Current shipboard control systems contain significant levels of automation to perform complex functions to not only reduce costs but also improve performance. While automation offers great benefits, it also introduces a set of corresponding cybersecurity related risks. According to a BIMCO/IHS survey, positioning systems, ECDIS, and engine control and monitoring systems are the most vulnerable shipboard systems to cyberattacks.
In general, the number of vulnerabilities found in Industrial Control Systems (ICS) components has been steadily increasing. The first information about vulnerabilities in ICS components became available in 1997, when only two vulnerabilities were published. Over the past five years, this index has increased from 19 vulnerabilities in 2010 to 189 vulnerabilities in 2015. Exploitation of shipboard system vulnerabilities are due to the following:
- Reliance on commercial off-the-shelf (COTS) technologies
- Continued use of legacy systems
- Systems access
- Offshore reliance
- Information availability
- Configuration management and maintenance
How do actors exploit shipboard systems? There are multiple potential cyber threats to navigation systems, such as radar and ECDIS, from its connection to other ship systems and links to online services through satellite communications, according to NCC Group. Other threats could come from the spoofing of data that navigation aids use for ship positioning and route checking. Spoofed radio signals could be used to transmit ship Automatic Identification System (AIS) or Vessel Traffic System (VTS) information that would also affect ECDIS, or even sending malicious chart data. Human-based threats are also a factor, from viruses being introduced from a USB stick slotted into ECDIS by navigators loading route plans or service engineers doing software updates.
Several mitigation measures can increase the security and resiliency of shipboard systems: instituting maritime cybersecurity standards, conducting routine vulnerability assessments, ensuring personnel use best practices, mitigating insider threats, and developing contingency plans for cyberattacks. Gnostech has significant shipboard cybersecurity engineering services based on its U.S. naval and maritime domain expertise, including performing assessments for all U.S. Coast Guard National Security Cutters (NSC) and Fast Response Cutters (FSC) in addition to the U.S. Navy Littoral Combat Ship (LCS) program. Our services follow our tailorable process:
- Initial assessment
- Design and development of remediation(s)
- Maintain, sustain, and monitor with our lifecycle engineering services
Shipboard systems are vastly complex, and are becoming more susceptible to cyberattacks. Therefore, performing independent assessments and implementing needed cybersecurity solutions are vital to system integrity and functionality.
About Gnostech Inc.:
Gnostech Inc. is an applied engineering and consulting company with expertise in information assurance and cybersecurity engineering, and major combat and space systems development and integration. For more information, visit www.gnostech.com, or stay connected by following us on LinkedIn or @GnostechInc on Twitter.