Detecting and Hunting Cyberthreats in a Maritime Environment: Specification and Experimentation of a Maritime Cybersecurity Operations Centre

2018 2nd Cyber Security in Networking Conference (CSNet) (2018)

Abstract
The vast majority of worldwide goods exchanges are made by sea. In some parts of the world, the competition for dominance at sea is very high and is clearly seen as a main military goal. Meanwhile, new-generation ships rely heavily on information systems for communication, navigation and platform management. This ever-spreading attack surface and permanent satellite links have raised concern about the potential impact of cyberattacks on a ship at sea or on naval shore infrastructures. Therefore, on top of the usual cyberprotection measures taken for safety reasons, it is essential to implement ongoing cyber monitoring of ships in order to detect any incoming threat, react accordingly, and stop it. In this paper, we explain the specific constraints encountered when trying to assess the cyber situation awareness of maritime information systems. As we will demonstrate, those systems combine physical and logical constraints which complicate their cyber monitoring process and architecture. Gathering valuable data while having a limited and controlled impact on the satellite bandwidth, and maintaining a high level of integrity on remote systems in production, are, for instance, significant challenges for both civilian and military ships. We have designed and set up a research platform which fulfils those specifications to streamline the cyber monitoring process. We will then describe the architecture used to detect cyber-threats and collect potential Indicators of Compromise from naval systems, as well as the results we have currently achieved.
Keywords
ICS, SOC, maritime, cyber situation awareness