TY - JOUR
T1 - CyberShip-IoT: A dynamic and adaptive SDN-based security policy enforcement framework for ships
AU - Sahay, Rishikesh
AU - Meng, Weizhi
AU - Estay, D. A. Sepulveda
AU - Jensen, Christian D.
AU - Barfod, Michael Bruhn
N1 - Publisher Copyright:
© 2019 Elsevier B.V.
PY - 2019/11
Y1 - 2019/11
AB - With the wide adoption of Information and Communication Technology (ICT) in the marine environment, ship systems are increasingly similar to other networked computing systems. The integration of positioning systems with navigational and propulsion control systems, and the increasing reliance on Supervisory Control And Data Acquisition (SCADA) systems for monitoring the ship's performance, make modern ships vulnerable to a wide range of cyber security issues. Moreover, frequent or permanent onshore connection makes the ship's communication network a potential target for cyber-criminals. Such attacks can incapacitate the vessel, e.g., through a ransomware attack, or greatly degrade the performance of the ship systems, e.g., by causing delays in the propagation of control messages between critical components within the ship. Furthermore, crew members and marine engineers are challenged with the task of configuring security policies for networked devices using low-level, device-specific syntax, which is an error-prone and time-consuming process. In addition, crew members must also be familiar with the specific syntax for low-level network management tasks, which exacerbates the problem. The emergence of Software-Defined Networking (SDN) helps reduce the complexity of network management tasks, and we believe that a similar approach may be used to address the larger problem. We therefore propose the CyberShip-IoT framework to provide a network-level defense for the communication network component of ship systems. CyberShip-IoT offers a high-level policy language and a translation mechanism for automated policy enforcement in the ship's communication network. The modular design of the framework provides the flexibility to deploy detection mechanisms according to their requirements. To evaluate the feasibility and effectiveness of this framework, we develop a prototype for a scenario involving the communication network of a typical ship. The experimental results demonstrate that our framework can effectively translate high-level security policies into OpenFlow rules on the switches without incurring much latency, ultimately leading to efficient attack mitigation and reduced collateral damage.
KW - Internet-of-Things
KW - OpenFlow
KW - Policy language and enforcement
KW - SCADA system
KW - SDN
KW - Ship system
UR - http://www.scopus.com/inward/record.url?scp=85066328900&partnerID=8YFLogxK
U2 - 10.1016/j.future.2019.05.049
DO - 10.1016/j.future.2019.05.049
M3 - Journal article
AN - SCOPUS:85066328900
VL - 100
SP - 736
EP - 750
JO - Future Generation Computer Systems - The International Journal of eScience
JF - Future Generation Computer Systems - The International Journal of eScience
SN - 0167-739X
ER -