Navionics customers could no longer access the Navionics server through their login credentials. L’application Navionics Boating, the chart installer and the Navionics chart viewer were all impacted. products could no longer be purchased directly from the Navionics website. Chartplotters could still be used as stand-alone devices during this Garmin failure, but the maps could no longer be downloaded or updated.
Jonathon Sweeney, program director at Red Sky Alliance, a partner of the British Maritime Safety Company Dryad Global in the field of cybersecurity, interviewed by the magazine Yachting Monthly spoke about the security of online navigation systems and the steps sailors can take to protect themselves against a cyber attack (see Sources)
Q. In light of the recent Garmin outage, how vulnerable is online browsing to a cyber attack ?
There is no online service that is not vulnerable to a cyber attack. Even devices that are " air-gapped » (intentionally disconnected from a network for security reasons) may be vulnerable to cyber attacks.
GPS consists of three parts : the receivers, satellites and ground stations. Each of these parts is vulnerable to attack. For example, if a hacker can tamper with the GPS receiver of a cell phone, it can make the device believe it is in another location, even if satellites and ground stations are not affected. It could affect an individual user.
If an attacker successfully activates ransomware (ransomware) on systems that keep the ground station running, it may interfere with the GPS capabilities of multiple users, unless redundant ground stations are available.
With the increase in operational technologies (OT – hardware and software that detect or cause a change through monitoring and / or direct control of devices, physical processes and events), Internet of Things technologies (IoT : the network of physical objects " things »Which are integrated into sensors, software and other technologies for the purpose of connecting and exchanging data with other devices and systems on the Internet), and the increase in connected devices, these systems will only become more vulnerable.
Q. How vulnerable is the GPS network to attacks, such as GPS spoofing ?
It's not something any teenager in their basement is likely to target. Although it is possible, hacking a GPS network requires a relatively high level of skill. As students from the University of Texas at Austin demonstrated in 2013, GPS spoofing can be achieved by neutralizing signals from satellites and replacing them with the hacker's signal. As we saw during the Garmin failure, it was a "WastedLocker" ransomware attack (¹) Thought to be carried out by an organized group known as EvilCorp, and not from any lucky individual.
The greatest vulnerability in this chain of systems is at the receiver. It is possible to hack a satellite and / or ground systems, but it is much easier to target the receptor, and much less likely to trigger intrusion alarms.
Q. What is the probability that the above scenarios will happen ?
In a word, it's unlikely. There has been evidence of feasibility, but attackers do not seem to target these systems. This is because there are other, simpler and easier ways to make a profit or harm a business. The easier it will be to target these systems, the more likely the attacks will become. The most likely scenario would be that of a hostile country spoofing a ship's GPS to induce it to wander in restricted territory. He could then seize this ship for political reasons, financial or other, by claiming that it entered its territorial waters illegally.
Another scenario is where hackers target a ship with innocent civilians and interfere with GPS for the sake of notoriety or profit.. Here again, the more companies that depend on connected systems for their GPS, the more likely an attacker will benefit from it.
Q. Are the government and the private sector doing enough to mitigate the threat of an attack on online browsing networks ?
No. Neither the public nor the private sector are doing enough to reduce the threat to navigation systems. If history is to be believed, it will take a much larger event than the Garmin outage to trigger a change in this area.
If a cruise ship were to run aground in the middle of the ocean without a navigation system due to a cyber attack, it might make people pay more attention. But with all that's going on in the world, many companies and public agencies are already strained.
If Garmin and other public sector organizations did enough to secure their systems, there might still have been a cyber attack, but the damage would not have resulted in a breakdown, and even less the Garmin outage which lasted several days.
This is where redundancy and backups come in., but which cost time, money, and other resources are strained.
Governments are also not doing enough to prosecute abusers. Groups like EvilCorp are so successful because they can stay safe in their country and they can commit cyber attacks knowing they will not be prosecuted or punished.. The pressure exerted on these safe countries is far from sufficient for these aggressors to be handed over to the competent authorities.
As with all aspects of navigation, following "best practices" is the safest way to ensure your route is planned.. Most of us navigate using multifunction devices, phones and tablets, and even drones. But can electronic backup devices replace them…?
Q. Should boaters be concerned about the threat of a cyber attack and its impact on online browsing ?
For the moment, I wouldn't be worried as a competent sailor. First of all, boaters are much less likely to be targeted, because an aggressor would gain little from attacking an individual (unless it is rich and / or famous). In addition, if a recreational sailor gets stranded, he can call the surveillance and rescue services to assist him. If an attacker targets the GPS of a maritime rescue vessel, the situation can become much more complex.
At last, boaters should already know how to operate their boat in the event of an electronics failure, which would make them a less attractive target (²).
Q. How can a boater recognize that their electronic navigation has been compromised ?
The short answer is that a boater probably wouldn't know until it is too late., that is, it has reached a wrong destination. The problem with identity theft is that the receiver "thinks" that it is still working fine and therefore can never display an alarm that something is wrong.. Here are some things to watch out for :
- abnormally functioning systems (providing unusual data, making abnormal noises, displaying security alerts, aso.)
- Screen navigation does not match visual navigation (the trajectory of the vessel seems incorrect).
- Damage to systems : overheating of devices, apps / software not loaded, aso.)
A "good" sailor would always have navigation charts, a mobile phone and a VHF radio on board his pleasure boat.
Q. What measures can boaters take to remedy this situation? ?
Buy systems from suppliers who have implemented a certain level of security in their systems. Be attentive and aware of the threats common to these types of systems. They are not a big target at the moment, but again, this may change in the future. Keep all systems online up to date with the latest updates and software patches. This is often difficult for the uninitiated, but many attackers take advantage of vulnerabilities that have been public for years.
Q. Can Online Surfing Be Really Safe ?
Sure ? Yes. Inviolable ? No ! Nothing that is "online" is ever invincible to cyber attacks, but there are ways to secure communications between the three systems, like strong encryption. It is necessary to remove the default passwords from all navigation systems. It is also essential to create redundant backup systems and non-digital safes as often as possible..
Ironically, one of the ways many businesses secure themselves is to pay someone to break into these systems and then tell them how to stop an attacker from doing the same. (what is called a penetration test).