The following are common cyber vulnerabilities, which may be found onboard both existing ships, and on newbuild ships:

obsolete and unsupported operating systems

outdated or missing antivirus software and protection from malware

inadequate security configurations and best practices, including ineffective network management and the use of default administrator accounts and passwords,

shipboard computer networks, which lack boundary protection measures and segmentation on networks

safety critical equipment or systems always connected with the shore side

inadequate access controls for third parties including contractors and service providers.

Back to our NMEA attack example…

If the ECDIS is in track control mode whereby it directs the autopilot, the hacker can fool it through GPS data tampering and cause the ship to change direction.

Ships masters may counter that they would cross reference the ECDIS position with ARPA in the event of position uncertainty, though it is perfectly possible to insert identical position errors in to synthetic radar, removing the ability to verify by cross checking.

If the crew are alert, then they should pick it up and take control, but they are being presented with exactly the same tampered position data as the automated systems, so crew would need to be very alert indeed.

Security of the convertors is very important.

The convertor must be ‘hardened’ against security attacks. This means ensuring that the administration passwords are not left default by the installer. Default passwords are very common.

Can we identify and convertors used for critical or safety equipment?

There’s an interesting security flaw in some convertor firmware. An exploit is available in the Metasploit security exploit framework that is popular with hackers. One example vulnerability is referenced as CVE-2016-9361 and allows the hacker to recover the admin password, even if it has been changed from the default. This vulnerability has been fixed, but the software needs to be updated to apply the patch.

Almost all OT networks on board communicate using a protocol known as NMEA0183. This protocol offers no encryption or message authentication. The only validation that the message is correct is a 2-byte XOR checksum that is simply present to ensure the message was electrically correctly received.

A NMEA 0183 message might look like this:

Where the 5-letter code beginning ‘$’ dictates what type of message it is, with the variables after passing useful information.

The example above was taken from a remote data storage module for a voyage data recorder. It shows GPS heading and location data plus AIS information.