Written by Geir Inge Jensen, CISO | 07 September 2020
"We have a firewall in place, so that means our onboard systems and networks are secure."
This is a common thing heard from many shipping companies.
Sure enough, a firewall is a central component of any vessel cybersecurity infrastructure: it restricts which traffic may pass between the onboard networks and the outside world, and in doing so blocks many of the routes an attacker could use to reach your onboard systems.
In today’s new cyber threat reality, however, total reliance on firewalls alone provides a false sense of security. Let me show you why.
The firewall is one of many tools in your toolkit for onboard IT and OT security. Without additional protection measures to back it up as part of your overall vessel safety and security risk management, the firewall is simply not enough to protect your fleet from the growing multitude of threats out there.
Why is that, exactly? For one, a firewall cannot judge the intent of traffic it is configured to allow: malicious content carried over an authorised application or protocol (email, web, DNS) passes straight through. What’s more, firewalls are extremely limited in their capacity to prevent the kind of massive, targeted phishing email attacks that, over the past month, have been launched against hundreds of vessels, across shipping companies all over the world.
What makes the recent spear-phishing campaign against ships particularly sophisticated is that the emails – typically attempting to deliver malware or a virus – are duplicates of messages sent in the past, often from other shipping companies or maritime authorities. This makes them deceptively plausible, increasing the likelihood of the captain clicking on malicious attachments or links.
Furthermore, numbers in the email have typically been altered – invoice number, dates, you name it. In addition, the original sender and subject line have been changed, making it hard to track down the source email. Any links in the original email have also been replaced with a new link, directing you to malware.
These social engineering attacks would never have been thwarted by firewalls alone.
The widespread email attacks against the maritime sector are one example of how a firewall can be bypassed rather than breached. Let’s look at two other real-world industry scenarios where onboard firewalls fall short in protecting ships.
Traditionally, OT and IT have been separated. With the internet, though, OT and IT are coming closer, as stand-alone systems are becoming integrated. As you know, disruption of OT systems may pose a significant risk to the safety of your onboard crew and cargo, and also impede your ships’ operation.
I hear many statements like, “Oh, we don’t have our OT on a network that connects to the Internet, it’s all offline.” In reality, we see that more and more systems on the vessel are connected to the Internet. Even if you have your ECDIS machine offline, you probably have some IoT systems, such as the engine control servers or propulsion systems, and so on.
The number of such connected devices is skyrocketing, and the vendors behind them want the sensor data sent back to their own systems. So your onboard devices send data to some cloud service, Azure for instance, and from there on to the vendor. For that to work, the firewall has to allow outbound DNS, whether to Google’s public resolvers or to some other external resolver.
Once outbound DNS is allowed, an attacker does not need to break through the firewall at all. DNS queries and responses can carry arbitrary data in their labels and records, so malware can use them both to tunnel data out and to receive commands, and every such lookup looks like an ordinary permitted request on port 53. Once an attacker has a foothold behind the firewall, everything on the onboard network is within reach if no other security control is in place.
When discussing threats to your vessel IT infrastructure, we must not forget the software your crews bring with them on board. Most people regard their mobile as a private piece of equipment that they have complete control over. Nothing could be further from the truth. It’s well known that Android-based phones are prone to have malware installed, but it’s true for Apple’s iOS as well.
Last year, 18 apps on Apple’s App Store were found to contain malware that uses the ‘Karkoff’ technique to establish a Command-and-Control session back to the hacker. If a crew member’s phone carrying one of these apps – in reality a Trojan – joins the ship’s network, the attacker is already on the inside of the firewall and can use the phone as a starting point to attack other systems on the vessel.
As the malware uses DNS as its communication channel, even a strict firewall rule set is bypassed as long as it permits outbound DNS.
Just as there are maritime choke points, i.e. naturally narrow channels of shipping having high traffic because of their strategic locations, so there are choke points in network security.
The firewall is one such choke point – but it’s useless if there's an effective way for an attacker to go around it. Why bother attacking the fortified front door if the kitchen door around back is wide open? Similarly, from a network security perspective, why bother attacking the firewall if all you need is a phishing email?
This is where a Defence in Depth (DiD) architecture comes into play. Defence in Depth is an approach to cybersecurity in which a series of detection and protection mechanisms are layered to safeguard networks and systems.
The basic premise of the Defence in Depth strategy is that the security of your onboard systems and networks cannot rely on one single security mechanism.
This is why we created Dualog® Protect – to effectively close the gaps created by depending on a singular security solution.
A previous Dualog blog article discusses why DNS is an excellent place for plugging in a defence layer that protects against threats that firewall or stand-alone antivirus solutions often miss.
By operating at the DNS level, Dualog® Protect serves as the first line of defence, safeguarding your ships and their onboard IT systems even before an attack occurs.
Blocking Command-and-Control traffic at the DNS layer is an effective addition to the firewall. Almost every malicious connection begins with a name lookup, so filtering at the DNS layer lets you refuse the lookup before the harmful connection is established, and it cuts off the outgoing calls of devices onboard that are already infected. In addition, the same filtering can be used to protect the crew from reaching unlawful or harmful sites.
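The two sides of this, the DNS bypass discussed under the OT scenario above and the DNS-layer blocking described in this paragraph, in one added example. This is illustration code written for this article, not Dualog code and not a description of how Dualog® Protect works internally. It assumes a resolver that can run a policy hook on every query; every domain name, address, blocklist entry and log line in it is constructed. The attacker-side function shows how arbitrary bytes fit into standards-compliant query names that pass any firewall rule allowing outbound DNS; the `DnsPolicy` class shows the defender side, blocking names on a blocklist and flagging tunnel-like lookups by label length, entropy and per-zone query volume before the resolver answers.

```python
"""Added example (not Dualog code): DNS as a firewall bypass, and a
DNS-layer policy that blocks known-bad lookups and flags tunnel-like ones.
All domains, addresses, blocklist entries and log lines are constructed."""
import base64
import hashlib
import math
from collections import defaultdict

MAX_LABEL = 63   # RFC 1035: one label is at most 63 octets
MAX_NAME = 253   # practical maximum for a presentation-format name


def encode_tunnel_queries(data: bytes, domain: str, chunk: int = 30) -> list[str]:
    """Attacker side: split data into base32 chunks, one query name each.

    Every lookup goes to the site's permitted resolver, which forwards it to
    the authoritative server for `domain`. If that server is the attacker's,
    the labels themselves are the covert channel and no port-53 rule is broken.
    """
    names = []
    for seq, start in enumerate(range(0, len(data), chunk)):
        label = base64.b32encode(data[start:start + chunk]).decode().rstrip("=").lower()
        name = f"{seq}.{label}.{domain}"
        assert len(label) <= MAX_LABEL and len(name) <= MAX_NAME
        names.append(name)
    return names


def decode_tunnel_queries(names: list[str]) -> bytes:
    """Reassemble the payload from the query names, ordered by the seq label."""
    out = b""
    for name in sorted(names, key=lambda n: int(n.split(".")[0])):
        label = name.split(".")[1].upper()
        label += "=" * (-len(label) % 8)      # restore the base32 padding
        out += base64.b32decode(label)
    return out


def shannon_entropy(s: str) -> float:
    """Bits per character: random base32 text scores about 4.5, hostnames 2-3."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


class DnsPolicy:
    """Defender side: decide on one query before the resolver answers it."""

    def __init__(self, blocklist, max_label_len=40, min_entropy=3.5, max_unique=3):
        self.blocklist = {d.lower().rstrip(".") for d in blocklist}
        self.max_label_len = max_label_len
        self.min_entropy = min_entropy
        self.max_unique = max_unique        # deliberately low for the demo; tune per fleet
        self.seen = defaultdict(set)        # (source, zone) -> distinct names asked for

    def evaluate(self, source: str, qname: str) -> str:
        name = qname.lower().rstrip(".")
        labels = name.split(".")
        # Rule 1: the name, or any parent of it, is on the blocklist -> block.
        for i in range(len(labels)):
            if ".".join(labels[i:]) in self.blocklist:
                return "block"
        # Simplification: the last two labels are treated as the zone.
        # Production code should use the Public Suffix List (co.uk and the like).
        zone = ".".join(labels[-2:])
        self.seen[(source, zone)].add(name)
        # Rule 2: a long, high-entropy label looks like encoded payload -> flag.
        longest = max(labels, key=len)
        if len(longest) >= self.max_label_len and shannon_entropy(longest) >= self.min_entropy:
            return "flag"
        # Rule 3: one host asking for many distinct names in one zone -> flag.
        if len(self.seen[(source, zone)]) > self.max_unique:
            return "flag"
        return "allow"


def run_policy(log):
    """Apply the policy to (source, qname) pairs; returns (source, qname, decision)."""
    policy = DnsPolicy(blocklist={"bad-updates.example.org"})   # constructed blocklist
    return [(src, q, policy.evaluate(src, q)) for src, q in log]


# Constructed payload standing in for a stolen file: 128 pseudo-random bytes.
PAYLOAD = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(4))
TUNNEL_DOMAIN = "telemetry-sync.example.net"   # attacker-controlled zone (constructed)

# Constructed query log: a vendor telemetry box, a crew phone, and an infected host.
SAMPLE_LOG = [
    ("10.10.1.20", "iot-hub.vendor-cloud.example.com"),
    ("10.10.1.20", "ntp.example.com"),
    ("10.10.2.7", "cdn.bad-updates.example.org"),      # known C2 domain (constructed)
    ("10.10.1.20", "api.vendor-cloud.example.com"),
] + [("10.10.3.15", n) for n in encode_tunnel_queries(PAYLOAD, TUNNEL_DOMAIN)]

if __name__ == "__main__":
    for src, q, decision in run_policy(SAMPLE_LOG):
        print(f"{decision:5s} {src:12s} {q}")
```

Running it prints `allow` for the vendor telemetry lookups, `block` for the blocklisted name and `flag` for the tunnel queries: the first ones trip the label-length and entropy rule, the later ones the per-zone volume rule as well. The thresholds are for the demonstration; a real deployment would tune them per fleet, apply the volume rule over a time window, and log flagged queries for follow-up rather than only printing them.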
Read more: Dualog® Protect – easily explained
If you’re relying on a single layer of security to protect your vessels’ IT and OT systems, you’re leaving your fleet vulnerable to targeted cyber attacks. Long gone are the days when it was enough to have a good antivirus program and a firewall. Today, safeguarding your vessel IT environment is much more complicated.
For this reason, it makes sense to implement a solution that offers a range of features designed to protect against an ever-evolving threat landscape and the changing needs of today's modern shipping company.
With Dualog® Protect in place to provide that crucial extra layer of security fortification to your IT operations, you drastically reduce the risk of malware attacks.
Learn more about Dualog® Protect in our free webinar, where you get an accessible overview of the service.
Geir Inge Jensen is the IT Operations Manager at Dualog. With over 20 years of experience in network design and cyber security, Geir Inge is passionate about developing solutions and services that help shipping companies create a more cyber-resilient environment onboard their vessels. When he is not fighting maritime cybercrime, you can find him in the mountains enjoying the great outdoors with his camera in hand.