ChatGPT to Disrupt Maritime IT/OT Security

SAN FRANCISCO : The maritime industry should be concerned by the release of ChatGPT, an AI chatbot. This generative AI tool can be used to accelerate the execution, speed and quality of attacks. It also provides tools to hackers who heretofore may have the ability to penetrate vessels without the knowledge base required to disrupt vessel operations. ChatGPT, as it is currently designed and regulated, is essentially a force multiplier for effective cyberattacks in maritime, especially for less experienced attackers.

ChatGPT can be used to write persuasive and personalised phishing emails. This is significant for maritime because phishing emails very often are the beginning of disruptive, widespread attacks, such as ransomware attacks. There have already been some cases of ransomware affecting vessels in the past couple of years. One took place in 2020, when two ships were infected by the ransomware Hermes 2.1 via the AZORult trojan. The infection came as a macro-enabled Word document attached to an email, affecting multiple workstations on the administrative networks.

If a user clicks on a malicious link, they would likely be taken to a website which infects malware onto their computer or discloses their login credentials to attackers. The attacker can infect and access the IT segment onboard the vessel. IT segment includes crew and passengers’ internet access (Ethernet and Wi-Fi connections) and entertainment system networks. They can pivot from there to the vessel’s operational technology (OT) environment. Here is an example of a phishing email created by ChatGPT, which happily incorporates a malicious link:

ChatGPT can also help attackers write malicious code which helps them control the OT network, for instance through a ransomware attack. Maritime protocols are usually very complicated to write code for, widely expanding the number of potential attacker profiles (https://techcrunch.com/2023/01/11/chatgpt-cybersecurity-threat/?guccounter=1), especially those with less computer skills. Once again, ChaptGPT obliges in this example:

This is especially concerning because network segregation is challenging onboard a vessel and often broken down for ease of use. Yet it is critical for protecting OT onboard vessels from less-trusted IT networks where threats propagate with relative ease. Examples of vessel OT (https://fundamentalsfirst.co.uk/cyber-security-solutions/ot-cyber-security/maritime/) include the Automatic Identification System that broadcasts the vessel’s identification data, cargo, current position and course and the Container Tracking System, used to track the contents and movement of containers using GPS.

OT and IT networks are typically configured in one of four ways: Flat, Firewalls, Host and Remote Access Server. Ease of connection between IT and OT assets vary with each approach. A Flat network provides direct access between IT and OT assets, in which both connection to OT and abuse of insecure protocols and services is trivial, due to there being no protection. In contrast, a Remote Access Server network provides a segregated OT environment utilising a Remote Desktop Protocol (RDP). A Firewall network is configured to allow some traffic, for instance when a configuration tool needs access to a protocol like Modbus. However, attackers can still attack the OT environment in this case, as firewall rules are often configured to be overly permissive, for instance by enabling all communications between two IP addresses.

Controlled remote access can still be provided alongside segregated IT and OT environments, through installation of a remote access service (RAS) in a DMZ (subnetwork) between the IT and OT networks. A RAS is a workstation within the OT environment from which a remotely connected user can perform administration or operation functions, when connected via RDP for access to OT components. With the RDP connection, the IT-side firewall can be configured to only allow in-bound access through the approved protocol port (e.g. RDP) and to the jump box only.

These types of attacks become more accessible to a variety of attackers with the use of ChatGPT. Its role as force multiplier will only become more significant as attackers rely on its sophisticated functionalities in order to achieve their goals, putting vessels in danger of further cyber incidents. This makes cyber security measures, including staff training and awareness campaigns for phishing emails increasingly important