**EXERCISE NEPTUNE: MARITIME CYBERSECURITY TRAINING USING THE NAVIGATIONAL
SIMULATORS**

Authors: Kieren Nicolas Lovell, Dan Heering Tallinn University of
Technology kieren.lovell@taltech.ee, dan.heering@taltech.ee

INTRODUCTION

The maritime industry is the backbone of the global economy. In 2017 the
volumes of cargo that was transported with the ships around the world
reached 10.7 billion tons (Asariotis et al. 2018). During 2017 the global
tonnage has increased by 42 million gross tons, which is equivalent to a
3.3 percent growth rate. In January 2018, the world fleet reached a
carrying capacity of 1.9 billion dead-weight tons (dwt). In light of these
numbers, the importance of maritime transportation cannot be
overemphasized.

The maritime industry has entered the new digital era of its evolution.
New technological developments allow shipowners to operate the ships more
safely and securely, optimize the sailing routes and save fuel. Smart
shipping solutions are supporting crews and are improving the performance
of the fleets. One of the biggest changes has also been the rollout of the
internet connection onboard ships. The Maritime Labour Convention
recommends that reasonable access to ship-to-shore telephone
communications, email and internet facilities should be available to
seafarers, with any charges for the use of these services being reasonable
in amount (International Labour Organization 2006).

According to the findings of the survey carried out by the Nautilus
International, the union for maritime professionals, seafarers are
increasingly making employment choices based on the availability of
internet access (Nautilus International 2017). Nearly two-thirds of
respondents said that they would consider changing the shipping company if
it provided better onboard connectivity. The survey included 1,125 people
from the UK, 665 from the Netherlands and as well as representatives of 18
companies giving the total sample size of nearly 2,000.

With continuous access to internet resources, social media, and emails,
the seafarers, ships, and shipowners have become targets for motivated
cybercriminals. In general, there are two categories of cyber attacks,
which may affect companies and ships: untargeted and targeted (BIMCO et
al. 2018). Targeted attacks are more sophisticated and can include the
tools and techniques which are specifically created for targeted shipping
companies or ships. These tools and techniques may include distributed
denial of service (DDoS) attacks, spear-phishing, subverting the supply
chain, social engineering, impersonating a legitimate employee and others.
The Port of Antwerp case in 2011 has shown that the collaboration of
organized criminals and cybercriminals can lead to dangerous consequences
for the community and the ports (Bateman 2013).

Untargeted attacks are likely to occur due to the employment of tools and
techniques available on the internet (scanning, water holing, phishing,
malware, etc.). These types of cyber attacks may cause costly collateral
damage for the shipping companies. In June 2017 the worlds largest
container shipping company, A.P. Mller-Maersk was one of the companies
which was hit by the malware NotPetya (Greenberg 2018).

This paper gives an overview of the exercise developed and carried out in
June 2018 at a Cyber Security Summer School, which was organized by
Tallinn University of Technology (TalTech). The novelty of this paper is
to present a different approach to cybersecurity-related education and
training of the seafarers and to point out the threats that emerge from
the lack of cybersecurity awareness and cyber hygiene training, and the
misuse of social media at sea. All participants were MSc and PhD students.

METHODOLOGY

Simulator-based training is one of the key factors in maritime education
and training (MET) institutions (Sellberg 2017). The environment created
with the simulators allows the cadets to practice the skills and
competencies that are needed for their future jobs. Navigational
simulators also allow putting the cadets and seafarers in situations and
conditions they would normally not encounter during their service at sea.
Failures occurring in the simulated environment are incomparable to
consequences on the real ship.

TalTech Estonian Maritime Academy has a modern Simulator Centre with the
navigational, maritime communication, engine room, refrigeration training,
marine pollution control, and other simulators. The navigational
simulator consists of four bridge simulators imitating the sailing of an
actual ship.

Exercise Neptune was developed to test the security of the legacy systems
within the maritime navigational systems and to gather intelligence data
of the real target ships sailing at sea during the time of the exercise
and look for the possible cyber attack vectors (open-source intelligence
(OSINT) exercise) (Rajamki, Sarlio-Siintola, and Simola 2018).

The equipment and tools used during the simulator exercise:

4 Transas bridge simulators (Navi-Trainer Professional Simulator NTPRO
5000) 8 laptops with Windows 10 and PC-based chart plotter software Sea
Clear II Wireless network without access to the internet

The participants were divided into two divisions, four ships in each.
Each group or ship received a laptop with preinstalled Sea Clear II
software.

The aim of the Exercise Neptune is to simulate a threat aggressor in the
closest possible way to a realistic terrorist-type group. The easiest way
to achieve this is to place the students into a cause. In this case, a
civil war within Estonia was simulated, with two major factions having
been formed. The reason for this kind of scenario is to take the
participants out of their comfort zones and to get them to focus on their
enemy and the purpose, but in a way where they work closely with other
teams, making them exchange data securely and advancing their OSINT
posture to the whole collective picture.

It is simulated to originally place the teams against each other. As the
exercise plays out, it forces the teams to come together into one task
force. This achieves two objectives. First, to create a highly focused
team that is working on a number of ways to exploit the OSINT data and
the vulnerabilities that they have assessed in the system and then bring
that together in one attack plan. When they exchange their data and
results with others, it provides the creativity required to exchange
their ideas, to adapt and make their respective attacks achievable. This
is aided by the Gamemaster making the exercise a high tempo environment,
rather than just a game.

