Increasingly, we find articles on cyberattacks in shipping in LinkedIn and other global media. Especially after the cyber-attack in June 2017 on the APMM computer network with the malware “NotPetya” and the associated costs of more than US $ 300 million, which caused APM Container Terminals to be paralyzed worldwide, this topic was put on the agenda. By the way, not only APMM was affected. Numerous other companies were also affected, including the Russian oil and gas producer “Rosneft”. It should be noted that specialists in the computer security software industry assume that the malware has been injected into accounting software through a software update. According to IT specialists, “NotPetya” only affects Windows systems.
Interestingly, the knee-jerk accusation of the United States and Great Britain to have identified Russia as the causer, without being able to provide any evidence. By the way, not today. From a logical point of view, this accusation makes no sense, after all. Rosneft is a Russian company with an international board of directors, one of the largest natural gas producers in the world and directly involved in the construction of the gas pipeline Nordstream 1 and Nordstream 2 from Russia through the Baltic Sea to Germany. The Russian state is Rosneft’s majority owner. Political and tangible economic motives may well be with behind this unproven claim of the US and Britain in the context of Nordstream 2.
Today, cyberattacks can come from any direction, be it economic or political blackmail, damage to market competitors and their IT infrastructure, be it for military or terrorist purposes. There is really no IT field where influence can be exempted by cyber-attacks. In the rapidly intensified use of IT networks in all areas of social, economic, political and military life not too big surprise.
What is new is the hype about the external influence of viruses / Trojans / malware on internal networks on ships or in airplanes, which has since been unmistakably triggered by the IT industry. And it is amazing what is conjured up out of the hat in the absence of technical nautical knowledge of IT specialists. Scenarios are being developed and modeled on model experiments that have little in common with shipboard reality. It is always apparent that experimental artifacts are used as potential danger and the experienced navigator wonders: what are they trying to tell us?
Fact is that the knowledge by IT specialists about technical systems, technical propulsion and operating systems, including their networking on board and their redundancy are very limited. That they have no idea of organization of the watchkeeping and supervision by nautical / technical officers. Because that is exactly the point that is ignored. One might get the impression that watch officers and engineers sleep during their service. 24 hours uninterrupted operation of the main engine, peripheral systems and nautical equipment means not that in this area are nothing happen. Surveillance, control and alarm systems are always ready to trigger alarms by their fixed limit parameters in case of irregularities.
The staged cases e. g. the independent switching on / off of ballast systems / diesel generators or other systems, proves that these scenarios let miss any expertise. There is a drastic reason that these systems can’t be so easily switched on and off for reasons of operational safety, that the influence is blocked on valves by being switched to manual operation. E.g. Under normal circumstances ballast water systems are always at sea taken under manual control for safety reasons. Other operation systems are partly switched to manual operation too and only valves are active in remote control mode which are for the running service required.
The artificial created manipulation scenarios regarding e-nautical bridge equipment and remote control systems to take over external control and influence of ship guidance processes completely obscure the fact that in the event of irregularities in operations, the experienced watch officer can immediately switch to redundant operating states in order to disconnect them from networks until the causes of the irregularities have been clarified. This means nothing else e.g. that GPS manipulations like spoofing are able to be block if e-nautical systems are used in Dead Reckoning Navigation Mode to separate such systems from external GPS data inputs.
Below are various system-relevant and redundant usable position / course and speed procedures of e-nautical systems on ships:
• Dead Reckoning, the last known position is taken as a starting point, course and speed sensors are used
• Manual operation with manual data entry
• Some ECDIS Systems are working based on LINUX software solutions what gives them the capability to be resistant against cyber-attacks to MS Window systems
• Dead reckoning / course and speed sensors are used.
Radar monitoring with restrictions, course and speed value (ride through the water recommended) will be taken directly from the respective sensors, like gyrocompass and speed sensors how single axis sensor/ EM sensor/ Doppler sensor. Required entries for speed sensors: manual drift data for single axis sensor / EM sensor, consider bottom / water track specification
• Manual operation with manual data entry. In case of failure of course sensor, are radar systems recommended to use in HEADING MODE, with the effect that ONLY RELATIVE MOTION representation possible. For experienced navigators this is not a problem and it also allows navigation without gyro compass. Target acquisition is possible in EPA (manual target acquisition) or ARPA (automatic target acquisition) mode.
