Maritime security lab helps defend against cyber attacks

Cyber attacks on industry and critical infrastructure are on the rise across the globe. Targets also include ships, which, by transporting billions of tons of goods around the world each year, form part of international supply chains — yet their onboard IT systems often lack secure protection.

For six days in 2021, the Suez Canal — a narrow waterway connecting the Red Sea and the Mediterranean Sea and an important trade route between locations such as China and Europe — was blocked by the container ship Ever Given. A single stricken cargo vessel caused tremendous congestion, with several hundred other container ships stuck as they waited to get through. This in turn had implications for international trade, as the resulting delays led to a shortage of containers at ports, threw schedules into several months of disarray and held up shipments.

This incident showed just how dependent we are on maritime bottlenecks like the Suez Canal: if a key trade route is blocked for more than a few days, this has a direct and disruptive impact on production and supply. And while Ever Given did not run aground because of a cyber attack, it is not hard to imagine what could happen in the event of a successful attack on the digital navigation and communication systems onboard one or more cargo ships.

To raise awareness of the risks of inadequate cybersecurity at sea and help develop defensive solutions for guarding against cyber attacks, the Maritime Cyber Security research group at the Fraunhofer Institute for Communication, Information Processing and Ergonomics FKIE has teamed up with the Fraunhofer Center for Maritime Logistics and Services CML to set up a modular maritime security lab. This simulates cyber attacks on ships to find ways to detect and defend against attacks.

Ships as potential targets

Ships increasingly require networking technology in general — whether for finding the best way to navigate routes, monitoring goods or allowing the crew to contact home. This makes maritime systems all the more vulnerable to cyber attacks. As explained by Dr Jan Bauer, Head of the Maritime Cyber Security research group, three different kinds of attacks are conceivable.

“Generic attacks are not aimed specifically at ships and are therefore the most common threat,” Bauer said, highlighting the example of a USB stick infected with ransomware being connected to the onboard computer. “Targeted attacks that are carried out with a high degree of expertise and can make ships simply vanish from radar, for example, are far more dangerous.”

Another possible type of attack involves what is known as electronic warfare. This is not strictly a cyber attack, but it can have a similar impact in that it affects systems such as GPS by means of interfering with transmitters or using high-frequency radio waves (‘jamming’ or ‘spoofing’).

A realistic test environment

Researchers at Fraunhofer FKIE can simulate these different kinds of cyber-physical attacks, ie, attacks that impact the real world, in a maritime security lab. The true-to-life stationary ship’s bridge under development at Fraunhofer CML in Hamburg is currently being expanded to create a cybersecurity lab as part of the MaCy (maritime cybersecurity lab) project. This onshore facility features all the tools and systems usually found at sea: the bridge hardware, marine radio and AIS (automatic identification system) transceivers, a radar unit and the ECDIS (electronic chart display and information system), which is used for navigation, among other things. Within this realistic and controlled test environment, the research group is using a variety of developments to detect, investigate and, ideally, avert IT security breaches.

The Bridge Attack Tool (BRAT) makes it possible to carry out effect-based simulations. Developed as an offensive security tool, BRAT has the capability to carry out various attacks itself — such as denial-of-service (DoS) attacks or disrupting and manipulating radar and positioning systems — and show the tangible impact they have on the onboard systems. With a subsequent analysis, the researchers can then highlight existing weaknesses in software systems to industry partners and help them rectify these issues and develop countermeasures by drawing on areas such as cryptography.

Manipulation of the radar image by the Bridge Attack Tool (BRAT) in a simulation scenario in the Rostock-Warnemünde area. Image ©Fraunhofer FKIE

To help detect cyber attacks on ships as early as possible, the team has designed a maritime intrusion detection system that automatically spots anomalies. This Cyber Incident Monitor (CIM) evaluates potential attacks and provides information and guidance to the crew over an ergonomic user interface.

“In stressful situations, warnings and recommendations for the ship’s crew need to be simple and straightforward to implement,” said Florian Motz, Head of the Organizational Ergonomics research group at Fraunhofer FKIE.

“That’s why, when developing CIM, we paid particular attention to ensuring that audible warnings, for example, are only triggered when urgent action is needed, and that alarms and warnings come with information and aids for making decisions — such as advice not to trust the GPS for the time being. The alarm and warning concept is in line with performance standards for bridge alarm management from the International Maritime Organization (IMO).”

The team has been working on CIM and parts of the development of BRAT in collaboration with the company BM Bergmann Marine under the SINAV research project — a study on integrating and processing sensory, navigational, communication and automation information for semi- and fully autonomous ship operation in order to guarantee safe navigation — on behalf of the German Federal Ministry for Digital and Transport.

Raising awareness and developing measures

The researchers’ objective is to use the maritime security lab to raise awareness among companies, authorities and nautical experts of the dangers of cyber attacks at sea and to work with industrial partners to develop protective measures. On the one hand, they can test and upgrade existing systems. On the other, they can provide research data to develop new solutions and thus help establish an approach based on the concept of security by design. Bauer believes that systematic prevention combined with effective methods for detecting potential cyber attacks offers the best protection from harm.

“We mustn’t be lured into a false sense of security just because cyber attacks on ships have not been widely reported,” he said. “Particularly, the systems on older cargo vessels, which have been in use for decades now, are in urgent need of upgrading.”

Top image: The navigation simulator at Fraunhofer CML running a simulation in the Port of Hamburg. Image ©Fraunhofer CML