Maritime cybersecurity: civilian and military sailors embark on new challenges

When it comes to cyber security, civilian and military sailors “are in the same boat,” observed the daily paper Ouest-France on 15 September 2021. The civilian and military navies are indeed engaged in an ever increasing digitisation, which augurs new cyber risks and calls for adequate responses.

Ouest-France tackled the subject because France has just taken a new step in its ability to respond to the challenges of maritime cyber security. On 15 September, as part of the conference on the economy of the sea, France Cyber Maritime and the French Navy signed an agreement. This agreement provides for “the sharing of experience and information between the cyber incident monitoring, analysis, alert, and collection centre (M-CERT), established by France Cyber Maritime […], the French Navy’s cyber coordination authority, […] and the centre of expertise dedicated to maritime security (MICA Center).”

France Cyber Maritime, set up in November 2020 with the support of the SGMer, the French National Agency for Information Systems Security (ANSSI), and some fifteen public and private partners, has set itself the task of encouraging the development of a French cybersecurity sector of excellence and increasing the resilience of the maritime and port industry in the face of cyber risks, via the M-CERT. Currently incubated by ANSSI, this centre “already distributes comprehensive monthly bulletins on maritime cybersecurity, alerts, as well as compromise indices for the benefit of the association’s members and partners. It should join the network of French CSIRTs within InterCERT-FR during the year 2022. Its growth is consistent with organisations of this type and is expected to last until 2024. The M-CERT has already started to work with foreign counterparts to facilitate analysis and information sharing, and to better prevent attacks on the sector,” explains Olivier Jacq, technical and scientific director of France Cyber Maritime.

This French initiative is, in fact, not isolated. As early as June 2017, the International Maritime Organization (IMO) published Resolution MSC.428(98), which “constitutes a crucial step in the acculturation of maritime transport to cybersecurity issues,” noted Laurent Banitz, head of the ship safety and cybersecurity mission (sub-directorate of ship safety and ecological transition, Directorate of Maritime Affairs [DAM], Ministry of Ecological Transition), in a publication of the CyberCercle. In his understanding, this resolution sets out the main lines of a security policy, using a risk analysis to deduce the rules and means of protection and defence of critical elements (for example, the ship’s navigation and propulsion management systems). However, he remains cautious, stating that “the picture is still at the sketch stage.” Olivier Jacq shares his view: “Resolution MSC.428(98), which came into force on 1 January 2021, still has a lot of concrete results to bear. I also expect a lot from version 2 of the NIS Directive.” The France Cyber Maritime expert also noted in his recent thesis, devoted to the concept of ‘Cyber Situational Awareness’ applied to the maritime world, that “from now on, processes exist to ensure the reporting of a maritime cyber event within the framework of the Voluntary Naval Cooperation (VNC). However, several studies agree that the level of cybersecurity in the maritime sector remains insufficient.” 

The challenge of remote control

Maritime cybersecurity is a very broad field, which is by nature difficult to grasp. Naval systems are “complex and highly computerised. Travels are governed by a long time frame, and the geographical area covered is global. We move from one continent to another, and there can be a lot of intermingling and interventions,” recalls David Brosset, lecturer and head of cybersecurity research at the French Naval Academy, in an interview published in September by the Brest-Iroise technology park. “The main difficulty in managing cybersecurity at sea is that there are no experts on board the ships. The cost would be too high for companies, against a risk that is still difficult to assess and integrate into normal practices. Moreover, since maritime systems are designed to operate for decades, securing old digital systems is a real challenge.”

Ships are exposed to many threats, including ransomware intrusion on board—a widespread attack today. A malicious program, introduced via a USB memory stick or email attachment, could, in addition to encrypting data, render many commands inoperable: “access to cabins, services and leisure; passenger boarding; propulsion; navigation; etc.,” details David Brosset. In 2017, Naval Dome, an Israeli cyberdefence solution provider, provided an edifying example of this type of attack, publishing the results of an experiment conducted on the Zim Genova, a 260-metre container ship. A single email that infected the captain’s computer was enough to compromise the ship’s navigation system, radars, and engine room management system. This was enough to divert the ship from its initial course, modify the radar displays on the bridge, and disable the engines…

Drones and autonomous ships at the forefront

The rise of maritime drones and of partially or fully automated ships is a new source of concern. Some key systems for these ships, such as the Automatic Identification System (AIS) and satellite positioning systems, can be subject to deception and jamming. “Jamming consists of transmitting on the same frequency and with a higher power than legitimate systems in order to deny access to the service: the loss of position and of knowledge of the environment can cause difficulties for ships,” explains Olivier Jacq. Deception is a more devious action: it consists of issuing false information either of position or time in the case of GPS, or much more extensive (falsification of the type of vessel, creation of ghost ships, etc.) in the case of AIS. “This last technique is often used for piracy, smuggling, or even for military purposes by certain countries,” continues the France Cyber Maritime expert. “These events, which we monitor within M-CERT, are quite frequent and can have unexpected consequences: stopping the operation of cargo landing cranes in ports (in 2013), as some brands depend on GPS to position themselves. There have also been recent cases of AIS deception in the Mediterranean, off the coast of California and, more frequently, near conflict zones.”

In the introduction to his thesis, Olivier Jacq imagined the scenario of a cruise ship, carrying several thousand people, falling victim to ‘digital hostage-taking’: “the captain can no longer manoeuvre, and all the screens on the bridge and in the engine control room display an unequivocal message: the shipowner must pay a high ransom or the ship will run aground on the coast at full speed.” Cybersecurity professionals must work hand in hand with maritime organisations, national navies, shipowners, port authorities, and equipment manufacturers to anticipate, prevent and, as a last resort, prepare for the mitigation of the effects of such scenarios.