Security Risks and Coping Strategy in Ship Industry Digitalization

release time:2023-03-20 16:03

By Zhang Yang, CCS Information Center

With the development of the industrial Internet, traditional Internet security threats have gradually permeated into the industrial sector, resulting in intertwined security problems, complex security situations and increasingly severe security risks. Security risk prevention has become the important basic guarantee for digitalization. Security problems in the process of ship digital transformation have attracted more and more attention from the industrial community.


Status and security risks of digital transformation in the ship industry


Digital transformation is a brand-new stage of information development, and is a complex long-term process. As indicated by the current development, there are already some scenarios for the digital transformation of the ship industry.


The first is intelligent ships. On those ships, new-generation information technologies are utilized to enable the ships to have functions including autonomously sensing the internal and external environment, autonomously obtaining data, autonomously processing and analyzing data, and fulfilling intelligent shipping, intelligent operation and maintenance and intelligent transportation. The second is digital collaborative research and development. Digital design, simulation and manufacturing are integrated, and one 3D model drawing can be used throughout the whole process, opening up collaborative network development and breaking the barrier between designers and manufacturers. The third is digital production. Focusing on the digital production process, the fusion between digital technologies and the shipbuilding process is advanced, and new-generation information technologies are applied to the ship production process, promoting the digital transformation of production and manufacturing modes for ship products. The fourth is intelligent shipping. With the continuous development of technologies in information storage and data mining, the informatization of shipping enterprises is gradually developing towards intellectualization, involving shipping based on customer differences, shipping based on business process reengineering, shipping based on ship-shore information integration and shipping based on the globalization of the information network. The fifth is the smart management of enterprises. In combination with information integration technology and advanced manufacturing philosophy, ship enterprises are driven by both business and data to transform towards digital operation and management, where the core is the modern shipbuilding modes, business process modeling and customer demand.


In the digital transformation, the security risk challenges encountered by the ship industry are mainly reflected in the following aspects.


1. Risks of intelligent equipment and associated risks of equipment


Compared with the traditional environment, in the digital mode the networking and intelligence degrees of ship equipment are higher, especially on intelligent ships. On those ships, application function units, such as the embedded operating system, control system and sensors, are integrated, and new security risks are brought about in addition to the opened-up data sharing and circulation as well as data empowering. Firstly, faults or defects of the intelligent equipment will cause risks. For example, there may be security risks, such as vulnerabilities, defects and backdoors, in the intelligent IO, chips, embedded operating system, code and third-party software. Secondly, more and more heterogeneous devices are networked and involved in cloud operation, and both connection conditions and connection modes are diverse and complex. There are many unsecured interfaces, and security challenges will be encountered in the authentication of massive heterogeneous device connections, further increasing the risk of intrusion attacks spreading from Internet terminals to production terminals. Thirdly, there are application risks of edge computing equipment. In different application scenarios, there are diverse edge computing equipment and software, and the upgrading and protection strategies are hard to unify. Short-distance wireless communication technologies are generally adopted for edge nodes, massive heterogeneous devices and resource-limited devices. Message-oriented middleware or network virtualization technology is mostly adopted between the edge node and the cloud platform. Security measures, such as encryption and authentication, are also challenges.


2. Security risks in platform application


As digital transformation advances, the fusion of the ship industry with the industrial Internet deepens. Digital collaborative development, digital production and various industrial Internet platforms will be the main force of application management. More and more equipment and data are connected to systems and platforms, imposing unexpectedly increasing pressure on platform security protection and generating increasingly prominent security risks. Firstly, the information system and platform will inevitably encounter vulnerabilities and attacks. Once there is any attack, the system will be affected, and an attack on the whole network may be conducted using the system as a "springboard". Secondly, the security isolation capability of the virtualization technologies for the industrial Internet platform is limited, which may lead to risks including isolation failure between multiple tenants and unauthorized resource access. Thirdly, under the environment of the industrial Internet platform, any vulnerability in the virtualization software or operating system may be utilized by malicious attackers to conduct attacks, such as rooting, malicious code injection and data exfiltration, causing hazards to the systems and application programs on the platform and even threatening the security of the lower-level cascaded equipment in the platform. Fourthly, the industrial Internet bears applications and services, such as industrial data modeling analysis and business process decision commanding; attackers can launch a distributed denial-of-service (DDoS) attack, causing resource exhaustion, network paralysis and other consequences for the platform.