• Display radar echoes with optimized manual settings. The ability to use cyber-attacks how in media are published to take influence to the radar presentation isn’t technically possible. It could be changed something at parameter settings. But that can be considered as excluded. For this one would have to intervene in maintenance / service tools, which however are not freely accessible and password protected for the user. This has no effect on the echo itself, it is an analog signal, which is first converted into a digital signal / video by the D / A converter.
• Dead Reckoning Mode
• Manual operation (which concerns certain manual entries), which does not affect the technical function of echo sounder, which is always available.
• GPS not mandatory
• Depending on the type of log: note manual drift entries in radar systems/ ECDIS, note bottom / water track specification and input SOG / STW
• Depending on the use of NACOS with multipilot systems, there is the use of integrated track and track control (Track Mode / Course Mode / Heading Mode) procedures that provide direct access to rudder control.
• The mentioned procedures can be stopped with the follow up mode and the rudder control is immediately separated from the track control procedure, because the follow up mode fulfills the principle of overriding rules.
• It is also possible to take over the rudder control directly via the helm control station, in autopilot mode or manual control mode. Any experienced navigator knows what he has to do right away when he sees that the rudder guidance is not functioning properly. Transition to manual control. If inexplicable course deviation or wrong course indications of the gyro compass/ steering repeaters draw conclusion by experienced navigators always to compare the course data between gyro compass with magnet compass. From serious deviations between the two compass systems, the knowledge of the Deviation tables and the magnetic aberration indicated in the nautical charts, errors of the gyrocompass display can be detected relatively quickly. Magnetic compasses are based on the use of natural geomagnetism and can’t be influenced by cyber-attacks.
• The modern generations of helm systems permitting the manual shift from gyro compass to magnet compass as course sensor
· Manual data input (latitude, speed)
In case of such incidents which had hitherto staged incidents been until today, there would only be a very simple answer in an emergency. Takeover of the systems at their redundant alternatives, i.e. separation from integrated networks and back to the traditional ship’s command and navigation. It can be seen from the above alternatives that it does not take too much effort. However, this also presupposes that Ship Captains / nautical officers and ship engineers are capable of doing so, which unfortunately is becoming more and more of a problem today. The technical background knowledge leaves much to be desired.
Not only that’s a serious problem. The application of traditional navigation methods is increasingly becoming the hobbyhorse of a minority of enthusiastic navigators. The absolute majority reveals serious knowledge and practice gaps there. In an emergency, the GPS generation would be often be unable to apply and implement the basic traditional navigation techniques.
Experienced navigators, especially the old school, have no problem with that. Then you go back to the principle of depth-line navigation and can assign positions with astonishing accuracy.
Near the coast one returns to the principles of traditional terrestrial navigation under usage by sextant and telescope pelorus.
On open sea, astronomical navigation is an excellent alternative. Provided that by specialists calibrated nautical devices are present. What is questionable with the today’s pelorus and sextants aboard. Telescope pelorus are today almost familiar only in the Navy. And in some shipping companies, there are not even more sextants. If in addition, meaningful nautical charts and nautical books are you able to navigate reliable.
All possibilities of radar navigation are used. The use of VRM / EBL / PI is always possible. Today’s radar systems are usually two integrated computers, the one is for the radar display as a stand-alone unit and the other for the radar unit including its peripherals.
Position lines and positions can also be entered manually in ECDIS. And that can be continued arbitrarily.
Unfortunately, traditional radiolocation techniques, with beacons on board e.g. for the use of directional radio beacons, the proven hyperpigmentation methods such as Omega, Decca, Loran have meanwhile landed in the dustbin of history and in commercial shipping as good as no longer in use.
GMDSS communication systems for boundary waves / VHF DSC can also be used without GPS data and satellite communication, such as INMARSAT C as an element of GMDSS does not necessarily have to be equipped with GPS receivers. They are optional. However, in the context of LRIT the equipment requirement exists and is integrated into the SAT C antenna.
