CyberShip-IoT: A Dynamic and Adaptive SDN-Based Security Policy Enforcement Framework for Ships

Rishikesh Sahay, Weizhi Meng*, Daniel Alberto Sepúlveda Estay, Christian D. Jensen, Michael Bruhn Barfod

*Corresponding author for this work

Research output: Contribution to journal › Journal article › Research › peer-review

Abstract

With the wide adoption of Information and Communication Technology (ICT) in the marine environment, ship systems are increasingly similar to other networked computing systems. The integration of positioning systems with navigational and propulsion control systems and the increasing reliance on Supervisory Control And Data Acquisition (SCADA) systems for monitoring the ship’s performance makes modern ships vulnerable to a wide range of cyber security issues. Moreover, frequent or permanent onshore connection makes the ship’s communication network a potential target for cyber-criminals. Such attacks can incapacitate the vessel, e.g., through a ransomware attack, or greatly degrade the performance of the ship systems, e.g., by causing delays in the propagation of control messages between critical components within the ship. Furthermore, crew members and marine engineers are challenged with the task of configuring security policies for networked devices using low-level, device-specific syntax, which is an error-prone and time-consuming process. In addition, crew members must also be familiar with the specific syntax for low-level network management tasks, which exacerbates the problem. The emergence of Software-Defined Networking (SDN) helps reduce the complexity of network management tasks, and we believe that a similar approach may be used to address the larger problem. We therefore propose the CyberShip-IoT framework to provide a network-level defense for the communication network component of ship systems. CyberShip-IoT offers a high-level policy language and a translation mechanism for automated policy enforcement in the ship’s communication network. The modular design of the framework provides the flexibility to deploy detection mechanisms as required. To evaluate the feasibility and effectiveness of this framework, we develop a prototype for a scenario involving the communication network of a typical ship. The experimental results demonstrate that our framework can effectively translate high-level security policies into OpenFlow rules on the switches without incurring much latency, ultimately leading to efficient attack mitigation and reduced collateral damage.
Original language: English
Journal: Elsevier
Volume: 100
Pages (from-to): 736-750
ISSN: 0922-3444
DOI: 10.1016/j.future.2019.05.049
Publication status: Published - 2019

Cite this

@article{b41baa8e6a0b42278030886b2861bda8,
title = "CyberShip-IoT: A Dynamic and Adaptive SDN-Based Security Policy Enforcement Framework for Ships",
abstract = "With the wide adoption of Information and Communication Technology (ICT) in the marine environment, ship systems are increasingly similar to other networked computing systems. The integration of positioning systems with navigational and propulsion control systems and the increasing reliance on Supervisory Control And Data Acquisition (SCADA) systems for monitoring the ship’s performance makes modern ships vulnerable to a wide range of cyber security issues. Moreover, frequent or permanent onshore connection makes the ship’s communication network a potential target for cyber-criminals. Such attacks can incapacitate the vessel, e.g., through a ransomware attack, or greatly degrade the performance of the ship systems, e.g., by causing delays in the propagation of control messages between critical components within the ship. Furthermore, crew members and marine engineers are challenged with the task of configuring security policies for networked devices using low-level, device-specific syntax, which is an error-prone and time-consuming process. In addition, crew members must also be familiar with the specific syntax for low-level network management tasks, which exacerbates the problem. The emergence of Software-Defined Networking (SDN) helps reduce the complexity of network management tasks, and we believe that a similar approach may be used to address the larger problem. We therefore propose the CyberShip-IoT framework to provide a network-level defense for the communication network component of ship systems. CyberShip-IoT offers a high-level policy language and a translation mechanism for automated policy enforcement in the ship’s communication network. The modular design of the framework provides the flexibility to deploy detection mechanisms as required. To evaluate the feasibility and effectiveness of this framework, we develop a prototype for a scenario involving the communication network of a typical ship. The experimental results demonstrate that our framework can effectively translate high-level security policies into OpenFlow rules on the switches without incurring much latency, ultimately leading to efficient attack mitigation and reduced collateral damage.",
author = "Rishikesh Sahay and Weizhi Meng and {Sep{\'u}lveda Estay}, {Daniel Alberto} and Jensen, {Christian D.} and Barfod, {Michael Bruhn}",
year = "2019",
doi = "10.1016/j.future.2019.05.049",
language = "English",
volume = "100",
pages = "736--750",
journal = "Elsevier",
issn = "0922-3444",
publisher = "Reed Business bv",
}

CyberShip-IoT: A Dynamic and Adaptive SDN-Based Security Policy Enforcement Framework for Ships. / Sahay, Rishikesh; Meng, Weizhi; Sepúlveda Estay, Daniel Alberto; Jensen, Christian D.; Barfod, Michael Bruhn.

