Hello Everyone,
I am a cyber security researcher, and I am currently working on a project regarding threats to passenger ships. I have a ton of questions and am looking for the right resource. My background is in networking, and I currently work as a network pentester (offensively exploiting network vulnerabilities).
I have spent a decent amount of time researching the known or potential vulnerabilities but am struggling to identify their impact if successfully exploited.
Here are a couple of examples:
What could happen if an attacker manipulated the Load Computer and injected bad data for fuel systems, stability, and haul stress? Worst-case scenario or most likely scenario. How would you go about investigating that?
What happens when the ship loses satellite internet connection? What systems do you fall back on? Does this have any significant impact on operations?
(Cruise ship specific maybe) Does the fire suppression system unlock passenger cabin doors to allow firefighters into the rooms? I was thinking along the lines of a passenger purposefully setting off the fire alarm and tripping the sprinklers.
Like I said I have so many questions, and I am super grateful for anyone taking the time to answer. I think I’ll have more questions on an ongoing basis, so if anyone would like to swap knowledge, let me know. I am happy to answer technical or cyber security questions. Also, feel free to google my username, to check that I am on the up and up or dm me on Twitter.
I am not off passenger ships, but I can give you my 2 cents.
I watched the part of the video you linked where he talks about the load computer, and I’d describe that exploit as a nuisance as a worst case scenario. First, the load computer should be isolated, which it is on every oil tanker I’ve worked on. But I’m not sure what it would control, because it would just tell me the ballast tank is full, then I’d look out the window to see if we were leaning over 10°, and then go about my day once I realized nothing had changed from 4 hours ago when the tank was empty. On my last trip I had one tank radar that didn’t work at all, and another that was off by a foot, and we managed just fine, but perhaps we were under attack, I wouldn’t know, we just disabled those radars. You just need to manually sound the tanks, which there are enough people for, more than enough on a cruise ship. These programs also have a way to just enter everything manually, so really you’re just adding a little work to one of the mate’s day.
I am neither engineer for neither ships nor networks, however the program controlling the propeller pitch (how much force the prop is outputting) or the orientation of the drives would be a very bad thing to have a bad guy inject code into. I have no idea where those systems are even controlled from, but it is an electrical signal at some point. Some ships also have dynamic positioning, which is software reliant, which would be bad to have go sideways.
I have to break out the hard drive of pirated movies instead of looking at Instagram. /s
Operationally, we just have to rely on GMDSS to communicate with the office, however I can imagine this could be more problematic with so many passengers. Given the nature of cruise ship’s routes, I’d imagine they’d just get a little closer to shore to get a call out to the office from the captain’s cell phone.
As I said, not a cruise ship guy but I was curious and DM’ed my buddy who is. The doors do get unlocked, but not automatically. Only automation he mentioned is ventilation in some atriums to clear smoke.
thank you! this is all really helpful. The impact of specific vulnerabilities can be hard to quantify when unfamiliar with the systems and failure controls.
I’ll look into the propeller pitch program controller and see if it runs off the same serial connection.
As for the sat internet - this was good to know. I was thinking if there was some remote cyber attack, completely disabling the internet connection might be the quickest way to remediate until things could get figured out. But wasn’t sure if that would have some unintended consequences elsewhere.