In placing constant deadlines, the participants quickly gain the Command,
Control and Communication (C3) posture that would normally be present
within a state or organized threat actor within a very short timeframe.
This is required to understand what the threat landscape really is like.
This methodology, while unorthodox, manages to create the results faster
than traditional exercises and produces the work ethic normally found in
groups that are fighting for a cause. This is an online version of the
methodology used in Royal Navy workups during the Flag Officer Sea
Training (FOST) training (Soeters, van Fenema, and Beeres 2010). First,
focus on your department, then your ship, then on your task force, and
then at the end, within the whole task group.

RESULTS

The results of the simulator exercise show that the divisions were
successful in developing cyber attacks against the opposing ships. They
were able to breach the Electronic Chart Display and Information Systems
(alter the course, manipulate with the chart data), interfere with the
Automatic Identification System (AIS) data and compromise the Global
Maritime Distress and Safety System (GMDSS).

As a result of the OSINT exercise:

The teams were able to get hold of 7536 usernames and passwords used by
the employees and crews of NATO warships. NATO ships could be tracked
using SNAPMAP, Twitter, Facebook, and other social media sites. Daily
orders and confidential orders were found on Twitter in photos. FITBIT
was being utilized by operational troops in exercise areas. Webcams in
ports were utilized to use as intelligence gathering assets (no usernames
and passwords were in place). Public relation departments were just as
much to blame as individual sailors for their recklessness. It was
recognized that mandatory policies are not being enforced.

CONCLUSION

The results of the exercise provided two major learning outcomes. One is
that the digital footprint placed by individual seafarers is impacting
the whole landscape. All of these individuals are only performing small
breaches of data, but when you merge this with the collective
intelligence, it provides a full tactical picture that can be then
further exploited to provide a full strategic overview of their
objectives.

This suggests that the way this needs to be taught to seafarers and the
maritime industry is in the same way, by demonstrating what the real
results are within a real environment. In this way, we take the
ownership of IT security from the hands of the IT security specialist
and into where it should be, everyone's responsibility within any
organisation as a whole. The maritime environment is different from a
traditional office; it cannot have the same cyber hygiene approach that
is used in this situation, as the threats and approaches are not the
same.

It also proves that the hardware used for mission critical services
(navigation, emergency communication, engine room software, etc.) can be
easily exploited. These exploits, when merged with traditional
intelligence gathering and OSINT profiling techniques, provide perfect
injection points in where these exploits can be actioned.

In further discussions with the maritime industry, it also found that,
like any other organisation, the responsibility for security positions is
held across multiple silos. For example, the responsibility of GMDSS
security is not held by the same person who is responsible for desktop
security. This means that there are holes in the whole process. This can
only be achieved by a unification of the security posture, and ownership
of the threats will be taken as one, in respect to the overall risk.

FURTHER RESEARCH

With the results from this exercise, the question is no longer are ships
exploitable but more how can we mitigate this threat when it happens,
and in a way that the maritime industry can cope with this. Maritime
industry can handle flood, fire, engine room and steering gear failures
very well. More research is needed to develop bridge and operational
procedures (kill cards) that help ship crews to identify possible cyber
threats when they happen, and indicate what initial actions are required.

Crews need to know how to escalate it to the correct authorities, and to
other units in the area. More importantly, we see the need for
establishing the drills that are required to make sure that a crews
conduct during an attack in question aids the safety of the ship, and do
not hinder the situation, and that they all understand what is going on.
With this in question, the research that is required is placing the
competent crews within the bridge simulator, arranging possible cyber
attacks and following the reactions of the participants. By repeating the
exercises within high threat situations, the results will provide a good
framework for establishing a good safety net for the shipping industry.
It allows providing a more secure approach to cyber attacks for one of
the most important industries.

KEYWORDS

Cybersecurity, Navigation, OSINT, Simulator, GMDSS.

REFERENCES

[1] R. Asariotis et al., Review of Maritime Transport 2018, UNCTAD,
2018. Available:
https://unctad.org/en/PublicationsLibrary/rmt2018_en.pdf

[2] T. Bateman, Police warning after drug traffickers cyber-attack, BBC
News Europe, Oct. 2013. Available:
https://www.bbc.com/news/world-europe-24539417

[3] BIMCO et al., The Guidelines on Cyber Security Onboard Ships, BIMCO,
2018. Available:
https://www.bimco.org/products/publications/free/cyber-security

[4] A. Greenberg, The untold story of NotPetya, the most devastating
cyberattack in history, Wired, 2018. Available:
https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-
crashed-the-world/

[5] International Labour Organization, Maritime Labour Convention, 2006,
as Amended (MLC, 2006), ILO, 2006. Available:
https://www.ilo.org/dyn/normlex/en/f?p=NORMLEXPUB:91:0::NO::P91_SECT
ION:MLCA_AMEND_A3

[6] Nautilus International, An Investigation into Connectivity at Sea,
Nautilus, 2017. Available:
https://www.nautilusint.org/en/news-insight/resources/nautilus-reports
/connectivity-at-sea-whitepaper/

[7] J. Rajamki, S. Sarlio-Siintola, and J. Simola, The Ethics of Open
Source Intelligence Applied by Maritime Law Enforcement Authorities, in
European Conference on Information Warfare and Security, 2018.

[8] C. Sellberg, Simulators in Bridge Operations Training and Assessment:
A Systematic Review and Qualitative Synthesis, WMU Journal of Maritime
Affairs, 2017.

[9] J. Soeters, P. van Fenema, and R. Beeres, Managing Military
Organizations: Theory and Practice, Routledge, 2010.