Abstract
Maritime transportation is the backbone of globalized trade and the manufacturing supply chain, as more than four fifths of world merchandise trade by volume is now carried by ships. Safe navigation of today's ships depends heavily on cyber-physical systems, the central one of which is the Electronic Chart Display and Information System (ECDIS). Paperless ship navigation is allowed when a type-approved ECDIS with official electronic navigation charts acts as an independent backup for the primary system. In this paper, we present an analysis of the cyber security weaknesses of paperless ship navigation that relies on two internetworked ECDIS workstations in a backup arrangement. The method of analysis is based on cyber security testing of the ECDIS workstations with an industry vulnerability scanner tool. The detected vulnerabilities are analysed in the context of the ECDIS backup arrangement and the safeguards implemented on board the paperless ship. The obtained results suggest that the critical cyber threat vectors result from uncontrolled internetworking of unmaintained ECDIS workstations with identical hardware and software configurations.
Data availability
Not applicable.
Funding
This research was financially supported by the University of Rijeka, grant number uniri-tehnic-18-68.
Author information
Contributions
B. Svilicic developed the methodology. B. Svilicic and M. Kristić performed the research. All authors provided the resources and wrote the paper.
Ethics declarations
Conflicts of interest/Competing interests
The authors declare no conflict of interest.
Code availability
Not applicable.
About this article
Cite this article
Svilicic, B., Kristić, M., Žuškin, S. et al. Paperless ship navigation: cyber security weaknesses. J Transp Secur 13, 203–214 (2020). https://doi.org/10.1007/s12198-020-00222-2
DOI: https://doi.org/10.1007/s12198-020-00222-2