Cybergibbons 🚲🚲🚲
Apr 3, 26 tweets
I broadly agree with this thread, but there's a few aspects where I think the scale and magnitude of the issues on modern ships is maybe not clear.

The number of modern vessels that have all their critical safety systems air gapped is getting lower and lower.
What do I mean by critical systems?

Steering (which, oddly, depends on the type of vessel)
Propulsion (which can be the same as steering)
Power management system
ECDIS (electronic charts, which may or may not directly impact navigation)
Let's look at a few of the times we've found air gaps eroded on vessels.

This is the console used to control dynamic positioning on an offshore support vessel. This is designed to hold position, with control over propulsion and steering.
It's running on two Windows boxes, which are rather old.

Let's have a look in that control cabinet.
What's that?

A modem.

An ISDN modem, connected to Fleet Broadband (FBB, the slowest and oldest satellite connection).

This is not an air gap.
This is one of the generators on a similar offshore support vessel.

We knew there was a condition monitoring system, feeding back data allowing for predictive maintenance to take place. How is that information getting back?
Inside the control cabinet is a little cellular router.

We're on the bottom plates, so no cell signal, and the antenna isn't fitted and there is no SIM.
Oddly, the little router has a WAN/LAN port - not discrete ports like on most routers.

How could it be firewalling or securing the generators?
Well, it wasn't. It was just two subnets.

Change your IP address and you can route to the other subnet.
The controllers for the generators were exposed to this network. Download a little tool, and you can interact with them over the network.
But how can you gain access to that network?

Well, each cabin had a little box for satellite TV. Turns out network segmentation had not been put in place.

This is not an air gap.
This is a little embedded PC we found on a container ship. Some kind of gateway for performance monitoring.

It made one connection out to the ECDIS, but this was one way.
But to communicate with the engine, it used Modbus - this can't be a one way connection as it is request/response.
The kicker was that the box had an active TeamViewer connection. And could interact with the main engine.

This is not an air gap.
These systems are incredibly common.

Only one ship that we have tested - which was built in 1982 - has not had any of the critical systems connected to external entities.
On one super yacht we even found out the main engines had their own dedicated satellite connection for diagnostics.
The other aspect I don't agree with is how often these connections are "one way".

Often they are described as one-way, sometimes they are designed in such a way, but often this is a pretty token attempt at protection.
There are devices called data diodes that only allow data to flow one way, but we rarely see these.

A common control is only using one half of a serial connection.

If you can only receive data, then that's fine. This is a performance monitoring system using this method.
Far more common is the use of "gateways" or firewalls. Now, these are a security control, but that doesn't mean they are perfect.

Often we find ways around them.
But more to the point - it doesn't matter - they are no longer air gapped.

If the vendor who installed them can use them for remote access, so can an attacker.
A common theme across all of the systems above was that they weren't documented and the risk wasn't properly understood.

We had to find them and examine them in depth to understand them.
Often the crew know there is a system, sometimes they know where parts of it are, but on many occasions we've had to root around to find them.
In one case, it's entirely conceivable that a cellular modem designed to allow remote servicing of the STAGE CURTAINS on a cruise ship could result in us impacting fire alarms, lighting and propulsion.

It took two of us a day to find this cellular modem...
So once again - no, we can't say if the Dali was hacked.

But we need to be aware that air gaps are becoming very rare.
In my notes on tests, 32 different gateway systems made by many vendors.

Did we break all 32? No, of course not.

But some of them, we very much broke them.
And to be clear, a dynamic positioning vessel is very different to a container ship.

The helm and main engine controls are much less complex on a container ship and far more likely to remain air gapped.
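
Added example, not part of the original thread: because Modbus is request/response, a monitoring gateway has to send frames towards the controller, so any control has to act on what those requests ask for rather than on direction. The sketch below is a default-deny check that forwards only read function codes; it assumes Modbus/TCP framing (the thread does not say which transport was in use), and all function names and sample frames are constructed for illustration.

```python
import struct

# Function codes from the public Modbus specification that only read data.
READ_ONLY = {1: "Read Coils", 2: "Read Discrete Inputs",
             3: "Read Holding Registers", 4: "Read Input Registers"}

def parse_request(frame: bytes) -> dict:
    """Parse a Modbus/TCP request: 7-byte MBAP header, then the function code."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    # The MBAP length field counts the unit id plus the PDU.
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    return {"tid": tid, "unit": unit, "function": frame[7], "data": frame[8:]}

def gateway_verdict(frame: bytes) -> str:
    """Default-deny: forward only well-formed requests with a read function code."""
    try:
        req = parse_request(frame)
    except ValueError as exc:
        return f"DROP malformed ({exc})"
    name = READ_ONLY.get(req["function"])
    if name is None:
        return f"DROP function 0x{req['function']:02x} not on read-only allowlist"
    return f"FORWARD {name}"

def build(tid: int, unit: int, function: int, data: bytes) -> bytes:
    """Helper to construct sample frames for this example."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed sample frames (not captured traffic).
SAMPLES = {
    "read": build(1, 1, 3, struct.pack(">HH", 0, 2)),   # read 2 holding registers
    "write": build(2, 1, 6, struct.pack(">HH", 0, 1)),  # write a single register
    "truncated": b"\x00\x03\x00\x00",
}

if __name__ == "__main__":
    for label, frame in SAMPLES.items():
        print(label, "->", gateway_verdict(frame))
```

Even with such a filter in place, the link is bidirectional and the monitoring box can still reach the controller, which is the thread's point about these connections not being an air gap.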