3. Network security risks


The promotion of intelligent shipping and smart management of ship enterprises makes the cloud and the network the most important bases for development. More network security challenges will be encountered as the network develops in the direction of virtual, flat, wireless and flexible networking. Firstly, the virtualization of the internal network of industrial enterprises makes more means of network attack possible, and risks from the Internet sector extend to the internal production network. Meanwhile, the flattening of the network topology makes the extension of the network security boundary more unpredictable. Secondly, the application of wireless tools like wireless sensors is prone to threats such as authentication attacks, illegal intrusion, information leakage and denial of service. Thirdly, there are network security risks of the new-generation communication technologies. For example, the flexible 5G network slicing mechanism faces risks including information leakage, interference and attacks between slices as well as unauthorized access to slices. The introduction of software-defined networking (SDN) brings in risks including data packet dropping or data transfer errors. Fourthly, the identifier resolution application brings in new network security risks. The identifier resolution system has a hierarchical tree architecture, mainly consisting of root nodes, national top-level nodes, secondary nodes, recursive nodes and clients. Each node may encounter DDoS attacks and other risks, and any problem in a node will pose a threat to the security of the whole identifier resolution network.


4. Data security risk


Data driving is the necessary condition for digital transformation. Data have become key factors and production factors for enhancing competitiveness, and data security has become the top priority of security. For the whole life cycle of data, there is security risk in every link. Firstly, in the data acquisition stage, as data interface rules, communication mechanisms and other aspects cannot be unified completely, it is difficult to implement effective, unified protection measures, and attackers may tamper with data during acquisition. Secondly, in the data transmission stage, restricted by the network conditions during shipping, traditional highly encrypted transmission is difficult to apply, imposing great challenges on mechanisms such as encryption, signature, identification and authentication in data transmission. Additionally, multi-path, cross-organization data flows increase the risks of data interception and leakage. Thirdly, in the data storage stage, deficient classified data isolation measures and authorized access mechanisms lead to a situation where the risks of unauthorized access, exfiltration and tampering of stored data are hard to control. Fourthly, in the data use stage, due to data fragmentation, diversification and other characteristics, traditional data cleaning, parsing and other measures have insignificant effects. Additionally, the risks of data leakage and damage caused by internal personnel's abuse and negligence should be prevented and controlled. Fifthly, in the data sharing stage, it is a great challenge to make the identity permissions of persons and equipment correspond to the security levels of the application, platform and data. Additionally, more attention should also be paid to sensitive information risks in data sharing. Sixthly, in the data destruction stage, there are risks of sensitive data remaining on databases, servers and terminals as well as the mining and leakage of residual private data fragments.




Coping strategy against security risks


According to the above security risk analysis, CCS can help customers fulfill security protection in the following aspects.


1. System establishment


Establish technical security systems, including the equipment layer, network layer, system platform layer and application layer. Establish a security management system, including the security system and security awareness training. Establish a security auditing mechanism, take practical measures to conduct drills, and implement risk assessment. Gradually develop security capability integrating security identification, security protection, security detection and security response. Enhance organizational leadership and overall planning. Enhance the construction of systems and standards, and guarantee investment in security, so as to form an all-round security management system covering personnel and organization, technical systems, and processes and regimes.


2. Equipment protection


Enhance security considerations in equipment design and development. Treat security factors as important throughout the whole equipment production cycle, and reduce the security risks of the equipment. Additionally, regular security assessment should be conducted for equipment to find the potential security hazards of the equipment, and analysis, repair and rectification should be fulfilled without delay, so as to reduce the potential attack surface and improve equipment security.


3. Security protection for platform and application


For the platform and application, vulnerability scanning and security reinforcement should be conducted, and the security of the virtualization software should be enhanced, so as to ensure the security of virtual-domain applications, services and data and provide multiple tenants with security isolation capabilities meeting their needs. Properly conduct security detection for the applications and services on the industrial Internet platform, and conduct security testing and reinforcement of the interfaces for applications and services.




4. Network protection


Fulfill zoning based on different levels and business needs, and deploy measures such as network isolation, boundary protection and monitoring and early warning. Audit the data exchanged and circulated through the network isolation to reduce threats including unauthorized operation, Trojan horse attacks, virus infection and information leakage. Fulfill boundary intrusion detection, attack interdiction and other operations through the boundary protection to prevent trans-regional risk spread. Find network threats by monitoring and early warning to enhance the ex-ante risk prevention capability.


5. Data security protection


Implement a classified data management system, and take differentiated protection measures based on classification for the full life cycle of data. Make clear the range and methods of data acquisition, and fulfill acquisition by adopting secured terminals, tools and interfaces. Security during data transmission should be enhanced using technologies such as digital signatures, cryptography and masking as well as SSL and other security protocols. For data storage, safe encryption algorithms should be used, and data storage security should be ensured by means like auxiliary sensitive data identification, authorization control and risk audits. The purpose of data use protection is to ensure that data can be accessed and processed within the authorization scope, and to ensure data use safety through access control, data leakage prevention, sensitive data protection, etc. In the data sharing link, measures including monitoring and source tracing should be deployed, and a controllable sharing range and risk traceability should be guaranteed. Proper filing, protection and recording should be conducted when data are destroyed.


Currently, the digital development of ships is continuously accelerating. Enterprises must properly respond to the security risks during digital development. CCS is willing to cooperate with the industrial community to fulfill collaborative innovation and provide assistance for the safe development of ship digitalization.
