Page 1: Connected ships and data flows: from the on-board sensor to the cloud

Vincent Rubiolo - OSXP - November 10th 2021

Page 2

OSXP - 2021-11-10 - From embedded Linux boat sensors to the cloud

About me

● Architect @ IoT.bzh (cloud, embedded Linux)
● Previous/current lives:
  – Kubernetes (AWS/Google), React/Java
  – Hypervisors, certified systems (DO-178C, IEC 61508)
  – RTOSes (incl. VxWorks)
  – Shell, loaders, debugging tools
  – Linux since 2002 (Mandrake, Gentoo, ..., Fedora)
● [email protected]
● https://www.linkedin.com/in/vincentrubiolo/

Page 3

IoT.bzh at a glance

● European CyberSecurity Organisation: Cyber Valleys mapping
● Our location: Brittany
● Our 30-year OS background: Wind River (1990) - Intel (2009) - IoT.bzh (2015)
● Our expert team: ~30 engineers
● 1st tech contributor 2016-2020 (inc. security model)
● n°1 OS in TV market, led by Intel in Brittany
● Real Time OS leader
● Worldwide recognition within the Open Source community
● Our new product redpesk® is a pre-integrated « ready-to-use » SW factory generating a custom & secure OS, long-term maintained for embedded markets (automotive, mil-aero, maritime, energy etc.)

Page 4

Agenda

● Business environment and marine industrial requirements
● Anatomy of a typical modern, connected boat
● Seanatic, a smart boat project
● Implementation used for a secure sensor data path
● Recap, Perspectives and Q&A

Page 5

Business Requirements

Many similarities with automotive, but a few structuring differences

● Ships last longer than cars (average cargo ship age is 25 years)
● Most ships are unique: except for small units, almost no “real” sister-ship
● Shipyards are far smaller companies than automotive OEMs (they use standard equipment)
● Due to a ship's high overall cost, time to market and new features matter more than hardware cost.

Image credits: Piriou

Page 6

Industrial Environment

● Ships operate longer than cars, if possible 24/7
● Very unfriendly hardware environment: sea water, cold/hot temperatures, shocks/vibrations, ...
● More a CIP (Civil Infrastructure Platform) than a typical consumer technological object
● Expensive enough to duplicate most of the equipment (resilience to breakdown, no single point of failure)
● Very little to no software expertise (like automotive, the maritime industry still mostly focuses on mechanics)

Image credits: Piriou (photos: Alternators, Engine Room)

Page 7

The modern, connected boat

● Connection topologies
  – Multiple protocols and buses involved
    ● NMEA2k, Modbus, CAN/J1939 (or older protocols like J1708)
● Multiple connectivity means, unreliable or random
  – Wifi (only usable at port range), 4G GSM (up to 15-30 miles from the shore w/ amplifier), SATCOM always on (from 2Mib/s to 150 KiB/s)
  – We need to manage link quality and prioritize data queues
● Cybersecurity is paramount

Image credits: Maretron

Page 8

Seanatic: a smart boat example

● First step towards autonomous vessel
  – Feed sensor data into AI for predictive maintenance
  – ADEME project, consortium between industry and universities
● Demonstrator: ALMAK (Concarneau)
  – 44m long, 10m wide, 25 people onboard
● Data collection
  – Main engines + diesel generator (via J1708/NMEA2k) + simulated models
  – Data goes to Siemens ET200SP I/O system/PLC, connected to main gateway via Modbus
  – Cloud connectivity w/ prioritized data queues
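The previous two slides both say the gateway must manage link quality and prioritize its data queues (Wi-Fi at port, 4G near shore, expensive always-on SATCOM offshore). The block below is an added illustration of that idea and is not code from the Seanatic project, redpesk or the cloud-publication binding: the link names, the per-tick byte budgets, the priority classes and the sample topics are all constructed for the example. Alarms and engine telemetry drain first on any link; bulk data (raw dumps, logs) is held back until a link flagged as cheap enough is available, and nothing is dropped, only deferred.

```python
"""Prioritised sensor-data queues drained according to the current link.

Added illustration for the talk's "manage link quality and prioritise data
queues" point; not code from Seanatic or redpesk.  Link names, bandwidth
budgets, priority classes and topics are constructed for this example.
"""
import heapq
import itertools
from dataclasses import dataclass, field

# Priority classes: lower number drains first (constructed for this example).
ALARM, TELEMETRY, BULK = 0, 1, 2

# Links the boat may have, with a constructed budget of bytes per drain tick
# and whether the link is cheap enough to carry bulk data (logs, raw dumps).
LINKS = {
    "wifi":   {"budget": 1_000_000, "bulk_ok": True},   # at port range
    "4g":     {"budget":   200_000, "bulk_ok": True},   # near shore
    "satcom": {"budget":    20_000, "bulk_ok": False},  # always on, expensive
}


@dataclass(order=True)
class Message:
    priority: int
    seq: int                          # tie-breaker keeps FIFO within a class
    payload: bytes = field(compare=False)
    topic: str = field(compare=False)


class PublicationQueue:
    def __init__(self):
        self._heap = []
        self._seq = itertools.count()

    def publish(self, topic, payload, priority=TELEMETRY):
        heapq.heappush(self._heap, Message(priority, next(self._seq), payload, topic))

    def drain(self, link):
        """Return the topics sent in this tick, in order.

        Alarms and telemetry go first.  Bulk data is only sent on links flagged
        bulk_ok; otherwise it stays queued for a better link.  A message that
        does not fit the remaining budget is kept for the next tick; smaller
        messages behind it may still use what is left (work-conserving).
        """
        cfg = LINKS[link]
        budget = cfg["budget"]
        sent, deferred = [], []
        while self._heap and budget > 0:
            msg = heapq.heappop(self._heap)
            if msg.priority == BULK and not cfg["bulk_ok"]:
                deferred.append(msg)
                continue
            if len(msg.payload) > budget:
                deferred.append(msg)
                continue
            budget -= len(msg.payload)
            sent.append(msg.topic)
        for msg in deferred:              # put deferred messages back, order kept
            heapq.heappush(self._heap, msg)
        return sent

    def pending(self):
        return len(self._heap)


def demo():
    """Constructed scenario: one drain tick offshore (SATCOM), one at port."""
    q = PublicationQueue()
    q.publish("engine/rpm", b"x" * 2_000)                         # telemetry
    q.publish("log/raw-can-dump", b"x" * 500_000, priority=BULK)  # bulk
    q.publish("alarm/bilge-high", b"x" * 200, priority=ALARM)     # alarm
    q.publish("engine/temp", b"x" * 2_000)                        # telemetry
    on_satcom = q.drain("satcom")   # alarm + telemetry only; bulk deferred
    on_wifi = q.drain("wifi")       # bulk now goes out
    return on_satcom, on_wifi, q.pending()


if __name__ == "__main__":
    print(demo())
```

The drain loop is deliberately non-destructive: a SATCOM outage or a budget too small for a message changes only when data leaves, never whether it leaves, which matters for alarms that must not be lost while a link flaps.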

Page 9

Data path design

(Architecture diagram; only its component labels survive extraction.) Labels: Internet; Cloud Publication Service; Cloud publication binding; Data filtering; Redis; Redis Binding; Signals Subscription; Data Collection; Signalling Binder; Database Binding; Data Model; WebApp; MyBoat Portal; Micro-service Application Framework; MQTT; CoAP; Application Framework; SQL Binding; LXD container; Google; OVH; Azure.

Page 10

OpenID Connect Secure Gateway

● Allows complex, role or context-driven security scenarios
● Maps between
  – OpenID IDP security labels
  – and local microservices privileges
● Checks microservice WebSocket inputs against
  – LOA (Level of Assurance)
  – IDP security attributes

(Architecture diagram; only its labels survive extraction.) Labels: Cynagora ACLs-DB; µBinder; High level APIs; Wifi; Storage; Audio; Network; Graphics; HID; Secure-Gateway ACL hooks; Session Mngt.; Permission Agent; Federated Identity; Config.json; Identity Store; Micro-service Framework; TLS REST/WebSocket; Linux Embedded Target; Social identity; Second Factor Auth.; RTOS; SELinux; Firewall.
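The slide describes the gateway's two jobs: map the identity provider's security labels onto local microservice privileges, then check each WebSocket/REST call against a required Level of Assurance and the IdP attributes. The block below is an added illustration of that policy step and is not code from redpesk's sec-gate-oidc, nor its configuration format. The `acr` value to LOA table, the `roles` claim, the privilege labels and the API routes are constructed for the example; token signature and issuer verification are assumed to have already happened before the claims reach this check.

```python
"""OIDC claims -> local privileges, plus a Level-of-Assurance check.

Added illustration of the "OpenID Connect Secure Gateway" slide; not code
from sec-gate-oidc.  The acr values, roles, privilege labels and API routes
are constructed.  Assumes the ID token's signature, issuer and audience were
verified before `claims` is passed here.
"""
from dataclasses import dataclass

# Constructed table: IdP 'acr' values mapped to a numeric LOA.  An unknown
# or absent acr yields LOA 0, which can never satisfy a positive requirement.
ACR_TO_LOA = {
    "urn:example:password": 1,
    "urn:example:mfa": 2,
}

# Constructed mapping from IdP security labels (a 'roles' claim) to local
# microservice privileges, the kind of table a gateway config would carry.
ROLE_TO_PRIVILEGES = {
    "crew":      {"signals:read"},
    "engineer":  {"signals:read", "signals:write"},
    "fleet-ops": {"signals:read", "cloud:publish"},
}

# Constructed per-API policy: (privilege needed, minimum LOA).
API_POLICY = {
    "/api/signals/read":  ("signals:read",  1),
    "/api/signals/write": ("signals:write", 2),   # actuation requires MFA
    "/api/cloud/publish": ("cloud:publish", 2),
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def claims_to_privileges(claims):
    """Union of local privileges granted by every recognised IdP role."""
    roles = claims.get("roles", [])
    if isinstance(roles, str):          # some IdPs emit a single string
        roles = [roles]
    privs = set()
    for role in roles:
        privs |= ROLE_TO_PRIVILEGES.get(role, set())   # unknown roles grant nothing
    return privs


def loa_of(claims):
    return ACR_TO_LOA.get(claims.get("acr"), 0)


def authorize(api, claims, now):
    """Deny-by-default decision for a call to `api` by a session whose
    verified claims are `claims`.  `now` is Unix time, compared with `exp`."""
    policy = API_POLICY.get(api)
    if policy is None:
        return Decision(False, "unknown api")
    if claims.get("exp", 0) <= now:
        return Decision(False, "token expired")
    needed_priv, needed_loa = policy
    if needed_priv not in claims_to_privileges(claims):
        return Decision(False, f"missing privilege {needed_priv}")
    loa = loa_of(claims)
    if loa < needed_loa:
        return Decision(False, f"LOA {loa} below required {needed_loa}")
    return Decision(True, "ok")


if __name__ == "__main__":
    # Constructed claims: an engineer who logged in with a password only.
    sample = {"sub": "u1", "roles": ["engineer"], "acr": "urn:example:password",
              "exp": 2_000_000_000}
    print(authorize("/api/signals/read", sample, now=1_700_000_000))
    print(authorize("/api/signals/write", sample, now=1_700_000_000))
```

Keeping the role-to-privilege table and the per-API LOA floor as data rather than code is what lets the gateway express the "role or context-driven scenarios" the slide mentions: a step-up to MFA for an actuation route is one table entry, not a code change in the microservice.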

Page 11

Recap

● Modern marine vessels rely on a lot of connectivity
  – often unreliable and/or choppy
  – can generate a massive amount of sensor data
● Cybersecurity is critical
  – both in-vessel, at port and on the cloud infrastructure
● Our design of a secure, end-to-end boat-to-cloud data path
  – implemented on the Seanatic project
  – leverages the redpesk microservice framework + OpenID Connect

Page 12

Interested?

● Source code for the boat-to-cloud publication microservice is available
  – https://github.com/redpesk-common/cloud-publication-binding
  – https://docs.redpesk.bzh/docs/en/master/redpesk-core/cloud-pub/1-Architecture.html
● OpenID Connect secure gateway source code
  – https://github.com/redpesk-common/sec-gate-oidc
  – https://docs.redpesk.bzh/docs/en/master/redpesk-core/secure-gate/1-architecture-presentation.html
● Ready-to-use redpesk binary builds are available for major distros and supported boards
  – https://docs.redpesk.bzh/docs/en/master/redpesk-marine/boards/docs/boards/download-images.html
● Contributions and feedback are very welcome
  – Support via redpesk-core/redpesk-marine Element/Riot channels

Page 13

Links

● Redpesk:
  – Website: https://www.redpesk.bzh
  – Documentation: https://docs.redpesk.bzh
  – Sources: https://github.com/redpesk-core
● IoT.bzh:
  – Website: https://iot.bzh/
  – Microservice Application Framework fundamentals: https://iot.bzh/en/publications/101-lesson-ensta-2019.html
  – Github: https://github.com/iotbzh
● Seanatic: https://www.seanatic.bzh

Page 14

Documents links

● Cybersecurity ships UK: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/642598/cyber-security-code-of-practice-for-ships.pdf
● Cybersecurity ships IMO: https://www.ics-shipping.org/wp-content/uploads/2020/08/guidelines-on-cyber-security-onboard-ships-min.pdf
● Ports - IMO: https://maritime-executive.com/editorials/the-imo-2021-cyber-guidelines-and-the-need-to-secure-seaports
● Ports - CISA (USA): https://www.cisa.gov/sites/default/files/publications/port-facility-cybersecurity-risks-infographic_508.pdf

Page 15

Q&A

Lorient Harbour, South Brittany, France

This picture is an original picture taken by Jack Mamelet in 2006. It is under the GNU Free Documentation License and the Creative Commons Attribution.