15 May 2020
From Ship to Shore: Securing Maritime Transport
Further to the recent news posting ‘Composing a Picture from the Puzzle Pieces’, this is the first of seven pieces that describe in more detail the make-up of the puzzle; it covers the maritime transport demonstrator. The goal of each demonstrator is to ‘put the correct pieces together’, and those pieces are first described through concrete use cases.
The Use Cases
Although the security requirements of maritime transport are vast and cover multiple areas of cyber security controls, based on the requirements’ analysis and the maritime transport research and development roadmap developed in earlier stages of the project, we have identified four concrete security services (use cases) that will be integrated and later demonstrated.
We identified targeted threats and risks for maritime transport through a set of use cases that together describe all the distinctive phases of the process, such as:
- critical maritime assets & services identification;
- vulnerability management;
- threat modelling & scenarios specification;
- maritime transport risk analysis;
- attack paths representation; and
- maritime transport risk management.
2. Maritime system software hardening
Applications used in the maritime domain, such as software running on a moving vessel, usually utilize legacy code which is hard to update and sometimes even harder to replace. An attractive option is software hardening, whereby a program is re-written in order to avoid memory-related vulnerabilities. Re-writing the code can be done either by re-compiling the source (where possible) or by reconstructing the binary. Note that this re-writing is focused on the security properties of software and not on its base functionality. Hardening can be applied much more easily than a total replacement of the code.
3. Secure maritime communications
We examined the secure exchange of various types of information, including maritime-specific systems such as:
- VHF data exchange system (VDES) frequencies;
- automatic identification system (AIS) information;
- maritime mobile service identity (MMSI), time, ship position, speed, course etc.;
- vessel voyage information (such as route plans and mandatory ship reports);
- maritime single window reporting information (e.g. ship certificates, log books, passengers’ lists and crew lists); and
- port to vessel information, such as weather reports and passenger or cargo manifests.
4. Trust infrastructure for secure maritime communication
As various types of information are exchanged/transmitted between different maritime stakeholders and actors at sea and on shore, designing a specially crafted trust infrastructure is vital. However, it is not straightforward to set up and operate a typical public key infrastructure (PKI) solution, since there are constraints associated with the maritime transport domain. The communication bandwidth of ship networks has to be taken into account. For example, the SATCOM component of VDES is expected to become a bottleneck in ship communication, due to its low capacity. In addition, it is not rare for ships to sail for long periods of time without any Internet connectivity at all; and, as shipping is a low-cost business, this imposes strict limitations on what solutions will be acceptable to the industry. Here we will research those constraints and design and demonstrate a PKI service specifically adapted to fit the needs of the maritime domain.
The Demonstrator Set-up
Here is what the three demonstrators will illustrate:
(A) Threat modelling and risk analysis for maritime transport services, using a web application that combines multiple modules into a complete risk assessment process. Entering the information in sequence ultimately yields a complete asset map and multiple informative risk assessment output forms.
(B) Maritime system software hardening firstly by enhancing the risk analysis framework realised in (A), and then hardening unsafe components used in (C).
(C) Secure maritime communications and trust infrastructure for secure maritime communication, initially implementing the PKI service described in (4); in the next phase it will be extended to demonstrate the secure maritime communications described in (3).
For more information on this phase of all the demonstrators, detailed descriptions can be found here.
Panayiotis Kotzanikolaou, University of Piraeus