In an increasingly connected world our customers need operational data about their vessels at their fingertips in order to make well-informed and clear decisions. This raises the immediate question of how to transmit data securely from the ship to the shore side. For most of the history of seafaring, vessels have been independent and totally isolated environments. This is no longer the case: by connecting the vessel to the outside world, new risks and challenges have arisen. How do we do this while providing peace of mind? This is where our Ship-to-Shore solution comes into play. We provide simple and safe data transmission technology built to high security standards and compliant with the European General Data Protection Regulation (GDPR).
With Hoppe Marine's Ship-to-Shore solution, we treat our customers' assets as our own. We consider cybersecurity to be a core element of our services and are continuously evolving along with the marine and software industries' best practices in this regard.
Cybersecurity is a first-class citizen of our design processes, not an afterthought, and this can be seen in all aspects of our solution, from end to end. This is why we fully embraced the CIA triad as our three design pillars: Confidentiality, Integrity and Availability (CIA) are the fundamental objectives of our data transmission and storage solution.
How do we protect your floating asset from cyberattacks? First and foremost, no inbound connection to the vessel is accepted at any time. Our data transmission solution works solely with outgoing connections that are actively established from the ship side.
Both our ship and our shore clients communicate exclusively over encrypted channels secured with TLS and elliptic curve cryptography.
Our ship clients connect outbound through a single port to a fixed set of dedicated IP addresses. This keeps the attack surface extremely narrow and, because the shore endpoints are addressed by IP rather than resolved by name, removes DNS spoofing as a way to redirect the connection to a man-in-the-middle. It also keeps the firewall configuration on board simple and straightforward. Our data collection units authenticate themselves and sign packages with private keys that are never exposed, and we use a technique we call "device pinning" to prevent spoofing attacks.
Harsh environments such as sea-going vessels and other floating structures require careful selection of hardware, in particular when it comes to data logging. This is why we opted for our class-approved embedded industrial PC system, HOMIP2, which is fully compliant with IEC 60945:2002 and IEC 61162:2010. The data logger is class-approved by DNV, Lloyd's Register, Bureau Veritas and the American Bureau of Shipping. That way we can ensure that temperature variations, mechanical vibrations and electromagnetic interference do not interrupt or affect our data logging on board or its transmission to shore.
The Highest Data Integrity Assured
All packages delivered to or from the shore are cryptographically signed and are rejected unless the signature verifies.
In order to install updates, change configurations or debug our onboard systems we allow remote commands to be issued. Whether a command runs is decided by the ship client, not the shore: the client executes only commands on a small allow-list of non-intrusive operations, and anything else is rejected. This ensures that the crew always has full control over all devices and that no remote activity can override this control.
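The key-based authentication, package signing and allow-listed remote commands described above, as an added example written for this page; it is not Hoppe Marine's code and does not claim to match their package format. It assumes a JSON-encoded command, Ed25519 signatures, a shore public key pinned on the ship at installation time, and a monotonic sequence number for replay protection. The page names none of these, and the replay check in particular is a caveat a practitioner would add: a valid signature alone does not stop an old package from being delivered twice.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Command is the payload the shore side signs. The field names, the JSON encoding and the
// sequence number used for replay protection are assumptions made for this example.
type Command struct {
	Seq  uint64   `json:"seq"`            // must increase monotonically; rejects replays
	Name string   `json:"name"`           // allow-listed command name
	Args []string `json:"args,omitempty"` // command arguments
}

// SignedPackage carries the exact bytes that were signed, so the ship side verifies what
// it received and never has to re-serialise (and therefore canonicalise) the JSON.
type SignedPackage struct {
	Payload   []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("signature does not verify against the pinned shore key")
	ErrMalformed    = errors.New("payload is not a valid command")
	ErrReplay       = errors.New("sequence number is not newer than the last accepted one")
	ErrNotAllowed   = errors.New("command is not on the ship-side allow-list")
)

// GenerateShoreKey creates the shore side's Ed25519 signing key pair.
func GenerateShoreKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignCommand is the shore side: serialise the command and sign exactly those bytes.
func SignCommand(priv ed25519.PrivateKey, cmd Command) (SignedPackage, error) {
	payload, err := json.Marshal(cmd)
	if err != nil {
		return SignedPackage{}, err
	}
	return SignedPackage{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// ShipClient holds the shore public key pinned at installation time, the allow-list of
// commands it is willing to run, and the highest sequence number accepted so far.
type ShipClient struct {
	shorePub ed25519.PublicKey
	allow    map[string]bool
	lastSeq  uint64
}

func NewShipClient(shorePub ed25519.PublicKey, allowed []string) *ShipClient {
	c := &ShipClient{shorePub: shorePub, allow: make(map[string]bool, len(allowed))}
	for _, name := range allowed {
		c.allow[name] = true
	}
	return c
}

// Accept runs the ship-side checks in order: signature first (nothing unsigned is even
// parsed), then structure, then replay, then allow-list. Only a command that passes
// every check is returned for execution; the shore side never gets to decide that.
func (c *ShipClient) Accept(pkg SignedPackage) (Command, error) {
	if len(pkg.Signature) != ed25519.SignatureSize ||
		!ed25519.Verify(c.shorePub, pkg.Payload, pkg.Signature) {
		return Command{}, ErrBadSignature
	}
	var cmd Command
	if err := json.Unmarshal(pkg.Payload, &cmd); err != nil {
		return Command{}, ErrMalformed
	}
	if cmd.Seq <= c.lastSeq {
		return Command{}, ErrReplay
	}
	if !c.allow[cmd.Name] {
		return Command{}, ErrNotAllowed
	}
	c.lastSeq = cmd.Seq
	return cmd, nil
}

func main() {
	pub, priv, _ := GenerateShoreKey()
	ship := NewShipClient(pub, []string{"logger-status", "logger-restart"})
	status, _ := SignCommand(priv, Command{Seq: 1, Name: "logger-status"})
	rogue, _ := SignCommand(priv, Command{Seq: 2, Name: "sh", Args: []string{"-c", "reboot"}})
	// second delivery of status is a replay; rogue is correctly signed but not allow-listed
	for _, pkg := range []SignedPackage{status, status, rogue} {
		cmd, err := ship.Accept(pkg)
		fmt.Println(cmd.Name, err)
	}
}
```

The order of the checks is deliberate: the signature is verified before the payload is parsed, so a package from anyone but the holder of the pinned key never reaches the JSON decoder, and the allow-list decision is taken on the ship, which is the property the paragraph above claims for crew control.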
Shore Side Access and Storage
Our shore clients use AWS Cognito and JWT-based authentication, keeping our data protected with current industry standards. Additionally, we require hardware security keys as a second factor for all administrative access. Once a user is authenticated, authorization is role-based and follows the Principle of Least Privilege.
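The shore-side token check that the paragraph above describes, as an added example written for this page; it is not Hoppe Marine's code. It assumes the shore API receives Cognito access tokens signed with RS256, that the user pool's public key has already been fetched from its JWKS endpoint (the example generates a stand-in key instead), that the expected issuer and app client ID are configured, and that Cognito groups serve as the roles for the least-privilege mapping. The claim names `iss`, `exp`, `token_use`, `client_id` and `cognito:groups` are the ones Cognito places in access tokens, but which of them the real shore client checks, and the issuer, client and role names used with the code, are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Claims holds the Cognito access-token claims this example checks (which ones the real client checks is an assumption).
type Claims struct {
	Iss      string   `json:"iss"`
	Exp      int64    `json:"exp"`
	TokenUse string   `json:"token_use"`
	ClientID string   `json:"client_id"`
	Groups   []string `json:"cognito:groups,omitempty"` // Cognito groups act as roles
}

var (
	ErrMalformed = errors.New("token is not a well-formed JWT")
	ErrAlgorithm = errors.New("token alg is not the pinned RS256")
	ErrSignature = errors.New("token signature does not verify")
	ErrClaims    = errors.New("issuer, client_id, token_use or expiry does not match")
)

// Verifier pins the issuer's RSA public key (from the user pool's JWKS in production), the
// expected issuer and app client, and the permissions each role grants (least privilege).
type Verifier struct {
	Key       *rsa.PublicKey
	Issuer    string
	ClientID  string
	RolePerms map[string]map[string]bool
}

// GenerateIssuerKey stands in for the user pool's signing key; ExpiresIn builds an exp claim.
func GenerateIssuerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
func ExpiresIn(seconds int64) int64           { return time.Now().Unix() + seconds }
func b64(b []byte) string                      { return base64.RawURLEncoding.EncodeToString(b) }

// MintToken plays the identity provider and issues an RS256-signed access token.
func MintToken(priv *rsa.PrivateKey, c Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	signingInput := b64(header) + "." + b64(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// Verify pins the algorithm before checking the signature, checks the signature before
// trusting any claim, and compares issuer, client, token_use and expiry to expected values.
func (v *Verifier) Verify(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, ErrMalformed
	}
	var seg [3][]byte // decoded header, payload and signature
	for i, p := range parts {
		b, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil {
			return nil, ErrMalformed
		}
		seg[i] = b
	}
	var header struct{ Alg string `json:"alg"` }
	if json.Unmarshal(seg[0], &header) != nil || header.Alg != "RS256" {
		return nil, ErrAlgorithm // also rejects "none" and HS256 key-confusion tokens
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(v.Key, crypto.SHA256, digest[:], seg[2]) != nil {
		return nil, ErrSignature
	}
	var c Claims
	if json.Unmarshal(seg[1], &c) != nil {
		return nil, ErrMalformed
	}
	if c.Iss != v.Issuer || c.ClientID != v.ClientID || c.TokenUse != "access" ||
		!time.Now().Before(time.Unix(c.Exp, 0)) {
		return nil, ErrClaims
	}
	return &c, nil
}

// Authorize grants a permission only if one of the caller's roles includes it.
func (v *Verifier) Authorize(c *Claims, perm string) bool {
	for _, role := range c.Groups {
		if v.RolePerms[role][perm] {
			return true
		}
	}
	return false
}
```

The hardware-key second factor mentioned above sits in front of this code: it governs how a token is obtained, not how it is checked. What the relying party controls is the verification, and its order matters. Pinning `alg` to RS256 before looking at the signature rules out the `alg: none` and HS256 key-confusion forgeries; checking `token_use`, `client_id` and the issuer keeps an ID token, or an access token minted for a different app client, from being accepted; and the role map is the only place a permission can come from, so a group that is not listed grants nothing.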
In addition to the encrypted transmission channel, all data delivered to shore is encrypted at rest with AES-256.
Technological solutions are only as reliable as the people who operate them: some of the biggest threats we face today are in the form of social engineering. At Hoppe Marine, we invest in the continuous education of our employees, with frequent security audits, briefings and training.
We believe that our customers are our partners in this regard, and that it is our duty not just to inform them of any events that may occur, but to proactively include them in our investigations and our learnings. Good security comes from good practices, and we strive to make good practices the easy option for our customers and our developers wherever possible.
About the Authors
When not coding or parenting he likes to bury himself in writing poetry and comics.
Dr. Klaus Hueck is lead developer at Hoppe Marine's R&D department. He has been responsible for leading the development of Hoppe's cloud infrastructure and the Ship-to-Shore data transmission technology. With a strong background in software development and physics, he enjoys breaking down complex tasks into workable packages to build tailor-made solutions focused on our customers' needs.
In his free time, he is a passionate sailor and beekeeper.