Can You Hack An Ecdis? : Yevgen Dyryavyy

OLYMPUS DIGITAL CAMERA

 

Photo: JCB

In an increasingly connected world, cyber security is more important than ever. NCC Group, one of the world’s leading cyber security research companies, regularly investigates the susceptibility of non-traditional systems to attack in order to help raise awareness of the risks to these systems.

This article discusses the results of a research project looking at the security risks and weaknesses within Electronic Chart Display and Information Systems (ECDIS), an information technology product used by the maritime industry. ECDIS is a computer-based navigation information system used as an alternative to paper nautical charts. These systems are usually installed on the bridge of the ship and used by navigation officers as an aid to traditional paper chart navigation.

Information technology proliferation within the maritime and shipping industry is usually very slow. There are several contributory factors to this; for example, the adoption of a new software product could take months, if not years, due to diversity and geographic spread of the vessels across the globe. Another factor is that manufacturers, vendors, and software development companies have to comply with a range of regulation frameworks and certification programs, such as the International Convention for the Safety of Life at Sea (SOLAS), the Convention on the International Regulations for Preventing Collisions at Sea (COLREG), the Convention on Facilitation of International Maritime Traffic (FAL), and the Convention for the Suppression of Unlawful Acts Against the Safety of Maritime Navigation (SUA), among others, all of which take time to achieve. Such compliance programs and frameworks were established decades ago and tend to cover product usability, general safety,and conformance to standards. When compared to the current and future threat landscape, there is very little provision on information security and data privacy within the standards.

Although guidelines and frameworks such as Security Development Lifecycle (SDL) do exist, vendors are not obliged to follow them. Crew members and management companies often install software such as control systems, office based application suites, and email clients on shipboard systems, and these programs can contain vulnerabilities. Typically the following systems are found to be interconnected via shipboard local area networks (LAN):

  • SCADA for power plant control and machinery monitoring
  • ·Just-in-time spare part ordering
  • CCTV systems
  • Bridge Navigation Watch Alarm System (BNWAS)
  • Track history and electronic logbook
  • Remote monitoring
  • Onboard Wi-Fi and Internet access (to be used by crew and guests)
  • VoIP Telephony

The cyber security research community has now turned its eye on the maritime industry, and research is being conducted against the software and hardware that forms a crucial part of vessels’ systems. The recent exposure of several vulnerabilities found in Automatic Identification Systems (AIS), and methods for attacking them, is an indication that general interest is growing. Such interest will inevitably attract those with malicious intent. These vulnerabilities are of great concern as increasing satellite connectivity, such as the roll out of Ka Band offering high-speed broadband services around the world at speeds of up to 50Mbps at sea, is resulting in ubiquitous, fast, and cheaper connectivity. These stable and fast connections make compromise of vessel systems easier than ever before.

The increasing threat to maritime security and integrity has been recognised by the maritime community, and the United Kingdom Hydrographic Office (UKHO) has released information security standards (S-63) concerning Electronic Navigational Charts (ENC) distribution systems, with which chart distributors now have to comply. These have subsequently been implemented in their ADMIRALTY Vector Chart Service (AVCS).

S-63 is an industry standard cryptographic system which provides hydrographic offices and ECDIS manufacturers with the tools to protect ENCs, and which authenticates the originator of the charts so that end users can be assured of the source of their data. 

These are the first steps to address the integrity of one particular aspect of shipboard systems. However, much more needs to be done to improve information and cyber security within the maritime industry.

ENCs form a crucial part of the system that is used by navigation officers to steer and plot the course of vessels. Due to recent regulation changes, all vessels are now required to carry and use ECDIS. Although ECDIS brings many benefits and provides great assistance with navigation, it also represents an increasing attack surface and thus introduces risks that shipping companies, navigation officers, and the maritime community in general should be aware of.

An ECDIS system is, in NCC Group’s experience, typically a workstation PC, usually running an operating system, which is installed on the bridge of a vessel. There are sensor feeds connected, typically including radar, Navigational Telex (NAVTEX), Automatic Identification Systems (AIS), Sailing Directions, Position Fixing, Speed Log, Echo Sounder, anemometer, and fathometer. These sensor feeds are often connected to the shipboard LAN (via special serial/NMEA to LAN adaptors), which in turn has a gateway to the Internet. ENCs are loaded in to ECDIS and used by navigation officers to plot the course, navigate, and monitor the voyage progress, speed of the vessel, and many other crucial indicators. These charts are either downloaded on to ECDIS directly via the Internet or loaded from CD/DVD or USB memory disk manually by the personnel. As a result of the connections to external systems and sensors, the ECDIS workstation becomes a highly connected convergence point for navigation. These data sources not only provide valuable information but also are conceivably viable attack vectors.