But much more interesting is that there are indeed contributions that want to persuade us that it is possible to tell via GPS ECDIS that the GPS receiver is located on a different position than originally specified. This is nonsense. The ECDIS software configuration is stored in a service / maintenance tool and password protected. The crew on board does not know this password, it is only reserved for the service staff. All software changes in this configuration, such as Antenna positions of AIS, RADAR, GPS can only be done via direct access to the service tool and are based on a fixed reference point. All position changes with respect to antenna positions must be related to this reference point. He is not known to outsiders. After changing and saving it requires a system reboot. Only then will the new entries become valid. Since I have received an intensive e-nautical, electronic and related IT training for integrated bridge systems and e-nautical systems as a graduated engineer for ship guidance, I allow myself to ask what value such artificially generated scenarios have.
As a reminder, the cyberattack that has plagued the APMM network has had nothing to do with engaging directly with ship’s technical systems and nautical systems and influencing ship’s command. The problems caused by the malware “NotPetya” were that it affected the IT and logistical infrastructure of the APM container terminals and caused serious failures that made it almost impossible to maintain port operation / port handling. This circumstance was used by the IT security industry to place hacker horror reports and artificially staged incidents what lead in the public to the image that it is very simple to take influence of the control in internal ship networks, operation systems and in the ship guidance. This generates a hysteric argumentation what gives the public the impression it will be easy to take over the complete extern control of ships by cyber-attacks. And watchkeeping officers/ engineers are not able to initiate effective countermeasures. Sorry, but this is a big fairy tale.
It becomes apparent that in same window of time, there is also an intense discussion on Maritime Autonomous Surface Ships (MASS) operations, which IMO adopted as one of the main item at its 99th MSC Session in May 2018. From this perspective, the discussion about cyber-attacks on ships and external influence of hackers on their operations takes a whole new dimension. However, it must be made clear that the MASS concept is intended to be fully automatic unmanned operated vessels, which are to be remotely controlled via a two-way satellite data link via a remote operations center. So there is a permanent coupled external and internal data exchange to analyze operating conditions, to optimize or to respond to disturbances. This requires extremely complex integrated artificial intelligence network solutions that can undoubtedly be the target of cyber-attacks and certainly enjoy some popularity among hackers. For whatever purpose.
For such networks, it is quite appropriate to make serious and profound thoughts to counter unwanted influence or unwanted external access and thus multiple manipulation possibilities. This need not be discussed for long.
In today’s commercial shipping, the issue of network security for internal and external networks can’t be denied. The problems exist, there is no question. Only it makes no sense to derive a hysteria from it. Most problems in today’s shipping with viruses / Trojans or Malware infections aboard ships are:
- Working too carelessly with unauthorized data carriers, such as USB sticks, external databases in internal networks and on computers intended solely for business use. Their use and handover must be completely prevented or it MUST be performed before each use a volume test.
- Authorized data carriers are insufficiently checked for data by IT security / anti-virus software after downloads of updates for ECDIS and e-nautical documentation. It must become the standard that every update / download must be checked by security programs. Unknown mail senders, unknown or undefined attachments should not be opened. If you have any doubts, first ask the shipping company’s own IT team.
- Shipping companies must equip the ships with effective security software and, above all, keep them up-to-date by updating. Unfortunately it is still to determine that the cheapest security package (best freeware) is just good enough and the update intervals do not meet security requirements. Here is money saved in the wrong place.
- The use of exclusive monthly update CD’s authorized by the shipping companies is also a way to increase IT security, of course this has the disadvantage that updates can always be realized only with a time delay
- Shipping companies must make it to their mission to train the on-board management staff in the use / handling of internal networks, through the use of security software and software maintenance. Too often it can be seen that the on-board staff has little knowledge of IT security issues and is overwhelmed with certain IT-specific issues.
- ALL office computers on board must be subjected to a full security check of all drives at least once a week. This point can even be included in the weekly maintenance program, the corresponding logs can be attached to the maintenance report. It would give the IT department ashore the opportunity to undertake corrective actions when vessels aren’t following the IT company policies.
The enforcement of these points already ensure that the risk would be significantly reduced with an infection of viruses / Trojans / malware and would also be cost-effective and the bureaucratic effort minimal.
