Cyber attacks are of increasing concern in a wide range of industries including the maritime, oil and gas, and energy sectors. Information warfare is gathering intensity, and sometimes the best defence is to subject your organization to a simulated attack.
This insight is driving the recruitment and development of ethical hackers, sometimes referred to as ‘white hat hackers’ in an allusion to heroes who take on black-hatted bad guys in the movies.
In cyberspace, the bad guys are all too real. Cyber attacks can lead to lost production; increased health, safety and environmental risk; damage claims; and reputational loss. The world’s largest container shipping line, AP Moeller-Maersk, stated that the so-called NotPetya ransomware cyber attack in the summer of 2017 could cost it between US$200–300m.
The threat is also of concern to insurers needing to manage their risk, and to owners who want complete insurance coverage: so, locking hackers out is increasingly important.
In one example of the white hats winning, DNV ethical hackers, collaborating with a Norwegian university, alerted Siemens to a zero-day vulnerability, computing jargon that means it was previously unknown to Siemens. “The vulnerability could have let a hacker remotely shut down the drilling control system, a blowout preventer, power management systems, or an emergency shutdown system,” explains Mate J Csorba, Principal Specialist Cybersecurity, DNV - Marine Cybernetics Advisory, who found the cyber loophole.
Hacking to stay cyber secure
DNV advises extensively on cyber security in the maritime, oil and gas, and energy sectors. Its focus is on practices, tools and concepts to protect operational technology (OT) and information technology (IT) combined.
Achieving this means assessing cyber security vulnerabilities that hackers could exploit. DNV’s Recommended Practice (RP) DNVGL-RP-0496 Cyber security resilience management for ships and mobile offshore units in operation – which helps companies to prepare for an ISO 27001 certification – outlines a strategy to assess weakness under three headings: technology, processes, and people (Figure 1).
Ethical hacking is one of the technology solutions to staying cyber secure by testing and verifying OT, IT and linkages between them. “What distinguishes DNV’s white hat team is that it combines hacking expertise with profound knowledge of operational technology in key business areas,” says ethical hacker Elisabet L Haugsbø, project engineer at Marine Cybernetics Advisory, DNV - Maritime. “We know what can be done if a hacker gets control, giving us a better idea what to look out for than someone with purely IT experience.”
Ethical hacking in practice
DNV’s ethical hackers use a familiar three-step process starting with passive and active reconnaissance of the cyber security of, say, a ship, an oil platform, or a utility’s remote-metering infrastructure. They then scan for potential vulnerabilities and, if they find any, try to gain access through penetration testing.
“An unethical hacker would then try to secure access to the system for the future and cover up their tracks by altering files and logs,” explains Haugsbø. “We do not do that: we reveal vulnerabilities to help customers mitigate them.”
An initial phase of an ethical hack could involve simply walking around on a vessel to try to gain unauthorized access to a computer server cabinet because it is unlocked, for example.
“There may be access control related information not kept securely, such as passwords, and we might try tapping into the crew WiFi to find a route into the control systems,” Haugsbø adds. “Next, we scan for vulnerabilities that could be used to enter and exploit the system to affect operations or access confidential information.”
Some scanning and testing is carried out remotely over the internet from DNV’s centres of expertise.
“What distinguishes DNV’s white hat [ethical hacking] team is that it combines hacking expertise with profound knowledge of operational technology in key business areas. We know what can be done if a hacker gets control, giving us a better idea what to look out for than someone with purely IT experience.”
Huge, publicly available online databases of vulnerabilities identified worldwide are updated daily by various organizations and are available along with search tools to ethical hackers, including DNV's specialists.
Despite this, many companies are all-too-vulnerable, says Haugsbø: “In the shipping sector, for instance, we see passwords never being changed, or being pre-set by IT departments onshore and printed and posted on walls. Some passwords are weak or just factory defaults.”
Other weaknesses include crew members backing up data on personal hard disk-drives; infected USB sticks being used to transfer loading-condition data to shore; and unencrypted emails.