Ultimately, ECDIS compromise could lead to loss of life, environmental pollution and big financial losses. Connectivity between the critical systems and the office and communication platforms (operating system, email, VoIP and Wi-Fi access), combined with the access to the Internet, could allow attackers to gain unauthorised access. This access could be achieved by various means, such as the introduction of a virus via portable USB disk by a crew member, or the exploitation of an unpatched vulnerability via the Internet. Once such unauthorised access is gained, attackers could be able to interact with the shipboard network and everything to which it is connected. Once access has been achieved, it might be possible to:

  • Subvert sensor data and misrepresent it to ECDIS. This could influence the decision-making process of navigation personnel, and possibly lead to collision or the ship running aground
  • Steal ENCs.
  • Compromise local area network and gain access to other data

NCC Group research into the available ECDIS demo product of one the major ECDIS manufacturers has revealed several serious trivial security shortcomings, weaknesses, and vulnerabilities. General recommendations for minimising or mitigating the risks highlighted in this paper are:

  • ECDIS developers should look to adopt Security Development Lifecycles
  • Processes and procedures should be put in place to document, monitor, and patch the ECDIS software and its underlying system on a regular basis. Build reviews should be conducted periodically to establish a secure baseline, and when using any third-party software, processes should include the installation of security patches as they become available from the vendor
  • The update process for ECDIS charts should be monitored and logged, especially where manual updates are performed via CD or Flash USB disk. All update files should be scanned using antivirus software at the very minimum
  • The internal network infrastructure to which ECDIS is connected should be reviewed to establish if the ECDIS system could be completely segregated or otherwise firewalled
  • Physical access to ECDIS and its underlying components should be limited to the appropriate personnel only

In spite of evidence that steps are being taken to mitigate existing risks in an ever-evolving technological world these steps need to be re-assessed and re-tested on the regular basis. All technology that is currently in use by the industry, be it ENCs distribution system or types of Wi-Fi Access points installed on a vessel, should be assessed and tested for security. In particular, the following areas of research should bring interesting results.

  • Research into wider network and hardware configurations and deployment of a variety of shipboard networks and interconnectivity with a view to cyber security will include:
  • Security assessments of a shipboard networks
  • Security assessment of all the associated devices, such as Satellite Routers, Switches and Firewalls, that are connected to ECDIS
  • Security review of all other devices, such as Serial-to-Lan adaptors used to feed the sensor data to ECDIS.

Further research into the possible development and introduction of certification processes for cyber security in relation to maritime systems will look at:

  • Applicability of existing accepted certification processes
  • Development of industry- specific standards and certification processes

The security vulnerabilities discovered during this research is not surprising given the little prior research attention. As their major method of risk mitigation manufacturers are currently relying on the restricted access to ECDIS systems on vessels. This reliance is inadvisable, because viable attack entry points exist to the system through, for example, USB memory stick, sensor compromise, or from other systems connected to the vessel’s local area network.

In NCC Group’s experience it is common for ECDIS to be connected to the internal network while also being connected to the Internet (thus creating a bridge between internal and external systems) in order to download data such as ENCs and other software updates via the satellite link. These methods of connectivity, which introduce significant risks, are preferred by some manufacturers. For example, in the case of a flat LAN other PCs, servers, or Wi-Fi access points could exist on the same network segment with no firewall in place, providing entry points and increasing the attack surface.

It is reasonable to expect that more sophisticated threats will target these systems soon, if indeed they have not already been targeted. Therefore NCC Group recommends that more attention should be drawn to the security of such software products and the systems they are deployed upon.

For the past 10 years Yevgen Dyryavyy has held a number of positions within Information Technology. He has participated in the development of Information Technology Risk assessment software which is being used by blue chip companies. He is also a committee member at British Standards Institute (BSI), covering technical aspects of Maritime navigation and radio communication equipment and systems (IEC EPL/80).

Yevgen is currently working at NCC Group as information security consultant and penetration tester providing services to clients covering threat analysis, source code review, vulnerability assessment, risk management, ISO27001 and PCI-DSS compliance consultancy.

 

Leave a Reply

UK Maritime Pilots' Association
European Maritime Pilots' Association
Internation Pilots' Association SITE SPONSORS
Navicom Dynamics
OMC International