Readit News
nimbius · 2 years ago
Reading the posts I feel like a lot of HN doesn't fully understand what we're defending against? These ships are BIG.

First, "manually control" engines and rudder isn't a thing. You're talking about a rudder that could be four stories tall. Manual input is physically impossible and you wouldn't want it anyway. Screw around with the rudder too much or too quickly and the underway mass of a 500,000 short-ton tanker will rip it out of the ship.

A tanker engine starts at 2.5 stories tall (8-10m). Before ECM and modern SCADA automation these things could take an entire day to start. Everything from fueling to speed and fire suppression is intimately linked through a network on the ship. You can restrict these networks from the rest of the ship but it's generally not advised. Ship engines communicate with breaker panels, engine controls on the bridge, and telemetry from shipping companies for preventative maintenance.

The solution to this is to have a SOC or rapid response team combined with redundant systems. Assume a serious compromise is a failure condition and start the EPO/Mayday.

All it takes is a hacker to add a couple of extra zeroes to the idle speed of the engines and you're now a runaway ship, or worse, a runaway engine fire.

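The runaway-setpoint scenario described above (extra zeroes on the idle speed, or a rudder ordered over too far too quickly) is the kind of command a plausibility guard in front of the actuator can refuse. The following is an added example, not code from the commenter or from any ship system; the envelopes it uses (0-110 rpm with at most 2 rpm/s of change, ±35° of rudder at 3°/s) are assumed illustrative values, not figures for a real vessel:

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// Limits is the envelope one actuator may be ordered into. The values used
// below are assumed for the example; a real ship would take them from the
// machinery's own data.
type Limits struct {
	Min, Max    float64 // absolute bounds of the setpoint
	MaxStepPerS float64 // largest change in setpoint allowed per second
}

// Guard sits between the command source and the actuator and remembers the
// last setpoint it let through.
type Guard struct {
	lim  Limits
	last float64
}

var (
	ErrNotFinite   = errors.New("setpoint is not a finite number")
	ErrOutOfRange  = errors.New("setpoint outside the physical envelope")
	ErrBadInterval = errors.New("time since last order must be positive")
	ErrTooFast     = errors.New("setpoint change exceeds the rate limit")
)

func NewGuard(lim Limits, current float64) *Guard {
	return &Guard{lim: lim, last: current}
}

// Order checks a requested setpoint arriving dt seconds after the previous
// accepted one. It returns the value the actuator should actually follow:
// the request if it passes, otherwise the last accepted value, so a bad
// command holds the current order instead of becoming the new one.
func (g *Guard) Order(req, dt float64) (float64, error) {
	if math.IsNaN(req) || math.IsInf(req, 0) {
		return g.last, ErrNotFinite
	}
	if req < g.lim.Min || req > g.lim.Max {
		return g.last, ErrOutOfRange
	}
	if dt <= 0 {
		return g.last, ErrBadInterval
	}
	if math.Abs(req-g.last) > g.lim.MaxStepPerS*dt {
		return g.last, ErrTooFast
	}
	g.last = req
	return req, nil
}

func main() {
	// Assumed envelopes: a slow-speed engine ordered in rpm, a rudder in degrees.
	engine := NewGuard(Limits{Min: 0, Max: 110, MaxStepPerS: 2}, 60)
	rudder := NewGuard(Limits{Min: -35, Max: 35, MaxStepPerS: 3}, 0)

	// "a couple extra zeroes" on a 60 rpm order
	if v, err := engine.Order(6000, 1); err != nil {
		fmt.Printf("engine holds %.0f rpm: %v\n", v, err)
	}
	// in range, but too abrupt for the hardware
	if v, err := rudder.Order(35, 1); err != nil {
		fmt.Printf("rudder holds %.0f deg: %v\n", v, err)
	}
	// a plausible order goes through
	if v, err := rudder.Order(3, 1); err == nil {
		fmt.Printf("rudder ordered to %.0f deg\n", v)
	}
}
```

The guard rejects rather than clamps, so a blocked order is visible as an anomaly to whoever is watching (the SOC the comment calls for) instead of being silently smoothed into something plausible; a real controller might additionally slew toward an order that was rejected only as too fast. Rejecting NaN and non-positive intervals matters because those are exactly the inputs a fuzzed or forged message is likely to carry.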
mcswell · 2 years ago
https://www.youtube.com/watch?v=c4WJsp16CpY

I was in the US Navy decades ago, long before these digital systems. That said, there are many ways to control rudders, and for that matter engines, that don't rely on someone hooking up a block and tackle (although that actually was the method of last resort for destroyers, of course much smaller than these cargo ships). Taking "manual control" simply meant not running the steering directly from the bridge, e.g. instead running it from the hydraulic controls in after steering (a compartment directly above the rudders).

Eddy_Viscosity2 · 2 years ago
Exactly, ultimately there is always a point where the digital control meets up with the mechanical control that does the actual work. If the digital fails then you access the mechanical control directly.
jcgrillo · 2 years ago
> First, "manually control" engines and rudder isn't a thing. You're talking about a rudder that could be four stories tall.

Except it is actually a thing. Large ships have a separate emergency steering hydraulic circuit driven by its own generator, and operated by hand, commands given from the bridge by radio or telephone.

nimbius · 2 years ago
Technically true, but there is a common single point of failure many cadets and ships' engineers fail to address in maritime shipping:

https://www.imo.org/en/About/Conventions/Pages/International...

Namely, for every tanker, chemical tanker or gas carrier of 10,000 gross tonnage and upwards, or every other ship of 70,000 gross tonnage and upwards, the main steering gear shall comprise two or more identical power units. There's no requirement for separate circuits in these large applications. "Power units" meaning we just duplicate the engine/partial drivetrain and slave it to the SCADA system as a standby unit. These standbys can be started by using residual air in the compressor system (if available) or by diverting charge air from the compressor system to the standby.

Remember: we've been hacked, so compressor valves are likely to be locked shut (or worse, destroyed) until someone can get down to the engine room and force-open the valve manually.

Ships will often "flip" between engines for service intervals, so it can be useful for the SOC team while triaging the problem, but the failover likely wouldn't provide much help.

To answer the question "couldn't we steer using air?": yes, you could, but it would be glacially slow. You might only have enough air power to move 5-10 degrees.

Deleted Comment

Kamq · 2 years ago
> First, "manually control" engines and rudder isn't a thing.

I think you're taking "manually control" a little literally here. Based on the other comments I saw that used this phrase (or roughly similar phrases), it didn't sound like they expected a crew to strap a rope to the rudder and start pulling.

It sounded more like a way to physically disconnect everything "smart" in the event that it became compromised; having a way to interact manually with the rudder (now air-gapped) via dumb electronics (probably integrated circuits and an analog PID system) would meet their criteria.

That may or may not be possible for various reasons on modern ships, but what's being implied in this comment doesn't seem to be what's being suggested.

Solvency · 2 years ago
"Well then, put the ships' ballasts under manual control"

"There's no such thing, Duke"

— Hackers, 1995

RobotToaster · 2 years ago
I'm beginning to think Commander Adama had the right idea about networks on ships.
lp0_on_fire · 2 years ago
I’m beginning to think that idea needs to be applied to a lot more than just ships.

I’ll write more about it once I figure out why my smart refrigerator is showing me porn instead of the weather.

BitwiseFool · 2 years ago
The refrigerator is a distraction, the toaster is the real threat.
m463 · 2 years ago
If only the crewmembers would maintain the airgap with the sexy computers.
waldrews · 2 years ago
All this has happened before and will happen again.
shiroiushi · 2 years ago
So say we all.
i_am_proteus · 2 years ago
Have a non-networked backup GPS.

Have a non-networked backup navigation radar.

Have a way to manually control engines and rudder (wrench on an actuator, sound-powered phone circuit[a] from bridge to the machinery room).

Practice using all of the above.

[a] These are required on basically all ships as a safety measure. Crew know how to use them.

lupusreal · 2 years ago
For the sake of an example, if we assume the Baltimore bridge ship was hacked to crash, I think it's doubtful crew could have gotten to and manually actuated the rudder (assuming that was possible) fast enough to prevent the collision.
jcgrillo · 2 years ago
They got the engine restarted, though, right? If there's a manual override for the rudder hydraulics it stands to reason that would also be located in the engine room, or at least very nearby. So I suspect this incident actually proves they could have responded to a fly-by-wire anomaly, but can't know without reading the report.
i_am_proteus · 2 years ago
If they were standing by to do so, then yes, they would be able to take action in a timely fashion. (It is a standard practice on some ships to have such personnel standing by during high-risk situations.)
swader999 · 2 years ago
Baltimore

Bridge

Battlestar Galactica

CGamesPlay · 2 years ago
Basically the setup to Battlestar: Galactica.

Deleted Comment

treflop · 2 years ago
I would put all the ship systems on one bus.

Then put the networked stuff on another bus.

Then add a bridge that connects the two buses where you could just pull a fuse for a total disconnect. The bridge would have to have a very simple protocol to make it difficult for a worm to cross.

That’s how I’d do it if I had to design a ship that also had to be networked.

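One way to build the bridge treflop describes, as an added example that is not the commenter's code: a gateway that moves telemetry only from the ship-systems bus to the networked bus, using an assumed fixed-size 11-byte frame (magic, sensor id, 32-bit value, CRC-32) and an allow list of sensors with plausible ranges. Nothing variable-length is accepted and raw bytes are never passed through; the networked side gets a value the gateway constructed itself. The frame layout, sensor ids, ranges and sample traffic are all assumptions made for the example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
)

// Assumed wire format of one telemetry frame crossing the bridge:
//   magic (2) | sensor id (1) | value int32 big-endian (4) | crc32 IEEE of bytes 0..6 (4)
const frameLen = 11

var magic = [2]byte{0xA5, 0x5A}

// Sensors the gateway may report on, with an assumed plausible range for
// each. Anything not listed here cannot cross the bridge.
var allowed = map[byte]struct {
	name     string
	min, max int32
}{
	0x01: {"main_engine_rpm", 0, 200},
	0x02: {"rudder_angle_deg", -40, 40},
	0x03: {"fuel_tank_pct", 0, 100},
}

// Reading is the only thing the networked side ever receives: a value the
// gateway built itself, never the raw bytes that arrived on the bus.
type Reading struct {
	Sensor string
	Value  int32
}

var (
	ErrLength        = errors.New("frame is not exactly one fixed-size record")
	ErrMagic         = errors.New("frame does not start with the magic bytes")
	ErrCRC           = errors.New("frame CRC mismatch")
	ErrUnknownSensor = errors.New("sensor id not on the allow list")
	ErrRange         = errors.New("value outside the sensor's plausible range")
)

// Encode builds a frame the way the ship-systems side would; used here only
// to construct sample input.
func Encode(id byte, value int32) []byte {
	f := make([]byte, frameLen)
	f[0], f[1] = magic[0], magic[1]
	f[2] = id
	binary.BigEndian.PutUint32(f[3:7], uint32(value))
	binary.BigEndian.PutUint32(f[7:11], crc32.ChecksumIEEE(f[:7]))
	return f
}

// Decode accepts exactly one well-formed frame and returns a fresh Reading.
// Every check is a hard reject: no best-effort parse, no variable-length
// field, nothing for a worm to smuggle a payload in.
func Decode(frame []byte) (Reading, error) {
	if len(frame) != frameLen {
		return Reading{}, ErrLength
	}
	if frame[0] != magic[0] || frame[1] != magic[1] {
		return Reading{}, ErrMagic
	}
	if crc32.ChecksumIEEE(frame[:7]) != binary.BigEndian.Uint32(frame[7:11]) {
		return Reading{}, ErrCRC
	}
	spec, ok := allowed[frame[2]]
	if !ok {
		return Reading{}, ErrUnknownSensor
	}
	v := int32(binary.BigEndian.Uint32(frame[3:7]))
	if v < spec.min || v > spec.max {
		return Reading{}, ErrRange
	}
	return Reading{Sensor: spec.name, Value: v}, nil
}

// Forward is the bridge's only job: ship-systems bus in, readings out. There
// is deliberately no function for the other direction, and pulling the fuse
// removes even this path.
func Forward(frames [][]byte) (accepted []Reading, dropped int) {
	for _, f := range frames {
		r, err := Decode(f)
		if err != nil {
			dropped++ // a real gateway would report the error to the SOC here
			continue
		}
		accepted = append(accepted, r)
	}
	return accepted, dropped
}

func main() {
	// Constructed sample traffic: two good frames, one tampered, one padded
	// with extra bytes, one from an unknown sensor.
	tampered := Encode(0x01, 85)
	tampered[5] ^= 0xFF
	padded := append(Encode(0x01, 85), []byte("extra payload")...)
	ok, dropped := Forward([][]byte{Encode(0x01, 85), Encode(0x02, -12), tampered, padded, Encode(0x7F, 1)})
	fmt.Printf("accepted %v, dropped %d\n", ok, dropped)
}
```

The protocol is simple enough that there is nowhere for malicious traffic to go: every frame is exactly 11 bytes, every field is checked, there is no decode routine for the reverse direction, and the gateway keeps no state between frames. This only limits what crosses the bridge; a device that was already compromised on the ship-systems side before the fuse was pulled is a separate problem.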
pixl97 · 2 years ago
Oops, the technician was having some problems one day, so they plugged a wireless device into one bus and another into the other bus, so even after pulling the fuse the hackers still had control.

Of course, if they are connected by default, it's very likely the hacker could establish control of a device on the secure side of the bus and load up something in NVRAM on it maintaining control even after a disconnect.

treflop · 2 years ago
Well I didn't add this but I would stipulate that the secure side would have almost no permanent memory at all if possible. I mean, we've been controlling boats without electronics for millennia so if you make it a priority to have no permanent memory, it should be achievable.

It's doable. The biggest issue is that all these engineers are gonna cost $$$$ to design these systems and you will need to do a lot of QA, which also costs $$$$.

marcosdumay · 2 years ago
Well, at some point the answer will be "don't".

Specifically, either don't plug wireless devices into the trusted network, or have some procedure that makes it damn sure any such device will be unusable when the ship is running.

We have some ways of protecting against malicious firmware, but the kind of consumer hardware that gets those is so complex and flawed that you are better without. If the hacker needs full physical access to the ship before the attack, you are about as good as you can get.

MichaelZuo · 2 years ago
There’s no way anyone could accidentally plug in a device of that size. It would be quite a sizable antenna array.

If it was intentional then that’s different.

itsthecourier · 2 years ago
The issue is whether there is a compromised device on the ship systems bus. Even removing internet wouldn't fix that.

Remember the sabotage of Iranian nuclear centrifuges

treflop · 2 years ago
Yeah, well I wouldn't have any component on the secure side have any permanent memory.

PLCs (as used in the Iranian centrifuges) are basically made to be reprogrammed on the fly. You use them because you don't want to hire out a team to build a system, so it's 1000x cheaper, but it means they are infinitely hackable. They're basically a port 80 web server on your network that openly dumps code into Bash to be run. Having them on any network is extremely dangerous.

If I were to buy a product from a company, I would hope I am paying them good money to at least dedicate some engineering to build a custom device. You know, with circuits and non-networked signed EEPROM. Not ship control code in Bash on port 80.

And at the end of the day, you can't guarantee anything to be unhackable, but practicing defense in depth makes it as hard as possible.

But anyway, I think the main issue is that ship companies are not tech companies and don't really have the money to build this. /shrug

oooyay · 2 years ago
Been a while since I worked near this space but there are concepts in modern SCADA for air gapping the things that do versus the things that request.
photochemsyn · 2 years ago
Zero-trust network isolation for the operational side is probably the only real solution, but it's expensive since using the network side to update the industrial control systems on the operational side is no longer allowed. Here's a writeup on the Colonial Pipeline ransomware attack for comparison:

https://airgap.io/blog/zero-trust-network-isolation-for-indu...

hnburnsy · 2 years ago
>What do you do if a hacker takes control of your ship?

You could cut the hardline at the mainframe.

jyunwai · 2 years ago
What are some of the solutions to a cybersecurity incident in progress that involves taking over a moving ship? Much of the article talks about how it's important to prepare for this incident and that there's a simulation developed for this scenario, but the recommendations at the end look preventative instead of intended to fix an active incident.

The article's preventative methods include "Install security updates as soon as they come and automatically as much as possible," "Do not assign administrator rights to end users," "Do not allow the use of weak passwords," use multi-factor authentication, don't install non-approved software, conduct risk assessments for computer systems in use, and make plans for cyber incidents in advance.

pixl97 · 2 years ago
Lol, preventative measures in this case are dumb as crap in the sense that they should be more

"This is an extremely locked down industrial device that only executes signed code and has every port on the machine epoxied over" as just the starting paragraph.

Unfortunately the exact details of what to do in a cyber incident are really closer to a per-system plan. Honestly it's something that should be red teamed/blue teamed in a simulator many times, then dump some harbor pilots and captains in the sim against the red team to see what the common default reactions are.

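As an added example of the "only executes signed code" requirement that treflop (signed EEPROM, not code dumped into Bash on port 80) and pixl97 both reach for, and not code from either commenter or from any PLC vendor, here is the device-side acceptance check for a program image: the controller holds only the vendor's Ed25519 public key and the version it currently runs, verifies the signature over version||program before looking at anything else, and refuses versions that do not increase. Generating the key pair at run time, the image layout and the program strings are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image is what the engineering workstation delivers to the controller: a
// version that must only ever go up, the program bytes, and a vendor
// signature over version||program.
type Image struct {
	Version uint32
	Program []byte
	Sig     []byte
}

// Controller models the device side. It holds only the vendor public key and
// the version it runs; the private key never exists on the ship.
type Controller struct {
	vendorPub ed25519.PublicKey
	installed uint32
	program   []byte
}

var (
	ErrBadSignature = errors.New("image signature does not verify")
	ErrRollback     = errors.New("image version is not newer than installed")
)

// NewVendorKeys generates a vendor key pair. In practice the public key is
// burned into the controller at manufacture; generating it here is an
// assumption so the example runs stand-alone.
func NewVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func NewController(vendorPub ed25519.PublicKey, installed uint32) *Controller {
	return &Controller{vendorPub: vendorPub, installed: installed}
}

// signedBytes fixes the exact byte string that is signed, so version and
// program cannot be re-paired independently of each other.
func signedBytes(version uint32, program []byte) []byte {
	b := make([]byte, 4+len(program))
	binary.BigEndian.PutUint32(b[:4], version)
	copy(b[4:], program)
	return b
}

// Sign is the vendor-side step.
func Sign(priv ed25519.PrivateKey, version uint32, program []byte) Image {
	return Image{Version: version, Program: program,
		Sig: ed25519.Sign(priv, signedBytes(version, program))}
}

// Load verifies the signature before it acts on anything else in the image,
// then refuses rollback. On any error the running program is untouched.
func (c *Controller) Load(img Image) error {
	if len(img.Sig) != ed25519.SignatureSize ||
		!ed25519.Verify(c.vendorPub, signedBytes(img.Version, img.Program), img.Sig) {
		return ErrBadSignature
	}
	if img.Version <= c.installed {
		return ErrRollback
	}
	c.installed = img.Version
	c.program = append([]byte(nil), img.Program...) // private copy
	return nil
}

func (c *Controller) Installed() uint32 { return c.installed }
func (c *Controller) Running() []byte  { return c.program }

func main() {
	pub, priv := NewVendorKeys()
	_, attacker := NewVendorKeys()
	c := NewController(pub, 1)

	fmt.Println("vendor v2:", c.Load(Sign(priv, 2, []byte("rpm-loop v2"))))
	fmt.Println("attacker-signed v3:", c.Load(Sign(attacker, 3, []byte("rpm-loop v3"))))
	img := Sign(priv, 3, []byte("rpm-loop v3"))
	img.Program = append(img.Program, " idle*100"...) // tampered after signing
	fmt.Println("tampered v3:", c.Load(img))
	fmt.Println("replayed v2:", c.Load(Sign(priv, 2, []byte("rpm-loop v2"))))
	fmt.Printf("running v%d: %q\n", c.Installed(), c.Running())
}
```

Two details carry the security argument. The signature covers the version together with the program, so an old but legitimately signed image cannot be presented under a new number, and rollback to a known-bad version is refused separately. And the controller verifies before it parses: nothing in an unverified image influences control flow, which is the opposite of a device that runs whatever arrives on the network.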
M95D · 2 years ago
I'm not concerned about this kind of attack. Very few people live or work sufficiently close to the sea to be a potential target. Nobody can crash a container ship into the Pentagon. The damage a ship collision could do is probably mostly economic (a refinery, some docks, a bridge) and environmental (storage tanks near docks, a nuclear power station).

It makes sense to do training for the shipping companies. Cyberattacks on shipping companies happened before, just not on ships. These attacks were ransomware. They don't intend to destroy their hacked assets, because no ransom would be paid, and they don't hack one system/target, they hack all of them at the same time.

zbentley · 2 years ago
Remember the impact to global trade (and commodity prices, and food uncertainty) caused by the Suez Canal blockage in 2021?

Past a certain magnitude, "mostly economic" damage is extremely impactful as an attack.

ramijames · 2 years ago
Economic targets are valid in war, and I'd be immensely worried if large ports were destroyed.

Deleted Comment

M95D · 2 years ago
In a war, large ports are very well defended, that includes at least artillery and mines.

Deleted Comment

Deleted Comment

javajosh · 2 years ago
Good article, because it's a canary in the coal mine that warns us against drive-by-wire in personal automobiles. Personally I will never own or use a car that is drive-by-wire, especially if it's connected to the internet. I believe strongly there will (soon?) be an incident where an org or individual will hack a fleet of such cars, cause widespread death, and the public will pull their hair and say "how could this have happened?!"
__MatrixMan__ · 2 years ago
To what end? If the hack happens, I think it's much more likely that we see a string of assassinations that look like accidents, or kidnappings that don't look like vehicle-related skulduggery at all. It's just not as valuable if you pull the trigger all at once.
mcswell · 2 years ago
Turn all stoplights green (not red!) at the same time. This was actually the idea of a scifi story back in the 1960s--it came out first as a short story (probably in Analog), then as a book. (FWIW, I found the short story better.)

Like many of the ideas in the book 1984, turning all the stoplights green at the same time in New York City was probably not possible in the 1960s. It is now.

lp0_on_fire · 2 years ago
> To what end?

“Because some people just want to see the world burn”, unfortunately.

The idea that someone would actually fly two commercial airliners into downtown Manhattan to take out the World Trade Center was also pretty unlikely, circa 2000 and 2001.

javajosh · 2 years ago
>To what end?

The US and China go to war, over Taiwan say. This would be part of a general attack on the US, and would include things like the power grid, internet infrastructure, and anything else that can be disabled or turned against us.

Terrorists decide that 9/11 wasn't good enough, and they can do 1000x more damage, death and terror from the comfort of their computers.

Extortionists decide to leverage this capability to extort money from car companies.

More targeted killings would be motivated according to your thought.

This is just the top of my head. I'm sure there are others.

Terr_ · 2 years ago
> It's just not as valuable if you pull the trigger all at once.

Not if they short-sell the car-manufacturer stock first! Granted, that might increase their odds of being caught, but attackers don't have to be wise to be dangerous.

Depending on what can be hacked, another possibility would be a string of suspiciously-smooth thefts.

pavel_lishin · 2 years ago
> It's just not as valuable if you pull the trigger all at once.

I mean, it depends on the person pulling the trigger, right? A sociopathic 14 year old from Bogota might not care.

kube-system · 2 years ago
Do you drive an old car? Drive-by-wire throttles and controller area networks became commonplace in cars a solid 20 years ago. The benefits of these components within a car are completely orthogonal to any sort of external network connectivity.
mauvehaus · 2 years ago
It's gotten so hard to be a shadetree mechanic.

I swapped an EJ22 out of a 2001 Subaru Impreza into an '86 BRAT. At least as of 2001, there were still a lot of discrete pairs of wires that a sufficiently savvy person (I.e., not me) could debug with a multimeter. Thank goodness. It was enough fun getting it running without involving CANBUS in the process.

I believe our 2005 Civic was largely discrete pairs of analog wires too, even if it was throttle by wire. It gave me very little electrical trouble.

Troubleshooting the headlights on my 2010 Suzuki SX-4 involved printing some 30 pages from TFM. The entirety of the wiring diagram for my '76 Triumph TR6 fit on three pages. We own a Willys CJ-2A, and the whole wiring diagram fits on one sheet. The wiring diagram for the circuits that actually make it run probably fits on an index card.

When you turn off the headlights in my wife's 2018 Impreza, there's a noticeable delay between turning the switch and the computer deigning to allow you to turn the lights off.

toast0 · 2 years ago
Are there recent model vehicles without computer controlled throttles?

I know ABS implies computer modulated braking, but I don't think it implies the computer can brake without user input or override user input and not brake. OTOH, automatic emergency braking is standard on some vehicles and optional on many.

Computer controlled steering is currently rare, but is part of lane keeping assistance.

05 · 2 years ago
ESC (basically the same actuator hardware as ABS) can definitely brake without user input and it's mandatory in all cars sold after 2012. Steering assist is mostly torque-limited by design; you should be able to easily overpower it.
exe34 · 2 years ago
Well the authorities will probably do something sensible like ban keyboards or something. They already banned the flipper zero in Canada because it can be used to unlock insecure cars.
dogman144 · 2 years ago
So I agree, but my next question is what cars are you finding that meet this standard? Networks show up in cars quite early, not sure how far back I'd have to go to buy one that is suitably off-grid.
jcgrillo · 2 years ago
I own a 1999 Mercedes-Benz E300 turbodiesel and a 1995 Toyota Land Cruiser. Both of these vehicles are modern, computerized machines with electronic engine management, airbags, and computer controlled transmissions. Neither of them has any need for "software updates" nor do they have any way to do so. They both have OBD-II interfaces, and the Benz has a proprietary interface as well. I'll be sticking with these vehicles for as long as it takes for the current complexity fetish to subside. If that means never buying another vehicle that's fine by me :)

My plan for the Land Cruiser is to install the engine and transmission from an early 2000s Mitsubishi Fuso. This will entail grafting the ECU and TCU from the Fuso into the Cruiser's wiring harness, and doing some transmission modifications to hook up the tailshaft to the Toyota transfer case. Should just about double fuel economy and improve driveability. I can't think of any reason I'd buy a newer vehicle, the "improvements" they offer just aren't worth the cost.

toast0 · 2 years ago
On-grid cars don't tend to stay that way. My 2013 Ford was built with a 2g modem, a recall replaced that with a 3g modem, and now the 3g modem has no one to talk to. My 2017 Chrysler also has a 3g modem with no one to talk to.

A malicious person could stand up a fake 3g network, I guess. But LTE has strong mutual auth, so cars with 4g modems will be very hard to attack once 4g is dead. OTOH, 4g and 5g can more easily coexist: as I understand it, 5g can run with a 4g compatible control protocol, with some slots 4g and some 5g depending on the needs of the mobile stations nearby; 2g and 3g needed a block allocated, so once the minimum size block was no longer well utilized, it was a waste of spectrum. This may mean 4g is kept alive a lot longer than 2g/3g.

devb · 2 years ago
What is your basis for strongly believing that?
dogman144 · 2 years ago
Because there have been a number of solid proofs of concept to hack a car and kill the transmission mid-drive, and that was several years ago.