Cyberattacks and boating

Garmin was the victim of a cyber attack that began on 23 last July and lasted several days. The resulting outage disrupted many of its online services.

Navionics customers could no longer access the Navionics server via their login credentials. L’application Navionics Boating, the Navionics chart installer and chart viewer have all been impacted. products could no longer be purchased directly from the Navionics website. Chartplotters could still be used as standalone devices during this Garmin outage, but the maps could no longer be downloaded or updated.

Jonathon Sweeney, Program Director at Red Sky Alliance, A partner of the British Maritime Safety Society Dryad Global in the field of cybersecurity, interviewed by the magazine Yachting Monthly spoke about the security of online navigation systems and the steps that seafarers can take to protect themselves against a cyber-attack (see : Source)

Q. In light of the recent Garmin outage, How vulnerable is online browsing to a cyber-attack ?

There is no online service that is not vulnerable to a cyber-attack. Even devices that are " air-gapped » (intentionally disconnected from a network for security reasons) may be vulnerable to cyber-attacks.

GPS consists of three parts : Receptors, satellites and ground stations. Each of these parties is vulnerable to attack. For example, whether a hacker can tamper with a mobile phone's GPS receiver, it can trick the device into thinking it's in another location, even if satellites and ground stations are not affected. This could affect an individual user.

If an attacker successfully activates ransomware (ransomware) on the systems that keep the ground station in operation, this can interfere with the GPS capabilities of multiple users, unless redundant ground stations are available.

With the increase in operational technologies (OT – hardware and software that detect or cause change through direct monitoring and/or control of devices, Physical processes and events), Internet of Things technologies (Iot : The network of physical objects " Things " that are integrated into sensors, computer software and other technology for the purpose of connecting and exchanging data with other devices and systems on the Internet), and the rise of connected devices, These systems will only become more vulnerable.

Q. How vulnerable is the GPS network to attacks, such as GPS spoofing ?

It's not something that any teenager in their basement is likely to target. Although this is possible, hacking a GPS network requires a relatively high level of skill. As students at the University of Texas at Austin demonstrated in 2013, GPS spoofing can be carried out by neutralizing signals from satellites and replacing them with the hacker's signal. As we saw during the Garmin outage, It was a " WastedLocker (¹) " believed to be the work of an organized group known as EvilCorp, and not from any lucky individual.
The biggest vulnerability in this chain of systems is at the receiver level. It is possible to hack into a satellite and/or ground systems, But it's much easier to target the receptor, and much less likely to trigger intrusion alarms.

Q. How likely are the above scenarios to come true? ?

In a nutshell, It's unlikely. There has been proof of feasibility, But the attackers do not seem to be targeting these systems. This is because there are other, simpler and easier ways to make a profit or hurt a business. The easier it will be to target these systems, the more likely attacks will become. The most likely scenario would be that of a hostile country spoofing a ship's GPS to encourage it to wander in restricted territory. He could then seize this ship for political reasons, financial or other, claiming that it has illegally entered its territorial waters.

Another scenario is where hackers target a ship with innocent civilians and interfere with the GPS for the sake of notoriety or profit. Here again, the more companies that depend on connected systems for their GPS, the more likely it is that an attacker will take advantage of it.

Q. Are governments and the private sector doing enough to mitigate the threat of an attack on online browsing networks? ?

No. Neither the public nor the private sector is doing enough to reduce the threat to navigation systems. If history is to be believed,, it will take a much bigger event than the Garmin failure to trigger a change in this area.
If a cruise ship were to run aground in the middle of the ocean without a navigation system because of a cyber-attack, This could encourage people to pay more attention. But with everything that's going on in the world, Many companies and public agencies are already under strain.
If Garmin and other public sector organizations were doing enough to secure their systems, There might have been another cyber-attack, But the damage would not have led to a breakdown, and even less the failure of Garmin which lasted several days.
This is where redundancy and backups come into play, but which cost time, Money, and other resources are being stretched.

Governments also do not do enough to prosecute abusers. Groups like EvilCorp are so successful because they can stay safe in their country and they can commit cyber-attacks knowing that they won't be prosecuted or punished. The pressure exerted on these countries is far from sufficient for these aggressors to be handed over to the competent authorities.

As with all aspects of navigation, Following "best practices" is the surest way to ensure your route is planned. Most of us navigate using multifunction devices, Phones and tablets, and even drones. But can electronic backup devices replace it?…?

Q. Should boaters be worried about the threat of a cyber-attack and its impact on online browsing? ?

For now, I wouldn't be worried as a competent recreational sailor. First of all, Boaters are much less likely to be targeted, because an aggressor would not gain much by attacking an individual (unless the latter is rich and/or famous). In addition, If a recreational sailor gets stuck, He can call the surveillance and rescue services to assist him. If an attacker targets the GPS of a maritime rescue vessel, The situation can become much more complex.
Finally, Boaters should already know how to operate their boat in the event of an electronics failure, which would make it a less attractive target (²).

Q. How can a boater recognize that their e-navigation has been compromised ?

In short, the answer is that a boater probably wouldn't know until it's too late, that is, that he has reached a wrong destination. The problem with spoofing is that the receiver "thinks" that it is still working properly and therefore can never display an alarm that something is wrong. Here are a few things to watch out for :

  • abnormally functioning systems (providing unusual data, emitting abnormal noises, displaying security alerts, aso.)
  • On-screen navigation does not match visual navigation (The ship's trajectory appears to be incorrect).
  • System Damage : Overheating of devices, Unloaded applications/software, aso.)

A "good" sailor would always have navigational charts, a mobile phone and a VHF radio on board his pleasure boat.

Q. What steps can boaters take to alleviate this situation? ?

Purchase systems from vendors that have implemented a certain level of security in their systems. Be alert and aware of the threats common to these types of systems. They are not a major target at the moment, but then again, This is likely to change in the future. Keep all online systems up to date with the latest software updates and patches. This is often difficult for the uninitiated, But many attackers take advantage of vulnerabilities that have been public for years.

Q. Can online browsing be really safe ?

Safe ? Oui. Inviolable ? No ! Nothing "online" is ever invincible to cyber-attacks, But there are ways to secure communications between the three systems, like strong encryption. It is necessary to remove default passwords from all navigation systems. It is also essential to create redundant backup systems and non-digital vaults as often as possible.
Ironically, One of the ways many companies secure themselves is by paying someone to break into these systems and then telling them how to stop an attacker from doing the same (what is called a penetration test).

(Source) Yachting Monthly via Geogarage blog

———
(¹) Ransomware: Everything you need to know
(²) About alignments and sextant
———

Facebooktwitterlinkedinmail

One Reply to "Cyber-attacks and boating”

Comments are closed.