cyber security og sikker integrasjon...

CYBER SECURITY OG SIKKER INTEGRASJON OM BORDCYBER SECURITY IN MERCHANT SHIPPING - CYSIMS

Ørnulf Jan RødsethSeniorforsker, SINTEF Ocean

Presenter

Presentation Notes

Bildet illustrerer: · bredden i SINTEFs ekspertise, fra havrom til verdensrom. · hvilke områder og bransjer vi jobber innen for å realisere visjonen Teknologi for et bedre samfunn. Bildestilen er basert på stikkordene fremtidsrettet, teknologi og norsk natur (naturressurser). SINTEFs visuelle univers er utviklet for SINTEF av Headspin Productions AS.

Shipping blir mer og mer digitalisert

• Mer integrasjon om bord

• Mer datautveksling

2

• Mer trafikkstyring fra land

• Mot ubemannede skipData Analytics

MANAGEMENT HQ

PERFORMANCE• TCI Efficiency• TCI Balance• TCI Degradation

TeCoMan

Ship Performance Registrations

Report: Performance Assessment / Support

SHIP

Internet ofServices at Sea

Internet of Things at Sea

Simulation and Optimization

Robotics andAutonomy

© SINTEF Ocean

Augmented reality

Shipping4.0

Computation

Cyber-physical systems

Cyber Security

Open systemintegration

Engine Cargo

Reporting

FW/GW

ProcessLayer

AdministrativeLayer

AutomationNavigation

Administrative

Infotainment

Accomodation

Energy management

FW/GW

ISCLayer

Crewing

Performance monitoring

INS

FW/GW

FW/GW

Fire alarm

SafetyFW/GW

InstrumentLayer

Safety Management

ECDIS

Integrated Ship Control (ISC)

3Med økende kompleksitet i elektroniske system

… og mer følsomt for angrep

HackersMisfits/States Economic espionage/attacks

Pirates

Fraud

"Container ship loading" by Stan Shebs.

Smuggling

Det er mange digitale systemer på et skip

5

RADAR Engine Cargo

Cargo Reporting

FW/GW

ProcessLayer

AdministrativeLayer


Administrative FW/GW

Infotainment

AccomodationEnergy

management

FW/GW

Integrated Ship Control (ISC) Layer

Crewing


INS

FW/GW

FW/GW

Fire alarm

Safety

FW/GW

InstrumentLayer

Safety Management

OwnerManagerChartererAuthorities

Systems

FW/GW

LandInternet

ICS

VHF Data Exchange System - VDES

Kommersielt/person-sensitivt

Sikkerhetsmessig sensitivt

… og mange angrepspunkter

6

RADAR Engine Cargo

Cargo Reporting

FW/GW

ProcessLayer

AdministrativeLayer



Infotainment

AccomodationEnergy

management

FW/GW


Crewing


INS

FW/GW

FW/GW

Fire alarm

Safety

FW/GW

InstrumentLayer

Safety Management


Systems

FW/GW

LandInternet

ICS


… som er viktige for CySiMS

7

RADAR Engine Cargo

Cargo Reporting

FW/GW

ProcessLayer

AdministrativeLayer



Infotainment

AccomodationEnergy

management

FW/GW


Crewing


INS

FW/GW

FW/GW

Fire alarm

Safety

FW/GW

InstrumentLayer

Safety Management


Systems

FW/GW

LandInternet

ICS


Bakgrunn for prosjektet

CySiMS: Cyber Security for Merchant Shipping

• Kongsberg Seatex AS (Prosjekteier)

• Kongsberg Maritime AS

• Kongsberg Defence and Aerospace AS

• DNV GL AS

• SINTEF Digital

• SINTEF Ocean AS

• Navtor AS

• Kystverket

• Sjøfartsdirektoratet

CySiMS har hovedfokus på meldingssikkerhet

Physical access threats

• Direct physical access to systems.

• Networked peripheral devices: PA or CCTV units using VoIP or IP.

• Diagnostic ports on equipment.

• Removable storage devices: USB sticks, CDs and DVDs.

• USB devices in general: May transfer malware.

• Short range wireless: Blue-tooth, WiFi and other.

• RFID or QR codes: As complexity grows.

Currently an ongoing activity in IMO with contributions both in FAL and MSC. BIMCO et al. has recently published a security guide for these issues and submitted it to IMO MSC.

Canada et al. plans a similar submission to IMO FAL.

Break-in via communication links (Internet)

Uncontrolled network

Uncontrolled network

450-Node w/SNGF

460-Switch 460-Switch 460-Switch

Uncontrolled networks (off ship)

IEC 61162-1/2 device(s)

IEC 61162-460 network

460-Forwarder

OtherOther

460-Network

Controlled network460-Node

System Management

Function

450-Node

460-Gateway

Network Monitoring Function

460-Node

460-Wireless gatewayOtherWireless Networks

IEC 61162-460

ICS

Shore systems

E-mail server

FTP server

Other transfer systems

Ma

nu

fact

ure

r sp

eci

fic p

art

of

ICS

No

t co

vere

d b

y st

an

da

rd.

