The risk of cyber-attacks is ever present across all industries and sectors.
The IMO has recognised the threat of cyber-attacks in the marine industry and will require ship operators to consider cyber risk management as a part of their safety management system. This will include a cyber security assessment which should be done no later than the first annual inspection of the company’s Document of Compliance after 1 January 2021. In this article we look specifically at some vulnerabilities associated with ECDIS systems.
Bridge Systems and ECDIS
Amongst the many systems that must be considered within this assessment is the bridge navigation equipment. Equipment such as ECDIS, which receives frequent updates to its chart catalogue and its software, is high risk. It may also be possible for anyone on the bridge to plug their own device into the ECDIS via a USB port.
How is ECDIS Vulnerable?
Ship operators will first need to identify any vulnerabilities in their vessel’s cyber security. In the case of ECDIS this can include:
Interfaces with shore side systems. This type of interface is often used to conduct software updates remotely.
Interconnection with other navigation systems, such as GNSS and ARPA. This can make the system vulnerable to a virus spreading between platforms.
Control of removable media such as USB drives and CDs, which are commonly used on ECDIS to install updates to the ENCs, the permit files and software.
Any removable media sources must be checked to ensure they are free from malware. Any breach of ECDIS security could result in ECDIS sensor data being manipulated, with unreliable information displayed to the officer of the watch. It could even mean a total loss of the ECDIS and any equipment on its associated network.
Assessment and Detection
The team conducting the assessment should identify the likelihood and impact of a potential breach, and put in place measures in the ship’s management system to ensure these threats do not become a reality. The measures put in place should mean that any threats are detected before they become an issue. For example, if an update to the ECDIS means using removable media, such as a USB drive, then checks on the content should be run prior to using the drive. Access to the ECDIS to conduct updates should be limited to as few people as possible as a way of protecting equipment.
When You’ve Found a Threat!
The procedures put in place to protect the vessel should include responses to a detected threat. The IMO Guidelines on cyber security advise that a team should be established, and a recovery plan put in place, to take the correct steps to restore systems such as ECDIS to a safe working condition.
Help is at Hand
All activity on the ECDIS should be logged and accurate records maintained. This now includes the steps taken to avoid cyber threats to the ECDIS. To assist with this, the United Kingdom Hydrographic Office (UKHO) has updated its publication NP133C ENC and ECDIS Maintenance Record to include a section on cyber risk management.
The cyber risk checklist contained in the publication allows the crew to conduct a risk assessment when updating their ECDIS, as well as keeping an accurate record of the steps they have taken in line with their company’s cyber security procedures.
The checklist outlines the steps that the crew should take when updating their ECDIS:
The ADMIRALTY ENC and ECDIS Maintenance Record (NP133C) is designed to help mariners demonstrate compliance with IMO regulations during Port State Control inspections, with easy-to-use checklists and templates to record ECDIS annual performance checks and software maintenance.
Find Out More
Protecting ECDIS is just one small piece of the cyber security jigsaw puzzle. For more information on cyber security for shipping please visit the Cyber Security Insights area of our website: www.nepia.com/cyber-security.
Author: John Southam