Cyber Risk Of ECDIS, Operational Technology Onboard Ships

  • There have been concerns raised in the industry about cyber risks of ‘operational technology’ onboard ships, such as ECDIS.
  • The main cyber concerns are that the ECDIS operating system software can be corrupted or get a virus.
  • Under the ECDIS regulations in place since the 1990s, shipping companies cannot rely on just one ECDIS unit – they need to have a backup system.

There have been concerns raised in the industry about cyber risks of ‘operational technology’ onboard ships, such as ECDIS. We talked to Navtor, one of the world’s leading ECDIS technology companies, about how the risks can be best managed, says an article published on the Tanker Operator website.

Cyber concerns

The main cyber concerns are that the ECDIS operating system software can be corrupted or get a virus, a virus can be introduced using a USB stick, and the charts can be corrupted. But all of these risks can be mitigated easily by using modern technology and following procedures.

Perhaps more importantly, it should be possible to show other people with a stake in maritime safety, such as insurers, authorities and charterers, that the ECDIS is being managed in a way which eliminates cyber risks.

To put people’s concerns at rest, the whole system needs to be demonstrably secure. There is no means for any hack or corruption to occur in chart data as it flows between the hydrographic office, the electronic chart supplier and the vessel systems. 

There is tight control over what data can enter the ECDIS system so that only correct software updates, charts, chart updates and chart licenses are allowed. The ECDIS is running an up-to-date operating system with the latest patches.

Old operating systems

The biggest potential risk with ECDIS probably comes from the use of old equipment with operating systems which have not been updated.

The first systems, type approved in 1999, ran the Windows versions which were being used at the time.

You wouldn’t use 1999 Windows systems in the office, partly due to the cybersecurity concerns, with systems no longer being provided with patches by Microsoft. Most companies would not allow this. Shipping companies should not do so either.

It is rare for ships today to use ECDIS systems with old operating systems, says Tor Svanes, CEO of Navtor. This has much to do with today’s cyber risk management processes.

Every ECDIS manufacturer must make sure they keep the ECDIS software updated, Mr Svanes says.

When shipping companies consider a new ECDIS supplier, the ease and security of the maintenance service should be a major factor.

Which operating system is used by ECDIS companies? 

There is an increasing trend for ECDIS companies to use Linux rather than Windows for the operating system, says Bjørn Kristian Sæstad, Chief Quality Officer & Chief Business Development Officer OEM at NAVTOR.

But there is no clear answer as to whether Windows or Linux is safer from viruses. Arguably, the Windows community has a higher vigilance about viruses, says Anders Holme, CTO of Navtor.

Perhaps the legal requirement to update ECDIS operating systems is not crystal clear, since once a system was given a “type approval” certificate, it is valid for life.

But there is a reasonably clear obligation, since out-of-date operating system software is one of the most important cyber security risks, and should be considered in any risk assessment, which shipping companies are required to do.

In addition, SOLAS Chapter V/27 says that nautical charts “shall be adequate and up to date”. If the ECDIS is running older software, it may not be able to display the chart information fully, even if the chart files themselves are up to date. For example, newer features like Particularly Sensitive Sea Areas (PSSA) and Archipelagic Sea Lanes (ASL) may not display on older ECDIS software, according to a 2016 paper by Lucian Indries of the University of Oslo (Candidate number: 8008).

USB sticks and connectivity

A second concern is that viruses can be introduced with USB sticks. This concern is heightened if an older Windows version is being used for the chart display system, because there are many viruses in circulation which can attack old Windows versions.

It is not usually practical to disable USB drives on ECDIS systems, because they may be the only way to update the software and put in new virus updates (although Navtor has an alternate system for chart updates, described below).

Many chart suppliers send chart updates by e-mail attachment, which means copying them into the ECDIS with a USB stick, or by a CD.

Data communication is also needed to ‘unlock’ new chart files, when a vessel is going to a new area. The chart is already stored onboard the ECDIS, but the shipping company pays for a permit to view the chart. For smaller distributors, these permits would typically be sent by e-mail, and need copying onto a USB stick.

But shipping companies should have strict procedures about how USB sticks can be used with an ECDIS, as should any service personnel who come onboard to update the software.

The USB stick used for updating ECDIS systems should not be used for anything else. “If you take that stick and use it for storing movies, pictures and whatever you do, then there is a risk,” Mr Holme says. It also means a violation of procedures.
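The dedicated-stick rule above can be checked before the stick goes near the ECDIS by auditing its contents against a list of the files that are supposed to be on it. The following is an added example, not code from the article or from Navtor; the manifest format, the `audit_stick` function and the sample file names are assumptions, and the manifest is assumed to have reached the ship by a route other than the stick itself.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large chart files are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_stick(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare every file on the stick with the expected manifest.
    manifest (assumed format) maps relative POSIX paths to SHA-256 hex
    digests and must not be read from the stick being audited.
    """
    found = {p.relative_to(root).as_posix(): p
             for p in root.rglob("*") if p.is_file()}
    report = {"unexpected": [], "modified": [], "missing": []}
    for rel, path in sorted(found.items()):
        if rel not in manifest:
            report["unexpected"].append(rel)   # e.g. movies, pictures
        elif sha256_file(path) != manifest[rel].lower():
            report["modified"].append(rel)     # corrupted or altered
    report["missing"] = sorted(set(manifest) - set(found))
    return report

def stick_is_clean(report: dict[str, list[str]]) -> bool:
    """True only when nothing is unexpected, modified or missing."""
    return not any(report.values())

def demo() -> dict[str, list[str]]:
    """Constructed sample: one good file, one altered, one stray photo."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ENC_ROOT").mkdir()
        (root / "ENC_ROOT" / "XX5DEMO1.001").write_bytes(b"chart update v1")
        (root / "PERMIT.TXT").write_bytes(b"tampered permit")
        (root / "holiday.jpg").write_bytes(b"\xff\xd8 not a chart")
        manifest = {
            "ENC_ROOT/XX5DEMO1.001": hashlib.sha256(b"chart update v1").hexdigest(),
            "PERMIT.TXT": hashlib.sha256(b"genuine permit").hexdigest(),
            "ENC_ROOT/CATALOG.031": hashlib.sha256(b"catalogue").hexdigest(),
        }
        return audit_stick(root, manifest)

if __name__ == "__main__":
    print(demo())
```

Run it on a workstation other than the ECDIS, and treat any non-empty list in the report as a reason not to insert the stick.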

Hacking chart data

A third concern is that the chart data itself can be hacked. For example, an enterprising and vicious hacker may wish to send chart data to a ship which indicates deep water in a part of the sea where, in reality, there is a shallow rock. So there needs to be a secure communications chain from the chart supplier to the ship.

A chart supplier such as Navtor does not verify the accuracy of the data itself – this is the responsibility of the hydrographic office which supplies it. In the same way, it is the hydrographic office’s responsibility to ensure that data on their paper charts is correct.

But the chart supplier will ensure that the data cannot be corrupted or hacked on its way to the vessel. Navtor’s data is protected using S-63, an International Hydrographic Organization (IHO) standard for encrypting, securing and compressing electronic navigational chart (ENC) data.

Chart mistakes and inaccuracies made by hydrographic offices are rare, but they do happen. In one example, “a customer said there is something wrong here in the Port of Rotterdam. We took action and found the problem,” Mr Svanes says.

Note that when this happens, digital systems can be updated much faster than paper charts. “All vessels can be updated in hours,” Mr Holme says.

There is a secondary means of verifying that chart data has not been corrupted, because the ECDIS will show radar images overlaid on the chart. For example, the radar image of land will show on top of the chart showing land. If the chart data is corrupted, the two will not be aligned.

The ECDIS will also sound an alarm if it identifies a problem with data input. “This is in the specification for ECDIS,” Mr Svanes says.

Electronic safer than paper

Some people may argue that the cybersecurity risks of ECDIS, although very small, mean they outweigh the benefits of using electronic charts over paper, or that paper charts should still be carried as a contingency.

But paper charts come with risks which electronic charts don’t have. “Paper can burn, or get water spilled on it,” says Navtor’s Anders Holme.

Updating digital systems, and receiving new charts, was also much easier to do than with paper charts during the COVID era, when it was harder to arrange physical deliveries to the ship, he says.

Backup to ECDIS

Under the ECDIS regulations in place since the 1990s, shipping companies cannot rely on just one ECDIS unit – they need to have a backup system. This can be a second ECDIS, or paper charts.

It would be easier for shipping companies if the backup could be a second ECDIS, so that they do not have to handle paper charts onboard.

Navtor provides a “planning station”, a software tool which can be used for planning routes, which uses the same ENC charts. A popular option is to use it with a 46 inch touch screen.

This planning station can also function as a third back-up, because it runs on the same software kernel and charts as the actual ECDIS system.

Navtor’s Navbox

Navtor provides its own device to manage the connectivity between the ECDIS and the satellite communications system and the cloud, called the “Navbox”.

This is a physical device onboard the ship, which plugs into both the ECDIS and the satellite communications system.

It ensures that only bona fide chart updates, sent from Navtor, via Navtor’s cloud system, can be uploaded onto the ECDIS. So it allows the ECDIS to be connected to a network in a secure way, avoiding the need for USB sticks.

The connection between the ECDIS and the Navbox is set up with secure APIs, which ensure that only the right chart content can be exchanged.

So we can describe the Navbox solution as end to end secure, without needing any extra policies / procedures.

Source: Tanker Operator