Sta

nd

ard

inte

rfa

ces

of

ICS On-board data

provider(e.g. Route plan)

On-board data consumer

(e.g. Charts)

IMAP

SMTP

HTTPS server

Sh

ip-s

ho

reco

mm

un

ica

tion

syst

em

s

IEC 62940

Currently being addressed through standards organizations.

To forskjellige kommunikasjonskanaler

13

Ship Space segmentUplink Downlink Internet SCCEarth station

Ship VDES data link Trunk VTSShore station

Ship VDES data link Ship

I realiteten er bildet noe mer komplisert…

14

Maritime Authorities

Port/terminal

Pilot, tugs

Shore representative (Agent, Owner)

Commercial partiesVDES

Satellite

VSAT

Other shipsVTS, Ship reporting

NAVTEX, NAVDAT

VDES LTE, 4/5G

Inspector

Internet

Direct

VSAT / MSS / Mobile dataVery Small Aperture Terminal / Mobile Satellite Service

• Generell tjeneste via Internet

• 128-512 kbps

• Asymmetrisk (VSAT spesielt)

VHF Data Exchange System

16

Vesensforskjellige kanaler

17

VSAT VDESSanntid Ikke så kritisk KritiskTransmisjon Unicast BroadcastMeldingsstørrelse "Ubegrenset" BegrensetBåndbredde "Ubegrenset" BegrensetFrekvensbånd Ku/Ka VHFAntenne Fokusert Unidireksjonal

Primært på jakt etter datasikring

• End to end på "meldinger" – uavhengig av transport

• Elektronisk signering / kryptering

• Public Key Cryptography – Elliptic Curve Cryptography

• Public Key Infrastructure?• Hvem tar rollen?

• Hva koster det?

• Blir det enkelt nok?

• Blir det kompakt nok?18

Viktig del er å kartlegge behov og finne "riktig" løsning

Behovsanalyse

• Risikovurderinger av anvendelsen

• Risikovurderinger av infrastruktur

• Økonomiske og politiske akseptkriterier

• Strategi for etablering

20

Risikovurdering er komplisert

MaritimSpesialist

Sikkerhet (Security)Spesialist

Risikovurdering for bruker

Unwanted Event

Consequence

Consequence

Consequence

Data lostData manipulatedData stolenData not trusted

Scenario 1Scenario 2

…Scenario n

Risikovurdering for bruker

Unwanted Event Consequence

Data manipulated

Scenario 1Scenario 2

…Scenario n

Use cases

24

Flag state Ship Port stateinspection

ElectronicCertificates

Flag stateinspectionShip reporting Ship Port/coast state

authorities

Operational coordination

Ship Coast stateauthorities

Other ship

Navigational data updates

Ship Data providers

Private data exchanges

Ship Ship/Cargo ownerand management

ConfigurationShip Ship or shore systems

Stereotype scenario

25

Scenario 1: Navigational Real Time Information to ShipScenario 2: Nautical Documents Update to ShipScenario 3: Ship reporting to VTS or similarScenario 4: Mandatory ship documentation and reports to portScenario 5: Nautical advice to shipScenario 6: Nautical commands to shipScenario 7: Remote control of tugs, etc.Scenario 8: Operational voyage instructions and reportsScenario 9: TelemedicineScenario 10: Search and RescueScenario 11: Configuration of equipment or systemScenario 12: Network management

44,44%

11,11%16,67%

5,56%

22,22%

0,0%

10,0%

20,0%

30,0%

40,0%

50,0%

60,0%

70,0%

80,0%

90,0%

100,0%

Several times a day(n=8)

Several times a week(n=2)

Several times a month(n=3)

Several times a year(n=1)

Rarer (n=4)

How often does this scenario occur (per ship) ?

Scenario 1: Navigational real-time information to shipThe ship receives updated navigational information from shore. Examples are weather or ice information and forecast, lists of aids to navigations that are not working, floating containers, whale observations, wrecks etc. Today this is typically maritime safety information (MSI) received by NAVTEX or Safety-Net. Wave, tide or virtual aids to navigation received over AIS.

33,33%

55,56%

5,56% 5,56%

0,0%

10,0%

20,0%

30,0%

40,0%

50,0%

60,0%

70,0%

80,0%

90,0%

100,0%

Data changed (n=6) Data lost (n=10) Data overheard (n=1) Data not trusted (sender andreceiver disagrees on data

actually being sent or on thecontent of the message) (n=1)

What communication fault is likely to cause a negative outcome?

Scenario 1: Navigational real-time information to shipThe ship receives updated navigational information from shore. Examples are weather or ice information and forecast, lists of aids to navigations that are not working, floating containers, whale observations, wrecks etc. Today this is typically maritime safety information (MSI) received by NAVTEX or Safety-Net. Wave, tide or virtual aids to navigation received over AIS.

22,22%

38,89%27,78%

11,11%

0,0%

10,0%

20,0%

30,0%

40,0%

50,0%

60,0%

70,0%

80,0%

90,0%

100,0%

Individual Injury (n=4) Commercial (n=7) Environmental (n=5) Reputational (n=2)

What type of outcome will you classify this to be of?

