Danelec systems
Solid • Safe • Simple

WHITE PAPER ON VDR CYBER SECURITY
15.08.2016 DNL00075

White Paper on VDR Cyber Security

The shipping industry is increasingly embracing Big Data and the Internet of Things (IoT) in a move to transform and streamline many aspects of ship operations. This means connecting computers and sensors on ships at sea with shoreside IT networks, typically through secure Internet links. While these technical innovations can bring big benefits in terms of greater visibility into the performance of assets and improved efficiency, they also can create new risks in terms of vulnerability to cyber attacks on the shipboard and shoreside IT infrastructure.

The cyber threat is real and universal. News headlines daily reveal successful hacks into supposedly secure databases at hospitals, government agencies, insurance carriers, banks and large enterprises, resulting in massive identity thefts for individuals and billions of dollars stolen. Hackers have the knowledge, means and motivation to mount attacks. Ships and shipping companies are especially vulnerable. In the past, shipboard systems were designed and installed with little awareness of cyber security. As these ship systems are being connected via Internet with shoreside networks, new points of vulnerability are created, which can be exploited by cyber attackers to acquire sensitive information, disable vital equipment, steal identities, assist in smuggling goods and even hijack a ship, its crew and its cargo.

Cyber security has already begun to get greater scrutiny in the maritime industry. Existing standards and recommendations for cyber security include:
• US National Institute of Standards and Technology (NIST) – 800 Series on Cyber Security
• ISO/IEC 27001 and 27002 – Information Security Management Systems (ISMS)
• ISA/IEC-62443 (formerly ISA-99) Electronically Secure Industrial Automation and Control Systems

In addition, standards, guidelines and recommendations for cyber security specifically related to the maritime industry have recently been published by various organizations. They include:
• IEC 61162-460 Ethernet Standard
• EU Agency for Network and Information Security (ENISA)
• US Coast Guard – Cyber Strategy (June 2015)
• BIMCO (and others) – Guidelines on Cyber Security on-board Ships (January 2016)
• American Bureau of Shipping (ABS) – Application of Cyber Security Principles to Marine and Offshore Operations (February 2016)
• IMO – Guidelines on Maritime Cyber Risk Management (June 2016)

VDR Cyber Vulnerability

Voyage Data Recorders, which are mandatory on most ocean-going passenger and cargo ships, gather and store large amounts of data from the ship’s onboard systems and sensors. While the primary function of the VDR is to record data for accident investigators after an incident at sea, VDR manufacturers are designing remote access functionality into the new generation of products to facilitate testing and servicing the system, retrieve stored data for playback and extract data for safety and performance purposes.

In 2015, an independent research laboratory conducted tests on a commercial VDR product to determine its vulnerability to hacking. The researchers discovered that an attacker with network access to affected devices could execute arbitrary commands with root privileges, allowing for the manipulation of data captured in the VDR. In 2012 an incident was reported in which a crew member inserted a USB drive into a port on the VDR, causing it to be infected with malware that caused voice and navigation data to be overwritten. It is likely that many older early-generation VDRs and Simplified VDRs (S-VDRs) have similar levels of vulnerability.

In this White Paper, we will discuss the nature of cyber threats to VDRs, best practices for securing VDR data and security measures designed into Danelec Marine VDR systems to protect against cyber risks.

Risk Management

Eliminating the risks of cyber threats imposed on marine electronic systems requires a structured and comprehensive risk management approach. The following are steps involved in developing and implementing a cyber risk management process:
• Identify value to protect (in this case the VDR and data stored in it)
• Identify vulnerabilities
• Identify threats
• Evaluate risk level
• Implement risk reduction/mitigation measures
• Monitor and respond to any incidents
These steps should also be integrated into the product development process.

Motivations for Cyber Attack

Cyber attackers may be driven by any of these motivations:
• Destroy, delete or alter data in the VDR.
• Gain unauthorized access to the logged data in the VDR, such as bridge audio recordings, ECDIS and radar video files, position/speed and other ship’s data.
• Gain control over the VDR with Trojan horse malware in order to access systems and sensors connected to the VDR, such as ECDIS, radar, autopilot and other »trusted« zones.
• Prevent the VDR from logging data, for instance to eliminate incriminating data in an accident or incident.
• Attempt to take control over ship systems with the aim of seizing the ship, its crew or its cargo.

Vulnerabilities

Points of vulnerability to cyber attack include the following:
• Attack via physical access to the VDR aboard ship. This could be a crew member or an outside visitor to the ship, such as a service technician inserting a software upload or performing an inspection or service/repairs to the VDR.
• Attack via on-board remote access to the VDR aboard ship. Again, the threat could originate from a crew member or visitor to the ship, accessing the VDR through other systems connected to the VDR.
• Attack via remote access to the VDR from shore. Many VDRs are designed with a capability for remote downloads of stored data to shore offices through the ship’s satellite communication terminal.

Threats

Cyber threats can originate on the ship or from shore via remote access to the VDR. They fall into several broad categories:
• Physical access to the equipment. A crew member or visitor to the ship can attempt to feed malware into the VDR or some piece of equipment that is connected to the VDR. This can be intentional or unintentional. For instance, a crew member or service technician may insert a USB into a computer unaware that it contains malware.
• Denial of service attacks. An attacker may attempt to overwhelm the equipment, e.g. by feeding too much data into it. The attack may originate from the ship or from shore. For instance, the GPS could be programmed to send massive amounts of data into the VDR (thousands of reports per second), or, if the shore network is compromised, the VDR could be bombarded with rapid-fire requests for data downloads. The VDR may be overloaded and either slow down its processing or cease to function altogether.
• Feed false information into the VDR. For instance, the GPS could be spoofed so as to send incorrect position or speed into the VDR (as well as the ECDIS, AIS, radar, autopilot and other systems requiring position data). Likewise, an attacker could spoof the AIS so that it sends false data into the VDR.
• Attempt to access other ship systems through the connections to the VDR. For instance, an attacker may try to send malware to the other systems by introducing it into the VDR so that it disseminates through the data links to the connected equipment.
• Use of remote access. Remote management access may be used by an attacker to instruct the VDR to erase data files or force a configuration change. For instance, a »Trojan Horse« can be injected during a remote software update. Or there could be a security breach at the software provider, allowing a Trojan Horse to be sneaked in during software development.

There is no technical remedy for attacks by a determined adversary who has physical access to the equipment, other than implementing and adhering to strict physical security procedures, such as identity checks and screening for anyone who may have access to the VDR. Note that this includes someone posing as a service technician boarding the ship to perform annual performance tests (APT), troubleshoot the system or make repairs to the VDR. This may be more difficult during overhauls and drydocking, when large numbers of workers may be on the ship.
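
The denial-of-service threat described above (one talker sending thousands of reports per second) can be contained by admission control in front of the recorder. The following is an added example, not code from the white paper or from any Danelec product: it validates the sentence checksum and applies a token bucket per talker ID, assuming NMEA 0183 / IEC 61162-1 style sentences; the rate, burst size, function names and sample sentences are constructed for illustration.

```python
import string

HEX = set(string.hexdigits)

def xor_checksum(body: str) -> int:
    """XOR of the characters between the start delimiter and '*'."""
    value = 0
    for ch in body:
        value ^= ord(ch)
    return value

def frame(body: str) -> str:
    """Build a well-formed sentence for the constructed samples."""
    return "$%s*%02X" % (body, xor_checksum(body))

def checksum_ok(sentence: str) -> bool:
    s = sentence.strip()
    if s[:1] not in ("$", "!") or s.count("*") != 1:
        return False
    body, given = s[1:].split("*")
    if len(given) != 2 or any(c not in HEX for c in given):
        return False
    return xor_checksum(body) == int(given, 16)

class TalkerGate:
    """Token bucket per talker ID so one flooding source cannot starve the rest."""
    def __init__(self, rate_per_s: float = 10.0, burst: float = 20.0):
        self.rate, self.burst = rate_per_s, burst   # assumed limits
        self.buckets = {}   # talker -> (tokens, last timestamp)
        self.dropped = {}   # talker -> sentences dropped, usable for alerting

    def admit(self, sentence: str, now: float) -> str:
        if not checksum_ok(sentence):
            return "reject-checksum"
        talker = sentence.strip()[1:3]
        tokens, last = self.buckets.get(talker, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens < 1.0:
            self.buckets[talker] = (tokens, now)
            self.dropped[talker] = self.dropped.get(talker, 0) + 1
            return "drop-rate"
        self.buckets[talker] = (tokens - 1.0, now)
        return "accept"

def simulate_flood():
    """Constructed scenario: 'GP' sends 1000 sentences in 1 s, 'HE' sends one."""
    gate = TalkerGate()
    gp = frame("GPGLL,5530.00,N,01230.00,E,120000,A")
    results = [gate.admit(gp, i / 1000.0) for i in range(1000)]
    heading = gate.admit(frame("HEHDT,123.4,T"), 0.5)
    return results.count("accept"), gate.dropped.get("GP", 0), heading
```

Because the talker ID is taken from the sentence itself, a deployment would also cap the total input rate and the number of talkers tracked, and would raise an alert when the drop counter for any talker starts to climb.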

Risk Reduction and Mitigation Measures

Danelec Marine has already designed, and continues to design, protection measures against these threats into its DM100 VDR and S-VDR product lines. They include the following:

TRUSTED TOOLS. Danelec Marine carefully screens all third-party software developers to ensure the highest levels of security.

SOURCE CODE DISTRIBUTIONS. Danelec Marine does not use any standard operating system distributions. All software is based on authenticated source code from trusted sources, by identifying the software developer as a trusted partner.

TRUSTED PLATFORM MODULE (TPM). The remote interface to the VDR includes a TPM chip, which allows digital signing of software and configuration. This allows the VDR system to reject any software or configuration changes without an authorized digital signature.

BUILT-IN NETWORK PROCESSOR. This processor acts as a »gatekeeper« for data flowing into the VDR from connected systems and sensors via Ethernet according to the IEC 61162-450 standard. In case of a denial of service attack, this processor will react and manage the flow of data into the VDR. The network processor also protects the VDR if any device on the network should fail, creating bursts on the network.

NO AUTO-EXECUTION. Danelec Marine’s operating system will not permit auto execution from an external source, such as a USB or laptop.

SECURE REMOTE MANAGEMENT CONNECTIONS. Remote management connections are encrypted using HTTPS instead of open HTTP protocols. An attacker who succeeds in hacking into the line will not be able to decode the encrypted data.

LOG DATA MONITORING. The VDR data log cannot be deleted. Any attempt to modify or delete log data is automatically detected.

DANELECCONNECT REMOTE SERVER ACCESS GATEWAY. Remote access to the VDR can only take place through the DanelecConnect hardware module. There is no direct connection into the VDR for remote management. The DanelecConnect module has multiple levels of built-in security, including a physical switch that must be activated manually by an authorized person aboard the ship to allow remote access to the VDR.
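
The white paper states that attempts to modify or delete log data are detected but does not say how. One common way to get that property is a keyed hash chain, shown here as an added example that is not Danelec's mechanism: each record's tag covers the previous tag, and a (count, last tag) anchor kept outside the log exposes truncation of the tail. The key handling (assumed to sit in protected hardware such as a TPM), function names and sample records are constructed for illustration.

```python
import hashlib
import hmac

GENESIS = b"\x00" * 32  # chain start value (constructed for this example)

def tag(key: bytes, prev: bytes, seq: int, payload: str) -> bytes:
    """MAC over the previous tag, the sequence number and the record."""
    msg = prev + seq.to_bytes(8, "big") + payload.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).digest()

def append(key: bytes, records: list, payload: str) -> None:
    """Add a record whose tag depends on every record before it."""
    prev = records[-1][2] if records else GENESIS
    seq = len(records)
    records.append((seq, payload, tag(key, prev, seq, payload)))

def anchor(records: list) -> tuple:
    """(count, last tag): kept outside the log so tail truncation shows up."""
    return len(records), (records[-1][2] if records else GENESIS)

def verify(key: bytes, records: list, trusted_anchor: tuple) -> str:
    """Return 'ok' or a description of the first inconsistency."""
    prev = GENESIS
    for i, (seq, payload, t) in enumerate(records):
        if seq != i:
            return "record missing or reordered at position %d" % i
        if not hmac.compare_digest(tag(key, prev, seq, payload), t):
            return "record %d modified" % i
        prev = t
    count, last = trusted_anchor
    if len(records) != count or not hmac.compare_digest(prev, last):
        return "log truncated or extended (anchor expects %d records)" % count
    return "ok"

def build_sample(key: bytes):
    """Constructed sample log of three records."""
    records = []
    for line in ("HDT 123.4", "GLL 5530.00N 01230.00E", "ALARM bridge mic 2 fault"):
        append(key, records, line)
    return records, anchor(records)
```

Without the external anchor, removing the newest records would leave a shorter chain that still verifies, which is why the anchor has to live somewhere the log writer cannot rewrite.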

Cyber Security as a Way of Life

Danelec Marine subscribes to a doctrine under which all employees, suppliers, developers and service partners »think security«. Multiple levels of cyber security, described above, are designed into the products from their inception. Cyber attackers are constantly refining their tactics and methods, and Danelec Marine has an ongoing program of monitoring and responding to threats as they are identified. In the event any new point of vulnerability is identified, Danelec Marine provides appropriate software updates to counter the threat.

HIGH QUALITY PRODUCT DESIGN
• Dependable operation | Equipment that is built to be at sea
Danelec products are based on an application-specific design to ensure extreme reliability. Fewer components mean fewer points of failure, resulting in the highest MTBF in the industry.
• Future proof | Never obsolete, always supported
We guarantee serviceability of our products during their lifetime for a minimum of 10 years. Since our products are developed in-house, we have full control over all components.

OPERATION & MAINTENANCE
• Information at your fingertips | Capture shipboard data and put it to use
Our range of remote management solutions enable instant and cost-optimized access from shore to ship, so that you can harness the power of big data for informed decisions and more efficient asset management.
• Maximize uptime | Rest assured your ship sails on schedule
Our exclusive SWAP technology™ enables fast and easy replacement of equipment in case of failure, without reinstalling software and reconfiguring the system.

SAFETY FIRST: Safety at sea is priority #1
OPTIMIZATION OF OPERATIONS: Enhance fleet operational efficiency
TOTAL COST OF OWNERSHIP: Maximize return on investment

SERVICE & SUPPORT
• Immediate support anywhere | There is always a service tech near your ship
Our extensive global network of service centers carry spare parts and provide service repairs 24/7 with 500+ factory-certified techs in 50+ countries.
• World class service | Consistent, efficient and transparent
Danelec eService platform™ automates and streamlines traditional manual processes, bringing unprecedented levels of consistency and efficiency to shipboard service.

Danelec Marine A/S • Blokken 44 • 3460 Birkeroed Denmark • T: +45 4594 4300 • www.danelec-marine.com
WE PROVIDE THE MOST EFFICIENT PRODUCT AND SERVICE SOLUTION TO THE MARITIME INDUSTRY
High quality Danish design
10+ years service guarantee
24/7 worldwide service & parts
Danelec eService platform™
Remote management solutions
SWAP technology™