DOSSIER

 

Managing cyber risks of ECDIS


There have been concerns raised in the industry about cyber risks of ‘operational technology’ on-board ships, such as ECDIS. Karl Jeffery, founding editor of Digital Ship spoke with Navtor, one of the world’s leading ECDIS technology companies, about how the risks can be best managed.


The main cyber concerns are that the ECDIS operating system software can be corrupted or get a virus, a virus can be introduced using a USB stick, and the charts can be corrupted. But all of these risks can be mitigated easily by using modern technology and following procedures.

Perhaps more importantly, it should be possible to show this to other people with a stake holding in maritime safety, such as insurers, authorities and charterers, that the ECDIS is being managed in a way which eliminates cyber risks.

To put people’s concerns at rest, the whole system needs to be demonstrably secure. There is no means for any hack or corruption to occur in chart data as it flows between the hydrographic office, the electronic chart supplier and the vessel systems. There is tight control over what data can enter the ECDIS system so that only correct software updates, charts, chart updates and chart licenses are allowed. The ECDIS is running an up to date operations system with the latest patches.

But it is still important that everybody involved has some understanding of the risks, as with any other risk in shipping. It is important that seafarers have training in the basics of cybersecurity, says Anders Holme, CTO, NAVTOR.


Old operating systems

The biggest potential risk with ECDIS probably comes from the use of old equipment with operating systems which have not been updated.

Chart display systems are computers, which use the same operating systems which are in a PC.

The first systems, type approved in 1999, ran the Windows versions which were being used at the time.

You wouldn’t use 1999 Windows systems in the office, partly due to the cybersecurity concerns, with systems no longer being provided by patches by Microsoft. Most companies would not allow this. Shipping companies should not do so either.

It is rare for ships today to use ECDIS systems with old operating systems, says Tor Svanes, CEO of Navtor. This is much to do with today’s cyber risk management processes.

Every ECDIS manufacturer must make sure they keep the ECDIS software updated, Mr Svanes says.

This can be done either with personnel who go on-board after a certain amount of time to update and check the systems, or it can be done remotely, as we do with our home and office Windows computers.

When shipping companies consider a new ECDIS supplier, the ease and security of the maintenance service should be a major factor.

There is an increasing trend for ECDIS companies to use Linux rather than Windows for the operating system, says Bjørn Kristian Sæstad, chief quality officer & chief business development officer OEM at Navtor.

But there is no clear answer as to whether Windows or Linux are safer from viruses. Arguably, the Windows community has a higher vigilance about viruses, says Anders Holme, CTO of Navtor.

Perhaps the legal requirement to update ECDIS operating systems is not crystal clear, since once a system was given a “type approval” certificate, it is valid for life.

But there is a reasonably clear obligation, since ensuring up to date operating system software is one of the most important cybersecurity risks, which should be considered in any risk assessment, which shipping companies are required to do.

In addition, SOLAS Chapter V/27 says that nautical charts "shall be adequate and up to date". If the ECDIS is running older software, it may not be able to display the chart information fully, even if the chart files themselves are up to date. For example, newer features like Particularly Sensitive Areas (PSSA) and Archipelagic Sea Lanes (ASL) may not display on older ECDIS software, according to a 2016 paper by Lucian Indries of the University of Oslo (Candidate number: 8008).

Further performance standards and guidance for ECDIS systems were published by IMO, including MSC.232(82) (2006), IMO SN.1/Circ.266/Rev.1 (2010) and IMO MSC.1/Circ.1503 (2015). It states that ECDIS software "should be kept up to date such that it is capable of displaying up-to-date electronic charts correctly according to the latest version of IHO's chart content and display standards." This language is “guidance” though, not legally binding.


USB sticks and connectivity

A second concern is that viruses can be introduced with USB sticks. This concern is heightened if an older Windows version is being used for the chart display system, because there are many viruses in circulation which can attack old Windows versions.

It is not usually practical to disable USB drives on ECDIS systems, because they may be the only way to update the software and put in new virus updates (although Navtor has an alternate system for chart updates, described below).

Many chart suppliers send chart updates by e-mail attachment, which means copying them into the ECDIS with a USB stick, or by a CD.

Data communication is also needed to ‘unlock’ new chart files when a vessel is going to a new area. The chart is already stored on-board the ECDIS, but the shipping company pays for a permit to view the chart. For smaller distributors, these permits would typically be sent by e-mail, and need copying onto a USB stick.

But shipping companies should have strict procedures about how USB sticks can be used with an ECDIS, as should any service personnel who come on-board to update the software.

