University of Virginia
Department of Systems and Information Engineering
151 Engineer's Way, Charlottesville, VA, 22903
raj2u@virginia.edu, bh8e@virginia.edu
attacks and 19 hijackings [2]. To date, piracy may not include
cyber attacks, but just as cyber crime on land has increased,
there exists the potential for future shipboard piracy to employ
cyber attacks.
B. Terrorism
Opportunities for terrorist attacks include obtaining control
of, or grounding, vessels carrying hazardous cargo, e.g.
liquefied natural gas or petroleum. The energy stored in a
liquefied natural gas carrier makes it a potential terrorist target:
if one tank of the five on board were to spill and ignite, the
energy release would still equal more than 10 Hiroshima
bombs [3]. In 2010, the most serious environmental incident
involving ships was due to an unintentional grounding and not
the result of a cyber attack. In this case, the grounded vessel
spilled 800 tons of oil [4]. An Ultra Large Crude Container
(ULCC) carries hundreds of thousands of tons of oil. When one
considers the potential for larger spills, the great risk exposure
for environmental damage argues for vigilance.
I. INTRODUCTION
C. Cyber Warfare
The US Navy has increasing concerns regarding adversaries
employing cyber attacks as part of warfare. In 2010, the Navy
established a U.S. Fleet Cyber Command which coordinates
with other naval, coalition and joint task forces to execute the
full spectrum of cyber, electronic warfare, information
operations and signal intelligence capabilities and missions
across the cyber, electromagnetic and space domains [5].
Preventing a naval vessel from performing its mission could be
part of a cyber warfare scenario.
Over the last few years, new forms of cyber attack have
become more prevalent, including insider and supply chain
injected infections. It has been recognized that much of the
commercial technology referred to above is produced by
industries that are potential sources of such attacks [10]. As a
result, new solutions are called for in order to protect against
these types of attacks on ships with modern commercial control
equipment. In addition, the number of ships that connect their
systems to the Internet is increasing. This is because shipboard
connection to the Internet serves a variety of purposes, ranging
from providing the crew with Internet access for personal use
to providing access for the remote control and monitoring of
engines. For example, Wartsila is a well-known company
that provides remote engine monitoring [11].
IV.
Figure 2. [Diagram; labels: Operator Interface 1, Operator Interface 2, Network Switch 1 (Model A), Network Switch 2 (Model B), Propulsion Controller 1, Propulsion Controller 2, Engine 1, Engine 2, Hopper]
Fig. 3 shows the number of UDP packets lost per 10,000 for
a series of ten separate experimental runs for configuration
hopping at rates of five, ten and twenty seconds. A
reconfiguration rate of five seconds was chosen as being
fast enough to detect the erroneous behavior of a
network switch before permanent damage could be caused to
the ship's systems. Ten and twenty second reconfiguration rates
were selected to assess the relationship between the
reconfiguration rate and its impact on performance.
Figure 3. UDP packets lost per 10,000 sent due to configuration hopping for
a set of 10 experiments. The packet losses for each experiment are shown for
reconfiguration rates of five, ten, and twenty seconds.
[Diagram; labels: Operator Interface 2, Network Switch 1 (Model A), Network Switch 2 (Model B), Network Switch 2 (Model C), Propulsion Controller 1, Propulsion Controller 2, Hopper]
D. Voting
In the example shown in Fig. 2, there are two network
switches. If a problem is detected, one may not know which of
the network switches had been compromised. As discussed
previously, a mechanism is needed to isolate the network
switch producing the erroneous results. One such mechanism is
voting. Voting would require a third switch and a method to
assign the correct answer as that coming from two of the three
switches. Voting can also be compromised, but again the
difficulty for the attacker is increased. Fig. 4 illustrates a revised system with a
third network switch and a voter added.
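The 2-of-3 vote described above, as an added Python example (not code from the paper). The switch names, the `RPM=` payloads and the three-dissent isolation threshold are assumptions made for illustration.

```python
from collections import Counter

class SwitchVoter:
    """2-of-3 majority voter over the outputs of redundant network switches."""

    def __init__(self, switch_ids, isolate_after=3):
        self.switch_ids = list(switch_ids)
        self.isolate_after = isolate_after  # assumed: dissents tolerated before isolation
        self.dissent = Counter()            # disagreements recorded per switch
        self.isolated = set()

    def vote(self, outputs):
        """outputs maps switch id -> forwarded payload (None if nothing arrived).
        Returns (payload, dissenters); payload is None when no two switches agree."""
        live = {s: outputs.get(s) for s in self.switch_ids if s not in self.isolated}
        tally = Counter(p for p in live.values() if p is not None)
        if not tally:
            return None, []
        payload, count = tally.most_common(1)[0]
        if count < 2:
            # No majority: the voter cannot tell which switch is wrong, so it
            # refuses to pass a command on rather than guess.
            return None, []
        dissenters = sorted(s for s, p in live.items() if p != payload)
        for s in dissenters:
            self.dissent[s] += 1
            if self.dissent[s] >= self.isolate_after:
                self.isolated.add(s)
        return payload, dissenters

# Constructed sample: one operator command per frame, as forwarded by each switch.
FRAMES = [
    {"sw1": b"RPM=080", "sw2": b"RPM=080", "sw3": b"RPM=080"},
    {"sw1": b"RPM=085", "sw2": b"RPM=140", "sw3": b"RPM=085"},  # sw2 alters the command
    {"sw1": b"RPM=090", "sw2": None,       "sw3": b"RPM=090"},  # sw2 drops the frame
    {"sw1": b"RPM=090", "sw2": b"RPM=000", "sw3": b"RPM=090"},  # third dissent: isolate
    {"sw1": b"RPM=095", "sw2": b"RPM=095", "sw3": b"RPM=020"},  # only two voters left
]

def run(frames):
    voter = SwitchVoter(["sw1", "sw2", "sw3"])
    results = [voter.vote(f) for f in frames]
    return results, voter.isolated

if __name__ == "__main__":
    results, isolated = run(FRAMES)
    for payload, dissenters in results:
        print(payload, dissenters)
    print("isolated:", sorted(isolated))
```

Once `sw2` is isolated only two switches remain, so the disagreement in the last frame is detected but cannot be attributed to either switch, which is the two-switch limitation the paragraph starts from.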
[Diagram; labels: Operator Interface 1, Network Switch 1 (Model A), Propulsion Controller 1, Propulsion Controller 2, Engine 1, Engine 2, Voter]
VI.
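Security Factors: Deterrence, Defense, Restoration. Cost Factors: Collateral Real Time System Impacts, Implement. Costs, Life Cycle Costs.

| Option | Deterrence | Defense | Restoration | Collateral Real Time System Impacts | Implement. Costs | Life Cycle Costs | Security Score | Cost Score |
|---|---|---|---|---|---|---|---|---|
| weight | 0.4 | 0.4 | 0.2 | 0.5 | 0.25 | 0.25 | 1 | 1 |
| Baseline | 1 | 1 | 1 | 10 | 10 | 10 | 1 | 10 |
| Hopping Only | 5 | 4 | 1 | 4 | 4 | 4 | 3.8 | 4 |
| Voting Only | 4 | 5 | 8 | 8 | 6 | 6 | 5.2 | 7 |
| Hopping With Voting | 8 | 7 | 8 | 4 | 3 | 3 | 7.6 | 3.5 |

Figure 7. Evaluation of Security Options
VII. CONCLUSION
REFERENCES
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
[11]
[12]
[13]
[14]
[15]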