Commercial shipping environments are rife with vulnerabilities, according to researchers – up to and including unpatched “mystery boxes” that no one knows anything about.
“In every single [nautical pen] test to date we have unearthed a system or device, that of the few crew that were aware, no one could tell us what it was for,” said Andrew Tierney, researcher with Pen Test Partners, writing in a blog on Monday. “In other scenarios an undocumented system or device would be considered a malicious implant. In maritime cyber security it’s business as usual.”
In one case, a monitoring system was uncovered whose purpose was not known – although it was connected to the main engine. Fleet management had no record of its purchase or installation; all hardware was unlabeled. It had been installed by a third party with whom a commercial arrangement had stopped several years ago, Tierney said.