As far as the GPS Spoofing reports are concerned, they must be taken seriously. GPS positions / data simplified explained, are fixes based on signal transit time measurements of different satellites on fixed frequencies. Ship movement data transmitted via GPS, e.g. speed, taking advantage of the Doppler Effect and the ship course under using the earth’s magnetic field by means of so-called magnetometer (electronic magnetic compasses) determined. It is possible today with relatively simple and low cost means connected to produce so-called virtual satellites (up to 12 in number are possible) and spread GPS beacon signals for the falsification of position data, but all of which are applicable only from the ground. However, this can be relatively easily technically solved, with used so-called direction-sensitive GPS antennas, which receive their GPS signals only from satellites with a relative high elevation and not respond to GPS signals from the ground or from the side.
Another possibility to influence GPS signals is that from electronic warfare known jamming. It using a jammer on a fixed frequency band with a defined bandwidth. The GPS signal is completely suppressed by noise and can no longer be used.
However, both methods have no access to internal data networks, such as CAN bus or communication channels such as NMEA 0183, what is based on ASCII data records. Only satellite signals are manipulated or completely disturbed.
In conclusion, it can be stated that the issue of cyber-attacks on ships must certainly be given great attention. However, the church in the village must be left as well. In today’s shipping, the ghostly conjured scenarios of IT security companies are exaggerated in my view. Undoubtedly, their effect is to raise awareness of the topic on board and in shipping companies. This is urgently required.
All the cases and reports I’ve found so far about influencing navigation systems and technical operating systems are based on artificially induced tests by the IT industry. They did not consider the in reality existing possibilities of using existing redundant systems by the on board Nautical Officer and Engineers with the aim of preventing network attacks by switch on substitute procedures which integrated networks are not require.
However, it must be critically noted that especially the younger generation of navigators and engineers have significant gaps in the handling of redundant procedures and more in-depth technical understanding of on-board technical systems because of the greater emphasis placed on technical hearing, rather than the ability of traditional methods to be able to apply
To this day, I know of no case of GPS spoofing operating in the middle of the ocean. That does not work either, because that requires the necessary platform. All depictions of GPS / GNSS spoofing of drones, yachts, and ships took place offshore and were based on land-initiated platforms. Spoofing is possible under normal conditions only in the quasi-optical area. This is based on the nature of spoofing systems that can only be operated at ground level / sea level. It might be not ruled out that in an increasing number GPS spoofing might take also more influence in offshore areas. Because today the computer games industry celebrates GPS as a new games innovation and of course works on the same GPS frequency as commercial shipping / aviation. Using GPS with virtual GPS satellites can negatively affect the use of GPS. Here must urgently be remedied to avoid disabilities and incidents for commercial shipping and air industry.
In the future, this topic cyber-attacks will play an acute role in fully automatic unmanned transport systems at sea, as these systems are particularly susceptible to cyberattacks due to their internal and external networks and permanent two-way data exchange for monitoring and control and require a powerful IT security capability to avoid abusive takeover system control.
I see presently no reasonable argument to lay the world wide shipping only in the hand of robots and only automated unmanned systems. We should learn: Humans are unable to outwit nature. Shipping is since more as 4000 years an open air spectacle and it need a versatility qualification and experience to manage ships under extreme heavy weather condition. This experience you can win only at sea on vessels and not in control centers ashore. No technical system is able to substitute human decision making processes knowledge gained in practice.
At the moment I am inclined to say:
Best Regards from Jule Verne
This has no influence in the fact that cyber criminality in shipping has to be under close consideration. Presently are logistic chains and infrastructure systems ashore much more threated by cyber-attack as ships.
The views presented hereabove are only those of the author and not necessarily those of SAFETY4SEA and are for information sharing and discussion purposes only.
Above article has been initially published in Capt. Gunter Schütze LinkedIn account and is reproduced here with author’s kind permission
Written by Capt. Gunter Schütze ,
Capt. Gunter Schütze holds a Master Degree of Engineering in Ship Guidance. He currently serves as a freelancer author, while he also contributed in follow-up and completion work on study about the crisis in the German and international shipping, until its publication as e-book in German book trade. He further serves as an active captain aboard of large container vessels.