Ken Munro: When ignorance is definitely not bliss
As the smoke from the latest salvo of cyber-scares clears, men like Ken Munro are promising to guide us through the minefield. Stevie Knight writes.
First of all there was WannaCry ransomware, which was troubling enough. Then came the sudden collapse of Maersk and Rosneft’s systems under the onslaught of the NotPetya attack, and suddenly much of the maritime industry realised that it, too, was in the firing line.
Ken Munro of Pen Test Partners is a penetration tester, or an ‘ethical hacker’. His job is to find the vulnerabilities of a system, “get in and then show how it’s done”. He is, he admits, hooked on “the unpredictable nature” of his business.
So, what made him take up this strange career? “I was working in a restaurant in the '90s when I realised I could make the electronic till print out my mortgage amortisation status. I realised at that point that working in a restaurant was probably the wrong career.”
He cut his teeth in the early days of antivirus software, but more recently “became heavily involved in the Internet of Things, and ‘smart’ devices”, studying the vulnerabilities that all these developments expose. So, he’s aware of the trends and according to him, this is simply “no time for people to put their heads in the sand”; old attitudes have to give way to new realities, fairly fast.
One fundamental change is that ships can no longer be thought of as floating islands. “Since some bright spark decided to connect them up to the internet, ships are more of a floating data centre,” he said. “So now there’s really no such thing as an ‘onboard’ system – it doesn’t end at the hull. They are systems like any other.”
Unfortunately, developments have left a surprising number of holes. For example, one might reasonably expect communication links to be connected to the internet, “but what about engines and propulsion?” In fact, he says, “there are search engines that can show a number of ships’ control systems on the web”.
Further, what about the crew’s laptops? “If there isn’t proper segregation, one crew member’s access could be a conduit to somewhere entirely different inside your system.”
Unfortunately, innovation is helping brew the ‘perfect storm’. Viruses and malware are no longer limited to nuisance value: NotPetya (which, he explains, was in fact a worm and crypter combo wrapped up as ransomware) demanded US$300 in bitcoin. However, he says, “the ransom is only the start of it – even if the operator pays up, their data may still be irrecoverable, it may still be leaked, or they may be targeted again in the future”.
Yet at the same time, we are putting more trust into our interconnected world than ever before: for example, a remotely operated tug has just been put through its paces, with great interest from authorities like Singapore.
“Vehicles can become a weapon,” he says. “Take a remote operation for example. You believe you are seeing the telemetry from your vessel, but do you swing left or right? It’s all based on what you believe the sensors are telling you.”
He points out: “It might not sound that significant, until you realise it might be a tug pulling a big ship into berth. It could ram it into the side of the port, putting that facility out of action for several weeks. I don’t think we have seen significant examples yet, but it wouldn’t take much for ransomware to take control of a ship’s system; people would probably pay up pretty quickly.”
But even if we cut loose from innovation and stuck where we are right now, we still wouldn’t be safe; the risk is inevitably growing: “It just takes someone to realise what we have on the ships, someone to realise we have a lot more money tied up on these vessels than you’d normally find on land, and then I think we will start to see more targeted crime.”
However, despite the ramped-up evolution of the hacks, a lot of it isn’t that well written and he says there’s still some basic hygiene that will help.
So, what should businesses, shipping lines and so on actually check?
He says: “Look to see if there are ‘always on’ connections to the internet. Then make sure that people only have the level of access they need; hackers exploit excessive access”.
After that, “make sure your ECDIS system can only pull a map update from one specific, authenticated site, and only take what’s necessary – not the whole lot”. The same goes for any system updates – it’s worth noting that NotPetya took advantage of this particular loophole, spreading via a malicious update to the M.E.Doc accountancy software.
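The update check described above (one specific, authenticated source, and only the charts that are needed), sketched as an added example that is not from the article or from any ECDIS vendor. The host, key, cell names and manifest layout are constructed, and the HMAC stands in for the vendor signature a real system would verify.

```python
import hashlib
import hmac
import json
from urllib.parse import urlsplit

# Every name and value here is constructed for illustration.
PINNED_ORIGIN = ("https", "charts.example.com", 443)  # the one permitted update site
MANIFEST_KEY = b"constructed-demo-key"  # HMAC key standing in for a vendor signing key
SUBSCRIBED_CELLS = {"GB5X01SW", "GB5X01NE"}  # chart cells this vessel actually needs

def origin_allowed(url):
    """Accept only https URLs on the exact pinned host and port, with no userinfo."""
    parts = urlsplit(url)
    try:
        port = parts.port if parts.port is not None else 443
    except ValueError:  # malformed port
        return False
    return parts.username is None and (parts.scheme, parts.hostname, port) == PINNED_ORIGIN

def plan_update(manifest_url, raw_manifest, tag_hex):
    """Authenticate the manifest, then return (url, sha256) for needed cells only."""
    if not origin_allowed(manifest_url):
        raise ValueError("manifest is not from the pinned origin")
    expected = hmac.new(MANIFEST_KEY, raw_manifest, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), tag_hex.encode()):
        raise ValueError("manifest authentication failed")
    plan = []
    for cell in json.loads(raw_manifest)["cells"]:  # parsed only after authentication
        if cell["id"] not in SUBSCRIBED_CELLS:
            continue  # take what is necessary, not the whole catalogue
        if not origin_allowed(cell["url"]):
            raise ValueError(f"cell {cell['id']} points off the pinned origin")
        plan.append((cell["url"], cell["sha256"]))
    return plan

def cell_matches(data, sha256_hex):
    """Check a downloaded cell against the digest from the authenticated manifest."""
    digest = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(digest.encode(), sha256_hex.encode())

def constructed_sample():
    """Build a constructed manifest, its tag, and the bytes of one chart cell."""
    body = b"constructed chart cell bytes"
    base = "https://charts.example.com/cells/"
    cells = [{"id": c, "url": base + c, "sha256": hashlib.sha256(body).hexdigest()}
             for c in ("GB5X01SW", "US5NY1CM")]
    raw = json.dumps({"cells": cells}).encode()
    return raw, hmac.new(MANIFEST_KEY, raw, hashlib.sha256).hexdigest(), body
```
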
Then look at your handover process when a ship comes into port or leaves. “In one place I found it was a USB stick,” he says, these being an all-too-common infection vector. Of course there’s also a need to educate your staff and crew about system ‘hygiene’.
“Those are key, get the basics sorted out, and frankly the hacker will probably move onto someone more vulnerable.”
Apart from this, he advises: “Make very, very sure your policy covers cyber attacks. I think the insurance companies are seeing it as a very big issue, and don’t want to take on an unsized risk.”