Cyber Operators Course (Op) – Module 8

Secure USB ports on all ships' systems – Key Loggers

Key loggers are programs that track all use of the keyboard and store it in a log.

Images of key logger hidden on pc

It is important you now take the time to look for any loggers connected to your keyboard, mice, etc.


Secure USB ports on all ships' systems – Cleansing Stations

USB stands for “Universal Serial Bus”. Many different devices use USB to connect to a PC, and just about any computer that you buy today comes with one or more USB connectors. These connectors let you attach mice, printers and other accessories to your computer quickly and easily. The operating system supports USB as well, so installing the device drivers is quick and easy. Other ways of connecting devices can mean opening up the case and fitting the device yourself, fiddling with major components that could cost you hundreds if you damage them. Compared to that, USB devices are incredibly simple.

Example of USB cleansing station

Attacks delivered through USB sticks are a major issue. There are many ways that your system could be attacked via USB, for example key loggers and USB sticks carrying dangerous software that is then installed onto your system.

Cyber Operators Course (Op) – Module 7

Specific Compartment equipment – NAVTEX Security Recommendations

It is clear that Navtex messages should be verified. This can be done in several ways:

  • Online Navtex services are available – it would be trivial to check on a mobile phone when in range of land, or via a vessel satcom terminal.
  • Check over VHF with the coastguard or other relevant authority.
  • Sat-C Navtex broadcasts are also available.

Auto-population of the chart on an ECDIS with Navtex data is relatively rare currently, but it’s likely to become more common, primarily to avoid manual data entry mistakes in plotting Navtex alert areas when inputting coordinates.

Is that message on the ECDIS real or fake, or is an important message completely missing?


Specific Compartment equipment – Hacking Navtex

Navtex messages are sent over short wave radio. Technically, it’s based on SITOR-B, probably more familiar to radio hams as AMTOR-B.

Again, these messages have no message authentication or verification, so it’s possible for malicious individuals with basic radio expertise to send rogue Navtex messages to confuse shipping.

It may also be possible to cancel a Navtex warning. Unexploded ordnance? What message?

Navtex is also used for distress and urgency messages: there is potential to send out rogue alerts or mask genuine safety messages. What pirates?

Fortunately, generating enough RF power to send Navtex messages over long distances is very involved. However, crews should be alert to message tampering when close to port.


Specific Compartment equipment – Hacking Navtex

It’s been modified from the original data to be more human-readable. Source messages look like this:

$CRNRX,007,001,00,TD02,1,135600,27,06,2001,241,3,A,==========================*09

$CRNRX,007,002,00,,,,,,,,,,========^0D^0AISSUED ON SATURDAY 06 JANUARY 2001.*29

$CRNRX,007,003,00,,,,,,,,,,^0D^0AINSHORE WATERS FORECAST TO 12 MILES^0D^0AOFF*0D

$CRNRX,007,004,00,,,,,,,,,,SHORE FROM 1700 UTC TO 0500 UTC.^0D^0A^0D^0ANORT*70

$CRNRX,007,005,00,,,,,,,,,,H FORELAND TO SELSEY BILL.^0D^0A12 HOURS FOREC*16

$CRNRX,007,006,00,,,,,,,,,,AST:^0D^0A^0ASHOWERY WINDS, STRONGEST IN NORTH.^0D*15

$CRNRX,007,007,00,,,,,,,,,,^0A^0A*79
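A bridge or audit tool can check such a feed before anyone acts on it. The following is an added example, not part of the course material: it verifies the NMEA checksum of each sentence, decodes the `^hh` escapes and reports missing fragments. The field layout (sentence count, sentence number, message id, message text last) is an assumption read off the sample lines above, and the sample message is constructed.

```python
import re
from functools import reduce

def checksum(body):
    """NMEA 0183 checksum: XOR of every character between '$' and '*'."""
    return reduce(lambda acc, ch: acc ^ ord(ch), body, 0)

def frame(body):
    """Wrap a sentence body as '$body*hh' (used for the constructed sample)."""
    return "$%s*%02X" % (body, checksum(body))

def parse_nrx(line):
    """Return (total, index, msg_id, text, checksum_ok) for one NRX sentence."""
    body, _, given = line.strip().lstrip("$").rpartition("*")
    f = body.split(",", 13)  # assumed layout: field 13 is the message text
    if len(f) != 14 or not f[0].endswith("NRX"):
        raise ValueError("not an NRX sentence: %r" % line)
    ok = given.upper() == "%02X" % checksum(body)
    # ^hh is the NMEA escape for reserved characters such as CR (^0D), LF (^0A)
    text = re.sub(r"\^([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), f[13])
    return int(f[1]), int(f[2]), f[3], text, ok

def reassemble(lines):
    """Join one message's fragments; return (text, problems to check by hand)."""
    parts, problems, total = {}, [], 0
    for line in lines:
        total, idx, _msg_id, text, ok = parse_nrx(line)
        if not ok:
            problems.append("sentence %d: checksum mismatch" % idx)
        parts[idx] = text
    for idx in range(1, total + 1):
        if idx not in parts:
            problems.append("sentence %d: missing" % idx)
    return "".join(parts.get(i, "[...]") for i in range(1, total + 1)), problems

# Constructed two-sentence sample in the layout of the page's $CRNRX lines
SAMPLE = [
    frame("CRNRX,002,001,00,TD02,1,135600,27,06,2001,30,0,A,GALE WARNING^0D^0A"),
    frame("CRNRX,002,002,00" + "," * 10 + "NORTH FORELAND^0D^0A"),
]

if __name__ == "__main__":
    text, problems = reassemble(SAMPLE)
    print(text, problems)
```

A clean result only shows that the sentences were not corrupted in transit. The checksum is not authentication, since anyone who alters a sentence can recompute it, so the out-of-band checks remain necessary.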


Specific Compartment equipment – Hacking Navtex

A harbour was closed following discovery of an unexploded wartime bomb. Alerts were sent using many methods including Navtex.

The messages comply with the NMEA 0183 standard, which, as discussed previously, has little security. Here is an example of a genuine message from the www.admiralty.co.uk service:

Do you have an image of a genuine message next to your NAVTEX?

Do you have a way on the bridge of ‘spot-checking’ if it is real or not?


Specific Compartment equipment – Hacking Navtex

Many ECDIS have serial inputs that can take a direct feed from the Navtex receiver and automatically plot the location to which the message relates on the electronic chart. Ships’ crews generally trust Navtex – why would it lie?

Here’s an example of a ‘missile firing exercise’ Navtex message automatically plotted by an ECDIS. You wouldn’t want to miss that message!


Specific Compartment equipment – Procedural audit advice

Discuss what processes are in place to detect and respond to a GPS incident.

  • Have any of the crew ever experienced an incident involving GPS?
  • How often does the OOW cross check position and how do they verify position with non-digital systems?
  • Are position errors verified only by overlaying radar data on the ECDIS?
  • How often do the crew practice navigation without digital aids?
  • What protections are in place on the OT network to prevent tampering with GPS data?


Specific Compartment equipment – Subtle attacks to GPS – How to spot


Crews should be alert to the potential for more subtle attacks. A gradually increasing error in position may be far more difficult to detect. This style of attack could be used to draw a vessel into a position of danger.

GPS data is transmitted from the above deck receiver to the various devices on the OT network that consume it. The data is unencrypted and has the potential to be tampered with.

A GPS sentence might look like this:

$GPGLL,3751.65,S,14507.36,E*77

Or

$GPGLL,4916.45,N,12311.12,W,225444,A

A hack might involve changing the GPS data on the ship’s network itself, rather than a broader and obvious spoofing of the GPS radio signal. This is far more subtle and much more difficult to detect.

Advanced interrogation: If we are unsure whether data has been corrupted, can we view the NMEA messages as they pass through your system?
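One way to spot a gradually increasing error is to compare each GPS fix on the network with a dead-reckoning position from the log and gyro. The following is an added example, not part of the course material: the tracks are constructed, and the 0.5 nm limit, 0.02 nm noise floor and three-fix streak are assumed values to be tuned per vessel.

```python
import math

def gll_position(sentence):
    """Decimal-degree (lat, lon) from a GLL sentence: ddmm.mm,N/S,dddmm.mm,E/W."""
    f = sentence.strip().lstrip("$").split("*")[0].split(",")
    if len(f) < 5 or not f[0].endswith("GLL"):
        raise ValueError("not a GLL sentence: %r" % sentence)
    def dm(value, hemi, deg_digits):
        deg = int(value[:deg_digits]) + float(value[deg_digits:]) / 60.0
        return -deg if hemi in ("S", "W") else deg
    return dm(f[1], f[2], 2), dm(f[3], f[4], 3)

def distance_nm(a, b):
    """Flat-earth distance in nautical miles; adequate over a few miles."""
    dlat = (b[0] - a[0]) * 60.0
    dlon = (b[1] - a[1]) * 60.0 * math.cos(math.radians((a[0] + b[0]) / 2))
    return math.hypot(dlat, dlon)

def dead_reckon(start, course_deg, speed_kn, hours):
    """Position after steaming a steady course and speed (gyro and log)."""
    run = speed_kn * hours
    lat = start[0] + run * math.cos(math.radians(course_deg)) / 60.0
    lon = start[1] + run * math.sin(math.radians(course_deg)) / (
        60.0 * math.cos(math.radians(start[0])))
    return lat, lon

def drift_alarm(fixes, start, course_deg, speed_kn, limit_nm=0.5, streak=3):
    """fixes: [(hours since start, GLL sentence)]. Return the time of the first fix
    whose GPS-vs-DR offset exceeds limit_nm after growing `streak` times, else None."""
    prev, growing = 0.0, 0
    for hours, sentence in fixes:
        dr = dead_reckon(start, course_deg, speed_kn, hours)
        err = distance_nm(gll_position(sentence), dr)
        growing = growing + 1 if err > prev + 0.02 else 0  # 0.02 nm noise floor
        prev = err
        if growing >= streak and err > limit_nm:
            return hours
    return None

# Constructed tracks: 12 kn due east from 50°00.00'N 001°00.00'W, fix every 15 min
START = (50.0, -1.0)
HONEST = [(0.25, "$GPGLL,5000.00,N,00055.33,W"), (0.50, "$GPGLL,5000.00,N,00050.67,W"),
          (0.75, "$GPGLL,5000.00,N,00046.00,W"), (1.00, "$GPGLL,5000.00,N,00041.33,W")]
# Same track with the latitude pushed north by 0.1, 0.3, 0.6 and 1.0 nm
SHIFTED = [(0.25, "$GPGLL,5000.10,N,00055.33,W"), (0.50, "$GPGLL,5000.30,N,00050.67,W"),
           (0.75, "$GPGLL,5000.60,N,00046.00,W"), (1.00, "$GPGLL,5001.00,N,00041.33,W")]

if __name__ == "__main__":
    print(drift_alarm(HONEST, START, 90, 12), drift_alarm(SHIFTED, START, 90, 12))
```

No single shifted fix looks like a jump, but the offset from dead reckoning keeps growing and the alarm trips at the third fix.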


Specific Compartment equipment – GPS security

The risks of GPS tampering and spoofing are well known. Numerous reports have been made regarding vessels receiving incorrect position data from their GPS receivers, often in the vicinity of military bases.

GPS is a relatively weak radio signal, so jamming of the signal over an area is not difficult. It is well within the capability of an individual with some basic radio knowledge.

Spoofing of GPS signals is somewhat more complex and requires expensive equipment, which is why it is experienced primarily around sensitive military environments, perhaps to make missile attacks harder to guide. However, equipment is also within reach of cyber criminals.

Gross GPS position errors should be easy for a crew to detect. Overlaying radar and other cross checks will reveal issues. A crew should quickly detect that they are suddenly 20nm out of position.

Various studies have been carried out by maritime authorities into the practicality and detection of GPS attacks, showing that they are a very real threat. Some digital bridge systems have the capability to detect these attacks and alert the crew.