LV Erwan
Supervisor(s): Yvon Kermarrec & Philippe Lenca
Advisor(s): CC Xavier

Mapping, anomaly detection, and response following detection in industrial systems: application to military and civilian ships
General study context
The digitization of the maritime sector continues to grow. Without even mentioning autonomous ship projects, modern vessels are equipped with increasingly complex systems of systems. Like other industries, this massive digitization aims to reduce personnel, optimize capacities, increase operator efficiency, reduce maintenance costs, and optimize design and repairs.
This digitization brings profound changes to the economic, strategic, and cyber contexts in which both military and civilian vessels operate. The global economy is more dependent than ever on maritime transport, as the incident blocking the Suez Canal demonstrated. Strategically, certain nations are developing strategies of confrontation below the threshold of open conflict and rely on civilian-military organizations to achieve their objectives. Cyberattacks, including jamming and spoofing actions, are part of their modus operandi, with industrial control systems (ICS) being prime targets. The Stuxnet example has widely demonstrated the vulnerability of these systems and the ability of a motivated attacker to compromise them.
The primary characteristic of digital systems on ships is their complexity: in addition to traditional office IT systems, they incorporate navigation and platform systems. The impact of compromising these systems on ship safety is increasing.
Office IT systems are similar to those found in other industries. Primarily composed of Windows or Linux workstations, they can be targeted by attacks, with the main risk being temporary operational disruption. In the maritime context, these office systems are increasingly connected to the internet and interconnected with navigation and platform systems. This interconnection increases the attack surface and makes these systems more accessible to attackers.
Navigation systems are a category of subsystems specific to the maritime world. They mainly consist of sensors (radar, compass, log, depth sounder, etc.) and digital radio data links, such as positioning and time reference from GNSS-type systems and maritime situational awareness exchanges via AIS. They are generally centered around an ECDIS-type chart system that centralizes and processes this information. These systems are rarely updated, often poorly protected, open to the outside world, and based on historical standards that did not originally account for cybersecurity constraints. As a result, they are prime targets for cyberattacks, whether targeted or not, and are also susceptible to informational attacks (AIS and GNSS jamming or spoofing).
Platform systems—industrial systems composed of supervisory and control interfaces (SCADA), programmable logic controllers (PLC), sensors, and actuators—are used to automate the operation and monitoring of technical installations such as engines, rudders, and various utilities. They control the ship’s physical components, and a failure, whether intentional or not, can cause significant material damage or even loss of life. These systems are designed to operate in real-time and ensure high functional safety levels. This strong constraint limits the ability to integrate IT security hardening measures. Additionally, their lifespan, which can reach several decades, results in very long software update cycles. These factors make them high-value targets that are relatively poorly protected.
As with any IT system, it is necessary to prepare and implement an appropriate and effective security strategy while considering limited human and financial resources. Given the high technical complexity, growing threats, and constrained resources, this is a major challenge. Two scenarios need to be considered: first, the development of a security strategy during the design phase, which assumes access to architectural information and some flexibility in deploying dedicated security measures. Second, the implementation of security measures after, sometimes long after, delivery. In this case, there is often little or no documentation on the installed systems, which limits the ability to add dedicated cyber monitoring equipment. In this complex and evolving context, the best-known solution for improving security—particularly for navigation and platform systems—is the deployment of network probes and associated architecture[1].
Finally, the human factor must not be overlooked. Cyber surveillance system operators often lack cybersecurity expertise if they are on board the monitored vessels. Conversely, if they are in a shore-based Security Operations Center (SOC), they may not be experts in all monitored ships. They need relevant contextual information, presented in an actionable way, to assess an alert accurately. Additionally, their decisions could be documented and even used to enhance detection algorithms.
Our goal is to propose new approaches and methods for detecting and classifying anomalies and attacks that take into account various known elements. We particularly focus on those related to detailed system mapping, its evolution, and the different security policies that define data flow controls and system component interactions. We aim to leverage these anomalies more effectively by explaining them and providing operators with precise information to mitigate the issue.
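As an added illustration of the approach outlined above (mapping-aware anomaly detection whose results are explained to the operator), and not code from the proposal or its authors, the example below checks flows recorded by a passive network probe against a constructed asset map and a zone-to-zone data-flow policy; every asset, address, port and flow is constructed sample data.

```python
from dataclasses import dataclass
# Constructed asset map (not a real ship): address -> (hostname, zone), using the
# three system families named in the text: office IT, navigation, platform (ICS).
ASSET_MAP = {
    "10.1.0.10": ("ops-workstation-1", "office"),
    "10.2.0.20": ("ecdis-main", "navigation"),
    "10.2.0.21": ("ais-transponder", "navigation"),
    "10.3.0.30": ("scada-hmi", "platform"),
    "10.3.0.31": ("plc-steering", "platform"),
}
# Constructed data-flow policy: (source zone, destination zone, destination port).
ALLOWED_FLOWS = {
    ("navigation", "navigation", 10110),  # NMEA-over-IP between nav devices
    ("platform", "platform", 502),        # Modbus/TCP from the HMI to PLCs
    ("office", "navigation", 443),        # chart updates pushed from the office LAN
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

def check_flow(flow):
    """Return (reason, context) when a flow violates the map or policy, else None."""
    src_name, src_zone = ASSET_MAP.get(flow.src, ("unknown", "unmapped"))
    dst_name, dst_zone = ASSET_MAP.get(flow.dst, ("unknown", "unmapped"))
    context = f"{src_name}[{src_zone}] -> {dst_name}[{dst_zone}] port {flow.dport}"
    if "unmapped" in (src_zone, dst_zone):
        return ("asset absent from system map (mapping drift or rogue device)", context)
    if (src_zone, dst_zone, flow.dport) not in ALLOWED_FLOWS:
        return (f"{src_zone}->{dst_zone} traffic on port {flow.dport} not in policy", context)
    return None

def analyse(flows):
    """Run every observed flow through the policy; keep the anomalous ones, explained."""
    checked = ((f, check_flow(f)) for f in flows)
    return [(f, *result) for f, result in checked if result is not None]

# Constructed probe capture: routine traffic plus two flows an operator should see.
SAMPLE_FLOWS = [
    Flow("10.3.0.30", "10.3.0.31", 502),    # HMI polling the steering PLC: expected
    Flow("10.2.0.21", "10.2.0.20", 10110),  # AIS feeding the ECDIS: expected
    Flow("10.1.0.10", "10.3.0.31", 502),    # office workstation speaking Modbus to a PLC
    Flow("10.9.9.9", "10.2.0.20", 10110),   # unmapped device sending NMEA to the ECDIS
]

if __name__ == "__main__":
    for flow, reason, context in analyse(SAMPLE_FLOWS):
        print(f"ALERT {context}: {reason}")
```

The context string names the assets and zones involved so that an on-board or shore-based operator can judge the alert without reading the packet capture; the same record could later be enriched with the operator's verdict to refine the policy.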
We have identified the following research questions. After a literature review and needs analysis, we will select the most relevant topics among these.
Research questions raised:
Potential benefits of this research for the French Navy
References:
[1] Jacq, O., Boudvin, X., Brosset, D., Kermarrec, Y., & Simonin, J. (2018, October). Detecting and hunting cyberthreats in a maritime environment: Specification and experimentation of a maritime cybersecurity operations centre. In 2018 2nd Cyber Security in Networking Conference (CSNet) (pp. 1-8). IEEE.