Delivering advanced cyber security capability on a sub-sea control system
A global provider of industrial solutions for the oil and gas industry approached PA and 7Safe to provide assurance regarding security on a sub-sea control system that will be deployed on a Floating, Production, Storage and Offloading vessel (FPSO).
This was a challenging task because it required not only adjusting existing exploitation techniques to the configuration of the network devices we were testing but also building some bespoke software to transfer arbitrary data to and from the air-gapped network.
The initial assessment highlighted that the existing security features of their solution were not sufficient to protect the system from potential exploitation. 7Safe conducted numerous simulated attacks demonstrating that an attacker could connect to the network and carry out Man-In-The-Middle attacks, change time data coming from the ship GPS system, to intercept and modify network traffic whilst remaining virtually unnoticed. In addition, we successfully demonstrated some non-trivial and innovative attacks on air-gapped computers such as stealing sensitive information by encoding it to QR codes on the operator’s screen. This information later could be captured and decoded by a scanner on an Android mobile phone.
The security assessment helped the client to understand and remediate issues with configuration on their solution, ensuring uninterrupted operations, resilience and protection from a variety of modern digital threats. The planned follow-up from this exercise is to conduct a retest of the whole system in a live environment during January 2018 in South East Asia.
If you need help securing your applications and infrastructure, speak to one of our penetration testing experts or read more about our penetration testing services.
Or to develop your own knowledge and skills in the latest growing penetration testing techniques, find out about our leading ethical hacking training courses.