Shipboard ECDIS Cyber Security: Third-Party Component Threats

The Electronic Chart Display and Information System (ECDIS) plays a central role in the safe navigation of ships. The ECDIS is essentially a software package running on a general-purpose operating system, and it may include third-party components. This paper presents an analysis of the cyber security weaknesses of a shipboard ECDIS arising from the ECDIS software's third-party components. The analysis is based on cyber security testing of the shipboard ECDIS using an industry vulnerability scanner. The detected vulnerabilities are analysed with regard to the protection measures implemented on the ship. The results suggest that even a type-approved ECDIS with maintained ECDIS software and a maintained underlying operating system could be vulnerable due to weaknesses in the ECDIS software's third-party components.


Introduction
The Electronic Chart Display and Information System (ECDIS) has significantly changed ship navigation by providing real-time navigational information and reducing the workload associated with paper charts (Brčić et al., 2019), thus enhancing efficiency and safety. The development of the ECDIS over about three decades into a complex computer-based system has raised the need to protect safe navigation from cyber threats (Svilicic et Lee et al., 2017). Therefore, the International Maritime Organization (IMO) has required that cyber risk assessment be included in the International Safety Management (ISM) Code by 1st January 2021 (IMO, 2017a). In addition to the published general guidelines for managing maritime cyber risks (IMO, 2017b), the IMO, in collaboration with the International Electrotechnical Commission (IEC), is developing a new related standard for maritime navigation and radiocommunication equipment and systems, IEC 63154 "Cybersecurity - General requirements, methods of testing and required test results" (IEC, 2019).
The ECDIS is essentially a software package whose functionality is standardized by IMO performance standards (IMO, 2017c), and it runs on a general-purpose operating system from a different manufacturer than that of the system itself. It has been shown that the ECDIS underlying operating system is a source of major cyber threats (Svilicic et al., 2019b; Svilicic et al., 2019c). However, most of today's software includes third-party components, which are developed by an entity other than the manufacturers of the software or the underlying operating system. While the use of third-party software components accelerates the development process and reduces its cost, vulnerabilities existing in these components can represent a critical threat to the system's functionality.
In this paper, the cyber security of a shipboard ECDIS is tested in order to analyze cyber threats arising from the ECDIS software's third-party components. The tested ECDIS was recently installed on the training and research ship Kraljica mora of the Croatian Ministry of the Sea, Transport and Infrastructure (Figure 1). The testing method is based on vulnerability scanning of the ECDIS using an industry-leading software tool. The detected vulnerabilities are analyzed in the context of the shipboard environment, and mitigation solutions are discussed.

Shipboard ECDIS
An IMO type-approved ECDIS displays centrally updated Electronic Navigational Charts (ENCs) together with sensor data from the mandatory shipboard position, heading and speed sensors (IHO, 2018; IMO, 2017c). Additional sensor data (radar, AIS, Navtex…) are integrated in the ECDIS depending on the ship's safety and other factors. The ECDIS is an equivalent to paper charts and, with an adequate backup arrangement, allows for paperless navigation (IMO, 2017c; Brčić and Žuškin, 2018; Weintrit, 2018). The ECDIS has been mandatory for all ships engaged in international trade since the year 2018 (SOLAS, 2009).
The tested ECDIS is manufactured by Wärtsilä Transas, model Navi Sailor 4000. The ECDIS was type approved in the year 2016 and was installed on board the ship in March 2019. The technical specification of the ECDIS is shown in Table 1.

Cyber security testing
The cyber security testing of the ECDIS was performed using the industry's most widely used vulnerability scanner, Nessus Professional version 8.0.1 (Nessus, 2019). Vulnerability scanning is a computational method of detecting cyber vulnerabilities that are known not only to the manufacturers of the software and the underlying operating system, but also to potential attackers (Svilicic et al., 2019c; Svilicic et al., 2018). Figure 3 shows the testing setup. A laptop with the Nessus Professional vulnerability scanner is directly connected to the ECDIS using an Ethernet cross cable. Despite the fact that vulnerability scanning is a passive process, the ship was docked during the testing.
The test results are shown in Figure 4. In total, fifteen vulnerabilities were detected, of which four were assigned high severity and eleven medium severity. Of the 36 pieces of information reported, the key one is that the ECDIS software is running on the Microsoft Windows 7 Professional operating system. While the underlying operating system was updated in a timely manner with Service Pack 1 and other security patches, support for this version of the operating system will end before the end of the current year (Microsoft, 2019). This implies that the manufacturer will not release security patches for newly discovered vulnerabilities.
The detected vulnerabilities are listed in Table 2. All of the detected high severity vulnerabilities are related to a web server running on the ECDIS (Table 2, vulnerabilities 1-4). The detected web server is freely available software provided by the Apache Software Foundation, and in our case represents the third-party component of the ECDIS software. The version of the web server is Apache 2.2, which has been obsolete according to its provider since December 2017 (Apache, 2019). As in the case of the Microsoft operating system, the Apache community does not provide support for this version of the web server, allowing an attacker to exploit newly discovered and known vulnerabilities. In addition, the support relies on help from community members who work as volunteers. The provider's recommended solution for the detected vulnerabilities is migration to the current version of the web server.
Of the eleven medium severity vulnerabilities detected, ten are also related to the third-party web server running on the ECDIS (Table 2, vulnerabilities 5-14). One of the medium severity vulnerabilities detected (Table 2, vulnerability 15) is related to the underlying operating system and its standard component, the Server Message Block (SMB) version 1. SMB provides the file and printer sharing service. Despite the fact that the Microsoft operating system is kept up to date with security patches, the manufacturer's recommendation is to use newer versions of SMB due to the lack of security features in version 1 (Microsoft, 2018).
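The breakdown of findings by severity and by component described above can be reproduced from a scanner export. The following is an added example, not code from the paper: it parses a constructed sample in the Nessus v2 XML export layout and attributes each finding to the third-party web server or to the operating system. The classification rule, host name, plugin IDs and plugin names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

SEVERITY = {1: "low", 2: "medium", 3: "high", 4: "critical"}  # 0 = informational

# Constructed sample in the Nessus v2 export layout; the host name,
# plugin IDs and plugin names are placeholders, not the paper's results.
SAMPLE = """<NessusClientData_v2><Report name="constructed-sample">
<ReportHost name="ecdis.example">
<ReportItem port="80" svc_name="www" protocol="tcp" severity="3"
  pluginID="900001" pluginName="Unsupported web server version (placeholder)"
  pluginFamily="Web Servers"/>
<ReportItem port="80" svc_name="www" protocol="tcp" severity="2"
  pluginID="900002" pluginName="Web server weakness (placeholder)"
  pluginFamily="Web Servers"/>
<ReportItem port="445" svc_name="cifs" protocol="tcp" severity="2"
  pluginID="900003" pluginName="SMBv1 enabled (placeholder)"
  pluginFamily="Misc."/>
<ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
  pluginID="900004" pluginName="OS identification (placeholder)"
  pluginFamily="General"/>
</ReportHost></Report></NessusClientData_v2>"""

def classify(item):
    """Assumed rule: web-server findings belong to the third-party component,
    everything else to the underlying operating system."""
    if item.get("pluginFamily") == "Web Servers" or item.get("svc_name") == "www":
        return "third-party web server"
    return "operating system"

def summarize(xml_text):
    """Return (counts, ports): findings per (component, severity) and the
    listening ports that carry at least one non-informational finding."""
    counts, ports = Counter(), defaultdict(set)
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            sev = int(item.get("severity", "0"))
            if sev == 0:
                continue  # informational items are not vulnerabilities
            comp = classify(item)
            counts[(comp, SEVERITY[sev])] += 1
            ports[comp].add((int(item.get("port", "0")), item.get("protocol")))
    return counts, {c: sorted(p) for c, p in ports.items()}

if __name__ == "__main__":
    counts, ports = summarize(SAMPLE)
    for (comp, sev), n in sorted(counts.items()):
        print(f"{comp:24} {sev:8} {n}")
    print(ports)
```

The per-component port list shows which listening services account for the findings, which is the input needed when deciding whether a service such as the web server can be disabled in a stand-alone configuration.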

Results and discussion
Even though the cyber security test allows for detection of all known vulnerabilities existing in the ECDIS, the results could incorrectly reflect the real severity of the threats due to the specifics of the shipboard operating environment. Therefore, the test results are analyzed with regard to the protection measures implemented on the ship. The implemented protections were identified by interviewing the ship's navigational ranks. The protections are as follows: physical access controls against unauthorized personnel are implemented, security procedures are adhered to, the crew is trained by the ECDIS's vendor, ENCs are updated in a controlled manner with a USB memory stick provided by the manufacturer, and the ship is continuously assessed. The identified cyber threats from the ECDIS's third-party components, together with their description and possible solutions, are listed in Table 3.
In total, three cyber threats are identified, all of which are related to the maintenance of the ECDIS software's third-party components, in particular the fact that the third-party components are abandoned, out of date and insecurely set up. As the ECDIS is operating in a standalone configuration without connection to the Internet or an internal ship network, the identified threats represent risks that are acceptable for a short time, but require development of a mitigation plan. The solutions to the threats include migration from the obsolete to the current version of the third-party components, patching with security updates released by the manufacturer, and secure setup of the third-party components. It is important to point out that these maintenance activities, not only on the ECDIS software's third-party components but also on the underlying operating system (in our case in the near future, as shown in Chapter 3), could negatively affect the ECDIS software functionality, and therefore are to be done by personnel authorized by the ECDIS manufacturer.
The results show that despite the fact that the shipboard ECDIS is type approved, has the latest version of the ECDIS software, and is running on an updated underlying operating system, significant cyber weaknesses exist on the ECDIS due to the unmaintained third-party components of the ECDIS software. It is worth noting that the web server features are not necessarily needed for the regulated ECDIS software functionality, particularly not for operation in the stand-alone configuration. This, together with the significant risk from the cyber vulnerabilities, suggests that third-party components should not be used in the software development process of critical ship navigation systems.

Conclusion
A cyber security analysis of the ECDIS software's third-party components is presented. The analysis is based on cyber security testing of the shipboard ECDIS with an industry-leading vulnerability scanner. The three cyber threats identified, which require development of a mitigation plan, are related to the maintenance of the ECDIS software's third-party components, in particular the migration to the current version, patching with security updates and secure setup. The results suggest that even when the ECDIS software and the underlying operating system are maintained, the system could be vulnerable due to weaknesses in the ECDIS software's third-party components. The presented study contributes to the development of the upcoming maritime standard IEC 63154 and indicates the testing results that should be targeted. The obtained results contribute to the knowledge of ECDIS cyber security and are applicable to any shipboard navigation system.

Figure 2 Architecture of the shipboard ECDIS.

Table 1
The shipboard ECDIS specification.
Source: Authors

Table 3
Cyber threats from ECDIS's third-party components.
Source: Authors