Penetration testing has demonstrated that ECDIS and radar can be hacked, which could result in a grounded ship
Hackers have demonstrated that navigation systems, including ECDIS and radar, are not immune to cyber attacks even if owners enforce a physical air gap between them and the satellite communications. There are four main methods of introducing malware to ECDIS, three of which are associated with the way electronic navigational charts (ENCs) are introduced or upgraded.
One method is if malware has infected a USB memory device that is plugged into ECDIS, another is to infect a CD used for ENC updates and a third is through a direct link between ECDIS and the ship’s satellite communications. A fourth method is through an indirect link between the satellite communications and ECDIS via another operational technology (OT) device, such as the automatic identification system or voyage data recorder.
Penetration test specialists Naval Dome and Cyber Prism highlighted the ease with which malware can be used to alter information on key navigation devices at Riviera Maritime Media’s European Maritime Cyber Risk Management Summit, held on 15 June in association with Norton Rose Fulbright.
During this summit, Naval Dome chief executive Itai Sela described how cyber security experts broke into radar and ECDIS. They were able to change the position of a ship and the depth information on ECDIS, and meddle with targets on radar. This would have placed a ship in jeopardy of grounding.
This was done by introducing malware via email and breaking passwords in shipping company headquarters. “We found multiple blind spots and that many systems are unprotected,” he said.
One of the biggest vulnerabilities is that many ECDIS installed on ships are operating on legacy Microsoft Windows-based operating systems and are updated with ENCs, usually on a weekly basis. This creates easy attack vectors for hackers and few defensive barriers to malware, Mr Sela explained.
Naval Dome experts hacked the headquarters of a shipping company and instructed someone there to send an infected ENC update to the ship. Once that was inside ECDIS, the malware started to act, manipulating the depth data and altering the ship’s position on the display.
Naval Dome has developed a USB-based security capsule that defends OT equipment, such as ECDIS and radar, from cyber attack. It provides a multi-layered defence with software that detects and intercepts malware that generates executable files to infect devices. There is also a cloud-based ‘sandbox’ to test files that do not have executable files before they open in ECDIS.
“Nothing goes into the system without approval and detection,” said Mr Sela. This security device was tested by Lloyd’s Register (LR) this year and DNV GL is in the process of type-approving it, he added.
Also at the summit, Cyber Prism technical director Keith Chappell conducted a live demonstration of how easy it is to access data in ECDIS using an adapted USB device. This pretends to be a network and captures data, such as passwords, usernames and administration accounts, he explained.
His colleague, development director Dave Manning, explained that OT operating systems may remain unchanged on ships for decades, which means they become unsupported by software companies. “If hackers get into the OT then the ship can be in trouble,” he said, “and remember it could be a 20-year-old machine running on an old operating system.”
Mr Manning said shipping companies should understand the vulnerabilities and operating systems on vessel OT. Shipping companies should monitor systems, know the status of software updates and patch levels. “No one considers the source of OT patches,” Mr Manning said, adding that ship operators should update the security of OT on board ships if new satellite communications equipment is installed.
Classification societies are formulating notations and guidance to help shipping companies improve their onboard cyber security, especially as this becomes a requirement under IMO’s ISM Code from January 2021. LR, ABS and DNV GL provided guidance to delegates at Riviera’s summit on 15 June.
LR cyber security product manager Elisa Cassi said shipping companies should have a third party monitor their IT network, the OT equipment and people to “stop people sharing data or compromising procedures”.
She said an attacker may try to get through the communications system to compromise components of the navigation system. Shipowners “need to identify any compromise before the attacker tries to penetrate” onboard OT devices and “intercept this at the time when an attacker tries to authenticate”.
Ms Cassi explained that technology can support the early detection of cyber incidents on ships, ports or offices, and intercept and prevent a cyber attack. She added that shipping companies need to “investigate the vulnerabilities through analytics and machine learning”, understand the behaviour of potential threats and use predictive analysis.
LR conducts surveys of the cyber security of onboard systems and can determine whether a ship is safe to navigate. Ms Cassi said LR is also working with other class societies to define cyber secure ship notations.
ABS advanced solutions business development manager Pantelis Skinitis said shipowners need to change passwords on OT, such as ECDIS and radar, as some have not been changed since they were originally commissioned on the ship. He also advised owners to verify vendors and service engineers and ensure their USB sticks are clean of malware.
ABS has created cyber safety guidance for ship OT, particularly for ships coming into US ports and terminals. In its development, ABS identified the risks, vulnerabilities and threats to OT. “Managing connection points and human resource deals with the biggest threat to OT systems on board,” said Mr Skinitis.
DNV GL has developed new class notations covering cyber security of newbuildings. It has also produced an online video to instruct shipping companies to become more aware of cyber threats. During the summit, DNV GL maritime cyber security service manager Patrick Rossi said ship operators should set up multiple barriers to prevent hackers.
These should include firewalls, updated antivirus, patch management, threat intelligence, intrusion detection, emergency recovery and awareness testing. OT should be segregated from open networks; only official ENC provider USBs and update disks should be used, and they should be cleaned of malware before being inserted into ECDIS; and these systems should be segregated from the internet.
Owners set bridge rules to be cyber secure
Shipowners are using segregation and bridge rules to prevent cyber threats from entering ECDIS and other operational technology on ships.
Zodiac Maritime has introduced rules on its container ships to prevent malware from entering key operational technology for vessel navigation. Zodiac’s manager for quality, health, safety and the environment Karl Meher-Homji told Marine Electronics & Communications that its seafarers and vendors were not allowed to have any USB memory sticks on the bridge of the ships.
He said this was imposed to tighten security on the bridge of container ships and had prevented malware from being accidentally or deliberately transferred to key navigational equipment.
USBs are not even used for updating electronic navigational charts on ECDIS. Captain Meher-Homji said ENC updates were brought on to ship bridges on disks from reputable ENC providers and their local agents.
Cruise ship operator Disney Cruises segregates its operational technology from crew and passenger wifi networks to reduce the risk of malware infection. An IT manager with Disney Cruises said the operational network of each ship was completely separate from the satellite communications that guests and seafarers use for social media and other internet services.