and the people on it, in danger.
The team made 18 mitigation steps to remediate the risks and help the company stay safe from any dramatic reputational, financial or privacy & identity implications.
Some of the recommendations included:
With no account lockout configured in the domain, attackers can easily obtain users’ passwords using brute force. Additionally, the team found outdated and End-of-Life versions of software tools, which exposed the system to many security issues, gave attackers the ability to perform malicious activities, and gain control of the systems.
OTORIO’s assessment gave this company a solid awareness of their current security posture and specific implementation guidelines. This will enable them to protect their passengers’ safety and privacy and prevent financial loss and IP theft.