The USB stick used for updating ECDIS systems should not be used for anything else. “If you take that stick and use it for storing movies, pictures and whatever you do, then there is a risk,” Mr Holme says. It also means a violation of procedures.

This memory stick should also only be inserted into computers with well managed security, such as virus scans and up to date operating systems.

ECDIS systems are not allowed to be connected directly to an internet communications system. There are strict rules about how they can be connected.

“Just to have one ECDIS connected to another ECDIS, even without the internet, is [subject to] very strict [regulation], whatever you do regarding communication,” says Bjørn Kristian Sæstad of NAVTOR.


Hacking chart data

A third concern is that the chart data itself can be hacked. For example, an enterprising and vicious hacker may wish to send chart data to a ship which indicates deep water in a part of the sea where, in reality, there is a shallow rock. So there needs to be a secure communications chain from the chart supplier to the ship.

A chart supplier such as Navtor does not verify the accuracy of the data itself – this is the responsibility of the hydrographic office which supplies it. In the same way, it is the hydrographic office’s responsibility to ensure that data on their paper charts is correct.

But the chart supplier will ensure that the data cannot be corrupted or hacked on its way to the vessel. Navtor’s data is protected using S-63, an International Hydrographic Organisation (IHO) standard for encrypting, securing and compressing electronic navigational chart (ENC) data.

Chart mistakes and inaccuracies made by hydrographic offices are rare, but they do happen. In one example, “a customer said there is something wrong here in the Port of Rotterdam. We took action and found the problem,” Mr Svanes says.

Note that when this happens, digital systems can be updated much faster than paper charts. “All vessels can be updated in hours,” Mr Holme says.

There is a secondary means of verifying that chart data has not been corrupted, because the ECDIS will show radar images overlayed on the chart. For example, the radar image of land will show on top of the chart showing land. If there is corruption with the chart data, they are not aligned.

The ECDIS will also sound an alarm if it identifies a problem with data input. “This is in the specification for ECDIS,” Mr Svanes says.


Electronic safer than paper

Some people may argue that the cybersecurity risks of ECDIS, although very small, mean they outweigh the benefits of using electronic charts over paper, or that paper charts should still be carried as a contingency.

But paper charts come with risks which electronic charts don’t have. “Paper can burn, or get water spilled on it,” says Navtor’s Anders Holme.

Updating digital systems, and receiving new charts, was also much easier to do than with paper charts during the COVID era, when it was harder to arrange physical deliveries to the ship, he says.


Backup to ECDIS

Under the ECDIS regulations in place since the 1990s, shipping companies cannot rely on just one ECDIS unit – they need to have a backup system. This can be a second ECDIS, or paper charts.

It would be easier for shipping companies if the backup could be a second ECDIS, so then they do not need to have to handle paper charts on-board.

Navtor provides a “planning station”, a software tool which can be used for planning routes, which uses the same ENC charts. A popular option is to use it with a 46 inch touch screen.

This planning station can also function as a third back-up, because it runs on the same software kernel and charts as the actual ECDIS system.

“Even if you have a double ECDIS and there is something wrong in both of them, you still have the planning station with the ENC. You have the backup to the backup,” Mr Svanes says.

 

Navtor’s Navbox

Navtor provides its own device to manage the connectivity between the ECDIS and the satellite communications system and the cloud, called the “Navbox”.

This is a physical device on-board the ship, which plugs into both the ECDIS and the satellite communications system.

It ensures that only bona fide chart updates, sent from Navtor, via Navtor’s cloud system, can be uploaded onto the ECDIS. So it allows the ECDIS to be connected to a network in a secure way, avoiding the need for USB sticks.

The connection between the ECDIS and the Navbox is set up with secure APIs, which ensure that only the right chart content can be exchanged.

So we can describe the Navbox solution as end to end secure, without needing any extra policies / procedures.
The Navbox is certified to meet the IEC 61162-460 standard, for cybersecurity in maritime navigation and radio communication equipment and systems – digital interfaces – Part 460: multiple talkers and multiple listeners – ethernet interconnection – safety and security.

The Navbox itself is a PC but which has its own mechanisms to only read certain content. It is possible to plug a USB stick into the Navbox, but it will only read the chart files from the USB stick.

Navbox is a component of a “fully enclosed solution” – connecting only to Navtor’s “Navcloud”, only with fully encrypted and authenticated communication. “You can't talk to it through any other channels,” says Mr Holme. And the data communication Navtor makes to the Navcloud is also very strictly controlled.

 

  

DS

 

 

 

  LMB-BML 2007 Webmaster & designer: Cmdt. André Jehaes - email andre.jehaes@lmb-bml.be