In: Elsevier, Vol. 100, 2019, pp. 736-750.

TY  - JOUR
T1  - CyberShip-IoT: A Dynamic and Adaptive SDN-Based Security Policy Enforcement Framework for Ships
AU  - Sahay, Rishikesh
AU  - Meng, Weizhi
AU  - Sepúlveda Estay, Daniel Alberto
AU  - Jensen, Christian D.
AU  - Barfod, Michael Bruhn
PY  - 2019
Y1  - 2019
N2  - With the wide adoption of Information and Communication Technology (ICT) in the marine environment, ship systems are increasingly similar to other networked computing systems. The integration of positioning systems with navigational and propulsion control systems and the increasing reliance on Supervisory Control And Data Acquisition (SCADA) systems for monitoring the ship’s performance makes modern ships vulnerable to a wide range of cyber security issues. Moreover, frequent or permanent onshore connection makes the ship’s communication network a potential target for cyber-criminals. Such attacks can incapacitate the vessel, e.g., through a ransomware attack, or greatly degrade the performance of the ship systems, e.g., by causing delays in the propagation of control messages between critical components within the ship. Furthermore, crew members and marine engineers are challenged with the task of configuring security policies for networked devices using low-level, device-specific syntax, which is an error-prone and time-consuming process. In addition, crew members must also be familiar with the specific syntax for low-level network management tasks, which exacerbates the problem. The emergence of Software-Defined Networking (SDN) helps reduce the complexity of network management tasks, and we believe that a similar approach may be used to address the larger problem. We therefore propose the CyberShip-IoT framework to provide a network-level defense for the communication network component of ship systems. CyberShip-IoT offers a high-level policy language and a translation mechanism for automated policy enforcement in the ship’s communication network. The modular design of the framework provides the flexibility to deploy detection mechanisms as required. To evaluate the feasibility and effectiveness of this framework, we develop a prototype for a scenario involving the communication network of a typical ship. The experimental results demonstrate that our framework can effectively translate high-level security policies into OpenFlow rules on the switches without incurring much latency, ultimately leading to efficient attack mitigation and reduced collateral damage.
AB  - With the wide adoption of Information and Communication Technology (ICT) in the marine environment, ship systems are increasingly similar to other networked computing systems. The integration of positioning systems with navigational and propulsion control systems and the increasing reliance on Supervisory Control And Data Acquisition (SCADA) systems for monitoring the ship’s performance makes modern ships vulnerable to a wide range of cyber security issues. Moreover, frequent or permanent onshore connection makes the ship’s communication network a potential target for cyber-criminals. Such attacks can incapacitate the vessel, e.g., through a ransomware attack, or greatly degrade the performance of the ship systems, e.g., by causing delays in the propagation of control messages between critical components within the ship. Furthermore, crew members and marine engineers are challenged with the task of configuring security policies for networked devices using low-level, device-specific syntax, which is an error-prone and time-consuming process. In addition, crew members must also be familiar with the specific syntax for low-level network management tasks, which exacerbates the problem. The emergence of Software-Defined Networking (SDN) helps reduce the complexity of network management tasks, and we believe that a similar approach may be used to address the larger problem. We therefore propose the CyberShip-IoT framework to provide a network-level defense for the communication network component of ship systems. CyberShip-IoT offers a high-level policy language and a translation mechanism for automated policy enforcement in the ship’s communication network. The modular design of the framework provides the flexibility to deploy detection mechanisms as required. To evaluate the feasibility and effectiveness of this framework, we develop a prototype for a scenario involving the communication network of a typical ship. The experimental results demonstrate that our framework can effectively translate high-level security policies into OpenFlow rules on the switches without incurring much latency, ultimately leading to efficient attack mitigation and reduced collateral damage.
UR  - http://orbit.dtu.dk/en/projects/cyber-resilience-for-the-shipping-industry-cybership(666b8477-992f-4bd7-82d3-e89fddb4c87d).html
U2  - 10.1016/j.future.2019.05.049
DO  - 10.1016/j.future.2019.05.049
M3  - Journal article
VL  - 100
SP  - 736
EP  - 750
JO  - Elsevier
JF  - Elsevier
SN  - 0922-3444
ER  - 