5,56% 5,56%

33,33%38,89%

11,11%5,56%

0,0%

10,0%

20,0%

30,0%

40,0%

50,0%

60,0%

70,0%

80,0%

90,0%

100,0%

None (n=1) Negligible (n=1) Moderate (n=6) High (n=7) Critical (n=2) Catastrophic (n=1)

What severity has this outcome?

Verktøy for å analysere risiko 1/2

28

Stereotype Characteristics Data Lost Data manipulated Data stolen Data not trustedSC 1: Navigational real-time information to ship

Received “real-time” safety information that can be critical to operations. Maritime Safety Information (MSI) Highly relevantHighly relevant Relevant Highly relevant

SC2: Nautical document updates to ship

Updates to documents that are required to be carried by the ship. Relevant Highly relevant Relevant RelevantSC3: Ship reporting to VTS, coastguard or similar

Required short reports in VTS or ship reporting areas. Relevant Highly relevant Relevant RelevantSC4: Mandatory ship documentation and reports to port

Documents from ship or agent to authorities that are mandatory, e.g. for calling in a port. Failure to provide correct documents can cause detentions, fines or other. Relevant Relevant Relevant Relevant

SC5: Nautical advice to shipAdvice that is the basis for new plans generated on ship based on received and other navigational information. Relevant Relevant Relevant Relevant

SC6: Nautical commands to shipReal time commands to ship from VTS or other ships. Master can ignore, but at a penalty. Relevant Highly relevant Relevant Relevant

SC7: Remote control of ship, tugs or other port operation

Direct control of own ship or other, e.g. tug. Highly relevantHighly relevant Highly relevantSC8: Operational voyage instructions and reports

Information to or from the ship with commercial and operational importance. Relevant Relevant Highly relevantRelevant

SC9: Telemedicine. Critical exchange of personal information with shore experts. Highly relevantHighly relevant Relevant Highly relevant

SC10: Search and Rescue (SAR) Critical coordination of search and rescue operations. Highly relevantHighly relevant Highly relevant

SC11: Configuration Configuration of bridge equipment from shore or from other locations on ship. Relevant Highly relevant

SC12: Network management Message exchanges used to coordinate use of network (mostly VDE). Relevant Relevant Relevant Relevant

Loss Event Types

Verktøy for å analysere risiko 2/2

29

Scenario Main Unwanted EventScenario 1: Navigational Real Time Information to Ship Data lost Catastrophic 5 Possible 3Scenario 2: Nautical Documents Update to Ship Data lost Critical 4 Possible 3Scenario 3: Ship reporting to VTS or similar Data changed High 3 Likely 4Scenario 4: Mandatory ship documentation and reports to port Data lost High 3 Always 5Scenario 5: Nautical advice to ship Data changed High 3 Possible 3Scenario 6: Nautical commands to ship Data changed High 3 Likely 4Scenario 7: Remote control of tugs, etc. Data changed Catastrophic 5 Possible 3Scenario 8: Operational voyage instructions and reports Data changed High 3 Likely 4Scenario 9: Telemedicine Data changed Critical 4 Likely 4Scenario 10: SAR Data changed Critical 4 Always 5Scenario 11: Configuration Data changed Catastrophic 5 Possible 3Scenario 12: Network management Data changed High 3 Possible 3

Impact Frequency of ImpactStandard Impact Level

Verktøy videre utvikling

• Baseres på svar fra brukerundersøkelser

• Integrere venstre side av bow-tie (årsak til data problem)

• Mulighet for manuell justering av trusselbilde

• Legge inn barrierer

• Iterativ analyse ved å eliminere "verste" tilfeller først

30

Må også se på krav til infrastruktur og implementering

Maritime krav

• Skalerbar: 80 000 skip, 171 stater, 110 000 havner

• Internasjonal: Åpen teknologi, Internasjonal konsensus

• Kostnadseffektiv: Skip, flaggstat, havnestat, kommunikasjon, systemer

32

Hazard identification for infrastructure

• Private key lost/need replacement: Revokation service• Stolen on its way to the ship

• Stolen from the ship

• Ship changes flag or owner

• Ship certificates revoked or owner in liquidation

• Pirates has taken over the ship

33

Baserer systemet på tilsvarende for sivil luftfart?

Operative krav til løsning

• Billig og må kunne etter-installeres

• Antagelig basert på smartkort for signering/kryptering i eksisterende utstyr – Byttes hvert 3. år?

• Må antagelig ha to uavhengige utstyr for å signere/kryptere

• PKI er ennå ikke bestemt• Utstedelse knyttet til MMSI

• Tilbaktetrekkingsliste (med årsak)

35

Konklusjoner

• Forslag til løsning i versjon 1, basert på Iris

• Brukerundersøkelse utført, verktøy for analyse utvikles

• HazId påbegynt

• Politiske og operasjonelle argumenter påbegynt

• Relevant og viktig arbeide!

36

Teknologi for et bedre samfunn