9.1 Blocking Transmission at the Antenna
9.2 Disruption of power supply
9.3 Physical Removal of VLD
9.4 Duplication of VLD
9.5 Transmission of False Position
Security of VMS data is a major issue for the fishing industry. It is also a major issue for a monitoring agency since it is probable that the agency will have a responsibility to ensure security through legislation, a contract, or an international agreement. Security is broader than protecting data from non-disclosure and its importance in implementing a VMS will therefore be extremely high.
There are a number of concepts that can be included in the general heading of security. Concepts relevant to VMS include the following.
Integrity - whether or not data has been altered or the function of a process is as intended.
Authenticity - whether or not the source of data can be positively identified and accepted as valid.
Privacy - whether or not an unauthorised person can view data.
Non Repudiation - whether or not the sender or receiver of data, can fraudulently deny sending or receiving that data.
Audit Capability - the extent to which all facets of security may be verified by the examination of records.
Without being specific to particular VMS components or functions, all of the above concepts should be considered in the design of a VMS.
Though a paper on VMS norms and standards might seem an unusual forum for a detailed discussion of VMS security, the issue is of vital relevance. If VMS operators are not convinced of the integrity of the data they are receiving during normal operation, the use of VMS for fisheries management will be seriously compromised.
Furthermore, in the context of international operations where the vessels of a given flag state are licensed to operate in the waters of a different coastal state, that state must be assured of the integrity of data coming from any installation aboard a foreign vessel.
Finally, it must be recognized that VMS is most often used as a fisheries protection tool. Fisheries protection is nothing but a specialized variety of police work. A vessel operator might reap substantial monetary awards by avoiding monitoring, therefore it is essential that VLD equipment be designed to be, inasmuch as reasonably possible, invulnerable to wilful corruption of data or other forms of cheating.
The response of some fisheries authorities (e.g. Portugal, Spain, Argentina, Morocco) to this challenge has been to create at VLD which is virtually an armoured unit: it is installed aboard a vessel in a reinforced, metal case and offers a shipboard interface with the minimum functionality necessary to carry out its two-way communication and, perhaps, catch reporting responsibilities.
Whilst this might appear to be a viable solution, it is the opinion of the authors of this paper that such approaches are unsound for a number of reasons. The most important is that the additional security added by such installations fails a fair test of value for additional cost.
The objective of protecting the system in this way, is to render it foolproof, invulnerable to any kind of tampering. Nonetheless, as we shall see below, the most common kind of tampering consists of blocking transmission at the level of the antenna, and no kind of armour or safety device can avoid such action.
Furthermore, each of these VLDs costs several times the price of a standard unit, and the fact that they are built to custom designs means that production will always be small and prices will always be relatively high. In addition, service or replacement is problematical, to say the least, particularly in the context of highly mobile, distant water vessels.
Proponents of this approach will argue that the solution is to develop norms and standards for just such an VLD. However it is difficult to believe that, in a world where fisheries managers have difficulty agreeing upon a simple format for the presentation of position and catch data, they could reach agreement on a project with as many parameters and variables as the new design for a VLD. Furthermore, that hardware would have to correspond to a technological “impossible dream”: the ability operate with all existing and future satellite systems to avoid becoming obsolete in more than a few years.
It must be pointed out that VMS is a means to efficient fisheries management, not an end in itself. By using standard equipment which conforms to reasonable norms of both manufacture and installation, it is possible to hinder all but the most resourceful attempts at VMS cheating, in both the technological and economic sense. One must expect that even the most resourceful will be finally detected by an efficient fisheries protection operation.
With the additional data on the movements of fleets made available through VMS, it should only be a matter of time before someone who is corrupting data transmitted by his VLD will be observed by a patrol vessel or a patrol aircraft in a position very different from that which he is reporting. If the authority responsible for protecting the fishery in which that vessel is operating does not impose penalties of sufficient severity to serve as a deterrent against future contravention of its VMS scheme, the commitment of that authority to assuring the long-term viability of its natural resource must be put into question.
