Conference PaperPDF Available

Exercise Neptune: Maritime Cybersecurity training using the Navigational Simulators

Authors:

Abstract

This paper gives an overview of the exercise developed and carried out in June 2018 at a Cyber Security Summer School, which was organized by Tallinn University of Technology (TalTech). The novelty of this paper is to present a different approach to cybersecurity-related education and training of the seafarers and to point out the threats that emerge from the lack of cybersecurity awareness and cyber hygiene training, and the misuse of social media at sea.
34
5th INTERDISCIPLINARY CYBER RESEARCH CONFERENCE 29th OF JUNE 2019
exercise nePtune: MaritiMe
cybersecurity training using
the navigational siMulators
Kieren Niĉolas Lovell, Dan Heering
Tallinn University of Technology
kieren.lovell@taltech.ee, dan.heering@taltech.ee
IntroductIon
The maritime industry is the backbone of the global economy. In 2017 the volumes of car-
go, that was transported with the ships around the world, reached 10.7 billion tons (Asa-
riotis et al. 2018). During 2017 the global tonnage has increased by 42 million gross tons,
whichisequivalenttoa3.3percentgrowthrate.InJanuary2018,theworldeetreached
a carrying capacity of 1.9 billion dead-weight tons (dwt). In light of these numbers, the
importance of maritime transportation cannot be overemphasized. The maritime industry
has entered the new digital era of its evolution. New technological developments allow
shipowners to operate the ships more safely and securely, optimize the sailing routes and
save fuel. Smart shipping solutions are supporting crews and are improving the perform-
anceoftheeets.Oneofthebiggestchangeshasalsobeentherolloutoftheinternetcon-
nection onboard ships. The Maritime Labour Convention recommends that “reasonable
access to ship-to-shore telephone communications, email and internet facilities should
be available to seafarers, with any charges for the use of these service being reasonable
in amount” (International Labour Organization 2006). According to the ndings of the
survey carried out by the Nautilus International, the union for maritime professionals,
seafarers are increasingly making employment choices based on the availability of inter-
net access (Nautilus International 2017). Nearly two-thirds of respondents said that they
would consider changing the shipping company if it provided better onboard connectivity.
The survey included 1,125 people from the UK, 665 from the Netherlands and as well as
representatives of 18 companies giving the total sample size of nearly 2,000.
With continuous access to internet resources, social media, and e-mails, the seafarers,
ships, and shipowners have become targets for motivated cybercriminals. In general, there
are two categories of cyber attacks, which may affect companies and ships: untargeted and
targeted (BIMCO et al. 2018). Targeted attacks are more sophisticated and can include
thetoolsandtechniques,whicharespecicallycreatedfortargetedshippingcompanyof
ships. These tools and techniques may include a distributed denial of service (DDoS) at-
tacks, spear-phishing, subverting the supply chain, social engineering, impersonating a
legitimate employee and others. The Port of Antwerp case in 2011 has shown that the col-
laboration of organized criminals and cybercriminals can lead to dangerous consequences
for the community and the ports (Bateman 2013). Untargeted attacks are likely to occur
due to the employment of tools and techniques available on the internet (scanning, water
holing, phishing, malware, etc.). These types of cyber attacks may cause costly collateral
damage for the shipping companies. In June 2017 the world’s largest container shipping
company, A.P. Møller-Maersk was one of the companies, which was hit by the malware
NotPetya (Greenberg 2018).
This paper gives an overview of the exercise developed and carried out in June 2018 at a
Cyber Security Summer School, which was organized by Tallinn University of Technology
(TalTech). The novelty of this paper is to present a different approach to cybersecurity-
related education and training of the seafarers and to point out the threats that emerge
from the lack of cybersecurity awareness and cyber hygiene training, and the misuse of
social media at sea. All participants were MSc and PhD students.
35
5th INTERDISCIPLINARY CYBER RESEARCH CONFERENCE 29th OF JUNE 2019
Methodology
Simulator-based training is one of the key factors in maritime education and training
(MET) institution (Sellberg 2017). The environment created with the simulators allows
the cadets to practice the skills and competencies that are needed for their future jobs.
