Ships are just giant floating computers, filled with ransomware, BadUSB, and worms

A coalition of shipping industry associations has published The Guidelines on Cyber Security Onboard Ships, laying out best practices for the giant ships that ply the seas, and revealing that these behemoths are routinely infected with worms, ransomware, and malware spread by infected USB devices.

The document recounts incidents in which infected ships were stranded because malware caused their computerized navigation to fail, and there were no paper charts to fall back on; incidents where fleet owners paid off ransomware demands to keep ships at sea safe, and where the entire digital infrastructure of a ship at sea failed due to malware that spread thanks to weak passwords.

The report includes details of two incidents where USB thumb drives have led to a cyber-security incident, delays, and financial damage.

1) A dry bulk ship in port had just completed bunkering operations. The bunker surveyor boarded the ship and requested permission to access a computer in the engine control room to print documents for signature. The surveyor inserted a USB drive into the computer and unwittingly introduced malware onto the ship's administrative network. The malware went undetected until a cyber assessment was conducted on the ship later, and after the crew had reported a "computer issue" affecting the business networks. This emphasises the need for procedures to prevent or restrict the use of USB devices onboard, including those belonging to visitors.

2) A ship was equipped with a power management system that could be connected to the internet for software updates and patching, remote diagnostics, data collection, and remote operation. The ship was built recently, but this system was not connected to the internet by design. The company's IT department made the decision to visit the ship and performed vulnerability scans to determine if the system had evidence of infection and to determine if it was safe to connect. The team discovered a dormant worm that could have activated itself once the system was connected to the internet and this would have had severe consequences. The incident emphasizes that even air gapped systems can be compromised and underlines the value of proactive cyber risk management. The shipowner advised the producer about the discovery and requested procedures on how to erase the worm. The shipowner stated that before the discovery, a service technician had been aboard the ship. It was believed that the infection could potentially have been caused by the technician. The worm spread via USB devices into a running process, which executes a program into the memory. This program was designed to communicate with its command and control server to receive its next set of instructions. It could even create files and folders. The company asked cyber security professionals to conduct forensic analysis and remediation. It was determined that all servers associated with the equipment were infected and that the virus had been in the system undiscovered for 875 days. Scanning tools removed the virus. An analysis proved that the service provider was indeed the source and that the worm had introduced the malware into the ship's system via a USB flash drive during a software installation. Analysis also proved that this worm operated in the system memory and actively called out to the internet from the server. Since the worm was loaded into memory, it could affect the performance of the server and systems connected to the internet.

The Guidelines on Cyber Security Onboard Ships [International Chamber of Shipping et al]

Ships infected with ransomware, USB malware, worms [Catalin Cimpanu/Zdnet]