Five forms of action to thwart the normal operation of a VLD can be clearly identified. Each will be described before discussing the kinds of norms and standards that can be imposed upon VLD design, manufacture and installation so as to neutralize such actions.
9.1.1 Defending against a blocked antenna
This is the most obvious and most common way of neutralizing a VLD. As is the case with many simple techniques, it is highly efficient and difficult to counter. In practice, the blocking most often takes place by covering the antenna with an object built of material that destroys the line-of-sight with the satellite. Almost anything will do, an object in the form of a bucket being the most common.
The sight of a covered antenna could cause unwanted curiosity, so an alternative, more discreet approach, is to coat the antenna with a fluid substance, like metal-based paint. This latter approach does pose, however, the problem of easy removal. Another solution, from the point of view of a vessel operator intent on blocking transmission of his position, is to disconnect the antenna cable from either the antenna or the communications unit.
When an antenna is blocked by any means, transmission of position information is impossible. The key to solving this conundrum lies in configuring the base station to which vessels report in such a way that an expected position report which is not received (the reporting interval is known at the base station) is treated by the base station as an “event”. With the position of the vessel known at its previous report, a broadcast to patrol vessels and aircraft that the vessel in question has ceased reporting, increases the possibility of being observed.
Furthermore, the imposition of “interrupted service” messages as part of the VLD specification give the fisheries manager subsequent input as to the vessel’s movement and the exact time that it was out of contact. While it is overly optimistic to expect that the majority of vessels which block transmission will be observed “in the act”, those which carry on the practice regularly, will be providing data to the fisheries management service that may well be used to discern a pattern.
It is worth noting that triggering the “interrupted service” message should carry a tolerance of, say, 15 or 30 minutes, depending upon the conditions in which the vessel normally operates. This will avoid sending such an alert when the antenna in legitimately blocked by passing under a bridge or steaming next to a tall structure (ship, cliff, etc.).
In the case of disconnecting the antenna, security sealed connectors on the antenna cable can make disconnection impossible without leaving physical evidence of the tampering.
9.2.1 Defending against disrupted power supply
Disruption of power supply entails interrupting the power necessary for the operation of a VLD in a manner other than turning the unit off in the normal way. The effect of such disruption is similar to that of blocking the antenna in that the monitoring station loses all contact with the vessel.
As the effect of a disrupted power supply is similar to that of a blocked antenna, so is the remedy. Everything said in section 9.1.1 is valid in this case. There is, however, an additional precaution that can dissuade the action of disconnecting the VLD from its power supply. This is to specify in the norms and standards for an installation that there be an auxiliary, battery power supply dedicated to the VLD.
A unit thus installed can send an emergency service message when its power supply is cut, and can, as a function of the power of the battery, continue in service for a considerable time. To specify a 100 amp hour marine battery as auxiliary power supply would assure service for several weeks. Using security connectors (similar to those for the antenna in 9.1.1) would discourage tampering.
The requirement for a complementary power supply has the added advantage of compensating for accidental power outages, a occurrence not uncommon aboard a fishing vessel.
9.3.1 Discouraging physical removal of VLD
As a VLD transmits its own position, rather than that of the vessel on which it is mounted, physically removing it from a vessel is a very efficient way of separating the real movements of a vessel from its monitored position. The most insidious ramification of this kind of deception is that the operation appears to be completely normal, from the monitoring centre.
Once again, the most persuasive deterrent to physical removal of a terminal is the imposition of severe penalties if detected in the course of normal fisheries protection operations. There are means of discouraging this kind of activity by establishing specific norms for the installation of an VLD.
By requiring that both the antenna and the communications unit as well as the antenna connections of the VLD be mounted with security seals (this operation can be as simple as using specially designed security adhesive tape) that must be broken in order to move the elements, and by requiring that the antenna cable pass through an aperture in the vessel bulkhead smaller than either of the elements that it connects, it is possible to assure that the equipment cannot be removed and replaced in an undetectable manner.