Navigational simulators also allow putting the cadets and seafarers in situations and con-
ditions they would normally not encounter during their service at sea. Failures occurring
in the simulated environment are incomparable to consequences on the real ship. TalTech
Estonian Maritime Academy has a modern Simulator Centre with the navigational, mari-
time communication, engine room, refrigeration training, marine pollution control, and
other simulators. The navigational simulator consists of four bridge simulators imitating
the sailing of an actual ship (Figure 1).
Figure 1. Bridge simulator at TalTech Estonian Maritime Academy.
Exercise Neptune was developed to test the security of the legacy systems within the mari-
time navigational systems and to gather intelligence data of the real target ships sailing
at sea during the time of the exercise and look for the possible cyber attack vectors (open-
source intelligence (OSINT) exercise) (Rajamäki, Sarlio-Siintola, and Simola 2018).
The equipment and tools used during the simulator exercise:
• 4 Transas bridge simulators (Navi-Trainer Professional Simulator NTPRO 5000)
• 8 laptops with Windows 10 and PC-based chart plotter software Sea Clear II
• wireless network without access to the internet
The participants were divided into two divisions, four ships in each. Each group/ship re-
ceived the laptop with preinstalled Sea Clear II software.
The aim of the Exercise Neptune is to simulate a threat aggressor in the closest possible
way to a realistic terrorist type group. The easiest way to achieve this is to place the stu-
dents into a cause. In this case, a civil war within Estonia was simulated, with two major
factions having been formed. The reason for this kind of scenario is to take the partici-
pants out of their comfort zones and to get them to focus on their enemy and the purpose,
but in a way where they work closely with other teams, making them exchanging data se-
curely, and advancing their OSINT posture to the whole collective picture. It is simulated
to originally place the teams against each other.
As the exercise plays out, it forces the teams to come together into one task force. This
achieves two objectives. First, to create a highly focused team that is working on a number
of ways to exploit the OSINT data and the vulnerabilities that they have assessed in the
36
5th INTERDISCIPLINARY CYBER RESEARCH CONFERENCE 29th OF JUNE 2019
system and then bring that together in one attack plan. When they exchange their data
and results with others, it provides the creativity required to exchange their ideas, to
adapt and make their respective attacks achievable. This is aided by the “Gamemaster”
making the exercise a “high tempo” environment, rather than just a game. In placing
constant deadlines, the participants quickly gain the Command, Control and Communica-
tion (C3) posture that would normally be present within a state or organised threat actor
within a very short timeframe. This is required to understand what the threat landscape
really is like. This methodology, while unorthodox, manages to create the results faster
than traditional exercises and produces the work ethic normally found in groups that
areghtingforacause.ThisisanonlineversionofthemethodologyusedinRoyalNavy
workupsduringtheFlagOfcerSeaTraining(FOST)training(Soeters,vanFenema,and
Beeres 2010). First, focus on your department, then your ship, then on your task force, and
then at the end, within the whole task group.
results
The results of the simulator exercise show, that the divisions were successful in developing
cyber attacks against the opposing ships. They were able to breach the Electronic Chart
Display and Information Systems (alter the course, manipulate with the chart data), in-
terferewith the Automatic IdenticationSystem(AIS)dataandcompromisetheGlobal
Maritime Distress and Safety System (GMDSS).
As a result of the OSINT exercise:
• the teams were able to get hold of 7536 usernames and password used by the employees
and crews of NATO warships;
• NATO ships could be tracked using SNAPMAP (map.snapchat.com), Twitter, Facebook
and other social media sites;
• dailyordersandcondentialorderswerefoundonTwitterinphotos;
• FITBIT was being utilized by operational troops in exercise areas;
• webcams in ports were utilized to use as intelligence gathering assets (no usernames
and passwords were in place);
• public relation departments were just as much to blame as individual sailors for their
recklessness;
• it was recognised that mandatory policies are not being enforced.
conclusIon
The results of the exercise provided two major learning outcomes. One is that the digital
footprint placed by individual seafarer is impacting the whole landscape. All of these indi-
viduals are only performing small breaches of data, but when you merge this with the col-
lective intelligence, it provides a full tactical picture that can be then further exploited to
provide a full strategic overview of their objectives. This suggests that the way this needs
to be taught to seafarers and the maritime industry is in the same way, by demonstrating
what the real results are within a real environment. In this way, we take the ownership
of IT security from the hands of the IT security specialist and into where it should be: eve-
ryone’s responsibility within any organisation as a whole. The maritime environment is
differentfromatraditionalofce;itcannothavethesamecyberhygieneapproachthatis
used in this situation, as the threats and approaches are not the same.
