By Joel Snape, Senior Security Researcher at Nettitude
Across most branches of industry, it is common to find security companies doing pro-active vulnerability research on equipment used in that industry and publishing details of the issue found after liaising with the vendor to ensure they are fixed. For example, in the wake of several large-scale internet attacks in 2016, researchers focused their attention on IoT devices with many reports surfacing of issues with devices such as CCTV cameras, home routers and network-connected storage devices.
In the maritime space however, much less research has been publicly shared, predominantly because of the comparative cost and lack of accessibility of standard maritime equipment, although research has been carried out for several years, and some of the results have been publicly presented. Nettitude have pulled together highlights of the most relevant research in the public domain from a few key systems and highlighted the impact these vulnerabilities have within the marine and offshore sector, full details of which can be found in this report. So, what did the researchers find? Is the equipment currently used secure?
Automatic Identification Systems (AIS) Security
The Automatic Identification System (AIS) provides a mechanism for marine traffic to broadcast real-time location and navigation data to other vessels and on-shore systems, including vessel traffic services (VTS). The carriage and transmission of accurate data on AIS is mandatory for certain ships under SOLAS, but the system is used in an increasingly wide variety of nautical applications.
In 2013 and 2014, Trend Micro published an in-depth analysis of the AIS protocol and identified several threats that affected the AIS protocol and some implementations of it. Their key findings were that AIS is very susceptible to spoofing attacks, and that with modern software-defined radio (SDR) technology it is possible to build a custom AIS transmitter/receiver relatively cheaply.
If persistent AIS spoofing were to take place, it could lead to ships being unable to rely on the accuracy of the data while navigating through certain areas until the attacker was discovered. As AIS transmissions are radio based and could be mobile, tracking malicious broadcasts to a specific location could prove difficult and time-consuming. It’s important therefore to ensure that procedures for responding to AIS failure are in place, and that AIS is not solely relied on for navigation (as is usual best practise - reliance on AIS has been responsible for collisions in recent years).
Electronic Chart Display and Information System (ECDIS) Weaknesses
The Electronic Chart Display and Information System (ECDIS) is increasingly at the core of the ship’s navigation system and is mandated for certain ship types by SOLAS. It is used by crew to navigate using electronic charts using input from sensor systems such as GNSS, AIS, radar and gyroscopes. The integrity of the information displayed by the ECDIS is therefore critical to the safe navigation of the vessel.
In 2015, NCC Group published a report into an ECDIS system from one of the main ECDIS manufacturers where they outlined a number of serious weaknesses which would allow a malicious actor on the same network as the ECDIS to gain complete control of the system. It is common for ECDIS systems to be connected to the ship’s on-board network to allow them to receive updates and for the crew to gain access from other terminals. This poses a risk of exposure of the ECDIS to other devices on the network, such as laptops or satcom devices which may themselves be compromised. It is essential to ensure that ECDIS system software is updated whenever new releases are available from the manufacturer, and network designs should be reviewed to establish whether the ECDIS can be segregated or firewalled from the rest of the network.
For some more developed vessels, the primary interconnection with the outside world is via satellite which allows for continuous near-global connectivity. To provide this connectivity a satellite terminal (often called a satcom terminal) is used to interface between the ship’s network and the internet via a constellation of satellites. Increasingly, additional communications mechanisms, such as 4G, have been added to allow additional bandwidth and lower latency when ships are docked or inshore. However, as the technology is still relatively expensive, there are a large number of ships that still operate via non-IP based satellite systems required by SOLAS for the Global Maritime Distress and Safety System (GMDSS).
Typically consisting of an antenna, associated RF circuitry and an embedded router, their direct connection to the internet makes them especially at risk of attack, and this has made them probably the largest target of marine security research over the last few years. In 2018, a researcher re-examined the state of satcom equipment and found serious issues predominantly affecting aircraft but with some examples of vulnerable devices deployed on ships. While carrying out their research, they discovered one ship’s satcom device was infected with the malicious botnet Mirai, which was used to mount denial-of-service attacks on internet infrastructure.
Finally, some interesting work has been done into the security of the transmitted communications themselves. At the ‘Eleventh Hope’ Conference in 2016, Stefan Zehl and Schneider outlined the details of the Iridium satellite air protocol and how to decode it with cheap commodity software-defined radio (SDR) hardware. They published an open-source set of tooling for decoding the signals, and this can allow voice and data to be intercepted. It is important to fully understand the security capabilities of any communication technology used, and if transmitting information over public networks like the internet, ensure that adequate levels of encryption are in place to protect sensitive information.
It is likely that satcom terminals will remain a focus of research, and so far it appears that many devices used continue to be vulnerable to common security issues. It is important therefore to follow good security best practise when deploying and operating satcom devices:
- Change default credentials, and use strong, hard-to-guess passwords
- Apply software updates from the manufacturer when they become available
- If possible, restrict administration interfaces so that they can only be accessed from authorised locations
- Ensure that strong encryption is used to protect sensitive data being transmitted over the internet (e.g. a virtual private network (VPN), HTTPS, SMTPS for email)
Understanding the risks faced by your organisation and applying the appropriate risk treatment is key for all users of connected equipment in marine and offshore industries. Shipowners and operators, in particular, need to respond to the requirement to address cyber risks in safety management systems required by the ISM Code before 1 January 2021.
Nettitude can provide a range of guidance, assurance services and help to both inform and help you prepare effectively for cyber events within your organisation. Please contact us for more information.
In addition, in order to learn more about the current research around the cyber security of the equipment used in the Marine and Offshore industries, and how organisations can ensure they are following best practices, please see our full research report on the topic.