It’s been modified from the original data to be more human-readable. Source messages look like this:

$CRNRX,007,001,00,TD02,1,135600,27,06,2001,241,3,A,==========================*09

$CRNRX,007,002,00,,,,,,,,,,========^0D^0AISSUED ON SATURDAY 06 JANUARY 2001.*29

$CRNRX,007,003,00,,,,,,,,,,^0D^0AINSHORE WATERS FORECAST TO 12 MILES^0D^0AOFF*0D

$CRNRX,007,004,00,,,,,,,,,,SHORE FROM 1700 UTC TO 0500 UTC.^0D^0A^0D^0ANORT*70

$CRNRX,007,005,00,,,,,,,,,,H FORELAND TO SELSEY BILL.^0D^0A12 HOURS FOREC*16

$CRNRX,007,006,00,,,,,,,,,,AST:^0D^0A^0ASHOWERY WINDS, STRONGEST IN NORTH.^0D*15

$CRNRX,007,007,00,,,,,,,,,,^0A^0A*79

From Engine Room Management to RADAR, all your systems will also have an Operating system on it. Without it, the system wouldn’t work correctly. The issue is that there are multiple different operating systems, all able to do different thing, have different features and cost different amounts to buy. This means some have different requirements in terms of hardware and what software they need on them and what security features they hold. Also some software on-board may only support certain Operating systems.

By now you should have a list of all your on-board equipment and their update status.

It is very common for Bridge equipment to use OS considered ‘dated’ by the home user, such as Windows NT, 2000 or XP (Which runs a large proportion of Navigation Software as an example)

Check the terminal vendors software update pages regularly – security fixes are often hidden in the changelog and not easy to find.

Check that the bridge, engine room, crew, Wi-Fi and business networks on board are logically separated

If a device on your vessel is compromised, segregated networks will ensure critical systems are kept safe from the hacker. Do the personal laptops of crew members on the ship network have access to the navigation systems? Have you actually checked to make explicitly sure?

The ECDIS system case must be kept in a robust locked cabinet to which only senior personnel have access. It should not be possible for other personnel to access the system case or any of the USB and network ports on it.

A source of several ECDIS security incidents has been from crew charging smartphones from the USB ports. Phones that have not been kept up to date may already be infected with malware.

Many ECDIS have USB ports present on their keyboards, as shown in the example below. Operators frequently report that, despite multiple ‘safe’ USB charging points being made available on the bridge, crew still charge phones from the ECDIS.

With this in mind, seriously consider installing USB port blockers such as the below. Whilst they are not difficult to remove, they do provide a visual deterrent to casual charging.

The ECDIS is an ideal candidate for the hacker to ‘bridge’ between the IT and OT networks on the vessel. An ECDIS consumes multiple data feeds, for example:

GPS

ARPA

Log

AIS

Gyro

Chart updates

This image shows the inside of an ECDIS computer case. The smaller wires are serial data feeds from several OT sources. The whole computer is also connected to the vessel IP network, meaning a skilled hacker could use an ECDIS as the route between the IT and OT networks.

OT and IT networks are often joined on board, often for reasons of convenience such as being able to review engine parameters and efficiency from a computer on the vessel business network.

Discuss the following with the operator and on board engineering team:

Where on board are the OT and IT networks joined?

The VDR is another common source of network convergence: the data recorder needs to monitor both sets of networks in order to gather useful telemetry for accident analysis

Subtle attacks to GPS – How to spot

Crews should be alert to the potential for more subtle attacks. A gradually increasing error in position may be far more difficult to detect. This style of attack could be used to draw a vessel in to a position of danger.

GPS data is transmitted from the above deck receiver to the various devices on the OT network that consume it. The data is unencrypted and has the potential to be tampered with.

A GPS sentence might look like this:

$GPGLL,3751.65,S,14507.36,E*77

Or

$GPGLL,4916.45,N,12311.12,W,225444,A

A hack might involve changing the GPS data on the ships network itself, rather than a broader and obvious spoofing of the GPS radio signal. This is far more subtle and much more difficult to detect.

Advanced interrogation:  Can we view the NMEA message if unsure of potential corruption through your system?