Introduction
In an increasingly connected world, cyber security is more important than ever. NCC Group, one of the world’s leading cyber security research companies, regularly investigates the susceptibility of non-traditional systems to attack in order to help raise awareness of the risks to these systems,
In this paper, we discuss the results of a research project looking at the security risks and weaknesses within Electronic Chart Display and Information Systems (ECDIS) [1], an information technology product used by the maritime industry.
ECDIS is a computer-based navigation information system used as an alternative to paper nautical charts. These systems are usually installed on the bridge of the ship and used by navigation officers as an aid to traditional paper chart navigation.
The International Maritime Organization (IMO) is currently implementing regulations which require these systems to be installed on all commercial vessels, with the aim of completely replacing the use of paper nautical charts in the near future. This paper presents and reviews the security issues found in one well-known ECDIS software product during research conducted by NCC Group.

Preparing for Cyber Battleships

Information Technology and Cyber Security in Maritime.
Information technology proliferation with in the maritime and shipping industry is usually very slow. There are several contributory factors to this; for example the adoption of a new software product could take months, if not years, due to diversity and geographic spread of the vessels across the globe. Another factor is that manufacturers, vendors, and software development companies have to comply with a range of regulation frameworks and certification programs, such as the International Convention for the Safety of Life at Sea (SOLAS) [7], the Convention on the International Regulations for Preventing Collisions at Sea (COLREG), the Convention on Facilitation of International Maritime Traffic (FAL), and the Convention for the Suppression of Unlawful Acts Against the Safety of Maritime Navigation (SUA), among others, all of which take time to achieve. Such compliance programs and frameworks were established decades ago and tend to cover product usability, general safety, and conformance to standards. When compared to the current and future threat landscape, there is very little provision on information security and data privacy within the standards.
Although guidelines and frameworks such as Security Development Lifecycle (SDL) do exist, vendors are not obliged to follow them. Crew members and management companies often also install software such as control systems, Microsoft Office, and email clients on shipboard systems, and these programs can also contain vulnerabilities.
Typically the following systems, as shown in the diagrams below, are found to be interconnected via shipboard LAN:

  •  SCADA for power plant control and machinery monitoring
  •  Just-in-time spare part ordering
  •  CCTV systems
  •  Bridge Navigation Watch Alarm System (BNWAS)
  •  Track history and electronic logbook
  •  Remote monitoring
  •  Onboard Wi-Fi and Internet access (to be used by crew and guests)
  •  VoIP Telephony

 

Figure 1: Diagram of systems typically connected to a ship’s LAN [source http://pdf.nauticexpo.com/pdf/maritime-information-systems/ecdis-900/31325-42061-_9.html]

Figure 2: Onboard navigation network system [source http://www.furuno.com/en/business_product/merchant/product/voyager/]