Transcript of "Connected ships and data flows: from the on-board sensor to the cloud" (15 pages)

Page 1: Connected ships and data flows: from the on-board sensor ...

Connected ships and data flows: from the on-board sensor to the cloud

Vincent Rubiolo - OSXP - November 10th 2021

Page 2: Connected ships and data flows: from the on-board sensor ...

OSXP - 2021-11-10 - From embedded Linux boat sensors to the cloud

About me

● Architect @ IoT.bzh (cloud, embedded Linux)
● Previous/current lives:
  – Kubernetes (AWS/Google), React/Java
  – Hypervisors, certified systems (DO-178C, IEC61508)
  – RTOSes (incl. VxWorks)
  – Shell, loaders, debugging tools
  – Linux since 2002 (Mandrake, Gentoo, ..., Fedora)
● [email protected]
● https://www.linkedin.com/in/vincentrubiolo/

Page 3: Connected ships and data flows: from the on-board sensor ...


IoT.bzh at a glance

● Our location: Brittany (European CyberSecurity Organisation Cyber Valleys mapping)
● Our 30-year OS background: Wind River (1990) - Intel (2009) - IoT.bzh (2015)
● Our expert team: ~30 engineers
● Track record:
  – 1st tech contributor 2016-2020 (inc. security model)
  – n°1 OS in TV market, led by Intel in Brittany
  – Real Time OS leader
  – Worldwide recognition within the Open Source community
● Our new product redpesk® is a pre-integrated « ready-to-use » SW factory generating a custom & secure OS, long-term maintained for embedded markets (automotive, mil-aero, maritime, energy etc.)

Page 4: Connected ships and data flows: from the on-board sensor ...

Agenda

● Business environment and marine industrial requirements
● Anatomy of a typical modern, connected boat
● Seanatic, a smart boat project
● Implementation used for a secure sensor data path
● Recap, Perspectives and Q&A

Page 5: Connected ships and data flows: from the on-board sensor ...

Business Requirements

Many similarities with automotive, but a few structuring differences

● Ships last longer than cars (average cargo ship age is 25 years)
● Most ships are unique: except for small units, almost no “real” sister-ship
● Shipyards are far smaller companies than automotive OEMs (they use standard equipment)
● Because of a ship's high overall cost, time to market and new features matter more than hardware cost

Image credits: Piriou

Page 6: Connected ships and data flows: from the on-board sensor ...

Industrial Environment

● Ships operate longer than cars, if possible 24/7
● Very unfriendly hardware environment: sea water, cold/hot temperatures, shocks/vibrations, ...
● More a CIP (Civil Infrastructure Platform) than a typical consumer technological object
● Expensive enough to duplicate most of the equipment (resilience to breakdown, no single point of failure)
● Very little to no software expertise (like automotive, the maritime industry still focuses mostly on mechanics)

Image credits: Piriou (Alternators, Engine Room)

Page 7: Connected ships and data flows: from the on-board sensor ...

The modern, connected boat

● Connection topologies
  – Multiple protocols and buses involved: NMEA2k, Modbus, CAN/J1939 (or older protocols like J1708)
● Multiple connectivity means, unreliable or intermittent
  – Wifi (only usable at port range), 4G GSM (up to 15-30 miles from the shore w/ amplifier), SATCOM always on (from 2 Mib/s down to 150 KiB/s)
  – We need to manage link quality and prioritize data queues
● Cybersecurity is paramount

Image credits: Maretron

Page 8: Connected ships and data flows: from the on-board sensor ...

Seanatic: a smart boat example

● First step towards autonomous vessels
  – Feed sensor data into AI for predictive maintenance
  – ADEME project, consortium between industry and universities
● Demonstrator: ALMAK (Concarneau)
  – 44m long, 10m wide, 25 people onboard
● Data collection
  – Main engines + diesel generator (via J1708/NMEA2k) + simulated models
  – Data goes to a Siemens ET200SP I/O system/PLC, connected to the main gateway via Modbus
  – Cloud connectivity w/ prioritized data queues

Page 9: Connected ships and data flows: from the on-board sensor ...

Data path design

Components shown (diagram not reproduced): Data Collection (Signalling Binder, Redis Binding), Signals Subscription, Data Model (Database Binding), Data filtering, Redis (Redis Binding), Cloud publication binding, Micro-service Application Framework; over the Internet, the Cloud Publication Service (Application Framework with Cloud publication binding, Redis / MQTT / CoAP, SQL Binding, Redis Binding) in an LXD container hosted on Google, OVH or Azure; WebApp / MyBoat Portal.
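Slides 7 to 9 describe the core problem of the data path: links come and go (Wifi at port, 4G near shore, SATCOM always on but narrow), so the gateway has to store readings, rank them and send the most important ones first within whatever the current link allows. The following is an added example written for this page, not code from the talk or from the redpesk cloud-publication binding; the link table, priority classes, byte budgets and sample readings are constructed assumptions. Two properties matter from a security and resilience standpoint and are what the example shows: queues are bounded per priority class, so a chatty or misbehaving sensor on the bus (or an attacker flooding a low-priority topic) cannot evict alarms, and a failed send leaves data queued instead of losing it. Transport protection (TLS, message authentication) belongs in the `send` callback and is out of scope here.

```python
"""Link-aware, prioritised store-and-forward for vessel sensor data.

Added example, not code from the talk or from the redpesk cloud-publication
binding. The link table, priority classes, budgets and sample readings are
constructed for illustration only.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed link table: name -> (usable right now?, byte budget per flush).
# Budgets are illustrative, loosely following the slide's orders of magnitude.
LINKS = {
    "wifi":   {"up": False, "budget": 10_000_000},   # only at port range
    "4g":     {"up": False, "budget": 1_000_000},    # near shore, w/ amplifier
    "satcom": {"up": True,  "budget": 150 * 1024},   # always on, narrow, costly
}

# Constructed priority classes keyed by topic prefix; lower number = sent first.
PRIORITY = {"alarm": 0, "engine": 1, "telemetry": 2}


@dataclass
class Reading:
    topic: str
    payload: bytes
    prio: int


@dataclass
class Publisher:
    max_per_queue: int
    queues: dict = field(default_factory=lambda: {p: deque() for p in PRIORITY.values()})
    dropped: int = 0

    def enqueue(self, topic: str, payload: bytes) -> None:
        """Classify by topic prefix. Each class has its own bounded queue and a
        full queue drops its OLDEST entry of the SAME class, so a flood of
        telemetry can never push out an alarm."""
        cls = topic.split("/", 1)[0]
        prio = PRIORITY.get(cls, PRIORITY["telemetry"])   # unknown topics rank lowest
        q = self.queues[prio]
        if len(q) >= self.max_per_queue:
            q.popleft()
            self.dropped += 1
        q.append(Reading(topic, payload, prio))

    def pick_link(self, links=LINKS) -> Optional[str]:
        """Prefer the widest/cheapest link that is currently usable."""
        for name in ("wifi", "4g", "satcom"):
            if links[name]["up"]:
                return name
        return None

    def flush(self, send: Callable[[str, Reading], bool], links=LINKS) -> list:
        """Send in strict priority order within the chosen link's byte budget.
        Anything not sent (budget exhausted, link dropped, send failed) stays
        queued for the next flush."""
        link = self.pick_link(links)
        sent = []
        if link is None:
            return sent
        budget = links[link]["budget"]
        for prio in sorted(self.queues):
            q = self.queues[prio]
            while q:
                r = q[0]
                if len(r.payload) > budget:
                    return sent          # budget exhausted: lower priorities wait
                if not send(link, r):
                    return sent          # link failed mid-flush: keep the data
                q.popleft()
                budget -= len(r.payload)
                sent.append((link, r.topic))
        return sent


def demo() -> dict:
    """Constructed run: 4 telemetry readings (one more than the queue holds),
    one engine reading, one alarm, flushed over SATCOM with a tiny budget."""
    pub = Publisher(max_per_queue=3)
    for i in range(4):
        pub.enqueue("telemetry/rpm", b"%d" % i)
    pub.enqueue("engine/coolant", b"91C")
    pub.enqueue("alarm/bilge", b"HIGH")
    links = {k: dict(v) for k, v in LINKS.items()}
    links["satcom"]["budget"] = 9            # constructed: forces ordering to show
    sent = pub.flush(lambda link, r: True, links)
    return {"sent": sent, "dropped": pub.dropped,
            "left": sum(len(q) for q in pub.queues.values())}


if __name__ == "__main__":
    print(demo())
```

In the constructed run the alarm goes first, then the engine reading, then as much telemetry as the 9-byte budget allows; one telemetry reading was dropped at enqueue time because its class queue was full, and one remains queued for the next link window. A real deployment would also persist the queues to disk so a gateway reboot does not lose readings.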

Page 10: Connected ships and data flows: from the on-board sensor ...

OpenID Connect Secure Gateway

● Allows complex, role- or context-driven security scenarios
● Maps between
  – OpenID IDP security labels
  – and local microservices privileges
● Checks microservice WebSocket inputs against
  – LOA (Level of Assurance)
  – IDP security attributes

Components shown (diagram not reproduced): on the Linux Embedded Target, the Micro-service Framework with µBinder, Cynagora ACLs-DB and High level APIs (Wifi, Storage, Audio, Network, Graphics, HID); the Secure-Gateway with ACL hooks, Session Mngt., Permission Agent, Federated Identity, Config.json and Identity Store; TLS REST/WebSocket towards Social identity and Second Factor Auth.; RTOS, SELinux, Firewall.
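The gateway's two jobs on this slide are a mapping (IDP security labels to local privileges) and a check (each WebSocket call against a required privilege and a minimum LOA). The following is an added example written for this page, not code from the talk or from redpesk's sec-gate-oidc; the claim names (`roles`, `acr`), the label-to-privilege table, the LOA scale and the API table are assumptions constructed for illustration, and the ID token's signature and issuer are assumed to have been verified by the OIDC library before the claims reach this code. The point it makes is deny-by-default: unknown labels grant nothing, unknown `acr` values map to the lowest LOA, unknown verbs are refused, and a sensitive verb is refused to an otherwise-entitled engineer who only authenticated with a password.

```python
"""Mapping verified OpenID Connect claims to local microservice privileges and
enforcing a Level-of-Assurance check per WebSocket verb.

Added example, not code from the talk or from redpesk's sec-gate-oidc. Claim
names, tables and sample claims are constructed assumptions. Token signature
and issuer verification is assumed to have happened upstream.
"""
from dataclasses import dataclass
import time

# Constructed: how the IDP's "acr" (authentication context class) claim is
# ranked. Unknown acr values fall to level 0, never to a higher level.
LOA_BY_ACR = {
    "urn:example:loa:password": 1,
    "urn:example:loa:mfa": 2,
}

# Constructed: IDP security labels (the "roles" claim) -> local privileges.
LABEL_TO_PRIVS = {
    "crew":      {"signals:read"},
    "engineer":  {"signals:read", "engine:config"},
    "shore-ops": {"signals:read", "cloud:publish"},
}

# Constructed: required privilege and minimum LOA for each microservice verb.
API_TABLE = {
    "signals/subscribe": ("signals:read", 1),
    "engine/set-limits": ("engine:config", 2),   # sensitive: second factor needed
    "cloud/publish":     ("cloud:publish", 1),
}


@dataclass(frozen=True)
class Session:
    subject: str
    privileges: frozenset
    loa: int
    expires_at: float


def session_from_claims(claims: dict, now: float = None) -> Session:
    """Build a local session from verified ID-token claims: union the
    privileges of every known label, derive LOA from acr, keep token expiry."""
    now = time.time() if now is None else now
    if float(claims.get("exp", 0)) <= now:
        raise PermissionError("token expired")
    privs = set()
    for label in claims.get("roles", []):
        privs |= LABEL_TO_PRIVS.get(label, set())      # unknown labels grant nothing
    loa = LOA_BY_ACR.get(claims.get("acr"), 0)
    return Session(claims["sub"], frozenset(privs), loa, float(claims["exp"]))


def authorize(session: Session, verb: str, now: float = None) -> tuple:
    """Check one WebSocket request. Returns (allowed, reason) and denies by
    default for verbs that are not in the API table."""
    now = time.time() if now is None else now
    if session.expires_at <= now:
        return False, "session expired"
    entry = API_TABLE.get(verb)
    if entry is None:
        return False, "unknown verb"
    priv, min_loa = entry
    if priv not in session.privileges:
        return False, f"missing privilege {priv}"
    if session.loa < min_loa:
        return False, f"LOA {session.loa} < required {min_loa}"
    return True, "ok"


# Constructed sample claims: an engineer who logged in with a password only,
# carrying one label the gateway does not know about.
SAMPLE_CLAIMS = {
    "sub": "eng-42",
    "roles": ["engineer", "unknown-label"],
    "acr": "urn:example:loa:password",
    "exp": 2_000_000_000,
}


def demo(now: float = 1_900_000_000) -> dict:
    """Decision for every verb in the table for the sample session."""
    session = session_from_claims(SAMPLE_CLAIMS, now)
    return {verb: authorize(session, verb, now)[0] for verb in API_TABLE}


if __name__ == "__main__":
    print(demo())
```

For the sample engineer, `signals/subscribe` is allowed, `engine/set-limits` is refused because LOA 1 is below the required 2 even though the privilege is present, and `cloud/publish` is refused for lack of privilege. Re-issuing the token after a second-factor step (an `acr` of `urn:example:loa:mfa` in this constructed scale) is what unlocks the sensitive verb; the gateway should re-evaluate LOA per request rather than caching an "is admin" flag at login.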

Page 11: Connected ships and data flows: from the on-board sensor ...

Recap

● Modern marine vessels rely on a lot of connectivity
  – often unreliable and/or choppy
  – can generate massive amounts of sensor data
● Cybersecurity is critical
  – both in-vessel, at port and on the cloud infrastructure
● Our design of a secure, end-to-end boat-to-cloud data path
  – implemented on the Seanatic project
  – leverages the redpesk microservice framework + OpenID Connect

Page 12: Connected ships and data flows: from the on-board sensor ...

Interested?

● Source code for the boat-to-cloud publication microservice is available
  – https://github.com/redpesk-common/cloud-publication-binding
  – https://docs.redpesk.bzh/docs/en/master/redpesk-core/cloud-pub/1-Architecture.html
● OpenID Connect secure gateway source code
  – https://github.com/redpesk-common/sec-gate-oidc
  – https://docs.redpesk.bzh/docs/en/master/redpesk-core/secure-gate/1-architecture-presentation.html
● Ready-to-use redpesk binary builds are available for major distros and supported boards
  – https://docs.redpesk.bzh/docs/en/master/redpesk-marine/boards/docs/boards/download-images.html
● Contributions and feedback are very welcome
  – Support via the redpesk-core/redpesk-marine Element/Riot channels

Page 13: Connected ships and data flows: from the on-board sensor ...

Links

● Redpesk:
  – Website: https://www.redpesk.bzh
  – Documentation: https://docs.redpesk.bzh
  – Sources: https://github.com/redpesk-core
● IoT.bzh:
  – Website: https://iot.bzh/
  – Microservice Application Framework fundamentals: https://iot.bzh/en/publications/101-lesson-ensta-2019.html
  – Github: https://github.com/iotbzh
● Seanatic: https://www.seanatic.bzh

Page 14: Connected ships and data flows: from the on-board sensor ...

Document links

● Cybersecurity ships UK: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/642598/cyber-security-code-of-practice-for-ships.pdf
● Cybersecurity ships IMO: https://www.ics-shipping.org/wp-content/uploads/2020/08/guidelines-on-cyber-security-onboard-ships-min.pdf
● Ports - IMO: https://maritime-executive.com/editorials/the-imo-2021-cyber-guidelines-and-the-need-to-secure-seaports
● Ports - CISA (USA): https://www.cisa.gov/sites/default/files/publications/port-facility-cybersecurity-risks-infographic_508.pdf

Page 15: Connected ships and data flows: from the on-board sensor ...


Q&A

Lorient Harbour, South Brittany, France

Image credit: this picture is an original picture taken by Jack Mamelet in 2006. It is under the GNU Free Documentation License and the Creative Commons Attribution license.