Internet connections on boats have become extremely common, and cyber-attacks are happening. The first line of cyber defense is to know the products installed on your customer's vessel and how to prevent cyber issues at the time of installation and commissioning. GPS, AIS, VHF radios and EPIRBs are all technologies in place to help the boater communicate in a life-critical event. The main challenge is that the position information received on older systems can be hacked or spoofed. Navigation equipment should be routinely checked for any known issues with its software/firmware. To take this to the next level of complexity, the information provided by NMEA 2000 and Ethernet-based systems delivers virtually all vessel vitals used to navigate, control, and assess conditions on the water. Sending this data to the cloud creates additional cyber security considerations.
The NMEA would like to highlight these technologies, their vulnerabilities, and what you can do to help protect your customers. See below considerations for the boater, installer, boat builder, and equipment manufacturer as a start. A full technical reference published by NMEA called "NMEA Protocols Vulnerability to Cyberattacks and Mitigation" is available upon request to members. Email [email protected] to obtain your copy.
Boater Considerations
- Do you have an internet connection on your vessel?
- If so, check that the equipment has a minimum of WPA2 Wi-Fi security settings.
- Move to a WPA3-capable router where possible, and check with your router manufacturer for firmware updates that add WPA3.
- Set a password, and make it strong.
- Routers: any used router you are given or purchase should be manually reset by the new user. Do not use the router if you cannot find the user's manual or the reset procedure.
- Understand the different networks on your boat and the potential for network outages caused by the addition of a rogue device.
- Know where all your devices are installed and have the means to unplug them.
- Update devices with the latest security firmware or software from the manufacturer.
- Use a personal PC in a private Wi-Fi network for personal security.
- Read the disclosure of mobile or computer application permissions before accepting the developer's agreement terms.
- Avoid applications with malware; read the application's public comments.
- Consider purchasing dedicated or purpose-built hardware from a reputable marine electronics company.
- If you are using a personal computer for navigation, consider making this dedicated to just navigation and disable internet connectivity.
- Ensure any personal computer connected to the internet has the latest anti-virus and malware protection software installed.
- Consider having two separate ethernet networks, one for navigation and one for internet connectivity.
Marine Electronics Installer Considerations
- Move to a WPA3-capable router where possible, and check with your router manufacturer for firmware updates that add WPA3.
- Select popular updatable products and teach the user how to use them.
- Physically label the device's location and include it in an accessible diagram they can use to locate and unplug the equipment.
- Electronically Label the NMEA 2000 products on the network using PGN 126998 (Configuration Information) to help identify and locate devices connected to the network and the process for their removal if/when necessary.
- Configure cyber information alerts, if available.
- Create alerts that detect when any monitored PGN reports "data not available".
- Install diagnostic test connections, gateways and NMEA 2000 T-pieces in locked areas.
- Vessel commissioning reports generated for the captain or owner can be helpful.
- Consider fitting the latest Network Intrusion Detection device that validates and records the status of the network when commissioned and provides early warning of potentially nefarious devices being added to the network after commissioning.
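The two detection ideas above (a baseline of the network recorded at commissioning, and an alert when a monitored PGN reports "data not available") can be sketched in a few lines. This is an added illustration, not code from the NMEA or from any product; the address-claim frames and the engine PGN payload are constructed, and the manufacturer and function codes in them are illustrative values. It identifies a device by the manufacturer code and unique number carried in the ISO Address Claim (PGN 60928) NAME, so a unit is recognised even if it claims a different bus address later.

```python
import struct

MARINE_INDUSTRY_GROUP = 4  # industry group value used by NMEA 2000 devices

def encode_name(unique, mfr, function, dev_class, instance=0, industry=MARINE_INDUSTRY_GROUP):
    """Build the 8-byte NAME of an ISO Address Claim (PGN 60928), little-endian 64-bit."""
    n = (unique & 0x1FFFFF) | (mfr & 0x7FF) << 21 | (instance & 0xFF) << 32
    n |= (function & 0xFF) << 40 | (dev_class & 0x7F) << 49
    n |= (industry & 0x7) << 60 | 1 << 63  # arbitrary-address-capable flag
    return struct.pack("<Q", n)

def decode_name(name: bytes) -> dict:
    """Split the NAME into the fields an installer uses to identify a device."""
    n, = struct.unpack("<Q", name)
    return {"unique": n & 0x1FFFFF, "mfr": (n >> 21) & 0x7FF,
            "instance": (n >> 32) & 0xFF, "function": (n >> 40) & 0xFF,
            "dev_class": (n >> 49) & 0x7F, "industry": (n >> 60) & 0x7}

def device_id(name: bytes) -> tuple:
    """Manufacturer code + unique number identify the physical unit, not its bus address."""
    d = decode_name(name)
    return d["mfr"], d["unique"]

def new_devices(baseline_claims, observed_claims):
    """Return decoded NAMEs seen now that were absent from the commissioning baseline."""
    known = {device_id(n) for n in baseline_claims}
    return [decode_name(n) for n in observed_claims if device_id(n) not in known]

def not_available(data: bytes, offset: int, width: int) -> bool:
    """NMEA 2000 unsigned fields use all-ones (0xFF, 0xFFFF, ...) to mean 'data not available'."""
    value = int.from_bytes(data[offset:offset + width], "little")
    return value == (1 << (8 * width)) - 1

# Constructed commissioning baseline: three units with illustrative codes.
BASELINE = [encode_name(0x012345, 1000, 145, 60), encode_name(0x0ABCDE, 1001, 130, 60),
            encode_name(0x054321, 1002, 160, 50)]
# Constructed later snapshot: the same units plus one that was never commissioned.
OBSERVED = BASELINE + [encode_name(0x0FEDCB, 2047, 130, 25)]

if __name__ == "__main__":
    for d in new_devices(BASELINE, OBSERVED):
        print("ALERT: device not in commissioning baseline:", d)
    # Constructed PGN 127488 (Engine Parameters, Rapid Update) payload:
    # byte 0 engine instance, bytes 1-2 engine speed; 0xFFFF here means not available.
    frame = bytes([0x00, 0xFF, 0xFF, 0x10, 0x27, 0x00, 0xFF, 0xFF])
    print("engine speed not available:", not_available(frame, 1, 2))
```

A real monitor would collect the baseline from live address claims at commissioning and store it with the vessel's commissioning report, rather than from constants as here.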
Boat Builder Installer Considerations
- Ensure the product selection includes NMEA certified products with the latest security installed.
- Attempt to install products in secured locations. Ensure the product update ports are easily accessible to the user or technician.
- Ensure manufactured systems meet the minimum statutory requirements (check a device for a CE mark, ETSI 303, NIST, FCC, IEC 62443).
- Install diagnostic test connections, gateways and NMEA 2000 T-pieces in locked areas; this may include lock boxes.
- Boatbuilders integrating white labeled products need to ensure these products transmit the boatbuilder’s manufacturer code.
- Consider fitting the latest Network Intrusion Detection device that validates and records the status of the network when commissioned and provides early warning detection of potentially nefarious devices being added to the network after commissioning.
NMEA Equipment Manufacturer Considerations
Things to consider when creating new networked products:
- Gateway security (use trusted-source solutions).
- Advanced gateway requirements: add second-level application protection using a password.
- Define security level requirements: disclose risk levels to users (for example, a "do not connect this system to the internet" notice).
- Provide a manufacturer website where discovered vulnerabilities can be reported (contact details and an acknowledgement-of-receipt notice).
- Manufacturers should securely publish all software updates and provide full information for users.
- Verify that your IT specialist has secured and monitors the maintenance backdoors of any telematic or telemetric systems.
- Manufacturers should provide a product end-of-support period for security patches.
- No universal default passwords (unique per device, generated in a random way).
- Securely store sensitive security parameters (tamperproof/encrypted storage).
- Communicate securely (use best practice in cryptography).
- Minimize exposed attack surfaces (unused network interfaces disabled, debug etc.).
- Ensure software integrity (secure boot mechanism, alert if tampered).
- Ensure that personal data is secure (best practice cryptography).
- Make systems resilient to outages (clean recovery, no corruption).
- Examine system telemetry or vessels data recordings (look for security anomalies).
- Make it easy for users to delete user data (provide a simple method).
- Make installation and maintenance of devices easy (best practice, minimal user decisions).
- Validate input data.
Contributors
Dr. Chris Quigley, Warwick Controls
Paul Sumpner, Digital Yacht
Andrew Bazan, Brunswick, Mercury Marine Engineering
Nate Karstens, Garmin International
Dr. Jeremy Daily, Ph.D., P.E., Colorado State University
Ryan Pickren, Ph.D., Cyber-Physical Security Lab, Georgia Tech