It also proves that the hardware used for mission critical services (navigation, emergency
communication, engine room software, etc.) can be easily exploited. These exploits, when
mergedwithtraditionalintelligencegatheringandOSINTprolingtechniques,provides
perfect injection points in where these exploits can be actioned.
In further discussions with the maritime industry, it also found that, like any other organ-
isation, the responsibility for security positions is held across multiple silos. For example,
the responsibility of GMDSS security is not held by the same person who is responsible
for Desktop security. This means that there are holes in the whole process. This can only
beachievedbyaunicationofthesecurityposture,andownershipofthethreatswillbe
taken as one, in respect to the overall risk.
37
5th INTERDISCIPLINARY CYBER RESEARCH CONFERENCE 29th OF JUNE 2019
further research
With the results from this exercise, the question is no longer “are ships exploitable” but
more “how can we mitigate this threat when it happens, and in a way that the maritime
industrycancopewiththis”.Maritimeindustrycanhandleood,re,engineroomand
steering gear failures very well. More research is needed to develop bridge and operational
procedures (kill cards) that help ship crews to identify possible cyber threats when they
happen, and indicate what initial actions are required. Crews need to know how to esca-
late it to the correct authorities, and to other units in the area. More importantly, we see
the need for establishing the drills that are required to make sure that a crew’s conduct
during an attack in question aids the safety of the ship, and do not hinder the situation,
and that they all understand what is going on. With this in question, the research that is
required is placing the competent crews within the bridge simulator, arranging possible
cyber attacks and following the reactions of the participants. By repeating the exercises
within high threat situations, the results will provide a good framework for establishing
a good safety net for the shipping industry. It allows providing a more secure approach to
cyber attacks for one of the most important industries.
Keywords: Cybersecurity, Navigation, OSINT, Simulator, GMDSS
references
• Asariotis, Regina et al. 2018. Review of Maritime Transport 2018.
https://unctad.org/en/PublicationsLibrary/rmt2018_en.pdf.
• Bateman,ByTom.2013.“PoliceWarningafterDrugTrafckers’Cyber-Attack.”
BBC News Europe (October): 2–5. https://www.bbc.com/news/world-europe-24539417.
• BIMCO et al. 2018. The Guidelines on Cyber Security Onboard Ships.
https://www.bimco.org/products/publications/free/cyber-security.
• Greenberg, Andy. 2018. “The Untold Story of NotPetya, the Most Devastating
Cyberattack in History.” Wired. https://www.wired.com/story/notpetya-cyberattack-
ukraine-russia-code-crashed-the-world/.
• International Labour Organization. 2006. “Maritime Labour Convention, 2006,
as Amended (MLC, 2006).” https://www.ilo.org/dyn/normlex/en/
f?p=NORMLEXPUB:91:0::NO::P91_SECTION:MLCA_AMEND_A3.
• Nautilus International. 2017. An Investigation into Connectivity at Sea.
https://www.nautilusint.org/en/news-insight/resources/nautilus-reports/connectivity-
at-sea-whitepaper/.
• Rajamäki, J., S. Sarlio-Siintola, and J. Simola. 2018. “The Ethics of Open Source
Intelligence Applied by Maritime Law Enforcement Authorities.” In European
Conference on Information Warfare and Security, ECCWS.
• Sellberg, Charlott. 2017. “Simulators in Bridge Operations Training and Assessment:
A Systematic Review and Qualitative Synthesis.” WMU Journal of Maritime Affairs.
• Soeters, Joseph, Paul van Fenema, and Robert Beeres. 2010. “Managing Military Or-
ganizations: Theory and Practice.”
... Due to security and privacy concern, British navy banned its usage on its ships in early 2017 [82]. In a recent maritime cybersecurity exercise, it was identified that the location of maritime vessels under NATO command can be identified using social media services specially snapchat [83]. The issues with snapchat were already known by the military service. ...
Article
Full-text available
Open-source intelligence (OSINT) tools are used for gathering information using different publicly available sources. With the rapid advancement in information technology and excessive use of social media in our daily lives, more public information sources are available than ever before. The access to public information from different sources can be used for unlawful purposes. Extracting relevant information from pools of massive public information sources is a large task. Multiple tools and techniques have been developed for this task, which can be used to identify people, aircraft, ships, satellites, and more. In this paper, we identify the tools used for extracting the OSINT information and their effectiveness concerning each other in different test cases. We mapped the identified tools with Cyber Kill Chain and used them in realistic cybersecurity scenarios to check their effusiveness in gathering OSINT.