Then there was the firewall mounted in an engine performance monitoring cabinet, but not connected; the on-board firewall with base functions disconnected; and control system devices connected to insecure on-board WiFi.
“Keeping software patched and hardened against cyber attacks sounds an obvious precaution,” Haugsbø says. “But we have seen Windows operating system software being updated only during major upgrades, so it is years out of date. Sometimes Windows is installed with standard settings left unchanged.”
In the utility sector, DNV found a large share of one client’s meter data servers were prone to a Denial-of-Service (DoS) vulnerability that could have impacted the entire metering infrastructure.
Keeping hackers out of operating technology
“Critical network segments in [oil and gas] production sites used to be isolated but are now connected to networks, making operational technology more vulnerable. It is one reason why we conduct ethical hacking for customers in the sector.”
Greater attention is being focused on the cyber security of operational technology as more use is made of ‘smart’ sensors, monitors, equipment and machinery and as connectivity between such components, and even with corporate IT systems, increases in the industrial Internet of Things.
Decades ago, few if any critical functions and systems on ships were automated, and they were certainly not online. Safety in shipping and offshore units now depends heavily on cyber systems (Figure 2); but are crews aware of the new threats?
A Ponemon Institute survey of US oil and gas professionals responsible for securing or overseeing cyber risk in the OT environment found 59% believe there is greater cyber risk there than in enterprise IT.1
“Critical network segments in production sites used to be isolated but are now connected to networks, making operational technology more vulnerable,” says Petter Myrvang, Head of Information Risk Management, DNV. “It is one reason why we conduct ethical hacking for customers in the sector.”
Haugsbø adds: “In one test, we were able to tunnel between different network levels, including the office level, on an offshore production unit. We also encountered insufficient filters in routers communicating from shore to ship.”
Sector responses to cyber risk
“When performing ethical hacking, you are asking the customer to let their guard down; so, it helps that DNV is a trusted partner. When sending [cyber security] penetration testing results to a customer, we encrypt them and always use a Virtual Private Network when accessing sensitive project folders."
Industries vary in their awareness and responsiveness to cyber security risk, according to Patrick Rossi, Cyber Security Service Manager for DNV - Maritime: “Until recently, oil and gas has been the most mature in this regard because of its in-built practice of managing operational risk related to handling hazardous hydrocarbons. The power sector has also been in the forefront due to high availability requirements for steady, reliable distribution of sources of energy.”
Maritime lags a little, Rossi adds: “For example, people in the industry are embarrassed about sharing negative findings. In some jurisdictions, there is a good culture of reporting safety incidents so that the entire industry can learn from them, but cyber security is not there yet.”
Encouragingly, says Rossi, DNV now sees more maritime customers seeking to tackle cyber security: “Some have already performed cyber-risk assessments and want more guidance. We are definitely seeing a pick-up in this.”
Ethical hacking is a sensitive exercise that requires operators to share their weaknesses. “We recognize this,” says Rossi. “When performing ethical hacking, you are asking the customer to let their guard down; so, it helps that DNV is a trusted partner. When sending [cyber security] penetration testing results to a customer, we encrypt them and always use a Virtual Private Network when accessing sensitive project folders. We value our customers’ trust and eagerness in discovering vulnerabilities and improving on their cyber resilience capabilities.”
References and further resources
Responding to concerns over cyber threats to operational technology, DNV developed the aforementioned Recommended Practice DNVGL-RP-0496 as the first cyber security risk management guidance in collaboration with all Maritime segments.
"We have taken a complex challenge such as cyber security risk management and provided simple-to-use guidance that even non-experts can start with; enabling the sector to learn how to tackle these problems themselves is the best way to make an impact in this industry," DNV's Patrick Rossi explains.
The company also led a two-year joint industry project with several large players in the oil and gas sector. It resulted in DNV Recommended Practice DNVGL-RP-G108 Cyber security in the oil and gas industry based on IEC 62443.
