IMO has given shipowners more time to liaise with ECDIS manufacturers over the implementation of the new standards introduced by the International Hydrographic Organization (IHO). Previously, ECDIS manufacturers and ship operators had to ensure their systems were compliant with the new standards by the beginning of September.
The IMO sub-committee on Navigation, Communications and Search and Rescue (NCSR) has extended the transition period for software updates to existing ECDIS for one year to 31 Aug 2017. The IHO requested the extension to allow more time for ECDIS manufacturers to develop software updates and for owners to install them.
Cybersail asks: Where is the focus on security?
While vendors work to implement the new libraries and changes needed to conform to the IHO requirements, there is no mention of fixing the security holes that already exist in various ECDIS software, which matters all the more given the systems connected to it.
We are already aware of research and articles posted on the topic.
Example from 2014
A research team from software security consultants NCC Group discovered several weaknesses within an ECDIS demo product, which enabled them to access and modify ECDIS files and insert malicious content. If exploited in a real scenario, these vulnerabilities could cause serious environmental and financial damage.
Yevgen Dyryavyy, security consultant at NCC Group, said that access to ECDIS on vessels is somewhat restricted, but this should not be used as a sole defence mechanism. “An ECDIS could still be accessed through a USB stick or an online chart update or even sensor compromise or other systems that are connected to the vessel’s local area network.”
The published findings can be downloaded here.
Cybersail says: Will vendors fix it?
So will vendors listen and provide security fixes for ECDIS as part of their updates or purely focus on meeting the library requirements?
Even if they do, that's another 1.5 years your ECDIS system could be vulnerable to attack!