A Study on Cyber Security Threats in a Shipboard Integrated Navigational System

The integrated navigational system (INS) enhances the effectiveness and safety of ship navigation by providing multifunctional display on the basis of integration of at least two navigational functions, the voyage route monitoring with Electronic Chart Display and Information System (ECDIS) and collision avoidance with radar. The INS is essentially a software platform for fusion of data from the major ECDIS and radar systems with sensors for the additional navigation functions of route planning, status and data display, and alert management. This paper presents a study on cyber security resilience examination of a shipboard INS installed on a RoPax ship engaged in international trade. The study was based on a mixed-method approach, combining an interview of the ship's navigational ranks and cyber security testing of the INS using an industry vulnerability scanner. The identified threats were analyzed qualitatively to study the source of cyber risks threatening the INS. The results obtained point out cyber threats related to weaknesses of the INS underlying operating system, suggesting a need for occasional preventive maintenance in addition to the regulatory compliance required.


Introduction
Ship navigation systems have been increasingly relying on cyber technologies to improve the effectiveness and safety of navigation, which has consequently resulted in a need for safeguarding shipping from cyber threats. Therefore, the International Maritime Organization (IMO) has published the guidelines on maritime cyber risk management [22], and has also included cyber security assessment in the International Safety Management (ISM) code to be introduced on ships by the beginning of the year 2021 [23]. In addition, the IMO is preparing, in collaboration with the International Electrotechnical Commission (IEC), a new standard for maritime navigation and radio-communication equipment and systems, IEC 63154 "Cybersecurity-General Requirements, Methods of Testing and Required Test Results" [24].
The integrated navigational system (INS) is a composite system whose purpose is to enhance the effectiveness and safety of ship navigation by providing the multifunctional display on the basis of integration of at least two navigational functions [25]: collision avoidance using a radar sensor and voyage route monitoring using the Electronic Chart Display and Information System (ECDIS) [26]. The INS is essentially a software platform for fusion of data from the major radar and ECDIS systems with sensors for the additional navigation functions of route planning, status and data display, and alert management. The INS is recognized by the IMO as one type of equipment, and its functionality is standardized by performance standards [26].
systems, they are installed as an individual equipment, providing their basic functionality. This paper reports on an examination of the cyber security resilience of a shipboard INS. The examined INS is installed on a roll-on/roll-off ship for freight vehicle transport with passenger accommodation (RoPax), which is engaged in international trade (Figure 1). The examination is based on a mixed-method approach, combining an interview of the ship's navigational ranks to identify implemented safeguards and cybersecurity testing of the INS to detect existing vulnerabilities. The threats identified were qualitatively analyzed to determine the level of cyber risks threatening the INS.

The Integrated Navigational System
The INS examined is the NACOS MULTIPILOT Platinum 2017 from the manufacturer Wärtsilä SAM Electronics GmbH. The integrated navigational tools are ECDIS, radar, and conning. The INS is IMO compliant, and the technical specification is given in Table 1.

The examined INS architecture configuration is shown in Figure 2. The integration is based on the sensor adapter, which acts as a central medium for gathering all of the sensor data via serial interfaces and collectively feeds it to the INS via the high-speed local area network (LAN). Sensors integrated include the ECDIS mandatory sensors (position DGPS, heading gyrocompass, and speed log), the radar X-band scanner, and additional sensors (AIS, Navtex, EPFS, echo sounder, and anemometer). The INS software, including the ECDIS and radar software, meets the IMO performance standards for each of the individual navigation equipment [26][27][28].

Network: Ethernet local area network (LAN)
Chart update: USB
Remote maintenance: Possible

Implemented Safeguards
The implemented safeguard measures and mechanisms were identified by interviewing the ship's navigational ranks, in particular the ship's master, and first and second officers. During the interview, we focused on three elements of the safeguard regarding the INS's operating environment: the ship's security management system, INS navigation tools, and integration network system. For each of the elements, the identified safeguard measures and mechanisms, together with the description, are given in Table 2.

The results regarding the cyber security management system showed that cyber security was implemented only partially in the ship's security policies and procedures. However, the policies and procedures were well communicated and reviewed regularly. The training of the ship's navigational ranks was conducted by the INS vendor, and cyber security awareness was at quite a high level. The shipboard INS navigation tools were not connected to the Internet. A strong physical protection policy was in place against unauthorized personnel, and INS hardware interfaces were kept in a locked case. The portable storage device for electronic navigation chart (ENC) updates was strictly controlled, the device provided by the INS vendor was used, and the cyber hygiene of the ship's navigational ranks was at a high level. A confidentiality agreement with the vendor was in place. The LAN network for integration was also disconnected from the Internet, and strong physical protection and logical authentication policies were in place.

Cybersecurity Testing
The cybersecurity testing of the INS was conducted with the world's most widely deployed industry vulnerability scanner, Nessus Professional version 8.0.1 [29]. Vulnerability scanning is a passive method of reviewing the INS to gain comprehensive insight into all vulnerabilities that are already known to the cybersecurity community, attackers, and software developers [6,30]. A laptop with the installed vulnerability scanner was connected directly to the INS with a crossover Ethernet cable. The INS software was running with administrative rights, whereas the remote scanning was conducted without administrative permission. Figure 3 shows the testing setup. During the testing, the ship was docked in a port. The INS was activated to use the ECDIS as the base display layer, together with the radar and conning data (Figure 3).
The scanning report summary is shown in Figure 4. In total, 4 vulnerabilities and 27 pieces of information were detected. According to the severity level, the report showed that 1, 1, and 2 vulnerabilities were assigned critical, high, and medium severity, respectively. Table 3 shows descriptions and possible solutions of the INS cyber-vulnerabilities detected. The critical vulnerability detected (Table 3, vulnerability 1) alerts that a vulnerable version of the Server Message Block (SMB) service is running on the INS. Namely, the underlying operating system of the INS software is Microsoft Windows 7 Professional (Service Pack 1), and SMB is its default service for file and printer sharing. Following the manufacturer's recommendation, immediate implementation of a security update for the INS underlying operating system is required [31]. This vulnerability is particularly interesting because of one of the most recognized maritime cyber security incidents, the NotPetya attack on the Maersk container shipping company [32]. NotPetya is a malicious ransomware program that spread rapidly worldwide by utilizing the SMB version 1 vulnerabilities [33]. Although the INS underlying operating system update recommended by the manufacturer is relatively complex to implement in a ship environment, it offers reactive protection, such as is provided with anti-malicious code security programs. A proactive solution would be secure setup of the INS underlying operating system by blocking or disabling the SMB service version 1. However, it is very important to point out that the update of the underlying operating system could significantly impact the INS software functionality [26] and should only be conducted by INS vendor authorized personnel.
The vulnerabilities with high and medium severities detected (Table 3, vulnerabilities 2-4) are related to weaknesses of services running on the INS underlying operating system, allowing possible remote code execution and unauthorized access. As in the case of the critical vulnerability detected, the vulnerable services are not necessary for the INS operational functionality. The solution includes an underlying operating system update with a security patch released by the manufacturer and secure setup by disabling or blocking the vulnerable services and forcing strong cryptography. These activities are also to be conducted by the INS vendor authorized personnel.
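To turn a scan like the one described above into a hardening worklist, the following added example (not code from the paper) parses a Nessus v2 `.nessus` export, counts findings per severity, and groups the non-informational findings by listening service. The embedded report is constructed: the host name, ports, service names, plugin IDs and plugin names are placeholders, and only three informational entries are included.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Nessus v2 encodes severity as an integer attribute on each ReportItem.
SEVERITY = {0: "info", 1: "low", 2: "medium", 3: "high", 4: "critical"}

# Constructed sample export; every value below is a placeholder, not the
# content of the report in the paper's Figure 4 or Table 3.
SAMPLE = """<NessusClientData_v2>
 <Report name="constructed-sample">
  <ReportHost name="ins-host.example">
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
               pluginID="900001" pluginName="SMBv1 finding (placeholder)"/>
   <ReportItem port="50001" svc_name="svc-a" protocol="tcp" severity="3"
               pluginID="900002" pluginName="Service A finding (placeholder)"/>
   <ReportItem port="50002" svc_name="svc-b" protocol="tcp" severity="2"
               pluginID="900003" pluginName="Weak cipher finding (placeholder)"/>
   <ReportItem port="50002" svc_name="svc-b" protocol="tcp" severity="2"
               pluginID="900004" pluginName="Weak protocol finding (placeholder)"/>
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
               pluginID="900005" pluginName="OS identification (placeholder)"/>
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
               pluginID="900006" pluginName="Scan information (placeholder)"/>
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="0"
               pluginID="900007" pluginName="SMB service detected (placeholder)"/>
  </ReportHost>
 </Report>
</NessusClientData_v2>"""


def parse_findings(xml_text):
    """Flatten every ReportItem into a dict, keeping the host it belongs to."""
    findings = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port")),
                "protocol": item.get("protocol"),
                "service": item.get("svc_name"),
                "severity": int(item.get("severity")),
                "plugin": item.get("pluginName"),
            })
    return findings


def severity_summary(findings):
    """Count findings per severity label, as in a scan summary."""
    return Counter(SEVERITY[f["severity"]] for f in findings)


def services_to_review(findings, min_severity=2):
    """Group findings at or above min_severity by (protocol, port, service),
    worst service first: the services to check for operational need."""
    grouped = {}
    for f in findings:
        if f["severity"] >= min_severity:
            key = (f["protocol"], f["port"], f["service"])
            grouped.setdefault(key, []).append(f)
    ranked = sorted(grouped.items(),
                    key=lambda kv: max(f["severity"] for f in kv[1]),
                    reverse=True)
    return [(key, [f["plugin"] for f in items]) for key, items in ranked]


if __name__ == "__main__":
    found = parse_findings(SAMPLE)
    print(dict(severity_summary(found)))
    for key, plugins in services_to_review(found):
        print(key, plugins)
```
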

Risk Level Determination
The INS cyber risk determination was conducted on the basis of a qualitative analysis of cyber threats identified by the interview and vulnerability scanning conducted. Whereas the vulnerability scan is used to detect all known vulnerabilities existing in the INS, the vulnerability scanner used is a general industry tool, and the results could inaccurately reflect the actual severity of threats due to the specifics of the ship environment. Therefore, the scan results were studied in the context of the INS's operating environment and implemented safeguards on the ship. On the basis of the interview and vulnerability scan results, we conducted the identification of cyber threats. Table 4 shows the list of the identified cyber threats together with our estimation of the threats' impact magnitude and likelihood. The impact magnitude represented the damage resulting from a threat execution, and was given with a value from 0 (no impact) to 100 (total impact). The threat likelihood represented the probability that a threat was executed, and the likelihood rate was given with a value from 0 up to 1.
Four of the eight determined cyber threats were assigned the highest impact magnitude (Table 4, threats 1, 2, 5, 6). The threats were related to the INS underlying operating system being out of date and set up insecurely, as well as establishment of the Internet connection and unauthorized access. The middle impact magnitude was assigned to two threats (Table 4, threats 3 and 4) that were related to the ship training and awareness. The low impact magnitude was assigned to the threats arising from a lack of cyber security-dedicated policies and procedures, and continuous assessment and improvement (Table 4, threats 7 and 8). Five of the eight determined cyber threats were assigned the low likelihood level (Table 4, threats 3-6, 8). The threats assigned the middle likelihood level (Table 4, threats 1, 2, 7) were related to the INS underlying operating system being out of date and having insecure setup, as well as a lack of cyber security-dedicated policies and procedures. The given values of the impact magnitude and likelihood are discussed with the risk level analysis in the following part of the chapter.
The INS cyber risk levels were calculated by multiplying the impact magnitude value with the likelihood value. The given result represented the qualitative cyber risk level: (i) acceptable low risk (product of the multiplication was lower than 25), (ii) medium risk that is acceptable for a short time (product of the multiplication was between 25 and 50), (iii) high risk demanding a risk mitigation plan (product of the multiplication was between 50 and 75), and (iv) critical risk demanding instant action (product of the multiplication was higher than 75). Figure 5 shows the cyber risk-level radar graph of the results obtained with the qualitative risk analysis.
The risk level radar graph (Figure 5) indicated that two of the cyber threats determined were classified as medium risk (the highest risk level assigned) for the ship INS cyber security. The threats were related to the INS underlying operating system, in particular to the operating system update and secure setup. The out-of-date INS underlying operating system implied that an attacker can exploit a known vulnerability using publicly available instructions without significant expertise in ship navigation and computing technologies (analyzed in detail in Chapter 4). Securing the underlying operating system by disabling unnecessary services provides proactive protection from unknown vulnerabilities and threats, and also could improve the performance of the INS because of additional resources released. On the other hand, when relying on a reactive protection solution and having out-of-date supporting software, the cyber risk level will probably increase over time. In the case of the tested INS, the manufacturer of the underlying operating system will discontinue support and strongly recommend moving to the next generation before the end of the current year (2019) [34]. The identified cyber threats corresponded to the previous findings with shipboard ECDIS and radar systems, indicating the same cyber risk threatening each of the navigation systems that are from different manufacturers and are installed on different types of ships [1,21].
The low (acceptable) risk level was assigned to most of the threats determined (six of eight), which are shown in Figure 5. The cyber threats were related to the ship navigational ranks' training and awareness, physical protection controls, the cyber security-dedicated policy and procedure development, and periodic assessment and improvements. One of the threats assigned the lowest risk level was related to the establishment of the Internet connection (Table 4, threat 5). The tested INS was not connected to the Internet and operated in an environment with strong physical protection and logical authentication control policies; thus, an Internet connection by installation of a network device was very unlikely to happen. Although disconnection from the Internet prevents outside threats, the vulnerabilities arising from the unmaintained operating system (its update and secure setup) could be triggered by inside actors (the ship's crew), either unintentionally or maliciously. However, it should be noted that with the INS connection to the Internet, the risk level of all of the cyber threats determined would rise to the critical level, demanding instant action.
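The scoring rule above (impact magnitude times likelihood, mapped to four bands) and the point that a change in the operating environment moves threats between bands can be worked through as follows. This is an added example, not code from the paper: the register values are constructed and are not those of Table 4, and because the text does not say which band a score of exactly 25, 50 or 75 belongs to, the example assumes 25 is medium and both 50 and 75 are high.

```python
from dataclasses import dataclass


def risk_level(impact, likelihood):
    """Map impact (0..100) times likelihood (0..1) to the paper's four bands.

    Boundary handling is an assumption of this example: 25 -> medium,
    50 -> high, 75 -> high; only scores above 75 are critical.
    """
    if not 0 <= impact <= 100:
        raise ValueError("impact magnitude must be within 0..100")
    if not 0 <= likelihood <= 1:
        raise ValueError("likelihood must be within 0..1")
    score = impact * likelihood
    if score < 25:
        return "low"
    if score < 50:
        return "medium"
    if score <= 75:
        return "high"
    return "critical"


@dataclass(frozen=True)
class Threat:
    name: str
    impact: float
    likelihood: float


# Constructed register for illustration; NOT the values of the paper's Table 4.
REGISTER = [
    Threat("OS out of date", 90, 0.4),
    Threat("OS insecure setup", 90, 0.35),
    Threat("Internet connection established", 90, 0.05),
    Threat("No cyber-specific policies", 20, 0.4),
]


def assess(register, likelihood_override=None):
    """Return (name, score, level) rows, highest score first.

    likelihood_override maps a threat name to a new likelihood so the same
    register can be re-scored after the operating environment changes.
    """
    override = likelihood_override or {}
    rows = []
    for threat in register:
        p = override.get(threat.name, threat.likelihood)
        rows.append((threat.name, round(threat.impact * p, 2),
                     risk_level(threat.impact, p)))
    return sorted(rows, key=lambda row: row[1], reverse=True)


def escalations(register, likelihood_override):
    """Return {name: (level_before, level_after)} for threats whose band changes."""
    before = {name: level for name, _, level in assess(register)}
    after = {name: level
             for name, _, level in assess(register, likelihood_override)}
    return {name: (before[name], after[name])
            for name in before if before[name] != after[name]}


if __name__ == "__main__":
    for row in assess(REGISTER):
        print(row)
    # Hypothetical re-assessment with a higher likelihood for one threat.
    print(escalations(REGISTER, {"OS out of date": 0.9}))
```
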

Conclusions
The comprehensive cyber security resilience examination of the INS installed on the RoPax ship engaged in international trade was presented. The examination was based on the mixed-method approach, combining an interview of the ship's navigational ranks and the following cyber security testing of the INS. The test was conducted using the industry vulnerability scanner, and the results were studied in the context of the INS's operating environment and implemented safeguards on the ship. While six determined threats were classified with an acceptable risk level, the two medium risk level threats are related to the maintenance of the INS's underlying operating system, in particular its update and secure setup. The satisfactory risk level was attributed not only to the traditionally strong maritime physical protection controls, navigational ranks' training, and adherence to security policies and procedures, but also to the INS's disconnection from the Internet.
The results from this study advance understanding of the source of cyber risks threatening the INS, and are applicable to any shipboard integrated system or type of ship. The results indicate the importance of performing cyber security tests as well as analyzing the detected vulnerabilities with regard to the ship operating environment. The cyber vulnerabilities detected with the passive scanning method suggest the significance of cyber security testing for proactive protection by disabling unnecessary services. In addition, the findings contribute to the development of the new testing standard IEC 63154 and suggest the testing results that should be targeted. The study implies the need for occasional preventive maintenance of the underlying operating system to address weaknesses, despite the care taken for the purpose of regulatory compliance.

Figure 1. The RoPax ship engaged in international trade.

Figure 2. The shipboard INS architecture configuration. LAN: local area network.

Figure 3. Testing setup for the INS cyber-vulnerability scanning.

Figure 4. The vulnerability scanning summary report.

Figure 5. Risk level radar graph of the cyber threats determined for the INS.

Table 1. The shipboard integrated navigational system (INS) specification.

Table 3. Results of the vulnerability scan.

Table 4. The identified INS cyber threats.