Such practice, in the context of a fisheries management operation which requires regular verification of VMS installations and imposes suitable penalties for non compliance, should all but eliminate the probability of physical removal of the antenna.
9.4.1 Defending against cloning
This is a practice known as cloning and consists of creating a duplicate VLD which functions like the original. Having done that, the producer of the clone can make it appear to the VMS system as if his vessel is anywhere he would like, so long as he can arrange for the clone to be transported to that position. Functionally, from the VMS point of view, this is the equivalent of removing the VLD from a vessel, but without the inconvenience of having to break the security seals.
From the VMS operator’s point of view there is some comfort to be drawn from the fact that cloning a satellite communications terminal is no trivial task, either from a technical or an economic perspective. To assure that it is not, is essentially the responsibility of the manufacturer of the terminal and the VMS operator.
The most reliable way of avoiding cloning is for communications in a system by any terminal, both in transmission and reception mode, to be based on unique, internal identifiers that are known only to the terminal manufacturer and the system operator. From the point of view of a VMS operator, it is important to require that this identifier be embedded in the system firmware in unreadable form. If such norms are established, the cloning of a terminal, whilst perhaps not impossible, will not be economically viable as a means of fisheries fraud.
9.5.1 Defending against false position transmission
This is the one that first comes to mind when thinking about possible VMS fraud. A vessel operator finds a way of changing the position that is transmitted by his VLD from the correct one, calculated by his GPS, to the one that indicates where he wants the fisheries managers to think where he is.
There are two ways that one can imagine this happening: in the first, the vessel operator finds a way to effect a manual input of position which is transmitted in the place of the GPS output. In the other, he simulates a GPS signal, using a programmable GPS or some other kind of computer simulation, and substitutes the output signal for that of his VLD’s real GPS.
The effect of such action from a VMS point of view is similar to that of a removed or cloned VLD in that the monitoring centre is receiving positions that do not correspond to the monitored vessel’s position.
As is the case with cloning, finding a way to input a false position to a satellite communications terminal designed to resist such tampering is far from a trivial task. Responsibility for defending against this rests, therefore, with the equipment manufacturer, requiring him to shore the defences against tampering on two fronts: system hardware and software.
On the hardware front is essential to assure that the interface between the GPS receiver/decoder is not clearly visible and that the protocol governing the exchange of data not be a standard one. The use of a GPS on a printed circuit board separate from the communications hardware and connected to it through, say, a standard (e.g. NMEA 0183) interface, is simply inviting tampering.
On the other hand, the integration of the GPS components on the same printed circuit board as the communications components and connected to them by a priority interface/protocol, means that a potential tamperer is virtually obliged to reverse engineer the entire VLD. This, once again, would tend to make the cost of the tampering not economically viable.
Likewise, the system software, which will almost certainly permit the manual input of a position for distress and safety reasons, should be written in such a way that the entity receiving a position report is alerted as to when the report is entered by the crew. Embedding this function in the system firmware essentially assures that manual input of position data will not result in successful corruption of VMS data.
From the VMS operator point of view, the necessary action to take is in specifying norms for VLD manufacture that build in sufficient safeguards against this type of tampering supported by the manufacturer’s guarantee. Furthermore, a security seal which restricts opening the VLD coupled with a regulation forbidding such action, will provide added assurance.
Table 9.1 VMS security concerns
|
Type of security infringement |
Remedial action |
|
Blocked antenna |
interrupted service message; security seals on antenna
connectors |
|
Disconnection from power supply |
interrupted service message; auxiliary power supply; security
seal on power connectors |
|
Physical removal |
strict installation guidelines; security seals on
installation |
|
Duplication/cloning |
manufacturing standard makes unique code unreadable |
|
Input false position |
manufacturing standard makes GPS interface invulnerable;
security seal prevents equipment tampering |
