Ethical Hacking

Cyber attacks are of increasing concern in a wide range of industries including the maritime, oil and gas, and energy sectors. Information warfare is gathering intensity, and sometimes the best defence is to subject your organization to a simulated attack.

This insight is driving the recruitment and development of ethical hackers, sometimes referred to as ‘white hat hackers’ in an allusion to heroes who take on black-hatted bad guys in the movies.

In cyberspace, the bad guys are all too real. Cyber attacks can lead to lost production; increased health, safety and environmental risk; damage claims; and reputational loss. The world’s largest container shipping line, AP Moeller-Maersk, stated that the so-called NotPetya ransomware cyber attack in the summer of 2017 could cost it between US$200–300m.

The threat is also of concern to insurers needing to manage their risk, and to owners who want complete insurance coverage: so, locking hackers out is increasingly important.

In one example of the white hats winning, DNV GL ethical hackers, collaborating with a Norwegian university, alerted Siemens to a zero-day vulnerability, computing jargon that means it was previously unknown to Siemens. “The vulnerability could have let a hacker remotely shut down the drilling control system, a blowout preventer, power management systems, or an emergency shutdown system,” explains Mate J Csorba, Principal Specialist Cybersecurity, DNV GL – Marine Cybernetics Advisory, who found the cyber loophole.

Hacking to stay cyber secure

DNV GL advises extensively on cyber security in the maritime, oil and gas, and energy sectors. Its focus is on practices, tools and concepts to protect operational technology (OT) and information technology (IT) combined.

Achieving this means assessing cyber security vulnerabilities that hackers could exploit. DNV GL’s Recommended Practice (RP) DNVGL-RP-0496 Cyber security resilience management for ships and mobile offshore units in operation – which helps companies to prepare for an ISO 27001 certification – outlines a strategy to assess weakness under three headings: technology, processes, and people (Figure 1).

Ethical hacking is one of the technology solutions to staying cyber secure by testing and verifying OT, IT and linkages between them.

“What distinguishes DNV GL’s white hat team is that it combines hacking expertise with profound knowledge of operational technology in key business areas,” says ethical hacker Elisabet L Haugsbø, project engineer at Marine Cybernetics Advisory, DNV GL – Maritime.

“We know what can be done if a hacker gets control, giving us a better idea what to look out for than someone with purely IT experience.”

Ethical hacking in practice

DNV GL’s ethical hackers use a familiar three-step process starting with passive and active reconnaissance of the cyber security of, say, a ship, an oil platform, or a utility’s remote-metering infrastructure. They then scan for potential vulnerabilities and, if they find any, try to gain access through penetration testing.

“An unethical hacker would then try to secure access to the system for the future and cover up their tracks by altering files and logs,” explains Haugsbø. “We do not do that: we reveal vulnerabilities to help customers mitigate them.”

An initial phase of an ethical hack could involve simply walking around on a vessel to try to gain unauthorized access to a computer server cabinet because it is unlocked, for example.

“There may be access control related information not kept securely, such as passwords, and we might try tapping into the crew WiFi to find a route into the control systems,” Haugsbø adds. “Next, we scan for vulnerabilities that could be used to enter and exploit the system to affect operations or access confidential information.”

Some scanning and testing is carried out remotely over the internet from DNV GL’s centres of expertise.

Vulnerabilities identified

Huge, publicly-available online databases of vulnerabilities identified worldwide are updated daily by various organizations and are available along with search tools to ethical hackers, including DNV GL’s specialists.

Despite this, many companies are all-too-vulnerable, says Haugsbø: “In the shipping sector, for instance, we see passwords never being changed, or being pre-set by IT departments onshore and printed and posted on walls. Some passwords are weak or just factory defaults.”
Other weaknesses include crew members backing up data on personal hard disk-drives; infected USB sticks being used to transfer loading-condition data to shore; and unencrypted emails.

Then there was the firewall mounted in an engine performance monitoring cabinet, but not connected; the on-board firewall with base functions disconnected; and control system devices connected to insecure on-board WiFi.

“Keeping software patched and hardened against cyber attacks sounds an obvious precaution,” Haugsbø says. “But we have seen Windows operating system software being updated only during major upgrades, so it is years out of date. Sometimes Windows is installed with standard settings left unchanged.”

In the utility sector, DNV GL found a large share of one client’s meter data servers were prone to a Denial-of-Service (DoS) vulnerability that could have impacted the entire metering infrastructure.

Keeping hackers out of operating technology

Greater attention is being focused on the cyber security of operational technology as more use is made of ‘smart’ sensors, monitors, equipment and machinery and as connectivity between such components, and even with corporate IT systems, increases in the industrial Internet of Things.

Decades ago, few if any critical functions and systems on ships were automated, and they were certainly not online. Safety in shipping and offshore units now depends heavily on cyber systems but are crews aware of the new threats?

A Ponemon Institute survey of US oil and gas professionals responsible for securing or overseeing cyber risk in the OT environment found 59% believe there is greater cyber risk there than in enterprise IT.1

“Critical network segments in production sites used to be isolated but are now connected to networks, making operational technology more vulnerable,” says Petter Myrvang, Head of Information Risk Management, DNV GL – Oil & Gas. “It is one reason why we conduct ethical hacking for customers in the sector.”

Haugsbø adds: “In one test, we were able to tunnel between different network levels, including the office level, on an offshore production unit. We also encountered insufficient filters in routers communicating from shore to ship.”

Sector responses to cyber risk

Industries vary in their awareness and responsiveness to cyber security risk, according to Patrick Rossi, Cyber Security Service Manager for DNV GL – Maritime: “Until recently, oil and gas has been the most mature in this regard because of its in-built practice of managing operational risk related to handling hazardous hydrocarbons. The power sector has also been in the forefront due to high availability requirements for steady, reliable distribution of sources of energy.”

Maritime lags a little, Rossi adds: “For example, people in the industry are embarrassed about sharing negative findings. In some jurisdictions, there is a good culture of reporting safety incidents so that the entire industry can learn from them, but cyber security is not there yet.”

Encouragingly, says Rossi, DNV GL now sees more maritime customers seeking to tackle cyber security: “Some have already performed cyber-risk assessments and want more guidance. We are definitely seeing a pick-up in this.”

Ethical hacking is a sensitive exercise that requires operators to share their weaknesses. “We recognize this,” says Rossi. “When performing ethical hacking, you are asking the customer to let their guard down;so, it helps that DNV GL is a trusted partner. When sending [cyber security] penetration testing results to a customer, we encrypt them and always use a Virtual Private Network when accessing sensitive project folders. We value our customers’ trust and eagerness in discovering vulnerabilities and improving on their cyber resilience capabilities.”

Source: Hellenic Shipping News