1 INTRODUCTION
Cybersecurity vulnerabilities, exploits, and threats are on the rise across all critical infrastructure sectors, particularly transportation. In previous work, the authors proposed a graph-based, communications-oriented framework and taxonomy with which to create adversarial models, risk mitigation, and resiliency plans for the aviation sector (Haass, Craiger, & Kessler, 2018). We propose to apply this framework and taxonomy to maritime systems in order to demonstrate the general applicability of the methodology.
There are many analogues between the aviation and maritime transportation sectors; whereas aviation has airport operations, air traffic control, airline operations, aircraft operations, and unmanned aircraft systems, maritime has port operations, vessel traffic services (VTS), shipping line operations, vessel operations, and unmanned maritime systems, respectively. Both sectors have manufacturing, cargo and passenger transport, and handoffs of passengers and cargo to other modes of transportation. Both have a broad variety of users, including commercial, military, individual, corporate, and public sector craft. And both are subject to attack by a variety of cyber actors, ranging from criminals and hacktivists, to spies, terrorists, and information warriors. Indeed, there are similarities to other transportation sectors (e.g., trucking and railroads), as well as other critical infrastructure sectors.
Numerous maritime-specific communications systems are used for navigation, ship-to-ship and ship-to-shore information exchange, vessel management and control, cargo scheduling and management, passenger entertainment, and safety. Most of these systems were created without cybersecurity in mind and well before the widespread cyberattacks that are now so common on the Internet. From maritime automated navigation systems and the Automatic Identification System (AIS) to Global Navigation Satellite Systems (GNSS) and the Long Range Identification and Tracking (LRIT) network, it is clear that it is important to design, deploy, and maintain critical maritime systems with appropriate adversarial models, risk frameworks, and resiliency plans (Kessler, 2019).

A Taxonomy Framework for Maritime Cybersecurity: A Demonstration Using the Automatic Identification System

G.C. Kessler, J.P. Craiger
Embry-Riddle Aeronautical University, Daytona Beach, FL, United States
J.C. Haass
Embry-Riddle Aeronautical University, Prescott, AZ, United States

ABSTRACT: The maritime transportation system is increasingly a target of cyberattacks. This paper describes a taxonomy that supports the creation of adversarial cyber models, risk mitigation, and resiliency plans as applied to the maritime industry, using the Automatic Identification System as a specific illustration of the approach. This method has already been applied to the aviation sector; retooling it for a maritime example demonstrates its broad applicability to the transportation sector, in general.

http://www.transnav.eu
the International Journal on Marine Navigation and Safety of Sea Transportation
Volume 12, Number 3, September 2018
DOI: 10.12716/1001.12.03.01

Using a general system-of-systems approach outlined in a review paper by Haass, Sampigethaya, and Capezzuto (2016) and an aviation-specific application of the approach described by Haass et al. (2018), this paper provides a framework for addressing maritime cybersecurity challenges in a systematic fashion, rather than on an isolated and ad hoc system-by-system or protocol-by-protocol basis (Mansouri, Gorod, Wakeman, & Sauser, 2009). Where possible, a system will be isolated and reflected in the decision tree taxonomy. Dependencies and shared assumptions can be expressed with a language useful for the many constituents within the maritime environment. Through the application of this framework, many cybersecurity issues can be addressed, including communication challenges that will be particularly important as unmanned and autonomous systems are incorporated into the shared maritime space (MarEx, 2018; Ridden, 2018).
2 THE MARITIME SYSTEM
The importance of the maritime transportation system (MTS) to the global and national economy cannot be overstated. Globally, roughly 94,000 ships, with an asset value of nearly $1.5 trillion, transport more than $19 trillion of cargo each year, with an annual trade value increase of about 3% (Barki & Délèze-Black, 2017). In the U.S. alone, 53% of imports and 38% of exports are by ship, and maritime represents the largest import/export transportation modality. Furthermore, the U.S. has been the largest importer and second largest exporter of containerized cargo for most of the last decade (World Shipping Council, n.d.). Maritime cargo contributes at least $649 billion annually to the U.S. gross domestic product and supports more than 13 million jobs. The U.S. MTS also includes 25,000 miles of navigable channels, more than 360 ports, at least 3700 marine terminals, and more than 12 million recreational boats (DOT, n.d.).
Figure 1. Components and communication pathways within the AIS system, and dependencies upon the Global Navigation Satellite System and Radio Frequency (RF) Network.
The global maritime system -- including all civilian, commercial, and military ship traffic -- is actually a system of systems. Each system can be described as a set of components and the communication pathways between those components. Of course, one system can also be seen as having dependencies upon other systems as all of the systems intercommunicate (Figure 1).
There are many communications systems used within the MTS including all of the data networking at ports, on board ships, within a shipping line, between supply chain partners, and more. Communications within and between systems are dependent upon protocols whose behavior will be dictated by the specific system. Vulnerability analysis requires recognition of the uniqueness of each system and application, and needs to include the examination of all types of disruption ranging from weather to hostile actions; this is known as the all-hazards approach. This categorization distinguishes vulnerabilities that impact only cyber systems (e.g., data, information, and communication) from those that include cyber-physical threats (e.g., control, navigation, or other systems) (Roberts, 2015; Serpanos, 2018). Indeed, this categorization also allows us to distinguish between vulnerabilities that we can control or mitigate (e.g., attacks by people) and those that we cannot control (e.g., nature, weather, stochastic failure).
An individual ship is itself a complex cyber-physical network node with a large variety of communication systems for crew, passengers, external sources, and internal operations, including:
- Bridge Navigation Systems (e.g., GPS, Electronic Chart Display and Information System [ECDIS], AIS, LRIT)
- External Communication Systems (e.g., satellite communications, FleetBroadband, Internet)
- Mechanical Systems (e.g., main engine, auxiliary engine, steering control, ballast management)
- Ship Monitoring and Security Systems (e.g., closed-circuit television, Ship Security Alert System [SSAS], access control systems, sensors)
- Cargo Handling Systems (e.g., valve remote control systems, level/pressure monitoring systems)
- Other specialized networks (e.g., Combat Command & Control Systems on warships, Entertainment Systems and Point-Of-Sale terminals on passenger vessels; Vessel Management Systems on commercial fishing vessels)
Ship electronics, sensors, and actuators are all integrated within the communication systems listed above. Internet-of-Things (IoT) devices will become increasingly ubiquitous as smart ships and smart ports evolve. The huge amount of information gathered by Vessel Data Recorders (VDR) demonstrates the complexity and number of critical components that a cybersecurity taxonomy must address when considering event logging or cybersecurity incidents.
The proposed framework supports the assignment of types of vulnerabilities, attacks, and exploits with their potential disruptive effects, ranging from critical (e.g., vessel stability and safety) to minor (e.g., reduction in entertainment or service quality). Cyber components include the core software, computing, and network infrastructure of the ship itself, together with additional shipping line-specific software systems. Additionally, GPS, ECDIS, AIS, and other systems include real-time updates while underway, and can include different nodes as the vessel crosses global boundaries.
An adversary can be thought of as another part -- albeit a malicious one -- of the system of systems. An actor is malicious if they attempt to modify, subvert, or in any other way cause the cyber or cyber-physical system to behave beyond the limits of its intended operation. For purposes of the remainder of this paper, we will explore AIS in some detail as an example of the application of this analysis.
3 AIS BACKGROUND
The Automatic Identification System is a tracking system that allows a vessel to view local marine traffic (i.e., within 10-20 nautical miles) and to be seen by other nearby ships or AIS equipment installations. AIS was originally designed so that a ship fitted with an appropriate chartplotter could view the local traffic and quickly determine any given ship's name, unique International Maritime Organization (IMO) registration number, size (i.e., length, beam, draft, and gross tonnage), position (latitude and longitude), course, bearing, destination, status (e.g., anchored, docked, underway under power, etc.), and other information (Figure 2). More recently, many Web sites collect and aggregate AIS information and have created a database so that anyone can look up information about any AIS-equipped vessel in near real-time (Figure 3).
Figure 2. Chartplotter display including AIS data, showing ships in the local area (from https://www.navcen.uscg.gov/images/WhatYouSeeWithAIS.jpg).
AIS was introduced in the 2002 International Convention for the Safety of Life at Sea (SOLAS). Chapter V of the SOLAS agreement, titled "Safety of Navigation," mandates that ships of a certain size and/or function carry AIS transceivers as an additional safety measure (IMO, 2002). Ships in U.S. waters generally fall under U.S. Coast Guard (USCG) regulations; 33 CFR 164.46 defines AIS requirements, which include all vessels of 1600 or more gross tons, commercial power vessels 65 or more feet (19.8 meters) in length, and a power vessel certified to carry more than 150 passengers; warships are exempted from AIS requirements although all modern warships carry AIS (USCG, 2018).
A key component of AIS is the use of precise positioning technology. AIS does not specify -- nor does it depend upon -- which GNSS is employed; AIS merely broadcasts a position using a feed from the ship's navigation and positioning system. That said, any cybersecurity vulnerabilities in the vessel's GNSS will affect the precision of the AIS transmissions regarding location. GNSS vulnerabilities, particularly those related to GPS, are integral to AIS vulnerabilities but will not be specifically addressed in this paper (except as they affect AIS) (Czaplewski & Goward, 2016).
Figure 3. AIS information from a Web aggregator (screen shot from http://www.findship.co).
AIS communications protocols are described in International Telecommunication Union Radiocommunication sector (ITU-R) Recommendations M.585-7 and M.1371-5 (ITU, 2014, 2015). AIS employs a shared radiocommunication channel using a form of time-division multiple access (TDMA). Time on the radio channel is divided into 2,250 slots per minute so that each slot has a duration of 26.67 milliseconds. The protocol defines how AIS stations stay in synchronization so that they do not overlap their transmissions and advertise when they will be transmitting next. New AIS stations, such as those on a ship coming within radio range close to other ships, can also be added to the lineup of transmitters on the channel (Wikipedia, 2018).
SOLAS-compliant Class A AIS transponders employ a Self-Organizing TDMA (SOTDMA) broadcast mode, transmitting information every 2 to 10 seconds while underway[1] and every three minutes while at anchor; these transponders can also transmit and receive safety-related text messages. Less expensive Class B AIS transponders employ a Carrier Sense TDMA (CSTDMA) broadcast mode, transmitting dynamic information (e.g., position, course, and speed) every 30-180 seconds, static data (e.g., vessel name and IMO number) every six minutes, and, optionally, safety-related text messages (Shine Micro, n.d.; Wikipedia, 2018).
[1] The rate of transmission is dependent upon the ship's speed and whether they are changing course or not; faster and/or maneuvering vessels transmit more frequently than slower vessels that are on a steady course.
AIS messages are formatted according to the National Marine Electronics Association (NMEA) 0183 serial communications protocol standard and are referred to as sentences. The two common AIS sentences are !AIVDM (data received from other vessels) and !AIVDO (vessel's transmitted information). There are just over two dozen AIS message types. At a data rate of 9600 bits/sec, messages are limited to 256 bits of information per time slot. AIS employs maritime very high frequency (VHF) channels 87B (161.975 MHz) and 88B (162.025 MHz) (Raymond, 2016; Wikipedia, 2018).
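
As an added illustration (not code from the paper), the Python example below decodes a single-fragment !AIVDM position report: it verifies the NMEA 0183 checksum, unpacks the 6-bit payload, and reads the fields of message types 1-3. The function names and the embedded sample sentence are this example's own; note that the checksum only catches transmission errors and that no field identifies or authenticates the sender.

```python
from typing import Dict

# Sample Class A position report (message type 1), embedded so the example runs offline.
SAMPLE = "!AIVDM,1,1,,B,177KQJ5000G?tO`K>RA1wUbN0TKH,0*5C"


def nmea_checksum(body: str) -> int:
    """XOR of every character between '!' and '*'; an error check, not a security control."""
    value = 0
    for ch in body:
        value ^= ord(ch)
    return value


def dearmor(payload: str, fill_bits: int) -> str:
    """Expand the 6-bit ASCII-armoured payload into a string of '0'/'1' characters."""
    bits = []
    for ch in payload:
        code = ord(ch)
        if 48 <= code <= 87:        # '0'..'W' carry values 0..39
            value = code - 48
        elif 96 <= code <= 119:     # '`'..'w' carry values 40..63
            value = code - 56
        else:
            raise ValueError(f"invalid payload character {ch!r}")
        bits.append(format(value, "06b"))
    joined = "".join(bits)
    return joined[: len(joined) - fill_bits]


def _unsigned(bits: str, start: int, length: int) -> int:
    return int(bits[start:start + length], 2)


def _signed(bits: str, start: int, length: int) -> int:
    raw = _unsigned(bits, start, length)
    return raw - (1 << length) if raw >= 1 << (length - 1) else raw


def decode_position_report(sentence: str) -> Dict[str, object]:
    """Decode one !AIVDM/!AIVDO sentence carrying a type 1, 2 or 3 position report."""
    text = sentence.strip()
    if not text.startswith("!") or "*" not in text:
        raise ValueError("not an encapsulated NMEA 0183 sentence")
    body, _, given = text[1:].partition("*")
    if len(given) < 2 or nmea_checksum(body) != int(given[:2], 16):
        raise ValueError("checksum mismatch")
    fields = body.split(",")
    if len(fields) != 7 or fields[0] not in ("AIVDM", "AIVDO"):
        raise ValueError("unexpected sentence layout")
    if fields[1] != "1":
        raise ValueError("multi-fragment messages are not handled in this example")
    bits = dearmor(fields[5], int(fields[6]))
    msg_type = _unsigned(bits, 0, 6)
    if len(bits) < 168 or msg_type not in (1, 2, 3):
        raise ValueError("not a Class A position report (types 1-3)")
    sog, cog = _unsigned(bits, 50, 10), _unsigned(bits, 116, 12)
    lon, lat = _signed(bits, 61, 28), _signed(bits, 89, 27)
    # Everything below is taken at face value from the broadcast: the MMSI is
    # whatever the transmitter chose to send, and nothing binds it to a sender.
    return {
        "direction": "received" if fields[0] == "AIVDM" else "own vessel",
        "msg_type": msg_type,
        "mmsi": _unsigned(bits, 8, 30),
        "nav_status": _unsigned(bits, 38, 4),
        "sog_kn": None if sog == 1023 else sog / 10.0,           # 1023 = not available
        "lon": None if lon == 181 * 600000 else lon / 600000.0,  # 181 deg = not available
        "lat": None if lat == 91 * 600000 else lat / 600000.0,   # 91 deg = not available
        "cog_deg": None if cog == 3600 else cog / 10.0,          # 3600 = not available
    }


if __name__ == "__main__":
    for key, value in decode_position_report(SAMPLE).items():
        print(f"{key:10} {value}")
```
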
4 SECURITY CONCERNS
AIS improves vessel traffic management and safety through increased situational awareness. AIS messages, however, are transmitted in plaintext, which introduces a potential security risk since these unencrypted AIS messages can be read by anyone with a receiver. Add to this the Web sites with instructions for building AIS receivers using inexpensive hardware[2] and open source software[3], and it is clear that AIS is vulnerable to a variety of exploits.
Attacks on AIS, and information in general, can affect the information's confidentiality, integrity, and availability (the so-called CIA Triad) as well as three other characteristics, namely, possession, authenticity, and utility; these six together are sometimes called the Parkerian Hexad (Parker, 2015):
- Confidentiality refers to protecting information from unauthorized access or disclosure.
- Integrity refers to the state of information being free from inadvertent or deliberate manipulation.
- Availability refers to the users' ability to access information when needed.
- Possession (or control) refers to the loss of data by the authorized user (even if the "thief" cannot access the data).
- Authenticity (aka authentication) refers to being able to prove the identity of the sender of information.
- Utility refers to the usefulness of the data to the user (e.g., possessing encrypted data without a decryption key or receiving a message to do something after the date when the action is required are examples of low utility).
Plaintext messages have long been a security vulnerability in the storage of data on computers and transmission of data on networks. Various types of protections have been implemented in order to protect information and information systems from attacks on all elements of the Parkerian hexad. Cryptography plays a particularly key role in protecting the confidentiality, integrity, and authenticity of information. In its most simple form, the process of creating encrypted ciphertext requires the original unencrypted plaintext message, an encryption algorithm, and a key (or, sometimes, two keys). Secret key cryptographic protocols protect data confidentiality because ciphertext is unreadable as long as the key required to decrypt the message remains secret. One-way cryptographic hashes are used to verify the integrity of a message, using a mathematical algorithm that provides a digital fingerprint of the message; changing even one bit in a message will cause the hash value to change, indicating that the content of the message has changed. Message authentication codes (MAC) use a shared secret key and can be used to verify the integrity of a message, as well as providing authentication, verifying the identity of the message sender. Authentication can also be provided using public key cryptographic methods (Kessler, 2018).
[2] E.g., https://www.partmarine.com/blog/wireless_ais_howto
[3] E.g., https://opencpn.org
The AIS protocols provide no internal mechanism for message integrity and encryption. While some AIS products have the ability to transmit and receive using an encryption mode, the methods are proprietary and are designed to allow a "fleet" of ships to see each other but not be seen outside of the encrypted group. Indeed, the U.S. Coast Guard has described Encrypted AIS (EAIS) for military and law enforcement purposes, although products implementing that specification are not generally available to civilian classes of vessels (USCG, 2014).
AIS was designed to assist vessels in situational awareness by providing them knowledge of maritime traffic beyond their ability to visualize it and beyond the capability of traditional radar. By the nature of AIS broadcasts, then, a lot of information can be received by anyone who just wants to know what is going on in their proximity, which might include individuals with nefarious intent such as pirates, terrorists, or other criminal actors. But this level of information leakage is nothing compared to aggregation sites that broadcast on the Web the location of thousands of ships around the globe, such as FindShip, MarineTraffic, VesselFinder, Vesseltracker, and many more. The IMO Maritime Safety Committee warned about the dangers of this information leakage as far back as 2004, noting that "the publication on the worldwide web... of AIS data transmitted by ships could be detrimental to the safety and security of ships and port facilities and was undermining the efforts of the Organization and its Member States to enhance the safety of navigation and security in the international maritime transport sector" (IMO, 2018, para. 1).
5 THREAT ASSESSMENTS
There are a variety of approaches to examining the security threat landscape in any system. We will examine several here and apply them to AIS. Figure 4 provides a graphical overview of AIS components, communication pathways, and threat vectors. In this description, each component -- including bad actors -- is shown along with communication links composed of valid messages, software-based threats, and radio frequency-based threats. This is similar to the approach taken by graph theory, which identifies the communicating elements and the communication links (Boukhtouta, Mouheb, Debbabi, Alfandi, Iqbal, & El Barachi, 2015).
Figure 4. AIS components, communication pathways, and attack vectors (modified from Balduzzi, Wilhoit, & Pasta, 2014).
As mentioned earlier in the paper, there are lessons that the various transportation sectors can learn from each other in terms of cybersecurity. A great deal of work has gone into studying security vulnerabilities of Automatic Dependent Surveillance-Broadcast (ADS-B), a system for providing aircraft in flight with the same situational awareness as AIS provides ships at sea. It has been instructive to see how some of the ADS-B security literature applies to the maritime domain.
Based upon a threat assessment model for ADS-B described by Gauthier and Seker (2018), we can identify three primary types of intentional, human-initiated cyberattacks on AIS:
- Disruption of GPS[4] signals
- Jamming of the wireless communications
- Manipulation of AIS transmissions
This perspective is very much in line with the system of systems approach; each of the three main categories actually represents a different system that must be secured in order to secure AIS; namely, GNSS or other positioning systems, radiocommunication propagation paths, and AIS transceivers. We can further subdivide the AIS category above into:
- Message injection (spoofing)
- Message deletion (denial-of-service)
- Message modification (alteration of message contents; data diddling)
Strohmeier et al. (2015) identified five primary threat categories to ADS-B that can also apply to AIS; the first is a passive attack and the remaining are active attacks:
- Eavesdropping is a simple, passive attack that can be easily accomplished since AIS is, by definition, a broadcast radio system. Furthermore, messages are generally transmitted in an unencrypted state.
- Jamming can occur at either the ground station level or the vessel level, and can include an attack accomplished by jamming radio signals or a denial-of-service attack making AIS transmission slots unavailable.
- Message injection involves inserting spurious messages into the vessel traffic communication system. This is possible because AIS messages are unencrypted and the source of the message is not authenticated.
- Message deletion is accomplished through destructive or constructive interference, the latter of which is accomplished by producing a significant number of bit errors in the message, causing the receiving party to drop the message due to data corruption.
- Message modification is initiated by altering a message's bit stream, generally by bit flipping (i.e., changing a 0 to a 1 or a 1 to a 0) or overshadowing (i.e., using a high-power transmission source to overwrite part of, or an entire, target message).
[4] Any reference to GPS also applies to any GNSS.
In an effort to apply these two approaches, plus the Parkerian Hexad described earlier, we need to identify some specific potential information security vulnerabilities in AIS. Combining attack descriptions from a variety of sources (including Balduzzi et al., 2014; Gauthier & Seker, 2018; Purton, Abbass, & Alam, 2010; and Strohmeier, Lenders, & Martinovic, 2015), we can identify the following cyber threats to AIS:
1 GPS signal jamming
2 GPS device failure or poor quality transmissions
3 AIS device powered down
4 AIS device malfunction
5 AIS programming error
6 AIS radio channel jamming
7 AIS radio transmission bit errors
8 AIS vessel spoofing
9 AIS traffic eavesdropping
10 AIS system flooding
11 Ghost vessel
12 Closest Point of Approach/AIS Search and Rescue Transponder (CPA/AIS-SART) spoofing
13 Vessel disappearance
14 Aids to Navigation (AtoN) spoofing
15 Data diddling
16 Weather forecast spoofing
Table 1 summarizes these cyber threats to AIS and classifies them according to the Parkerian Hexad vulnerability, and using the systems approach and categories described above.
Table 1 suggests that while the Parkerian Hexad provides a useful way to generally categorize the impact of vulnerabilities, it is not useful in describing specific threat vectors and vulnerabilities in given cyber systems. This said, this table does seem to suggest that there are more threats to integrity and authenticity than to availability, which is not surprising given the lack of integrity and authentication checks in AIS. We also see that models that focus only on human-initiated attacks are not sufficient to describe the suite of threats to information within a given system.
Table 1. AIS Cyber Risk Summary Using Descriptors from the Parkerian Hexad (Parker, 2015), Systems Approach (Gauthier & Seker, 2018), and Threat Category Approach (Strohmeier et al., 2015).
________________________________________________________________________________________________________________________
Attack                         Parkerian Hexad                                 Systems            Threat Category
________________________________________________________________________________________________________________________
GPS jamming                    Availability                                    GPS/Jamming        Jamming
GPS failure/poor transmission  Availability                                    GPS                (nature, installation)
AIS device off                 Availability                                    (human error)      (human error)
AIS malfunction                Availability                                    (nature)           (nature)
AIS bad data                   Integrity, Availability, Utility                (human error)      (human error)
AIS jamming                    Availability                                    Jamming            Jamming
AIS bit errors                 Availability                                    (nature)           (nature)
Vessel spoofing                Integrity, Authenticity                         Msg. injection     Msg. injection
Eavesdropping                  Confidentiality, Authenticity                   n/a                Eavesdropping
Flooding                       Availability                                    Msg. injection     Msg. injection
Ghost vessel                   Integrity, Authenticity, Utility                Msg. injection     Msg. injection
CPA/AIS-SART spoofing          Integrity, Authenticity, Utility                Msg. injection     Msg. injection
Disappearance                  Integrity, Availability                         Msg. deletion      Msg. deletion
AtoN spoofing                  Integrity, Authenticity, Utility                Msg. injection     Msg. injection
Data diddling                  Integrity, Availability, Authenticity, Utility  Msg. modification  Msg. modification
Weather spoofing               Integrity, Authenticity, Utility                Msg. injection     Msg. injection
________________________________________________________________________________________________________________________
Table 1 also suggests that while the "systems of systems" method is an inviting approach to understanding the vulnerabilities in the system in question -- here, AIS -- it does not necessarily help in the defense of that system. In particular, an AIS device vendor or software designer must be aware of AIS dependencies on GPS and radio frequency (RF) vulnerabilities but, in fact, cannot do anything to control them. As an example, AIS will fail if someone turns off the GPS receiver yet no AIS protections can defend against that eventuality. Indeed, if we were to analyze every GPS and radio transmission vulnerability in order to understand AIS, we would have to consider additional systems' vulnerabilities as they might impact GPS and radio. Ultimately, someone designing AIS equipment has to be aware of the dependency on GPS, for example, and may even put in some mechanisms to test the integrity of the GPS feed, but cannot protect AIS from all of the problems that GPS might have.
6 RISK ASSESSMENT AND MANAGEMENT
The threats identified above include intentional attacks from human bad actors as well as errors due to natural causes. In order to prepare appropriate risk management plans, a proper risk assessment must be performed. Common risk management analysis for information systems includes accounting for natural threats or hazards (e.g., hurricanes, floods, and blizzards) as well as equipment failure. This all-hazards approach speaks to the fact that a natural disaster is as devastating as a deliberate attack but, from the perspective of initial response, all that matters is the immediate impact of an event rather than the actual attack vector.
Identifying vulnerabilities is only the first step in building a cyber defense and understanding the true potential impact of these vulnerabilities. Not all vulnerabilities are equally exploitable or likely; therefore, a risk assessment must be conducted on each vulnerability so that one can determine how to manage these risks. Unless clear quantitative measures are available, a qualitative approach is commonly employed to describe such characteristics as a vulnerability's likelihood of exploit, severity should the exploit be realized, ease of attack, and whether it is a human-initiated attack (including human error) or a natural hazard (Table 2). Note that these categorizations are relative to the AIS system rather than the vessel itself; i.e., a vulnerability that is critical to AIS is bad news for the ship but, by itself, not critical to its operation.
Table 2. Risk Management Approach.
_________________________________________________________________
Attack                         Source  Likelihood  Severity  Ease
_________________________________________________________________
GPS jamming                    A       4           2         3
GPS failure/poor transmission  H       3           3         n/a
AIS device off                 A       4           1         1
AIS malfunction                H       5           1         n/a
AIS bad data                   A       3           3         1
AIS jamming                    A       5           2         3
AIS bit errors                 H       3           3         n/a
Vessel spoofing                A       4           2         2
Eavesdropping                  A       1           4         1
Flooding                       A       4           3         3
Ghost vessel                   A       4           3         3
CPA/AIS-SART spoofing          A       5           2         3
Disappearance                  A       4           2         3
AtoN spoofing                  A       4           2         3
Data diddling                  A       3           2         3
Weather spoofing               A       4           3         3
_________________________________________________________________
Source: A = human-initiated attack, H = natural hazard
Likelihood: 1 = Frequent, 2 = Probable, 3 = Occasional, 4 = Remote, 5 = Unlikely
Severity: 1 = Catastrophic, 2 = Critical, 3 = Marginal, 4 = Negligible
Ease of attack: 1 = Trivial, 2 = Simple, 3 = Difficult, 4 = Very difficult
There are a number of conclusions that can be drawn from Table 2. First, while there are more potential intentional threats than natural hazards, they tend to have about the same likelihood (hazards: =3.67, =1.15; intentional threats: =3.77, =1.01). Second, the most vulnerable attack vectors on AIS are those where data can be inserted into the system; many of these attacks can be realized in software-generated transmissions rather than by attacking the radio frequencies themselves. Third, the most severe attack on AIS is when the AIS receiver is off; at that point, a vessel is driving blind with respect to AIS information. Fourth, the most significant vulnerabilities in AIS affect individual AIS messages rather than the entire AIS system itself. Finally, most of the intentional threats result directly from the fact that AIS messages are neither encrypted nor authenticated, coupled with the lack of integrity checking and bit error correction mechanisms.
Finally, ease of attack is, in some sense, the most difficult to quantify because the feasibility of an attack often depends upon the adversary. An attack that is beyond the means of a "pedestrian" hacker might be well within the cyberattack toolkit of a nation-state. In any case, this table seems to suggest that none of the identified vulnerabilities in AIS are "very difficult" to exploit.
7 FUTURE RESEARCH
Understanding the vulnerabilities of AIS provides a number of ideas about where to shore up the system. There are a variety of directions that might lead to added security in AIS; some of these ideas are borrowed from the aviation industry. Consider:
- Some form of physical (radio transmission) layer authentication. This methodology varies in its difficulty, cost, and scalability, and would require additional AIS software and/or hardware, but would not change the AIS protocol itself (Strohmeier et al., 2015).
- Use of Kalman filtering or other techniques to track relative signal strength of individual ship transmissions in order to detect possible spoofing of that ship by an attacker. The cost and difficulty for such an approach would be low although scalability might be difficult. As above, no new AIS messages would be required (Strohmeier et al., 2015).
- Encrypted AIS (EAIS) has already been proposed (USCG, 2014) and some variants are in limited use for special-purpose fleets. EAIS, however, has limited utility for any vessel outside of the "trusted" group. Using some form of lightweight public key infrastructure (PKI) for AIS communication security, not terribly unlike the use of certificates in the Secure Sockets Layer (SSL) already in widespread use on the Web, could prevent certain types of attacks, such as man-in-the-middle spoofing. The downside to this approach is the high degree of difficulty to design and implement, and likely high cost to deploy widely (Strohmeier et al., 2015).
- An AIS position message contains a ship's latitude, longitude, course (bearing), rate and direction of turn, and speed. The rate at which these messages are transmitted is based upon the vessel's speed and whether it is maneuvering; in any case, a ship will change position by no more than about 230 feet (69 meters) between sequential reports. It should be relatively simple, therefore, for a receiver to predict the sender's approximate location at the next transmission. Predictive AIS has been described by a number of sources as a way to use historic AIS information to predict the path of other vessels (Hexeberg, Flåten, Eriksen, & Brekke, 2017; Last, Bahlke, Hering-Bertram, & Linsen, 2014; Mazzarella, Arguedas, & Vespe, 2015), and these methods are already used for research and practice for additional collision avoidance techniques and better understanding of traffic patterns. But if a station stores the position at just the last transmission, it can predict a range where the sender should be at the next transmission. If the next announced position, or any of the associated message parameters, vary greatly from the prediction, that could indicate an integrity problem. This type of capability would require additional software, but would be relatively simple and inexpensive to deploy, and could be a simple add-on to existing equipment without requiring any change to the AIS protocol.
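
One way to implement the last-position check proposed in the final item above, as an added Python example that is not from the paper: the receiver keeps only the last accepted report per MMSI, dead-reckons where the sender should be, and flags reports that fall outside the predicted range or change speed implausibly. The 69 m margin reuses the paper's figure; the maneuvering slack, speed-step limit, gap limit, class names, MMSI, and sample reports are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

EARTH_RADIUS_M = 6_371_000.0
KNOT_IN_MPS = 0.514444
MARGIN_M = 69.0          # the paper's "about 230 feet (69 meters)", used as fixed slack
MANEUVER_SLACK = 0.5     # assumption: extra slack as a fraction of the predicted run
MAX_SOG_STEP_KN = 10.0   # assumption: largest believable speed change between reports
MAX_GAP_S = 360.0        # assumption: older reports are too stale to predict from


@dataclass
class Report:
    mmsi: int
    t: float        # receive time, seconds
    lat: float
    lon: float
    sog_kn: float   # speed over ground, knots
    cog_deg: float  # course over ground, degrees true


@dataclass
class Verdict:
    status: str                         # "new", "ok", "anomaly" or "reset"
    reason: str = ""
    deviation_m: Optional[float] = None
    allowed_m: Optional[float] = None


def distance_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle (haversine) distance in metres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def dead_reckon(rep: Report, dt_s: float) -> Tuple[float, float]:
    """Project a report forward at constant course and speed (short-range approximation)."""
    run = rep.sog_kn * KNOT_IN_MPS * dt_s
    brg = math.radians(rep.cog_deg)
    dlat = run * math.cos(brg) / EARTH_RADIUS_M
    dlon = run * math.sin(brg) / (EARTH_RADIUS_M * math.cos(math.radians(rep.lat)))
    return rep.lat + math.degrees(dlat), rep.lon + math.degrees(dlon)


class TrackMonitor:
    """Stores only the last accepted report per MMSI, as the text proposes."""

    def __init__(self) -> None:
        self._last: Dict[int, Report] = {}

    def check(self, rep: Report) -> Verdict:
        prev = self._last.get(rep.mmsi)
        if prev is None:
            self._last[rep.mmsi] = rep
            return Verdict("new")
        dt = rep.t - prev.t
        if dt <= 0:
            return Verdict("anomaly", "timestamp not after last accepted report")
        if dt > MAX_GAP_S:
            self._last[rep.mmsi] = rep          # too old to predict from: start over
            return Verdict("reset")
        pred_lat, pred_lon = dead_reckon(prev, dt)
        deviation = distance_m(pred_lat, pred_lon, rep.lat, rep.lon)
        allowed = MARGIN_M + MANEUVER_SLACK * prev.sog_kn * KNOT_IN_MPS * dt
        if deviation > allowed:
            # Rejected reports do not replace the stored one, so a single bogus
            # position cannot drag the reference track away from the real vessel.
            return Verdict("anomaly", "position outside predicted range", deviation, allowed)
        if abs(rep.sog_kn - prev.sog_kn) > MAX_SOG_STEP_KN:
            return Verdict("anomaly", "implausible speed change", deviation, allowed)
        self._last[rep.mmsi] = rep
        return Verdict("ok", "", deviation, allowed)


def demo() -> List[str]:
    """Run constructed reports for one constructed MMSI through the monitor."""
    mon = TrackMonitor()
    r1 = Report(123456789, 0.0, 47.5828, -122.3458, 12.0, 90.0)
    lat2, lon2 = dead_reckon(r1, 6.0)
    r2 = Report(123456789, 6.0, lat2, lon2, 12.0, 90.0)          # consistent with r1
    r3 = Report(123456789, 12.0, lat2 + 0.05, lon2, 12.0, 90.0)  # jumps about 5.5 km north
    lat4, lon4 = dead_reckon(r2, 12.0)
    r4 = Report(123456789, 18.0, lat4, lon4, 12.0, 90.0)         # true track continues
    return [mon.check(r).status for r in (r1, r2, r3, r4)]


if __name__ == "__main__":
    print(demo())
```
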
8 CONCLUSIONS
We have all become more and more dependent upon technology. Many younger mariners do not recall a day at sea without radar, GPS, AIS, ECDIS, and the other myriad data, communication, and navigation systems aboard today's large ships. Indeed, the U.S. Navy stopped teaching celestial navigation in 1996 due to the prevalence of GPS; they brought it back 20 years later most likely due to the susceptibility of GPS to cyber threats (Hrala, 2016). Hardware engineers, software developers, protocol designers, and researchers must maintain awareness of the potential cyber threats and vulnerabilities in all systems that they build and this security awareness must be built in from the beginning of a project. The framework and taxonomy proposed here are small steps that demonstrate that these methods can be employed throughout the transportation sector and, presumably, applied to other critical infrastructures.
The model described here focuses on identifying vulnerabilities in our systems rather than identifying threat actors. A well-known cybersecurity maxim states, "If you know the vulnerabilities (weaknesses), you've got a shot at understanding the threats (the probability that the weaknesses will be exploited, how, and by whom)... But if you focus only on the threats, you're likely to be in trouble" (Johnston, 2018, p. 10). The object lesson is that if you concentrate on who is trying to attack you, you will most likely get it wrong because it is hard to correctly predict threats and, in any case, as suggested above, threats are beyond your control. Vulnerabilities, on the other hand, are easier to identify, particularly if you think like an attacker.
In terms of the improved situational awareness promised by AIS, it is important to realize that while loss of AIS decreases safety in the immediate area, there are many other mechanisms to compensate for its loss, such as radar, radio, increased human lookouts, etc. AIS, then, is an important part of vessel safety but its absence does not cause safety at sea to fall apart. The potentially devastating impact of AIS vulnerabilities would come about if attackers relentlessly exploited the lack of integrity and authentication checking, and bombarded the system with enough bogus messages so as to threaten the very veracity of the system. Indeed, in this latter case, AIS could be viewed as doing more harm than good, and if only a tiny fraction of AIS messages are fake, users will lose confidence in the entire system.
REFERENCES
Balduzzi, M., Wilhoit, K., & Pasta, A. (2014, December). A Security Evaluation of AIS. Trend Micro Research Paper. Retrieved from https://www.trendmicro.com/cloudcontent/us/pdfs/securityintelligence/whitepapers/wpasecurityevaluationofais.pdf
Barki, D., & Délèze-Black, L. (Eds.) (2017). Review of Maritime Transport 2017. United Nations Conference On Trade And Development, UNCTAD/RMT/2017. New York: United Nations. Retrieved from http://unctad.org/en/PublicationsLibrary/rmt2017_en.pdf
Boukhtouta, A., Mouheb, D., Debbabi, M., Alfandi, O., Iqbal, F., & El Barachi, M. (2015). Graph-theoretic characterization of cyber-threat infrastructures. Digital Investigation, 14, S3-S15. Retrieved from https://www.dfrws.org/sites/default/files/sessionfiles/papergraphtheoretic_characterization_of_cyberthreat_infrastructures.pdf
Czaplewski, K., & Goward, D. (2016, June). Global Navigation Satellite Systems Perspectives on Development and Threats to System Operation. TransNav, The International Journal on Marine Navigation and Safety of Sea Transportation, 10(2), 183-192. https://doi.org/10.12716/1001.10.02.01
Gauthier, R., & Seker, R. (2018, January). Addressing Operator Privacy in Automatic Dependent Surveillance-Broadcast (ADS-B). In Proceedings of the 51st Hawaii International Conference on System Sciences (HICSS), Waikoloa Village, HI, USA, pp. 5261.
Haass, J., Craiger, J.P., & Kessler, G.C. (2018). A Framework and Taxonomy for Aviation Cybersecurity. In Proceedings of the 2018 IEEE National Aerospace & Electronics Conference (NAECON) 2018, July 23-26, 2018, Dayton, Ohio. Los Alamitos (CA): IEEE Press.
Haass, J.C., Sampigethaya, K., & Capezzuto, V. (2016, July). Aviation Cybersecurity: Opportunities for Applied Research. Transportation Research Board TR News Magazine, (304) 39-43.
Hexeberg, S., Flåten, A.L., Eriksen, B.H., & Brekke, E.F. (2017). AIS-Based Vessel Trajectory Prediction. In Proceedings of the 2017 20th International Conference on Information Fusion (Fusion), Xi'an, pp. 1-8. https://doi.org/10.23919/ICIF.2017.8009762
Hrala, J. (2016, February 12). The Scary, Practical Reason The US Navy Is Once Again Teaching Celestial Navigation. Science Alert Web site. Retrieved from https://www.sciencealert.com/thescarypracticalreasonthenavyisonceagainteachingcelestialnavigation
International Maritime Organization (IMO). (2002, July 1). International Convention for the Safety of Life at Sea (SOLAS), Chapter V (Safety of Navigation), Regulation 19 (Carriage requirements for shipborne navigational systems and equipment). Retrieved from https://mcanet.mcga.gov.uk/public/c4/solas/index.html
International Maritime Organization (IMO). (2018). Maritime Security-AIS Ship Data. AIS Transponders Web page. Retrieved from http://www.imo.org/en/OurWork/Safety/Navigation/Pages/AIS.aspx
International Telecommunication Union (ITU). (2014, February). Technical Characteristics for an Automatic Identification System Using Time Division Multiple Access in the VHF Maritime Mobile Frequency Band. M Series: Mobile, radiodetermination, Amateur and Related Satellite Services. ITU-R Recommendation M.1371-5. Retrieved from https://www.itu.int/dms_pubrec/itur/rec/m/RRECM.13715201402I!!PDFE.pdf
International Telecommunication Union (ITU). (2015, March). Assignment and Use of Identities in the Maritime Mobile Service. M Series: Mobile, radiodetermination, Amateur and Related Satellite Services. ITU-R Recommendation M.585-7. Retrieved from https://www.itu.int/dms_pubrec/itur/rec/m/RRECM.5857201503I!!PDFE.pdf
Johnston, R.G. (2018, August). Vulnerabilities Trump Threats Maxim. Security Maxims. Right Brain Sekurity. Retrieved from http://rbsekurity.com/Papers/securitymaximswithaxe.pdf
Kessler, G.C. (2018, August 11). An Overview of Cryptography. Retrieved from https://www.garykessler.net/library/crypto.html
Kessler, G.C. (In press, expected 2019, Spring). Cybersecurity in the Maritime Domain. Proceedings of the USCG Marine Safety & Security Council.
Last, P., Bahlke, C., Hering-Bertram, M., & Linsen, L. (2014, September). Comprehensive Analysis of Automatic Identification System (AIS) Data in Regard to Vessel Movement Prediction. The Journal of Navigation, 67(5), 791-809. https://doi.org/10.1017/S0373463314000253
Mansouri, M., Gorod, A., Wakeman, T.H., & Sauser, B. (2009). A Systems Approach to Governance in Maritime Transportation System of Systems. Proceedings of the IEEE International Conference on System of Systems Engineering (SoSE). Albuquerque, NM.
MarEx. (2018, April 3). Kongsberg and Wilhelmsen Launch Autonomous Shipping JV. The Maritime Executive. Retrieved from https://www.maritimeexecutive.com/article/kongsbergandwilhelmsenlaunchautonomousshippingjv
Mazzarella, F., Arguedas, V.F., & Vespe, M. (2015). Knowledge-Based Vessel Position Prediction Using Historical AIS Data. In Proceedings of 2015 Sensor Data Fusion: Trends, Solutions, Applications (SDF), Bonn, 2015, pp. 1-6. https://doi.org/10.1109/SDF.2015.7347707
Parker, D.B. (2015). Toward a New Framework for Information Security? In S. Bosworth, M.E. Kabay, & E. Whyne (Eds.), Computer Security Handbook, 6th ed. (pp. 3.1-3.23). Hoboken, NJ: John Wiley & Sons, Inc.
Purton, L., Abbass, H., & Alam, S. (2010). Identification of ADS-B System Vulnerabilities and Threats. In Proceedings of the Australasian Transport Research Forum 2010, 29 September-1 October 2010, Canberra, Australia.
Raymond, E.S. (2016, August). AIVDM/AIVDO Protocol Decoding. Version 1.52. Retrieved from http://catb.org/gpsd/AIVDM.html
Ridden, P. (2018, September 4). Unmanned Surface Vessel Successfully Crosses Atlantic. New Atlas Web site. Retrieved from https://newatlas.com/offshoresensingsailbuoymetatlantic/56204/
Roberts, F.S. (2015, January). Vulnerabilities of Cyber-Physical Systems: From Football to Oil Rigs. Retrieved from http://www.dimacs.rutgers.edu/People/Staff/froberts/CyberPhysicalSystemsFootballOilRigs1315.pptx.pdf
Serpanos, D. (2018, March). The Cyber-Physical Systems Revolution. Computer, 51(3), 70-73.
Shine Micro. (n.d.). AIS Overview. Retrieved from https://www.shinemicro.com/aisoverview/
Strohmeier, M., Lenders, V., & Martinovic, I. (2015). On the Security of the Automatic Dependent Surveillance-Broadcast Protocol. IEEE Communications Surveys & Tutorials, 17(2), 1066-1087.
U.S. Coast Guard (USCG). (2014, June 4). Encrypted Automatic Identification System (EAIS) Interface Design Description (IDD). Command, Control, and Communications Engineering Center (C3Cen). Retrieved from https://epic.org/foia/dhs/uscg/nais/EPIC150529USCGFOIA20151030Production2.pdf
U.S. Coast Guard (USCG). (2018, July 24). AIS Requirements. USCG Navigation Center Web site. Retrieved from https://www.navcen.uscg.gov/?pageName=AISRequirementsRev
U.S. Department of Transportation (DOT). (n.d.). Marine Transportation System (MTS). Maritime Administration (MARAD) Web site. Retrieved from https://www.marad.dot.gov/ports/marinetransportationsystemmts/
Wikipedia. (2018, July 17). Automatic Identification System. Retrieved from https://en.wikipedia.org/wiki/Automatic_identification_system
World Shipping Council. (n.d.). Trade Statistics. Retrieved from http://www.worldshipping.org/abouttheindustry/globaltrade/tradestatistics