It is imperative that the ECDIS computer is subject to regular updates to its operating system. During vessel security audits, we have discovered ECDIS still running Windows NT, an operating system so old that Microsoft stopped supporting it in 2004! That means that any new security flaws in the software will NEVER be fixed.

Windows XP and Windows 7 are also commonly found on bridge systems. Even as recently as April 2018, Microsoft released 22 vulnerabilities rated ‘critical’. These updates must be applied, as hackers will quickly ‘reverse engineer’ the updates and work out how to exploit the security flaw.

Not all ECDIS are based on Microsoft operating systems. A smaller subset of vendors use Linux based operating systems, which require updating in just the same way.

Whilst downloading updates at sea over satellite can be expensive, the operator should determine how critical a new patch is to their systems. Truly urgent patches, such as the ‘Heartbleed’ flaw from 2014 would merit the expense of patching whilst at sea, though most could likely wait until the next port of call and updating over shore Wi-Fi.

All computers should be subject to ‘hardening’ during installation. This describes the process whereby it is configured to be as secure as possible; it should deliver minimum functionality in order to deliver its role as an ECDIS. For example, one would not expect Microsoft games to be present on an ECDIS, nor would one expect administrator passwords to be blank or simple

The Center for Internet Security publishes free CIS Benchmarks which offer good practice guides and checklists for hardening systems. Their web site is at www.cisecurity.org

An ECDIS is usually just a desktop computer. It may have a rugged case, screen and keyboard, but it is fundamentally just a PC.

Just like any computer, it requires updates to be applied, both to the underlying operating system, to its ECDIS software and to the digital charts. If any of those are omitted for any period of time, cyber security vulnerabilities creep in.

ECDIS are increasingly being connected to vessel networks to facilitate online chart updates, integration with other bridge systems and remote maintenance. Security flaws that did not matter so much in the past through a lack of connectivity are now becoming very important.

Even having dual redundant ECDIS on the bridge is no guarantee of availability: during research we discovered similar security flaws on multiple ECDIS brands. A hacker would have little difficulty in compromising both.

An operating system is the most important software that runs on a computer. It manages the computer’s memory and processes, as well as all of its software and hardware. It also allows you to communicate with the computer without knowing how to speak the computer’s language. Without an operating system, a computer is useless. A main task for the OS is that several different computer programs running at the same time all need to access the computer’s central processing unit (CPU), memory, and storage. The operating system coordinates all of this to make sure each program gets what it needs.

Operating systems usually come pre-loaded on any computer you buy. This is the same for a ships computer.

Most people use the operating system that comes with their computer, but it’s possible to upgrade or even change operating systems. The three most popular and used operating systems for personal computers are Microsoft Windows, Mac OS X, and Linux. Modern operating systems use a graphical user interface or GUI). A GUI lets you use your mouse to click icons, buttons, and menus, and everything is clearly displayed on the screen using a combination of graphics and text. Remember your phone will also use an Operating System but mobile devices generally aren’t as fully featured as those made for desktop and laptop computers, and they aren’t able to run all of the same software. However, you can still do a lot of things with them, like watch movies, browse the Web, manage your calendar, and play games.

It is important to note that for explanation purposes this module is focused on the Bridge.  This is purely as an example of an `isolated` area.  However, as we saw at the begging on this course there are many departments on board from Passenger management to Cargo depending on the type of vessel you are on.  The concept remains the same though, each department must be assessed and procedures documented for Cyber.  This module concentrates on the bridge but it is strongly advised that the module is repeated when considering each other department.