Danelec systems
Solid • Safe • Simple

WHITE PAPER ON VDR CYBER SECURITY

15.08.2016 DNL00075


White Paper on VDR Cyber Security

The shipping industry is increasingly embracing Big Data and the Internet of Things (IoT) in a move to transform and streamline many aspects of ship operations. This means connecting computers and sensors on ships at sea with shoreside IT networks, typically through secure Internet links. While these technical innovations can bring big benefits in terms of greater visibility into the performance of assets and improved efficiency, they also can create new risks in terms of vulnerability to cyber attacks on the shipboard and shoreside IT infrastructure.

The cyber threat is real and universal. News headlines daily reveal successful hacks into supposedly secure databases at hospitals, government agencies, insurance carriers, banks and large enterprises, resulting in massive identity thefts for individuals and billions of dollars stolen. Hackers have the knowledge, means and motivation to mount attacks. Ships and shipping companies are especially vulnerable. In the past, shipboard systems were designed and installed with little awareness of cyber security. As these ship systems are being connected via the Internet with shoreside networks, new points of vulnerability are created, which can be exploited by cyber attackers to acquire sensitive information, disable vital equipment, steal identities, assist in smuggling goods and even hijack a ship, its crew and its cargo.

Cyber security has already begun to get greater scrutiny in the maritime industry. Existing standards and recommendations for cyber security include:

• US National Institute of Standards and Technology (NIST) – 800 Series on Cyber Security

• ISO/IEC 27001 and 27002 – Information Security Management Systems (ISMS)

• ISA/IEC-62443 (formerly ISA-99) Electronically Secure Industrial Automation and Control Systems


In addition, standards, guidelines and recommendations for cyber security specifically related to the maritime industry have recently been published by various organizations. They include:

• IEC 61162-460 Ethernet Standard

• EU Agency for Network and Information Security (ENISA)

• US Coast Guard – Cyber Strategy (June 2015)

• BIMCO (and others) – Guidelines on Cyber Security on-board Ships (January 2016)

• American Bureau of Shipping (ABS) – Application of Cyber Security Principles to Marine and Offshore Operations (February 2016)

• IMO – Guidelines on Maritime Cyber Risk Management (June 2016)

VDR Cyber Vulnerability

Voyage Data Recorders, which are mandatory on most ocean-going passenger and cargo ships, gather and store large amounts of data from the ship’s onboard systems and sensors. While the primary function of the VDR is to record data for accident investigators after an incident at sea, VDR manufacturers are designing remote access functionality into the new generation of products to facilitate testing and servicing the system, retrieve stored data for playback and extract data for safety and performance purposes.

In 2015, an independent research laboratory conducted tests on a commercial VDR product to determine its vulnerability to hacking. The researchers discovered that an attacker with network access to affected devices could execute arbitrary commands with root privileges, allowing for the manipulation of data captured in the VDR. In 2012, an incident was reported in which a crew member inserted a USB drive into a port on the VDR, causing it to be infected with malware that caused voice and navigation data to be overwritten. It is likely that many older early-generation VDRs and Simplified VDRs (S-VDRs) have similar levels of vulnerability.

In this White Paper, we will discuss the nature of cyber threats to VDRs, best practices for securing VDR data and security measures designed into Danelec Marine VDR systems to protect against cyber risks.


Risk Management

Eliminating the risks of cyber threats imposed on marine electronic systems requires a structured and comprehensive risk management approach. The following are steps involved in developing and implementing a cyber risk management process:

• Identify value to protect (in this case the VDR and data stored in it)

• Identify vulnerabilities

• Identify threats

• Evaluate risk level

• Implement risk reduction/mitigation measures

• Monitor and respond to any incidents

These steps should also be integrated into the product development process.

Motivations for Cyber Attack

Cyber attackers may be driven by any of these motivations:

• Destroy, delete or alter data in the VDR.

• Gain unauthorized access to the logged data in the VDR, such as bridge audio recordings, ECDIS and radar video files, position/speed and other ship’s data.

• Gain control over the VDR with Trojan horse malware in order to access systems and sensors connected to the VDR, such as ECDIS, radar, autopilot and other »trusted« zones.

• Prevent the VDR from logging data, for instance to eliminate incriminating data in an accident or incident.

• Attempt to take control over ship systems with the aim of seizing the ship, its crew or its cargo.

Vulnerabilities

Points of vulnerability to cyber attack include the following:

• Attack via physical access to the VDR aboard ship. This could be a crew member or an outside visitor to the ship, such as a service technician inserting a software upload or performing an inspection or service/repairs to the VDR.

• Attack via on-board remote access to the VDR aboard ship. Again, the threat could originate from a crew member or visitor to the ship, accessing the VDR through other systems connected to the VDR.

• Attack via remote access to the VDR from shore. Many VDRs are designed with a capability for remote downloads of stored data to shore offices through the ship’s satellite communication terminal.


Threats

Cyber threats can originate on the ship or from shore via remote access to the VDR. They fall into several broad categories:

• Physical access to the equipment. A crew member or visitor to the ship can attempt to feed malware into the VDR or some piece of equipment that is connected to the VDR. This can be intentional or unintentional. For instance, a crew member or service technician may insert a USB into a computer unaware that it contains malware.

• Denial of service attacks. An attacker may attempt to overwhelm the equipment, e.g. by feeding too much data into it. The attack may originate from the ship or from shore. For instance, the GPS could be programmed to send massive amounts of data into the VDR (thousands of reports per second), or a compromised shore network could be used to bombard the VDR with rapid-fire requests for data downloads. The VDR may be overloaded and either slow down its processing or cease to function altogether.

• Feed false information into the VDR. For instance, the GPS could be spoofed so as to send incorrect position or speed into the VDR (as well as the ECDIS, AIS, radar, autopilot and other systems requiring position data). Likewise, an attacker could spoof the AIS so that it sends false data into the VDR.

• Attempt to access other ship systems through the connections to the VDR. For instance, an attacker may try to send malware to the other systems by introducing it into the VDR so that it disseminates through the data links to the connected equipment.

• Use of remote access. Remote management access may be used by an attacker to instruct the VDR to erase data files or force a configuration change. For instance, a »Trojan Horse« can be injected during a remote software update. Or there could be a security breach at the software provider, allowing a Trojan Horse to be sneaked in during software development.

There is no technical remedy for attacks by a determined adversary who has physical access to the equipment, other than implementing and adhering to strict physical security procedures, such as identity checks and screening for anyone who may have access to the VDR. Note that this includes someone posing as a service technician boarding the ship to perform annual performance tests (APT), troubleshoot the system or make repairs to the VDR. This may be more difficult during overhauls and drydocking, when large numbers of workers may be on the ship.


Risk Reduction and Mitigation Measures

Danelec Marine has already designed protection measures against these threats into its DM100 VDR and S-VDR product lines, and continues to design in new ones. They include the following:

TRUSTED TOOLS. Danelec Marine carefully screens all third-party software developers to ensure the highest levels of security.

SOURCE CODE DISTRIBUTIONS. Danelec Marine does not use any standard operating system distributions. All software is based on authenticated source code from trusted sources, with each software developer identified as a trusted partner.

TRUSTED PLATFORM MODULE (TPM). The remote interface to the VDR includes a TPM chip, which allows digital signing of software and configuration. This allows the VDR system to reject any software or configuration changes without an authorized digital signature.

BUILT-IN NETWORK PROCESSOR. This processor acts as a »gatekeeper« for data flowing into the VDR from connected systems and sensors via Ethernet according to the IEC 61162-450 standard. In case of a denial of service attack, this processor will react and manage the flow of data into the VDR. The network processor also protects the VDR if any device on the network should fail, creating bursts on the network.

NO AUTO-EXECUTION. Danelec Marine’s operating system will not permit auto execution from an external source, such as a USB or laptop.

SECURE REMOTE MANAGEMENT CONNECTIONS. Remote management connections are encrypted using HTTPS instead of open HTTP protocols. An attacker who succeeds in hacking into the line will not be able to decode the encrypted data.

LOG DATA MONITORING. The VDR data log cannot be deleted. Any attempt to modify or delete log data is automatically detected.

DANELECCONNECT REMOTE SERVER ACCESS GATEWAY. Remote access to the VDR can only take place through the DanelecConnect hardware module. There is no direct connection into the VDR for remote management. The DanelecConnect module has multiple levels of built-in security, including a physical switch that must be activated manually by an authorized person aboard the ship to allow remote access to the VDR.
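The sensor-flood scenario from the denial of service threat and the »gatekeeper« role of the built-in network processor can be illustrated with a per-source rate limiter that also discards malformed sentences. This is an added example, not Danelec Marine code: it assumes bare NMEA 0183 sentences as carried over IEC 61162-450, and the source labels, limits (10 sentences/s, burst of 20) and sample sentences are constructed.

```python
import functools
import operator

def xor_checksum(body: str) -> int:
    """NMEA 0183 checksum: XOR of every byte between '$' and '*'."""
    return functools.reduce(operator.xor, body.encode("ascii", "replace"), 0)

def frame(body: str) -> str:
    return f"${body}*{xor_checksum(body):02X}"   # builds the constructed samples

def checksum_ok(sentence: str) -> bool:
    """Reject anything that is not '$body*hh' with a matching checksum."""
    body, star, given = sentence.strip()[1:].rpartition("*")
    try:
        return sentence.startswith("$") and star == "*" and int(given, 16) == xor_checksum(body)
    except ValueError:
        return False

class Gatekeeper:
    """Per-source token bucket: `rate` sentences/s sustained, `burst` at once."""
    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, float(burst)
        self.buckets = {}   # source -> (tokens, time of last sentence)
        self.dropped = {}   # source -> sentences refused

    def admit(self, source: str, sentence: str, now: float) -> bool:
        tokens, last = self.buckets.get(source, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        ok = False
        if tokens >= 1.0:
            tokens -= 1.0            # each inspected sentence costs one token
            ok = checksum_ok(sentence)
        if not ok:
            self.dropped[source] = self.dropped.get(source, 0) + 1
        self.buckets[source] = (tokens, now)
        return ok

def simulate() -> dict:
    """Constructed traffic for one second: a flooding GPS and a well-behaved gyro."""
    gk = Gatekeeper(rate=10, burst=20)       # illustrative limits, not vendor values
    gps = frame("GPGLL,5550.000,N,01230.000,E,120000,A")
    gyro = frame("HEHDT,274.1,T")
    passed = {"gps": 0, "gyro": 0, "bad": 0}
    for i in range(2000):                    # 2000 GPS reports inside one second
        passed["gps"] += gk.admit("gps", gps, now=i / 2000)
    for t in (0.0, 0.5):                     # gyro at 2 Hz, unaffected by the flood
        passed["gyro"] += gk.admit("gyro", gyro, now=t)
    passed["bad"] += gk.admit("gyro", gyro.replace("274", "275"), now=0.9)
    return {"passed": passed, "dropped": gk.dropped}
```

Because the budget is kept per source, the flooding GPS exhausts only its own bucket, and the per-source drop counters give the monitoring step of the risk process something concrete to alert on.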


Cyber Security as a Way of Life

Danelec Marine subscribes to a doctrine under which all employees, suppliers, developers and service partners »think security«. Multiple levels of cyber security, described above, are designed into the products from their inception. Cyber attackers are constantly refining their tactics and methods, and Danelec Marine has an ongoing program of monitoring and responding to threats as they are identified. In the event any new point of vulnerability is identified, Danelec Marine provides appropriate software updates to counter the threat.


HIGH QUALITY PRODUCT DESIGN

• Dependable operation | Equipment that is built to be at sea
Danelec products are based on an application-specific design to ensure extreme reliability. Fewer components mean fewer points of failure, resulting in the highest MTBF in the industry.

• Future proof | Never obsolete, always supported
We guarantee serviceability of our products during their lifetime for a minimum of 10 years. Since our products are developed in-house, we have full control over all components.


OPERATION & MAINTENANCE

• Information at your fingertips | Capture shipboard data and put it to use
Our range of remote management solutions enables instant and cost-optimized access from shore to ship, so that you can harness the power of big data for informed decisions and more efficient asset management.

• Maximize uptime | Rest assured your ship sails on schedule
Our exclusive SWAP technology™ enables fast and easy replacement of equipment in case of failure, without reinstalling software and reconfiguring the system.

SAFETY FIRST
Safety at sea is priority #1

OPTIMIZATION OF OPERATIONS
Enhance fleet operational efficiency

TOTAL COST OF OWNERSHIP
Maximize return on investment

SERVICE & SUPPORT

• Immediate support anywhere | There is always a service tech near your ship
Our extensive global network of service centers carries spare parts and provides service repairs 24/7 with 500+ factory-certified techs in 50+ countries.

• World class service | Consistent, efficient and transparent
Danelec eService platform™ automates and streamlines traditional manual processes, bringing unprecedented levels of consistency and efficiency to shipboard service.

Danelec Marine A/S • Blokken 44 • 3460 Birkeroed Denmark • T: +45 4594 4300 • www.danelec-marine.com


WE PROVIDE THE MOST EFFICIENT PRODUCT AND SERVICE SOLUTION TO THE MARITIME INDUSTRY

High quality Danish design

10+ years service guarantee

24/7 worldwide service & parts

Danelec eService platform™

Remote management solutions

SWAP technology™