... Bridge simulators are used for the training of cadets and seafarers to improve their navigational skills. Moreover, researchers from Tallinn University of Technology also used bridge simulators for maritime cybersecurity training [42], and researchers from Plymouth University discussed the combination of a cyber range and a full mission bridge simulator for technical aspects of cybersecurity research [43]. Further, researchers from Genova University announced that a full mission bridge simulator will be used for cybersecurity studies [44]. ...
Article
Full-text available
The e-navigation concept was introduced by the IMO to enhance berth-to-berth navigation towards enhancing environmental protection, and safety and security at sea by leveraging technological advancements. Even though a number of e-navigation testbeds including some recognized by the IALA exist, they pertain to parts only of the Integrated Navigation System (INS) concept. Moreover, existing e-navigation and bridge testbeds do not have a cybersecurity testing functionality, therefore they cannot be used for assessing the cybersecurity posture of the INS. With cybersecurity concerns on the rise in the maritime domain, it is important to provide such capability. In this paper we review existing bridge testbeds, IMO regulations, and international standards, to first define a reference architecture for the INS and then to develop design specifications for an INS Cyber-Physical Range, i.e., an INS testbed with cybersecurity testing functionality.
... A training session can be interrupted at any time and resumed later on. However, the assessment can only be performed once [6]. Assorted users' data and results can be called on the screen (Figure 1). ...
... Our study likewise explores similar ''off-label'' uses for the SNS. The previous work (Lovell and Heering, 2019) as seen in (Bay et al., 2020) introduced Snapchat as a method to track NATO maritime vessels. Eriksson et al. (2019) correctly identified that Snapchat's Snap Map can be scraped to extract user-generated content and location data; however, they excluded it from their study due to the inability to access a public API. ...
Conference Paper
Full-text available
Social Networking Sites (SNS) are a rich source of open-source intelligence in the form of publicly available images, video and text. Privacy concerns have led to many sites removing metadata attached to multimedia on upload, effectively losing information of interest from intelligence perspectives. In this paper, we describe the exploitation of Snapchat's Snap Map (a web based portal to access media items uploaded to Snapchat's platform) as a surveillance tool to monitor the social unrest in Minneapolis - Saint Paul following the death of George Floyd, making specific use of the manner in which Snapchat presents Snaps on a publicly accessible map. We demonstrate how our technique can be used as a distributed surveillance system supplementing traditional CCTV footage where none would be available. We note a heavy reliance on trust is implied on the geolocation metadata and the resolution of the uploaded media. As a result, our process is vulnerable to database poisoning attacks. We therefore recommend that alternative forensic methods be used to verify and validate surveillance using our method.
Article
Full-text available
This article presents a systematic review and qualitative synthesis of the use of simulators in maritime education and training (MET), with a focus on bridge operations during navigation training and assessment. The review found 34 articles published in a wide range of academic journals, displaying a global field of research consisting of three main disciplines: Maritime professionals (n = 15), Human factors (n = 13) and Education (n = 6). An important conclusion made after synthesising the results of the studies is that while the potential of using simulators in training and assessment are clear, little is known about which instructional practices would ensure valid and reliable results of simulator-based education. Since MET institutions train their students for one of the most safety-critical industries in the world, there is a need for empirical studies that explore the use of simulator-based training and assessment further to lay the foundation for an evidence-based educational practice.
  • Regina Asariotis
Asariotis, Regina et al. 2018. Review of Maritime Transport 2018. https://unctad.org/en/PublicationsLibrary/rmt2018_en.pdf.
Simulators in Bridge Operations Training and Assessment: A Systematic Review and Qualitative Synthesis
  • J Rajamäki
  • S Sarlio-Siintola
  • J Simola
• Rajamäki, J., S. Sarlio-Siintola, and J. Simola. 2018. "The Ethics of Open Source Intelligence Applied by Maritime Law Enforcement Authorities." In European Conference on Information Warfare and Security, ECCWS. • Sellberg, Charlott. 2017. "Simulators in Bridge Operations Training and Assessment: A Systematic Review and Qualitative Synthesis." WMU Journal of Maritime Affairs.