Cybersecurity Professor: Maritime Traffic Must be Protected from Cyber Attacks

Boat shipping cargo
Location information in the current system used for tracking maritime traffic is collected by organizations who openly share or sell it — a model that makes the shipping industry especially vulnerable to cybersecurity attacks, according to Embry-Riddle professor Dr. Gary Kessler.

Cybersecurity breaches can occur in any system that operates, at least in part, by computer, which commonly puts aircraft, maritime and autonomous vehicles at risk of attack. According to Embry-Riddle Aeronautical University Professor of Cybersecurity Dr. Gary Kessler, ships are especially vulnerable. 

The maritime industry is a “hugely complex landscape,” consisting of individual ships, shipping lines, ports and manufacturers — a system, Kessler said, in which cybersecurity is difficult to maintain because it lacks one sole manager. 

In fall 2019, Kessler stepped down as chair of the Department of Security Studies & International Affairs to spend the semester as a visiting professor at the U.S. Coast Guard Academy in New London, Connecticut. There, he taught the first cohort of cadets in the academy’s new Cyber Systems major as well as a seminar in maritime cybersecurity. 

He also pursued research dealing with the lack of security protection in the automatic identification system (AIS), a situational awareness system used by ships to broadcast their position, course and speed to maritime authorities that manage vessel traffic. 

Although such information is crucial to all seafaring vessels, AIS was developed in the 1980s “without any particular security measures in place,” said Kessler. AIS information from all over the world is gathered by organizations who share or sell it, a situation that concerns Kessler. 

“Should that information be available to anyone with a checkbook?” he asked. 

The AIS network can also be hacked in real time, Kessler said, and used to send false messages of a ship’s whereabouts, since the communications have no authentication element to prove who sent them and when they were generated. 

Kessler has a commercial captain’s license and teaches a module on maritime cybersecurity at Embry-Riddle. He frequently presents on maritime cybersecurity issues to Navy ROTC members at the Daytona Beach Campus, and he serves at the national level of the U.S. Coast Guard Auxiliary as the branch chief of cyber readiness. 

His work on the cybersecurity vulnerabilities inherent in AIS involves encrypting the messages sent by systems, but doing so in a way that minimizes stress on an already bandwidth-challenged structure. 

Basically, the three cybersecurity elements that Kessler is focused on are bit integrity, time integrity and authentication. Bit integrity means making sure that the message received is the actual message that was sent, and that it has not been manipulated. Time integrity involves incorporating a time stamp so that the recipient knows the message is current. Authentication guarantees that the recipient knows the message really came from the purported sender. 

Kessler has been able to demonstrate a method that avoids using traditional digital signatures, which impose a large overhead on the transmissions but provides the same protection. His method is backward-compatible, meaning it can be implemented on current equipment. 

“What is novel is how I've taken existing ideas and put them together for this specific application," Kessler said. "I was able to show I had a viable solution. 

Kessler’s research, "Protected AIS: A Demonstration of Capability Scheme to Provide Authentication and Message Integrity," was published in TransNav: International Journal on Marine Navigation and Safety of Sea Transportation this month. 

Posted In: Security Intelligence and Safety