
Pirates of the North Sea

DEFCONConference · 821 views · 23:43 · 6 months ago

This talk demonstrates physical and network-based penetration testing techniques against maritime infrastructure, including cruise ships and LNG tankers. The speaker details methods for gaining unauthorized access to critical OT and navigation networks by exploiting poor physical security, lack of network segmentation, and default credentials. The presentation highlights the risks of non-hardened legacy systems and the ease of spoofing maritime communication protocols like AIS. Practical examples include bypassing physical access controls and leveraging network misconfigurations to pivot into sensitive operational environments.

Maritime OT Security Is Broken: Lessons from the North Sea

TLDR: Maritime infrastructure such as cruise ships and LNG tankers is riddled with legacy systems, flat networks, and non-existent segmentation. Attackers can easily pivot from public-facing office networks to critical OT systems, including navigation and ballast control, using basic techniques like LLMNR/NBT-NS poisoning and default credentials. Pentesters should prioritize physical access assessments and network discovery in these environments, because the lack of basic security hygiene is systemic.

Maritime security is often discussed in terms of high-level geopolitical threats, but the reality on the ground—or rather, on the water—is far more mundane and dangerous. Recent research presented at DEF CON 33 by John-André Bjørkhaug exposes a glaring truth: the systems keeping massive vessels afloat and on course are essentially giant, unhardened, flat networks. If you can get a foothold on a ship’s office network, you are often one step away from controlling critical operational technology (OT).

The Pivot from Office to Bridge

The attack surface on a modern vessel is surprisingly similar to a poorly managed corporate office, but with significantly higher stakes. During engagements, researchers found that network segmentation is almost non-existent. A single compromised workstation in an office area often provides a direct path to the bridge, engine room, and navigation systems.

The primary culprit is the lack of internal network segmentation. Once inside, standard post-exploitation techniques work with alarming efficiency. Using tools like Responder, an attacker can capture NTLM hashes from the office network. Because these environments often rely on legacy Windows systems, such as Windows XP or Windows 7, they are frequently vulnerable to exploits like CVE-2017-0144, commonly known as EternalBlue.

The technical flow is straightforward:

  1. Connect to an exposed network socket in a public area (e.g., a cafeteria or gaming room).
  2. Run network discovery to identify the domain controller or management workstations.
  3. Use LLMNR/NBT-NS poisoning to intercept credentials.
  4. Pivot to the OT network, which often shares the same physical infrastructure as the office network.
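Step 3 above works because any host on the segment may answer an LLMNR name query. The defender's counterpart is a canary: query a name nobody owns and treat any answer as a poisoner. The following is an added example, not code from the talk; the function names, the `canary-` prefix and the sample reply bytes are this example's own assumptions.

```python
import contextlib, os, socket, struct          # standard library only
LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355  # RFC 4795 multicast group and port

def encode_name(name: str) -> bytes:
    """Length-prefixed labels: LLMNR reuses the DNS wire format."""
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"

def build_query(name: str, txid: int) -> bytes:
    """Standard query (flags 0) carrying one A/IN question for `name`."""
    return struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack(">HH", 1, 1)

def decode_name(data: bytes, off: int):
    """Decode a DNS-style name at `off` (compression pointers followed); returns (name, next_off)."""
    if (data[off] & 0xC0) == 0xC0:                 # pointer back into an earlier name
        return decode_name(data, struct.unpack(">H", data[off:off + 2])[0] & 0x3FFF)[0], off + 2
    if data[off] == 0:
        return "", off + 1
    label = data[off + 1:off + 1 + data[off]].decode("ascii")
    rest, end = decode_name(data, off + 1 + data[off])
    return (label + "." + rest if rest else label), end

def poisoner_ips(canary: str, txid: int, data: bytes):
    """Nobody owns the canary name, so a reply matching our txid and name is a poisoner:
    return the A records it is steering us to, or None for any other datagram."""
    if len(data) < 12:
        return None
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", data[:12])
    qname, off = decode_name(data, 12) if qd == 1 else ("", 12)
    if rid != txid or not flags & 0x8000 or qname.lower() != canary.lower():
        return None                                # wrong id, a query (QR clear), or not our name
    off, ips = off + 4, []                         # skip the question's QTYPE and QCLASS
    for _ in range(an):
        _, off = decode_name(data, off)
        rtype, _, _, rdlen = struct.unpack_from(">HHIH", data, off)
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[off + 10:off + 14]))
        off += 10 + rdlen
    return ips or None

def probe(timeout: float = 2.0):
    """Multicast one random canary query; return (sender, ips) of the first poisoner, else None."""
    canary, txid = "canary-" + os.urandom(4).hex(), int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock, contextlib.suppress(socket.timeout):
        sock.settimeout(timeout)
        sock.sendto(build_query(canary, txid), (LLMNR_GROUP, LLMNR_PORT))
        while True:                                # datagrams that are not our canary are skipped
            data, (src, _) = sock.recvfrom(512)
            if ips := poisoner_ips(canary, txid, data):
                return src, ips
    return None
```

Run `probe()` periodically from a host on the office segment and alert on any non-None result; on a clean network the random name never gets an answer.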

The Myth of Air-Gapped Systems

Many maritime operators claim their OT systems are air-gapped. This is almost always a lie. In practice, these systems share the same physical switches and routers as the guest Wi-Fi and office networks. When a ship’s navigation system or ballast control server is connected to a Cisco switch that also handles office traffic, the "air gap" is purely logical, and often misconfigured.

During one engagement, researchers found an ESXi server controlling ballast tanks that was accessible directly from the office network. The server’s management interface was protected by default credentials, a common Identification and Authentication Failure according to the OWASP Top 10. Once the attacker has domain admin rights, they can move laterally to these management interfaces without any resistance.

Physical Access as a Force Multiplier

Physical security on ships is often treated as an afterthought. If you can bypass a door, you can often plug directly into the backbone of the ship’s network. Researchers demonstrated that even restricted areas, like engine rooms, can be accessed using simple tools like a universal cabinet key or even an umbrella to reach under a door and manipulate the handle.

Once inside a restricted room, the goal is to find a network switch. If the switch is not hardened, you can simply plug in a device like a Raspberry Pi to establish a persistent C2 channel. The lack of port security means that any device plugged into an open port is automatically granted access to the network.

Spoofing Maritime Protocols

Beyond the internal network, maritime-specific protocols are inherently insecure. The Automatic Identification System (AIS), which ships use to broadcast their position and identity, lacks any form of authentication or integrity checking. This makes it trivial to spoof a ship’s location or identity.

Using a Software Defined Radio (SDR), an attacker can broadcast fake AIS data. This can be used to create "ghost ships" on navigation displays or trigger false man-overboard alerts. These alerts act as a siren, drawing crew members away from their posts and creating chaos that can be exploited for further physical or network-based attacks.
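Because AIS carries no authentication, the bridge can only judge a report by its plausibility. The following added example (not code from the talk) decodes a type 1/2/3 position report from an !AIVDM sentence and flags a track whose consecutive reports imply an impossible speed. The function names and the 50-knot threshold are this example's own assumptions; the sample sentence is a public test vector, not a capture from any vessel the talk describes.

```python
import math
from functools import reduce

def nmea_checksum_ok(sentence: str) -> bool:
    """XOR of the bytes between '!' and '*'. It catches line noise only: a spoofer computes
    it just as easily, which is the page's point that AIS carries no integrity protection."""
    body, _, given = sentence.strip()[1:].partition("*")
    return given.upper() == f"{reduce(lambda a, b: a ^ b, body.encode(), 0):02X}"

def ais_payload_bits(payload: str) -> str:
    """Unpack the 6-bit ASCII armouring of an !AIVDM payload into a bit string."""
    return "".join(format(v - 8 if v > 40 else v, "06b") for v in (ord(c) - 48 for c in payload))

def _int(bits: str, start: int, length: int, signed: bool = False) -> int:
    v = int(bits[start:start + length], 2)
    return v - (1 << length) if signed and bits[start] == "1" else v

def decode_position_report(sentence: str) -> dict:
    """Decode a single-fragment type 1/2/3 position report (168 bits, ITU-R M.1371 layout)."""
    f = sentence.strip().split(",")
    bits = ais_payload_bits(f[5]) if len(f) == 7 else ""
    if not (len(f) == 7 and f[0].endswith("AIVDM") and f[1] == "1" and nmea_checksum_ok(sentence)
            and len(bits) >= 168 and _int(bits, 0, 6) in (1, 2, 3)):
        raise ValueError("need a single-fragment, checksummed AIVDM type 1/2/3 report")
    return {"mmsi": _int(bits, 8, 30),
            "sog": _int(bits, 50, 10) / 10.0,              # knots (1023 = not available)
            "lon": _int(bits, 61, 28, True) / 600000.0,    # degrees, east positive
            "lat": _int(bits, 89, 27, True) / 600000.0,    # degrees, north positive
            "cog": _int(bits, 116, 12) / 10.0}             # degrees true

def haversine_nm(lat1, lon1, lat2, lon2):                  # great-circle distance, nautical miles
    p1, p2, dl = math.radians(lat1), math.radians(lat2), math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 3440.065 * math.asin(math.sqrt(a))

def flag_implausible_track(reports, max_knots=50.0):
    """reports: [(unix_time, decoded_dict)] in arrival order. Returns (mmsi, implied_knots) where
    consecutive reports of one MMSI imply a speed no hull can make, the usual ghost-track signature."""
    last, alerts = {}, []
    for t, r in reports:
        t0, r0 = last.get(r["mmsi"], (None, None))
        if t0 is not None and t > t0:
            knots = haversine_nm(r0["lat"], r0["lon"], r["lat"], r["lon"]) * 3600 / (t - t0)
            if knots > max_knots:
                alerts.append((r["mmsi"], round(knots, 1)))
        last[r["mmsi"]] = (t, r)
    return alerts

# Public test sentence (not a capture from the talk): MMSI 477553000, 47.5828 N 122.3458 W, SOG 0.
SAMPLE_SENTENCE = "!AIVDM,1,1,,B,177KQJ5000G?tO`K>RA1wUbN0TKH,0*5C"
```

A passing checksum says nothing about who sent the sentence; only cross-checks such as this one, or correlation with radar, can expose a spoofed track.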

What Defenders Must Do

The path to remediation starts with basic hygiene. Maritime operators must implement strict network segmentation, ensuring that OT and navigation networks are physically or cryptographically isolated from office and guest networks. Every switch port should be configured with port security, and default credentials must be replaced across all management interfaces, from Cisco switches to ESXi hosts.

For the pentester, the takeaway is clear: stop looking for complex zero-days. The vulnerabilities in this sector are decades old. Focus on the basics—network discovery, credential harvesting, and physical access. If you can find a way to plug into the network, you have likely already won the engagement. The maritime industry is currently in a state where the "it's working, don't touch it" mentality is the greatest security risk of all. Until operators accept that their legacy systems are not air-gapped, they will remain wide open to anyone with a laptop and a bit of patience.

Talk Type: talk
Difficulty: intermediate
Category: iot security
Tags: Has Demo, Has Code, Tool Released


DC33 Maritime Hacking Village Talks

15 talks · 2025