“We have responded to the need for a recommended practice addressing how oil and gas operators – upstream, midstream and downstream – working with system integrators and vendors can manage the emerging cyber threat. It outlines a tailored approach for the industry on how to build security, with the emphasis on operational technology,” DNV’s Petter Myrvang explains.
In another sector, Kongsberg Maritime recently became the first organization to receive DNV type approval for the cyber security capabilities of their Information Management System (K-IMS). The approval programme, DNVGL-CP-0231, is designed in accordance with the principles in International Electrotechnical Commission standards IEC 62443-4-2 and IEC 61162-460.
Verification and technical assurance
“When utilities use standard formats such as Device Language Message Specification (DLMS) for messaging with smart energy devices, there are many challenges in protecting against accidental or malicious inputs that could be designed to exploit vulnerabilities in the device”
Ethical hacking can assist with the verification and technical qualification of equipment and systems. DNV is seeing increasing interest among operators and vendors in testing – including ethical hacking – for cyber vulnerabilities as part of DNV’s longstanding verification services.
Patrick Rossi sees ethical hacking as a necessary third-party verification step for any critical cyber-enabled infrastructure: “By addressing cyber security right from the concept phase, third-party penetration testing activity can then be used to validate the effectiveness of the barriers that were initially designed into the integrated system.”
In response to rising demand in the energy sector, the company established a new DNV Technical Assurance Laboratory (DTAL) in 2016 with the techniques and tools to detect device flaws as part of a product security evaluation service currently being applied in the sector. This service includes applying ethical hacking techniques to products.
“When utilities use standard formats such as Device Language Message Specification (DLMS) for messaging with smart energy devices, there are many challenges in protecting against accidental or malicious inputs that could be designed to exploit vulnerabilities in the device,” says Chris Storer, a security evaluator at the DTAL.
"For example, we find cases where messages intended to read values can unexpectedly change those values instead, or where missing data in messages can lead to actions that change a device state in unexpected ways. The challenge we address in the DTAL is how to efficiently carry out tests that cover all these types of interface and protocol flaws before the target device or application is exposed in the field.”
Universities and professional training organizations offer options ranging from graduate and Masters level degrees to short courses. DNV’s Mate J Csorba and Patrick Rossi each have the internationally-recognized Certified Ethical Hacker (CEH) qualification from EC-Council, the world’s largest cyber security technical certification body, for example.
“To become an ethical hacker, you need to be curious about what else you can do with things. As a boy, that meant discovering undocumented functions for devices. As a hacker, the fun is in finding ways around usual features, discovering new ones by exploring the technology. We are all passionate about this.”
“However, it is not something you can learn by reading; you need to dive in and do it,” says Elisabet L Haugsbø, who learned the skill at DNV. Her background is in engineering cybernetics and testing of control systems. It is, she says, “a perfect marriage with ethical hacking when it comes to finding cyber security loopholes in control systems and operational technology.”
Csorba arrived at DNV with a doctorate in telecommunications and became increasingly interested in the need for ethical hacking. Rossi’s background was in automated manufacturing engineering: he has a masters degree in cybernetics. “To become an ethical hacker, you need to be curious about what else you can do with things,” says Rossi. “As a boy, that meant discovering undocumented functions for devices. As a hacker, the fun is in finding ways around usual features, discovering new ones by exploring the technology. We are all passionate about this.”
Discovering a zero-day vulnerability, as DNV’s Csorba did in the Siemens case study, is a rare event underlining the unpredictability of ethical hacking. “You start with the topology of the system as supplied by the customer, figure out how it is set up, but then do not know what you will encounter,” says Haugsbø. Ethical hackers therefore need a large range of hacking tools and deep understanding of both the OT and IT systems.
As DNV expands and broadens its cyber security work, it is starting to share ethical hacking know-how internally so that experts may combine it with their experience of operational aspects of maritime, oil and gas, and energy.
“It is about having the right toolbox to give current and future customers a good service,” says Haugsbø. “I can imagine us one day doing the total certification of an entire vessel from the physical components and machinery through to the software and cyber security.”