Connected ships and data flows: from the on-board sensor to the cloud
Vincent Rubiolo - OSXP - November 10th 2021
OSXP - 2021-11-10 From embedded Linux boat sensors to the cloud 2
About me
● Architect @ IoT.bzh (cloud, embedded Linux)
● Previous/current lives:
– Kubernetes (AWS/Google), React/Java
– Hypervisors, certified systems (DO-178C, IEC61508)
– RTOSes (incl. VxWorks)
– Shell, loaders, debugging tools
– Linux since 2002 (Mandrake, Gentoo, ..., Fedora)
● [email protected]
● https://www.linkedin.com/in/vincentrubiolo/
IoT.bzh at a glance
European CyberSecurity Organisation Cyber Valleys mapping
Our location: Brittany
Our 30-year OS background: Wind River (1990) - Intel (2009) - IoT.bzh (2015)
Our expert team: ~30 engineers
1st tech contributor 2016-2020 (inc. security model)
n°1 OS in TV market, led by Intel in Brittany
Real Time OS leader
Worldwide recognition within the Open Source community
Our new product redpesk® is a pre-integrated « ready-to-use » SW factory generating a custom & secure OS, long-term maintained, for embedded markets (automotive, mil-aero, maritime, energy etc.)
Agenda
● Business environment and marine industrial requirements
● Anatomy of a typical modern, connected boat
● Seanatic, a smart boat project
● Implementation used for a secure sensor data path
● Recap, Perspectives and Q&A
Business Requirements
Many similarities with automotive, but a few structuring differences
● Ships last longer than cars (the average cargo ship age is 25 years)
● Most ships are unique: except for small units, there are almost no “real” sister-ships
● Shipyards are far smaller companies than automotive OEMs (they use standard equipment)
● Because a ship is so expensive overall, time to market and new features matter more than hardware cost
Image credits: Piriou
Industrial Environment
● Ships operate longer than cars, if possible 24/7
● Very unfriendly hardware environment: sea water, cold/hot temperatures, shocks/vibrations, ...
● More a CIP (Civil Infrastructure Platform) than a typical consumer technological object
● Expensive enough to duplicate most of the equipment (resilience to breakdown, no single point of failure)
● Very little to no software expertise (like automotive, the maritime industry still mostly focuses on mechanics)
Image credits: Piriou (photos: Alternators, Engine Room)
The modern, connected boat
● Connection topologies
– Multiple protocols and buses involved
● NMEA2k, Modbus, CAN/J1939 (or older protocols like J1708)
● Multiple connectivity means, unreliable or random
– Wifi (only usable at port range), 4G GSM (up to 15-30 miles from the shore w/ amplifier), SATCOM always on (from 2Mib/s to 150 KiB/s)
– We need to manage link quality and prioritize data queues
● Cybersecurity is paramount
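To make the link-quality and prioritized-queue point concrete, here is an added example (not code from the talk or from redpesk) of a gateway-side publisher that drains a priority queue through whichever link is currently up. The link table, bandwidth figures and priority levels are constructed for the example.

```python
import heapq
from dataclasses import dataclass, field
from itertools import count

# Constructed link table loosely modelled on the slide's figures (bytes per
# second); the "up" flags are what an on-board link monitor would report.
LINKS = {
    "wifi":   {"bytes_per_s": 5_000_000, "up": False},   # port range only
    "4g":     {"bytes_per_s": 1_000_000, "up": False},   # coastal, w/ amplifier
    "satcom": {"bytes_per_s": 150 * 1024, "up": True},   # always on, slow
}

@dataclass(order=True)
class Sample:
    priority: int                       # 0 = alarm, 1 = engine telemetry, 2 = bulk logs
    seq: int                            # FIFO order within one priority level
    payload: bytes = field(compare=False)

class PrioritizedPublisher:
    """Queue sensor samples by priority and drain them through the best link up."""

    def __init__(self):
        self._heap = []
        self._seq = count()

    def enqueue(self, priority, payload):
        heapq.heappush(self._heap, Sample(priority, next(self._seq), payload))

    def pending(self):
        return len(self._heap)

    @staticmethod
    def best_link(links):
        up = [(name, cfg["bytes_per_s"]) for name, cfg in links.items() if cfg["up"]]
        return max(up, key=lambda pair: pair[1], default=(None, 0))

    def drain(self, links, window_s=1.0):
        """Send what the best available link carries in one window, highest
        priority first. A sample that does not fit stays queued (with everything
        behind it) until a faster link such as port Wi-Fi comes up.
        Returns (link name, [(priority, payload), ...])."""
        link, bytes_per_s = self.best_link(links)
        budget = int(bytes_per_s * window_s)
        sent = []
        while self._heap and len(self._heap[0].payload) <= budget:
            sample = heapq.heappop(self._heap)
            budget -= len(sample.payload)
            sent.append((sample.priority, sample.payload))
        return link, sent
```

At sea only SATCOM is up, so alarms and telemetry go out while the bulk log waits; once the boat is in Wi-Fi range the same queue drains the rest.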
Image credits: Maretron
Seanatic: a smart boat example
● First step towards an autonomous vessel
– Feed sensor data into AI for predictive maintenance
– ADEME project, consortium between industry and universities
● Demonstrator: ALMAK (Concarneau)
– 44m long, 10m wide, 25 people onboard
● Data collection
– Main engines + diesel generator (via J1708/NMEA2k) + simulated models
– Data goes to a Siemens ET200SP I/O system/PLC
● connected to the main gateway via Modbus
– Cloud connectivity w/ prioritized data queues
Data path design (diagram): on board, a Micro-service Application Framework with a Signalling Binder, Data Collection, Redis Binding, Data filtering, Database Binding/Data Model and a Cloud publication binding; over the Internet, a Cloud Publication Service (Redis, MQTT, CoAP, SQL Binding, Redis Binding, Application Framework in an LXD container on OVH/Azure) feeding the MyBoat Portal WebApp.
OpenID Connect Secure Gateway
● Allows complex, role- or context-driven security scenarios
● Maps between
– OpenID IDP security labels
– and local microservices privileges
● Checks microservice WebSocket inputs against
– LOA (Level of Assurance)
– IDP security attributes
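The two checks above (label-to-privilege mapping and LOA enforcement) as an added, self-contained model; this is not the sec-gate-oidc source and the policy tables, acr values and role names are assumed for the example. Token signature and issuer verification are taken as already done upstream.

```python
import time

# Constructed policy tables (not the gateway's Config.json format).
ACR_TO_LOA = {"urn:example:acr:password": 1, "urn:example:acr:mfa": 2}
# IDP security labels (token claims) -> local microservice privileges
LABEL_TO_PRIVS = {
    "crew": {"engine:read"},
    "chief-engineer": {"engine:read", "engine:configure"},
}
# Per-API policy: required local privilege and minimum Level of Assurance
API_POLICY = {
    "engine/telemetry": ("engine:read", 1),
    "engine/set-limits": ("engine:configure", 2),
}

def privileges_for(claims):
    """Map the IDP's security labels to the union of local privileges."""
    privs = set()
    for label in claims.get("roles", []):
        privs |= LABEL_TO_PRIVS.get(label, set())
    return privs

def loa_for(claims):
    """Derive the LOA from the acr claim; unknown or missing acr counts as 0."""
    return ACR_TO_LOA.get(claims.get("acr"), 0)

def authorize(claims, api, now=None):
    """Gateway-side decision for one WebSocket call: returns (allowed, reason).
    `claims` are the already-verified ID token claims; only policy is modelled."""
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if api not in API_POLICY:
        return False, "unknown api"            # deny by default
    needed_priv, needed_loa = API_POLICY[api]
    if needed_priv not in privileges_for(claims):
        return False, f"missing privilege {needed_priv}"
    loa = loa_for(claims)
    if loa < needed_loa:
        return False, f"loa {loa} below required {needed_loa}"
    return True, "ok"
```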
Secure Gateway architecture (diagram): on the Linux Embedded Target, the Micro-service Framework's µBinder exposes high level APIs (Wifi, Storage, Audio, Network, Graphics, HID) behind Secure-Gateway ACL hooks, Session Mngt., a Permission Agent and Federated Identity (Config.json, Identity Store, Cynagora ACLs-DB); clients reach it over TLS REST/WebSocket; Social identity and Second Factor Auth. act as external identity sources; RTOS, SELinux and Firewall form the lower layers.
Recap
● Modern marine vessels rely on a lot of connectivity
– often unreliable and/or choppy
– can generate a massive amount of sensor data
● Cybersecurity is critical
– both in-vessel, at port and on the cloud infra.
● Our design of a secure, end-to-end boat to cloud data path
– implemented on the Seanatic project
– leverages the redpesk microservice framework + OpenID Connect
Interested?
● Source code for the boat to cloud publication microservice is available
– https://github.com/redpesk-common/cloud-publication-binding
– https://docs.redpesk.bzh/docs/en/master/redpesk-core/cloud-pub/1-Architecture.html
● OpenID Connect secure gateway source code
– https://github.com/redpesk-common/sec-gate-oidc
– https://docs.redpesk.bzh/docs/en/master/redpesk-core/secure-gate/1-architecture-presentation.html
● Ready-to-use redpesk binary builds are available for major distros and supported boards
– https://docs.redpesk.bzh/docs/en/master/redpesk-marine/boards/docs/boards/download-images.html
● Contributions and feedback are very welcome
– Support via redpesk-core/redpesk-marine Element/Riot channels
Links
● Redpesk:
– Website: https://www.redpesk.bzh
– Documentation: https://docs.redpesk.bzh
– Sources: https://github.com/redpesk-core
● IoT.bzh:
– Website: https://iot.bzh/
– Microservice Application Framework fundamentals: https://iot.bzh/en/publications/101-lesson-ensta-2019.html
– Github: https://github.com/iotbzh
● Seanatic: https://www.seanatic.bzh
Document links
● Cybersecurity ships UK: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/642598/cyber-security-code-of-practice-for-ships.pdf
● Cybersecurity ships IMO: https://www.ics-shipping.org/wp-content/uploads/2020/08/guidelines-on-cyber-security-onboard-ships-min.pdf
● Ports - IMO: https://maritime-executive.com/editorials/the-imo-2021-cyber-guidelines-and-the-need-to-secure-seaports
● Ports - CISA (USA): https://www.cisa.gov/sites/default/files/publications/port-facility-cybersecurity-risks-infographic_508.pdf
Q&A
Lorient Harbour, South Brittany, France
This picture is an original picture taken by Jack Mamelet in 2006. It is under the GNU Free Documentation License and the Creative Commons Attribution.