Saturday, October 22, 2016

Sécurité - Sécurité - Sécurité

Sécurité is a safety signal used as a preface to announce a navigation safety message. It could be an approaching storm, a navigation light failure, a submerged log in a harbor entrance or military gunnery practice in the area. 

There's a digital transformation the shipping industry,  just as there have been in many others as the internet continues to connect industries and people who've performed even the most manual of jobs and functions.
The principal aim is to integrate all the shipbuilding functions “so they work in harmony and are properly aligned to build complex vessels”, Tim Nichols, marine division marketing director for Siemens’ PLM software, told a round table in Hamburg.
Yesterday we witnessed a global denial of service attack, resulting from a denial of service, apparently targeting Dyn, a Manchester, NH based DNS provider.  The attacks lasted roughly eleven hours and denied popular websites like Spotify, Twitter and others the proper name resolution needed to allow their names to be converted to their actual IP address. For the uninitiated reading my blog, DNS is the Internet's telephone book.  Wapack Labs => 603-606-1246. DNS translates into our actual numeric IP address. It allows your computer to remember your speed dial name instead of the actual number.

So why am I talking about maritime at the same time as the massive DDoS attack of yesterday? 

Because just this week, we published a report on a Maritime Internet Service Provider who allowed thousands of shipboard border IP addresses to be resolved outside of their network.  Over the course of the last two years, we've reported on key loggers and bad guys logging into vessel traffic systems, embedded and integration points, terminal operations, security systems, logistics, and shipboard connections. And about six months ago, a maritime CISO reported to us that satellite communications had undergone a denial of service, rendering ship-to-shore communications neutered. The result? Ships couldn't talk to the ports -- they were kept at sea.  While many of us would say "who cares?" --if a ship runs out of fuel it becomes a navigation hazard. Onboard medical issues, ordering of supplies, delivery of supplies, all become tricky, but as importantly, when a ship leaves Port A for Port B, their cargo might be bought and sold several times. In this case, because the ships kept at sea contained cargoes like crude oil, there was a very real chance that hackers were manipulating markets --yes, far fetched, but you just can't make this stuff up.

As well, Wapack Labs has been collecting key logger outputs from roughly 1250 caches of malware outputs. When a user logs onto their email, the key logger captures the user name/password pair, and then sends images of the clipboard to the external repository. We've performed hundreds of thousands of victim notifications from this data, and made it searchable for free through our api ( 

Here's why I'm concerned.  Massive attacks like yesterday are going to become commonplace. This will become the new normal as the Internet of Things puts autonomous internet-enabled dumb tools in the hands of hackers as new weapons.  On land, we simply wait it out.  Neither Spotify nor Twitter are mission critical, but what if I told you that industrial controls, GPS (navigation at sea), fuel monitoring, and new ships carrying highly dangerous cargos like liquid natural gas and crude are FILLED with these same devices that are creating opportunities of massive attacks like the one we witnessed yesterday.

The picture shown above is a vessel tracking system ( taken just moments ago (9:15 Saturday morning).  The VTS shows the ports and maritime traffic in southern New England --Connecticut, Cape Cod and the Islands --and even with the crap weather going on in New England right now, you can see, there's a TON of maritime traffic. This view is essentially the air traffic control system of the sea.  Imagine you're the master of one of these at sea vessels and losing confidence in your VTS's ability to show you where other ships are? Or running dry and adrift? Or losing navigation, pumps or communication?

Yesterday's demonstration was just that folks... a demonstration. When this hits the maritime, air, train, and trucking industries who are relying more and more on automation via the internet, non-mission critical internet sites like Spotify and Twitter will quickly become safety at sea, safety in the air, and safety on the road issues. You heard it here first folks. The sky isn't falling just yet, but unless we get a handle on the need to balance security with interconnectedness, you'd better get ready.  As we see more and more autonomous vehicles --cars, ships, airplanes, etc., this scares the hell out of me. This internet was never meant to be secure, and there aren't enough layers of security that can be bolted onto one of these maritime systems that will make them safe --or the people who man them. 


Preparing to head off to the FS-ISAC Summit tomorrow. Nashville here I come. Next week, it's the National Defense Transportation Association where I'll be speaking and sitting a panel on --you guessed it, the intersection of cyber and physical in the maritime and logistics space. 

I look forward to seeing many of you! 

So until next time,
Have a great weekend!