“This was a vulnerability that could have allowed a hacker to remotely shut down the drilling control system, a blowout preventer, power management systems, or an emergency shutdown system,” says Mate J. Csorba, Principal Specialist Cybersecurity, Marine Cybernetics (MC). In January 2016, Csorba’s MC team and partners at the Norwegian University of Science and Technology (NTNU) contacted Siemens about a denial of service (DoS) vulnerability in a series of their programmable logic controllers (PLCs). Designed for discrete and continuous control in industrial environments worldwide, these PLCs are among the most widely deployed Siemens controllers. Many critical applications are built on top of this family of PLCs.
“We engaged with ProductCERT, the central Siemens team for responding to potential security incidents and vulnerabilities,” continues Csorba. “Through a coordinated disclosure procedure, we sent an encrypted proof of concept showing how the vulnerability could be exploited.” The resulting dialogue between Marine Cybernetics services and Siemens produced a firmware update that addressed the issue.
“This most recent finding has been the result of our collaboration with the Department of Telematics at NTNU. The investigation relied on state-of-the-art security testing methodologies, in particular fuzzy testing and negative testing of industrial communications,” Csorba adds. “The proof of concept developed by MC only required TCP/IP packets to be sent to the PLC. By doing this we could disable a PLC in such a way that only a cold restart would bring it back to normal operation.”
The issue detected received a base rating of 7.5 out of 10 based on the industry standard for assessing the severity of computer system security vulnerabilities (CVSS) – which meant it was a high-severity vulnerability. Most control systems are designed assuming a secure PLC operating environment.
But in practice, industrial systems are often connected to other networks, allowing remote access through the Internet. “This vulnerability could have been exploited by an attacker gaining access to the control system network. This is why the verification and testing of deployed barriers, such as network segregation, and secure remote connectivity is so essential to ensuring system security,” says Csorba. While the vulnerability identified by Marine Cybernetics services and NTNU was, on this occasion, in a Siemens PLC, serious vulnerabilities have also been reported in similar products from other vendors. “The ProductCERT team from Siemens was excellent. They handled the finding and disclosure process professionally and swiftly. The major control system vendors take such findings very seriously and are continually working to maintain and improve their development cycles.”
But at the same time, he states, owners in the maritime and offshore industries should seriously contemplate third-party verification of their assets’ cybersecurity. “The current practices to mitigate cybersecurity risks, especially in the industrial environments where these controllers are used, are not always best suited for addressing such issues,” Csorba explains.
Customized tools and methods
This is just one example of how DNV GL works to identify and prevent cybersecurity vulnerabilities that can impact critical maritime and offshore control systems. As part of DNV GL – Maritime, Csorba works in one of the test labs in Trondheim, Norway, where the focus is on addressing cybersecurity in on-board control and various auxiliary systems.
The DNV GL – Maritime labs can host replicas of a variety of control systems, including power management systems, blowout preventers, drilling control systems, steering and propulsion systems. Cybersecurity threats are entering the maritime domain, but the testing of systems for cyber vulnerabilities is still relatively new to the maritime and offshore industries. Proprietary and closed-source solutions require novel and often customized tools and methods to address these concerns.
“Cybersecurity regulations and guidelines are for the most part still under development,” says Csorba. “But maintaining the integrity and resilience of cyber-physical systems, including critical control systems, requires a holistic approach to safety and security. This is an area where we foresee increased demand over the next few years the industry becomes more aware of the potential vulnerabilities in these complex, software-dependent systems.”