Cyber Security and Secure Integration On Board
Cyber Security in Merchant Shipping - CySiMS
Ørnulf Jan Rødseth, Senior Researcher, SINTEF Ocean
Shipping is becoming more and more digitalised
• More integration on board
• More data exchange
• More traffic management from shore
• Towards unmanned ships
[Figure: "Shipping 4.0" technology map: Data analytics, Internet of Services at Sea, Internet of Things at Sea, Simulation and optimization, Robotics and autonomy, Augmented reality, Computation, Cyber-physical systems, Cyber security, Open system integration; illustrated by a performance loop in which ship performance registrations are reported to management HQ, assessed by TeCoMan (TCI efficiency, TCI balance, TCI degradation) and returned to the ship as a performance assessment/support report. © SINTEF Ocean]
[Figure: Integrated Ship Control (ISC) diagram with Instrument, Process, ISC and Administrative layers separated by firewalls/gateways (FW/GW); labelled elements include Engine, Cargo, INS, ECDIS, Fire alarm, Automation, Navigation, Safety, Energy management, Performance monitoring, Safety Management, Reporting, Crewing, Infotainment and Accommodation.]
With increasing complexity in electronic systems
… and more vulnerable to attack
[Figure: threat actors and motives: hackers, misfits/states, economic espionage/attacks, pirates, fraud, smuggling. Photo "Container ship loading" by Stan Shebs.]
There are many digital systems on a ship
[Figure: the ship system diagram (Instrument, Process, ISC and Administrative layers with FW/GW between them: RADAR, Engine, Cargo, INS, Fire alarm, Automation, Navigation, Safety, Energy management, Performance monitoring, Safety Management, Cargo reporting, Crewing, Infotainment, Accommodation), extended with the ICS and its shore links: the systems of owner, manager, charterer and authorities over the Internet, and the VHF Data Exchange System (VDES).]
Legend: commercially/personally sensitive; safety/security-sensitive.
… and many attack points
[The same ship system diagram is repeated, this time highlighting the attack points.]
… which are important for CySiMS
[The same ship system diagram is repeated, this time highlighting the parts relevant to CySiMS.]
Background for the project
CySiMS: Cyber Security for Merchant Shipping
• Kongsberg Seatex AS (project owner)
• Kongsberg Maritime AS
• Kongsberg Defence and Aerospace AS
• DNV GL AS
• SINTEF Digital
• SINTEF Ocean AS
• Navtor AS
• Kystverket (Norwegian Coastal Administration)
• Sjøfartsdirektoratet (Norwegian Maritime Authority)
CySiMS has its main focus on message security
Physical access threats
• Direct physical access to systems.
• Networked peripheral devices: PA or CCTV units using VoIP or IP.
• Diagnostic ports on equipment.
• Removable storage devices: USB sticks, CDs and DVDs.
• USB devices in general: may transfer malware.
• Short-range wireless: Bluetooth, WiFi and other.
• RFID or QR codes: as complexity grows.
Currently an ongoing activity in IMO with contributions both in FAL and MSC. BIMCO et al. have recently published a security guide for these issues and submitted it to IMO MSC. Canada et al. plan a similar submission to IMO FAL.
Break-in via communication links (Internet)
[Figure: IEC 61162-460 network architecture: a controlled on-board 460-Network (460-Nodes, a 450-Node with SNGF, 460-Switches, a 460-Forwarder, a System Management Function and a Network Monitoring Function, with IEC 61162-1/2 devices behind a 450-Node) is separated by a 460-Gateway from uncontrolled networks on the ship and off the ship, and by a 460-Wireless gateway from other wireless networks.]
[Figure: IEC 62940 ship-shore communication: the manufacturer-specific part of the ICS is not covered by the standard; the standard interfaces of the ICS connect on-board data providers (e.g. route plan) and on-board data consumers (e.g. charts) through ship-shore communication systems (IMAP, SMTP, HTTPS server) to shore systems (e-mail server, FTP server, other transfer systems).]
Currently being addressed through standards organizations.
Two different communication channels
[Figure: satellite channel: ship, uplink to the space segment, downlink to an earth station, Internet, SCC; VDES channel: ship, VDES data link, shore station, trunk, VTS; or ship, VDES data link, ship.]
In reality the picture is somewhat more complicated…
[Figure: the parties a ship communicates with (maritime authorities; port/terminal; pilot and tugs; shore representative (agent, owner); commercial parties; other ships; VTS and ship reporting; inspector) over VDES, satellite/VSAT, NAVTEX/NAVDAT, LTE/4G/5G, the Internet or direct links.]
VSAT / MSS / Mobile data (Very Small Aperture Terminal / Mobile Satellite Service)
• General service via the Internet
• 128-512 kbps
• Asymmetric (VSAT in particular)
VHF Data Exchange System (VDES)
Fundamentally different channels
Property          VSAT              VDES
Real time         Not so critical   Critical
Transmission      Unicast           Broadcast
Message size      "Unlimited"       Limited
Bandwidth         "Unlimited"       Limited
Frequency band    Ku/Ka             VHF
Antenna           Focused           Unidirectional
Primarily looking for data security
• End-to-end on "messages", independent of transport
• Electronic signing / encryption
• Public key cryptography, specifically elliptic curve cryptography
• Public key infrastructure?
  • Who takes the role?
  • What does it cost?
  • Will it be simple enough?
  • Will it be compact enough?
An important part is to map the needs and find the "right" solution
Needs analysis
• Risk assessments of the application
• Risk assessments of the infrastructure
• Economic and political acceptance criteria
• Strategy for establishment
Risk assessment is complicated
[Figure: the assessment needs both a maritime specialist and a security specialist.]
Risk assessment for the user
[Figure: bow-tie diagram in which an unwanted event (data lost, data manipulated, data stolen, data not trusted) leads to consequences across scenario 1, scenario 2, … scenario n; a second copy shows the diagram worked through for "Data manipulated".]
Use cases
• Electronic certificates: flag state, ship and port state inspection; flag state inspection
• Ship reporting: ship and port/coast state authorities
• Operational coordination: ship, coast state authorities and other ships
• Navigational data updates: ship and data providers
• Private data exchanges: ship and ship/cargo owner and management
• Configuration: ship and ship or shore systems
Stereotype scenarios
Scenario 1: Navigational real-time information to ship
Scenario 2: Nautical documents update to ship
Scenario 3: Ship reporting to VTS or similar
Scenario 4: Mandatory ship documentation and reports to port
Scenario 5: Nautical advice to ship
Scenario 6: Nautical commands to ship
Scenario 7: Remote control of tugs, etc.
Scenario 8: Operational voyage instructions and reports
Scenario 9: Telemedicine
Scenario 10: Search and Rescue
Scenario 11: Configuration of equipment or system
Scenario 12: Network management
Survey results for Scenario 1 (18 responses)
Scenario 1: Navigational real-time information to ship. The ship receives updated navigational information from shore. Examples are weather or ice information and forecasts, lists of aids to navigation that are not working, floating containers, whale observations, wrecks etc. Today this is typically maritime safety information (MSI) received by NAVTEX or SafetyNET, or wave, tide or virtual aids to navigation received over AIS.
How often does this scenario occur (per ship)?
• Several times a day: 44.44% (n=8)
• Several times a week: 11.11% (n=2)
• Several times a month: 16.67% (n=3)
• Several times a year: 5.56% (n=1)
• Rarer: 22.22% (n=4)
What communication fault is likely to cause a negative outcome?
• Data changed: 33.33% (n=6)
• Data lost: 55.56% (n=10)
• Data overheard: 5.56% (n=1)
• Data not trusted (sender and receiver disagree on the data actually being sent or on the content of the message): 5.56% (n=1)
What type of outcome will you classify this to be of?
• Individual injury: 22.22% (n=4)
• Commercial: 38.89% (n=7)
• Environmental: 27.78% (n=5)
• Reputational: 11.11% (n=2)
What severity has this outcome?
• None: 5.56% (n=1)
• Negligible: 5.56% (n=1)
• Moderate: 33.33% (n=6)
• High: 38.89% (n=7)
• Critical: 11.11% (n=2)
• Catastrophic: 5.56% (n=1)
Tool for analysing risk 1/2
Relevance of each loss event type (data lost, data manipulated, data stolen, data not trusted) per stereotype scenario:
• SC1: Navigational real-time information to ship. Received "real-time" safety information that can be critical to operations; Maritime Safety Information (MSI). Lost: highly relevant; manipulated: highly relevant; stolen: relevant; not trusted: highly relevant.
• SC2: Nautical document updates to ship. Updates to documents that the ship is required to carry. Lost: relevant; manipulated: highly relevant; stolen: relevant; not trusted: relevant.
• SC3: Ship reporting to VTS, coastguard or similar. Required short reports in VTS or ship reporting areas. Lost: relevant; manipulated: highly relevant; stolen: relevant; not trusted: relevant.
• SC4: Mandatory ship documentation and reports to port. Documents from ship or agent to authorities that are mandatory, e.g. for calling in a port; failure to provide correct documents can cause detentions, fines or other. All four: relevant.
• SC5: Nautical advice to ship. Advice that is the basis for new plans generated on the ship from received and other navigational information. All four: relevant.
• SC6: Nautical commands to ship. Real-time commands to the ship from VTS or other ships; the master can ignore them, but at a penalty. Lost: relevant; manipulated: highly relevant; stolen: relevant; not trusted: relevant.
• SC7: Remote control of ship, tugs or other port operation. Direct control of own ship or other, e.g. a tug. Three cells read "highly relevant"; the fourth cell is empty in the source.
• SC8: Operational voyage instructions and reports. Information to or from the ship with commercial and operational importance. Lost: relevant; manipulated: relevant; stolen: highly relevant; not trusted: relevant.
• SC9: Telemedicine. Critical exchange of personal information with shore experts. Lost: highly relevant; manipulated: highly relevant; stolen: relevant; not trusted: highly relevant.
• SC10: Search and Rescue (SAR). Critical coordination of search and rescue operations. Three cells read "highly relevant"; the fourth cell is empty in the source.
• SC11: Configuration. Configuration of bridge equipment from shore or from other locations on the ship. Two cells read "relevant" and "highly relevant"; the other two are empty in the source.
• SC12: Network management. Message exchanges used to coordinate use of the network (mostly VDE). All four: relevant.
Tool for analysing risk 2/2
Scenario: main unwanted event; standard impact level; frequency of impact
• Scenario 1: Navigational real-time information to ship: data lost; Catastrophic (5); Possible (3)
• Scenario 2: Nautical documents update to ship: data lost; Critical (4); Possible (3)
• Scenario 3: Ship reporting to VTS or similar: data changed; High (3); Likely (4)
• Scenario 4: Mandatory ship documentation and reports to port: data lost; High (3); Always (5)
• Scenario 5: Nautical advice to ship: data changed; High (3); Possible (3)
• Scenario 6: Nautical commands to ship: data changed; High (3); Likely (4)
• Scenario 7: Remote control of tugs, etc.: data changed; Catastrophic (5); Possible (3)
• Scenario 8: Operational voyage instructions and reports: data changed; High (3); Likely (4)
• Scenario 9: Telemedicine: data changed; Critical (4); Likely (4)
• Scenario 10: SAR: data changed; Critical (4); Always (5)
• Scenario 11: Configuration: data changed; Catastrophic (5); Possible (3)
• Scenario 12: Network management: data changed; High (3); Possible (3)
Further development of the tool
• Based on the answers from the user surveys
• Integrate the left side of the bow-tie (the causes of the data problem)
• Possibility of manually adjusting the threat picture
• Add barriers
• Iterative analysis, eliminating the "worst" cases first
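As an added example (not code from the presentation or from the CySiMS project), the risk table above can be turned into a small ranking tool that implements the iterative approach in these bullets: score every scenario, take the worst case first, insert a barrier, and re-rank. The twelve rows are transcribed from the table; the combination rule (impact level multiplied by frequency of impact) and the effect of a barrier (frequency lowered by one step) are assumptions of the example, since the slides show the two factors but not how they are combined.

```go
package main

import (
	"fmt"
	"sort"
)

// Scenario is one row of the risk-tool table: the main unwanted event for the
// stereotype scenario, its standard impact level and its frequency of impact.
type Scenario struct {
	ID     int
	Name   string
	Event  string
	Impact int // standard impact level: High 3, Critical 4, Catastrophic 5
	Freq   int // frequency of impact: Possible 3, Likely 4, Always 5
}

// Risk is the assumed combination rule for this example: impact level times
// frequency of impact. The slide lists the two factors but not the rule.
func (s Scenario) Risk() int { return s.Impact * s.Freq }

// Scenarios is transcribed from the slide's table.
var Scenarios = []Scenario{
	{1, "Navigational real-time information to ship", "Data lost", 5, 3},
	{2, "Nautical documents update to ship", "Data lost", 4, 3},
	{3, "Ship reporting to VTS or similar", "Data changed", 3, 4},
	{4, "Mandatory ship documentation and reports to port", "Data lost", 3, 5},
	{5, "Nautical advice to ship", "Data changed", 3, 3},
	{6, "Nautical commands to ship", "Data changed", 3, 4},
	{7, "Remote control of tugs, etc.", "Data changed", 5, 3},
	{8, "Operational voyage instructions and reports", "Data changed", 3, 4},
	{9, "Telemedicine", "Data changed", 4, 4},
	{10, "SAR", "Data changed", 4, 5},
	{11, "Configuration", "Data changed", 5, 3},
	{12, "Network management", "Data changed", 3, 3},
}

// Rank returns a copy of the scenarios ordered by descending risk score; ties are
// broken by the higher impact level first, then by scenario number.
func Rank(in []Scenario) []Scenario {
	out := append([]Scenario(nil), in...)
	sort.SliceStable(out, func(i, j int) bool {
		a, b := out[i], out[j]
		if a.Risk() != b.Risk() {
			return a.Risk() > b.Risk()
		}
		if a.Impact != b.Impact {
			return a.Impact > b.Impact
		}
		return a.ID < b.ID
	})
	return out
}

// ApplyBarrier models a barrier on one scenario by lowering its frequency of impact
// (a control on the cause side of the bow-tie). It only ever lowers the frequency,
// never below 1, and returns a new slice so the original table can be re-ranked.
func ApplyBarrier(in []Scenario, id, newFreq int) []Scenario {
	if newFreq < 1 {
		newFreq = 1
	}
	out := append([]Scenario(nil), in...)
	for i := range out {
		if out[i].ID == id && newFreq < out[i].Freq {
			out[i].Freq = newFreq
		}
	}
	return out
}

func main() {
	// Iterative analysis: treat the worst-ranked scenario, add a barrier, re-rank.
	current := Scenarios
	for round := 1; round <= 3; round++ {
		top := Rank(current)[0]
		fmt.Printf("round %d: worst is scenario %d (%s, %s) with score %d\n",
			round, top.ID, top.Name, top.Event, top.Risk())
		// Assumed effect of the barrier: frequency of impact drops one step.
		current = ApplyBarrier(current, top.ID, top.Freq-1)
	}
}
```

With the assumed rule, Scenario 10 (SAR, Critical and Always) ranks first with 20, followed by Scenario 9 (Telemedicine) with 16; after a barrier on Scenario 10 the re-ranking moves Telemedicine to the top, which is the "worst cases first" loop the slide describes.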
Requirements for infrastructure and implementation must also be considered
Maritime requirements
• Scalable: 80 000 ships, 171 states, 110 000 ports
• International: open technology, international consensus
• Cost-effective: ship, flag state, port state, communication, systems
Hazard identification for infrastructure
• Private key lost or needing replacement: revocation service
  • Stolen on its way to the ship
  • Stolen from the ship
  • Ship changes flag or owner
  • Ship certificates revoked or owner in liquidation
  • Pirates have taken over the ship
Base the system on the equivalent for civil aviation?
Operational requirements for the solution
• Cheap, and must be retrofittable
• Probably based on smart cards for signing/encryption in existing equipment; replaced every 3 years?
• Must probably have two independent devices for signing/encryption
• PKI not yet decided
  • Issuance tied to MMSI
  • Revocation list (with reason)
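As an added example, not code from the presentation or from the CySiMS project, the Go program below ties together the message security the earlier "data security" slide asks for (end-to-end signing with elliptic curve cryptography, compact enough for a limited link) and the operational requirements just listed: keys issued against an MMSI and a revocation list that records a reason. The in-memory Registry type, the MMSI 257000001 and the report text are constructed for this example; the PKI itself, which the slides say is not yet decided, is deliberately not modelled beyond that registry.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

var (
	ErrRevoked       = errors.New("sender key revoked")
	ErrUnknownSender = errors.New("unknown sender")
	ErrBadSignature  = errors.New("signature invalid")
)

// Registry is a hypothetical in-memory stand-in for the undecided PKI: public keys
// are issued against an MMSI, and revocations carry a reason (the slide's "with reason").
type Registry struct {
	keys    map[string]*ecdsa.PublicKey
	revoked map[string]string // MMSI -> reason for revocation
}

func NewRegistry() *Registry {
	return &Registry{keys: map[string]*ecdsa.PublicKey{}, revoked: map[string]string{}}
}

func (r *Registry) Issue(mmsi string, pub *ecdsa.PublicKey) { r.keys[mmsi] = pub }
func (r *Registry) Revoke(mmsi, reason string)              { r.revoked[mmsi] = reason }

// digest binds the sender's MMSI to the payload, so a signature made for one ship
// cannot be presented under another identity. A zero byte separates the fields.
func digest(mmsi string, msg []byte) []byte {
	h := sha256.New()
	h.Write([]byte(mmsi))
	h.Write([]byte{0})
	h.Write(msg)
	return h.Sum(nil)
}

// Sign produces a fixed 64-byte r||s ECDSA P-256 signature without ASN.1 framing,
// which keeps the overhead predictable on a size-limited channel such as VDES.
func Sign(priv *ecdsa.PrivateKey, mmsi string, msg []byte) ([]byte, error) {
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest(mmsi, msg))
	if err != nil {
		return nil, err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32]) // r and s are below the P-256 order, so each fits in 32 bytes
	s.FillBytes(sig[32:])
	return sig, nil
}

// Verify checks revocation and key lookup before the signature itself, so a message
// from a revoked key is rejected with its reason even if the signature is valid.
func (r *Registry) Verify(mmsi string, msg, sig []byte) error {
	if reason, ok := r.revoked[mmsi]; ok {
		return fmt.Errorf("%w: %s", ErrRevoked, reason)
	}
	pub, ok := r.keys[mmsi]
	if !ok {
		return ErrUnknownSender
	}
	if len(sig) != 64 {
		return ErrBadSignature
	}
	R := new(big.Int).SetBytes(sig[:32])
	S := new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest(mmsi, msg), R, S) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	// Constructed example values: an MMSI in the Norwegian range and a short ship report.
	const mmsi = "257000001"
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	reg := NewRegistry()
	reg.Issue(mmsi, &priv.PublicKey)

	msg := []byte("POS 59.9N 010.7E SOG 12.3 COG 045")
	sig, err := Sign(priv, mmsi, msg)
	if err != nil {
		panic(err)
	}
	pubBytes := elliptic.MarshalCompressed(elliptic.P256(), priv.PublicKey.X, priv.PublicKey.Y)
	fmt.Printf("message %d bytes, signature %d bytes, compressed public key %d bytes\n",
		len(msg), len(sig), len(pubBytes))

	fmt.Println("valid message:", reg.Verify(mmsi, msg, sig))
	tampered := append([]byte(nil), msg...)
	tampered[4] = '0' // alter one digit of the position
	fmt.Println("tampered message:", reg.Verify(mmsi, tampered, sig))

	reg.Revoke(mmsi, "ship changed flag or owner")
	fmt.Println("after revocation:", reg.Verify(mmsi, msg, sig))
}
```

The fixed 64-byte signature and the 33-byte compressed public key are what the "compact enough?" question on the earlier slide is about: the signature overhead is constant regardless of message size, while a real deployment would still need to decide how and how often certificates and the revocation list reach the ship.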
Conclusions
• Proposed solution in version 1, based on Iris
• User survey carried out; analysis tool being developed
• HazId started
• Political and operational arguments started
• Relevant and important work!
Technology for a better society