Integrity of Integrated Navigation Systems

IEEE CNS 2018 - IEEE International Workshop on Cyber-Physical Systems Security (CPS-SEC)

Mass Soldal Lund∗, Jørgen Emil Gulland†, Odd Sveinung Hareide‡§, Øyvind Jøsok∗¶, Karl Olav Carlsson Weum†
∗ Norwegian Defence University College, Cyber Academy
† Norwegian Defence University College, Royal Norwegian Naval Academy
‡ Royal Norwegian Navy, Navigation Competence Center
§ Norwegian University of Science and Technology, Joint Research Program in Nautical Operations
¶ Inland Norway University of Applied Sciences, Faculty of Social and Health Sciences

978-1-5386-4586-4/18/$31.00 ©2018 IEEE

Abstract—Computerized systems are revolutionizing modern ships’ bridges and maritime operations. Central components in this are Integrated Navigation Systems (INS) and Electronic Chart Display and Information Systems (ECDIS), which provide the maritime navigator with the ship’s position and display it in electronic charts. The integrity of these systems is of great importance for the safety and security of maritime operations, but is a little studied topic. In this paper we investigate the integrity of navigation systems through a survey of INS’s on the market (n=22), a survey of known cyber incidents and attacks targeting the integrity of navigation systems, and a discussion of cryptographical measures to ensure the integrity of navigation data in INS’s.

I. INTRODUCTION

Modern ships are equipped with Integrated Bridge Systems (IBS). An IBS is “a combination of systems which are interconnected in order to allow centralized access to sensor information or command/control from workstations, with the aim of increasing safe and efficient ship’s management by suitably qualified personnel” [1]. In other words, an IBS is an integration of systems that enables monitoring and control of a ship and its operation from the bridge. The systems integrated usually include navigation systems, communication systems and engine control systems, but may also be surveillance systems (CCTV), entertainment systems, and in the case of naval ships, damage control systems and weapon systems.

These computerized ship’s bridges represent a technological revolution for maritime navigation. Historically, the main task for the navigator was to find and fix the position of the vessel, while today’s navigator monitors the vessel’s position obtained by navigation sensors and presented by navigation software [2].

This paper concentrates on navigation systems. Maritime navigation systems connected through onboard networks are referred to as Integrated Navigation Systems (INS) [3]. In an INS, sensors used in navigation such as GPS, gyroscope, depth sensors, etc. are connected to workstations equipped with software for displaying electronic charts, known as Electronic Chart Display and Information Systems (ECDIS) [4]. The ECDIS software shows the position of the vessel in the chart using data from the navigation sensors, as well as the positions of nearby vessels based on data received through the Automatic Identification System (AIS) [5]. In addition, ECDIS software has functionality for route planning and route monitoring.

It seems obvious that the integrity of INS’s is of great importance for safe and secure operations in the maritime domain [2], [6], [7]. Still, little concrete is said about this in the emerging literature on maritime cyber security. Much of what is written is on a general level, e.g. applying general cyber security considerations to maritime systems, or focusing mainly on policy (see e.g. [8] or [9] for several examples of both categories). In particular, references to reported incidents, attacks and vulnerabilities are scarce and the same few examples are cited again and again.

In this paper we present a survey of the security of INS’s, with an emphasis on integrity. We start by surveying INS’s available on the market (n=22) in Section II. Based on the findings we describe a prototypical INS. Then, in Section III we survey reported attacks and incidents targeting the integrity of INS’s, while in Section IV we discuss cryptographic countermeasures. Finally, in Section V we provide conclusions.

II. INTEGRATED NAVIGATION SYSTEMS (INS)

An INS is an integration of navigation sensors with workstations equipped with ECDIS. This section documents a survey into INS’s. We start by describing the method of the survey before we go on to present the findings. Finally, the findings are used to define a prototypical INS.

A. Method

One INS was studied in detail as part of the development of a maritime cyber security demonstration (see Section III). For this INS we had access to an installation of the system, experts on the system, technical documentation, and capture of internal network traffic (see [2], [10] for details). Through Internet searches we identified a further 34 providers of navigation and bridge systems and gathered as much information on their systems as possible. This resulted in a catalog of mostly brochures, but in some instances also quite detailed technical documentation. These brochures and other documents were analyzed to extract information on a number of topics (identical to the sub-sections of Section II-B).

Among the 35 providers there is a wide range in what is offered, from full ship integration to navigation sub-systems. In theory it makes sense to view an IBS as a system of systems with the INS as one of its systems. In practice, however, not all providers make a clear distinction between an INS and an IBS – perhaps because navigation is such an integral part of the daily work on a bridge. In order to have a criterion for the inclusion or exclusion of any given provider’s system (henceforth referred to as a “solution”) in the study, we decided that the minimum requirement to be included was that a solution provide at least navigation hardware (e.g. workstations and sensors) and navigation software (e.g. ECDIS). This can be seen as a working definition of INS’s for the purpose of this study, even though it may differ from definitions given by the International Maritime Organization (IMO) [3].

Of the initial 35 solutions we excluded one providing maritime computers but no navigation system as such (e.g. no navigation software), one providing ship integration systems but no navigation system, and one providing navigation software but no hardware. Of the remaining 32 solutions, we judged that for ten of them the information we were able to find was too scarce to provide useful answers. These ten solutions were therefore excluded from the study, and we ended up with a selection of 22 solutions. A list of the providers of the included solutions is given in the Appendix.

B. Findings

In the following the findings of the survey are presented, divided into six topics: workstations, sensor integration, network, radar, autopilot, and Internet connection.

1) Workstations: All 22 solutions provide workstations for the crew of the bridge. These are invariably standalone computers running software locally, i.e. what we would think of as thick clients. In five of the solutions these workstations are ECDIS consoles, i.e. workstations used for chart display only, while 15 of the solutions provide multi function workstations (MFW). MFW’s, often also called multi function displays (MFD), are workstations which allow the operator to switch between ECDIS display, radar display and conning display. For the remaining two solutions it is unknown whether the workstations are ECDIS consoles or MFW’s. Some of the solutions are bridge systems that integrate other systems in addition to navigation systems, but it seems that in most cases MFW’s are still navigation workstations providing ECDIS, radar and conning displays, while other functions such as engine control or CCTV have separate workstations/consoles.

In eleven of the solutions, the operating system of the workstations is specified as Microsoft Windows, nine as Windows XP, Windows Vista and/or Windows 7, two as just Windows. While it must be taken into account that many of the documents collected in the survey are several years old, this finding is consistent with reports that Windows XP is often encountered on operating ships [7], [11]. For one of the solutions, the operating system is specified as Linux, while for the remaining ten, the operating system cannot be determined from the available information.

2) Sensor integration: A main feature of an INS is the integration, interpretation and presentation of sensory input in navigation software such as ECDIS. By sensor integration we understand the means by which data from sensors such as GPS, gyroscope, echo sounder or AIS receiver are provided to the workstations. These sensors have serial output, usually conforming to the IEC 61162-1/NMEA 0183 standard for maritime navigation devices [12]. The large majority (18) of the solutions in the study provide some kind of sensor integration unit, though given different names such as Data Distribution Unit, Data Acquisition Unit, Data Collection Unit, Sensor Concentration Unit, etc. Common for these units is that they receive data from the navigation sensors through serial interfaces and provide a single source of sensory data for the workstations. Three of the solutions do not provide sensor integrator units and thus the sensors have direct serial connections to the workstations.

3) Network: One of the solutions is a standalone ECDIS workstation with sensors connected to serial ports. However, any solution more complex than this will need various components communicating somehow; thus the rest of the solutions are networked in one way or another. Their networks connect sensor integration units to the workstations, they interconnect workstations for exchange of data (e.g. sensor data, routes and chart updates), and they connect the INS to other onboard systems such as the ship’s communication system. The exact configuration varies, but in 19 of the solutions the network is some sort of IP-based Ethernet LAN. Also in the standalone solution, the workstation is fitted with Ethernet ports enabling IP-based networking. That IP-based Ethernets are the dominating networking technology in navigation networks is also confirmed by [13]. One solution employs a CAN-bus network, a multi-master serial bus system originally developed by the automotive industry for use in cars [14]. In the remaining solution the network protocol is unknown. In nine of the solutions, the networks connecting sensor integration units to workstations are described as dual or redundant.

Which communication protocols are utilized in the navigation networks is to a large extent unspecified in the information collected, but TCP is used in at least three solutions and UDP in at least six solutions, including two which claim to adhere to the IEC 61162-450 “Lightweight Ethernet (LWE)” standard for shipboard networks. LWE is based on a single switched Ethernet and UDP multicast [12], [13].

4) Radar: In 16 of the solutions, integration of radar is described. A radar is different from the other kinds of sensors in an INS in that its data is in the form of pictures, while the other sensors transmit numerical and textual data. For this reason radars are treated differently than other sensors, and only one of the solutions has radar connected to the sensor integration unit. Of the remaining 15, twelve have radars connected to the workstations through a network – either a separate network or the same network as the sensor integration units – while in three of the solutions radar is connected directly to workstations by some other means.

5) Autopilot: A feature described in several (eight) of the solutions is the integration of an autopilot with the route planning functionality of the ECDIS software, i.e. the possibility of having the autopilot steer the ship to follow a route defined in
the ECDIS. This obviously means that the autopilot unit has to receive commands from a workstation, and for a couple of the solutions these commands are described as being transmitted over the network. Unfortunately, the information collected is too sparse to say anything more concrete on this topic.

6) Internet connection: Navigation charts are updated on a regular basis; navigation systems therefore need to receive regular chart updates. Furthermore, third party software, such as the Windows operating system, is also in need of regular updates and patching. It has been common to install updates using physical media such as CDs or USB flash drives. However, ships are now increasingly being equipped with Internet connections over satellite and/or 4G broadband (for use when sailing close to shore) [11], [15], [16]. Of the solutions in the study, twelve report the possibility of providing the INS with an Internet connection for online chart updates, in most cases by providing a gateway from the network of the INS to the communication system of the ship. In five of the cases it is specified that this gateway is also a firewall.

C. Summary

The findings are summarized in Table I. While there clearly are variations in the concrete configurations of the different INS’s, it is also possible to identify a number of typical traits. We use these to describe a prototypical INS, illustrated in Fig. 1. The typical situation is that one or more Ethernets are employed to connect the various components of the INS. The most central of these components are (multi function) workstations and a sensor integration unit (or sometimes two for redundancy), but also radar and autopilot may be connected to the network. In addition there may be a gateway to other systems on the ship, which may also include an Internet connection.

TABLE I
SUMMARY OF FINDINGS

Workstations:               Multi function 15, ECDIS 5, Unknown 2
Operating system:           Windows 11, Linux 1, Unknown 10
Sensor integration:         Yes 18, No 3, Unknown 1
Networking:                 Ethernet 20, CAN-bus 1, Unknown 1
Radar:                      Networked 13, Direct 3, Unknown 6
ECDIS controlled autopilot: Yes 8, Unknown 14
Internet connection:        Yes 12, Unknown 10

III. ATTACKS AND INCIDENTS

The largest concern with navigation systems has so far been the threat of GPS spoofing, i.e. attacks where navigation systems are fooled by the transmission of false GPS signals [17], [18], [19]. While GPS spoofing can pose a threat toward the integrity of the GPS position calculated by the vessel’s GPS receiver and thus a threat toward the integrity of the position displayed in the electronic charts of the vessel, it is not a threat toward the integrity of an INS itself.

However, there also exist examples of threats to the integrity of navigation systems. Electronic charts are often updated using USB flash drives. For example, [15] reports a case in which an ECDIS console on board a large tanker was infected by malware when charts were updated in such a way. As we have seen, INS’s are increasingly often connected to the Internet for online chart updates. In [11], it is demonstrated how this can be exploited to launch an attack on navigation software.

In a maritime cyber security demonstration conducted in August 2017, we infected a workstation of an INS using a USB device simulating mouse and keyboard. The malware installed could intercept and manipulate GPS coordinates transmitted to the workstation from the sensor integration unit through the network. Thus, the malware could alter the position that appeared in the ECDIS software (see [2], [10] for details). A demonstration similar to ours, though using an Internet connection for delivery, was reported in December 2017 [20].

During our demonstration we also experimented with connecting a small computer (Raspberry Pi) to a switch in the network of the INS. By sending GPS coordinates to the network we showed that the workstations were not able to distinguish these coordinates from GPS coordinates sent by the sensor integration unit. Furthermore, by increasing the frequency of the transmissions we were in effect able to override the sensor integration unit.

IV. CRYPTOGRAPHIC COUNTERMEASURES

The performance standards for INS’s from the IMO require that the systems implement “integrity monitoring” in the form of comparison between redundant sources of navigation data [3]. While this may be sufficient to safeguard against malfunctioning devices, it seems insufficient for protection against cyber attacks; if an INS is compromised there is no reason why data from several sources cannot be manipulated.

In the following we discuss potential cryptographic means to protect the integrity of data in an INS. We restrict the discussion to data sent from the sensor integration unit to the workstations, though similar challenges will apply to data sent from radar to workstations, between workstations, or from workstations to the autopilot. Based on the prototypical INS described in Section II-C and the threats implied by Section III, certain requirements for the cryptographic countermeasures can be derived: (1) It seems reasonable to assume that data is distributed by multicast; thus the countermeasures should be suited for multicasts. (2) Although we have documented that Internet connections are increasingly common, this cannot always be assumed; we therefore want the countermeasures to work also for offline/air-gapped systems. (3) The countermeasures should protect against man-in-the-middle attacks (manipulation or fabrication of navigation data). (4) The countermeasures also should protect against
replay attacks (navigation data captured and retransmitted at a later point in time). (5) While the sensor integration unit may be assumed to be a hardware device, workstations must be assumed to be regular computers running (potentially old and unpatched) Windows installations; we therefore want the countermeasures to provide protection even when workstations are compromised.

Fig. 1. Prototypical Integrated Navigation System [diagram: sensors with serial interfaces (GPS, gyro, AIS) connected to a sensor integration unit; multi function workstations, sensor integration unit, radar, autopilot and a gateway to other systems on an Ethernet LAN]

Requirements (1) and (3) point toward a solution using public key cryptography. The sender (i.e. the sensor integration unit) cryptographically signs the messages with a private key while the multiple receivers (workstations) verify the signatures using a copy of the corresponding public key. Requirement (4) can be met by including a sequence number or time stamp in the signed messages. Requirement (2) will rule out a standard PKI solution relying on an online Certificate Authority (CA). Drawing on insights from wireless sensor networks (WSN) there seem to be two main options: (A) A simplified PKI solution with a single root CA, or (B) an identity-based signature scheme [21].

In option (A), a key-pair of a secure key sk and a public key pk is generated and installed in the sensor integration unit. pk is signed by the secure key sk_CA of an offline root CA (e.g. the INS provider or the shipowner) to produce a certificate C for the sensor integration unit. C is installed in the sensor integration unit and distributed to the workstations through the network. The certificate C_CA of the CA is installed in the workstations, which use C_CA to verify C and C to verify messages from the sensor integration unit.

Option (B) is an identity-based signature scheme [22]. In this scheme the secret key sk is generated by an offline key generator center (again, the INS provider or shipowner) from a random seed known only to the center, and the identity i of the sensor integration unit (e.g. a serial number or MAC address). As in (A), sk is installed in the sensor integration unit, which uses it to sign messages. In contrast to (A), the identity i is in itself the public key; no certificate is needed as its authenticity can be assured by inspection. i is installed in the workstations and used to verify the messages of the sensor integration unit.

One challenge remains. In both cases the integrity of the means of verification (C_CA in the case of (A) and i in the case of (B)) must be ensured once installed in the workstations, but requirement (5) prevents us from relying on their operating system for this. We suggest the solution may be to store these values in tamper proof Hardware Security Modules (HSM) [23] from which the ECDIS software can retrieve them (or possibly perform the verification in a secure environment). Application of removable HSM’s may also ease the distribution and installation of the certificates or identities.

Clearly, none of the options provide a 100 % guarantee for the integrity of the navigation data. Under the assumption that the workstations may be compromised, no such guarantees are possible. If an adversary can manipulate the operating system of the workstations, then he/she can potentially also manipulate the navigation software. However, we still hold that the suggested cryptographic countermeasures will add a layer of security, as we can reasonably assume that the manipulation of a proprietary ECDIS application will be harder than the manipulation of an insufficiently protected Windows installation.

V. CONCLUSIONS

As Integrated Navigation Systems (INS) and Electronic Chart Display and Information Systems (ECDIS) become the standard on modern seagoing vessels, replacing the traditional paper charts, the integrity of these systems becomes increasingly important for the safety and security of maritime operations. This paper has made an investigation into the integrity of currently available INS’s. This investigation has taken the form of a survey into 22 INS’s available on the market, as well as a survey of known cyber incidents and attacks with consequences for the integrity of navigation systems. These surveys show that in general, the integrity of INS’s is not sufficiently protected.

Based on the survey of INS’s we described a prototypical INS. This prototypical INS was used as the basis for a discussion of cryptographical measures to improve the protection of the integrity of navigation data in INS’s. This discussion provided a set of requirements, and two possible options for their fulfillment: a simplified PKI solution and an identity-based solution, both combined with the use of Hardware Security Modules (HSM). While guaranteed security is unobtainable, we believe cryptographic countermeasures as we have sketched represent a potential for improving the integrity of INS’s.

APPENDIX

Navigation system providers included in the study:

Astronautics
Böning
Consilium
Danelec Marine
Furuno
GEM
iXblue
Kelvin Hughes
Kongsberg
L3 MAPPS
Larsen & Toubro
Marine Technologies
Northrop Grumman Sperry Marine
OSI Maritime Systems
Praxis
Raytheon Anschütz
Rolls-Royce
SIMRAD
Tokyo Keiki
Transas
Wärtsilä Valmarine
YALTES

ACKNOWLEDGMENTS

The work on which this paper reports was partially funded by the Norwegian Armed Forces CD&E grant EP1710 and partially by the Royal Norwegian Naval Academy R&D grant.

REFERENCES

[1] Resolution MSC.64(67): Adoption of new and amended performance standards, International Maritime Organization (IMO), 1996.
[2] O. S. Hareide, Ø. Jøsok, M. S. Lund, K. Helkala, and R. Ostnes, “Enhancing navigator competence by demonstrating maritime cyber security,” Journal of Navigation, 2018, to appear.
[3] Resolution MSC.252(83): Adoption of the Revised Performance Standard for Integrated Navigation Systems (INS), International Maritime Organization (IMO), 2007.
[4] Resolution MSC.232(82): Adoption of the Revised Performance Standards for Electronic Chart Display and Information Systems (ECDIS), International Maritime Organization (IMO), 2006.
[5] A. Norris, Integrated Bridge Systems Vol 1: Radar and AIS. The Nautical Institute, 2008.
[6] C. Demchak, K. Patton, and S. J. Tangredi, “Why are our ships crashing? Competence, overload, and cyber considerations,” Center for International Maritime Security, Aug. 25, 2017. [Online]. Available: http://cimsec.org/ships-crashing-competence-overload-cyber-considerations
[7] K. D. Jones, K. Tam, and M. Papadaki, “Threats and impacts in maritime cyber security,” Engineering & Technology Reference, Apr. 22, 2016.
[8] Proceedings of the Marine Safety & Security Council, the Coast Guard Journal of Safety & Security at Sea. Special Issue on Cybersecurity, vol. 71, no. 4, U. S. Coast Guard, Winter 2014–2015.
[9] J. Direnzo, III, N. K. Drumiller, and F. S. Roberts, Eds., Issues in Maritime Cyber Security. Westphalia Press, 2017.
[10] M. S. Lund, O. S. Hareide, and Ø. Jøsok, “An attack on an Integrated Navigation System,” in review, 2018.
[11] Y. Dyryavyy, Preparing for Cyber Battleships – Electronic Chart Display and Information Systems Security, NCC Group, 2014.
[12] Ø. J. Rødseth, M. J. Christensen, and K. Lee, “Design challenges and decisions for a new ship data network,” in Proc. International Symposium Information on Ships (ISIS 2011). Deutsche Gesellschaft für Ortung und Navigation e.V., 2011, pp. 149–168.
[13] M. J. Christensen and Ø. J. Rødseth, “Lightweight Ethernet – a new standard for shipboard networks,” Digital Ships, Dec. 2010.
[14] CAN in Automation (CiA). CAN knowledge. [Online]. Available: https://www.can-cia.org/can-knowledge/
[15] C. Baraniuk, “How hackers are targeting the shipping industry,” BBC News, Aug. 18, 2017. [Online]. Available: http://www.bbc.com/news/technology-40685821
[16] Maritime cyber-risks: Virtual pirates at large on the cyber seas, Whitepaper, CyberKeel, 2014.
[17] D. Goward, “Mass GPS spoofing attack in Black Sea?” The Maritime Executive, Jul. 11, 2017. [Online]. Available: http://maritime-executive.com/editorials/mass-gps-spoofing-attack-in-black-sea
[18] L. Kugler, “Why GPS spoofing is a threat to companies, countries,” Commun. ACM, vol. 60, no. 9, pp. 18–19, 2017.
[19] M. L. Psiaki and T. E. Humphreys, “GPS lies,” IEEE Spectr., vol. 58, no. 8, pp. 26–32, 52–53, 2016.
[20] V. Wee, “Naval Dome exposes vessel vulnerabilities to cyber attack,” Seatrade Maritime News, Dec. 22, 2017. [Online]. Available: http://www.seatrade-maritime.com/news/europe/naval-dome-exposes-vessel-operational-vulnerabilities-to-cyber-attack.html
[21] K.-A. Shim, “A survey of public-key cryptographic primitives in wireless sensor networks,” IEEE Commun. Surveys Tuts., vol. 18, no. 1, pp. 577–601, 2016.
[22] A. Shamir, “Identity-based cryptosystems and signature schemes,” in Proc. Advances in Cryptology (CRYPTO’84), ser. Lecture Notes in Computer Science, no. 196. Springer, 1985, pp. 47–53.
[23] L. Sustek, “Hardware Security Module,” in Encyclopedia of Cryptography and Security. Springer, 2011, pp. 535–538.
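
Option (A) of Section IV combined with the sequence number of requirement (4), run against the altered, replayed and extra-node traffic described in Section III, as an added example that is not code from the paper or from any INS vendor. Assumptions: Ed25519 as the signature algorithm (the paper names none), the certificate C reduced to the root CA's signature over pk, an 8-byte sequence number prefixed to each sentence, and constructed keys and NMEA sentences; all type and function names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

var ErrCert = errors.New("unit key not certified by the root CA")
var ErrSig = errors.New("bad signature or no unit key installed")
var ErrReplay = errors.New("sequence number not newer than last accepted")

// Msg is one signed datagram; Seq gives the replay protection of requirement (4).
type Msg struct {
	Seq      uint64
	Sentence string // IEC 61162-1 / NMEA 0183 sentence
	Sig      []byte
}

// Workstation holds pkCA (which the paper would keep in an HSM) and receiver state.
type Workstation struct {
	pkCA, pk ed25519.PublicKey
	lastSeq  uint64
}

// msgBytes is the signed byte string: 8-byte big-endian Seq, then the sentence.
func msgBytes(seq uint64, s string) []byte {
	b := make([]byte, 8, 8+len(s))
	binary.BigEndian.PutUint64(b, seq)
	return append(b, s...)
}

// Sign runs in the sensor integration unit, which holds the secret key sk.
func Sign(sk ed25519.PrivateKey, seq uint64, s string) Msg {
	return Msg{seq, s, ed25519.Sign(sk, msgBytes(seq, s))}
}

// InstallCert accepts pk only if cert is the root CA's signature over it.
func (w *Workstation) InstallCert(pk ed25519.PublicKey, cert []byte) error {
	if len(pk) != ed25519.PublicKeySize || !ed25519.Verify(w.pkCA, pk, cert) {
		return ErrCert
	}
	w.pk = pk
	return nil
}

// Accept checks origin and integrity first, then freshness.
func (w *Workstation) Accept(m Msg) error {
	if w.pk == nil || !ed25519.Verify(w.pk, msgBytes(m.Seq, m.Sentence), m.Sig) {
		return ErrSig
	}
	if m.Seq <= w.lastSeq {
		return ErrReplay
	}
	w.lastSeq = m.Seq
	return nil
}

// Demo feeds constructed genuine, altered, replayed and extra-node traffic to one workstation.
func Demo() [6]error {
	pkCA, skCA, _ := ed25519.GenerateKey(rand.Reader) // offline root CA
	pk, sk, _ := ed25519.GenerateKey(rand.Reader)     // sensor integration unit
	rpk, rsk, _ := ed25519.GenerateKey(rand.Reader)   // extra node on the switch
	ws := &Workstation{pkCA: pkCA}
	fix := Sign(sk, 1, "$GPGLL,5958.00,N,01030.00,E,120000.00,A")
	moved := Msg{2, "$GPGLL,5900.00,N,01030.00,E,120001.00,A", fix.Sig}
	return [6]error{
		ws.InstallCert(pk, ed25519.Sign(skCA, pk)),  // nil
		ws.Accept(fix),                              // nil
		ws.Accept(moved),                            // ErrSig: position altered
		ws.Accept(fix),                              // ErrReplay
		ws.InstallCert(rpk, ed25519.Sign(rsk, rpk)), // ErrCert: self-signed
		ws.Accept(Sign(rsk, 3, moved.Sentence)),     // ErrSig: uncertified key
	}
}

func main() { fmt.Println(Demo()) }
```

A deployed receiver would also have to keep lastSeq across restarts, or use the time stamp the paper mentions instead, because a counter that resets to zero accepts old captures again.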
