Cybersecurity Onboard: VLANs in practice
In my first article about cybersecurity (check it here!), I pointed out that splitting networks is highly necessary. Segmentation is highly important, if not the most important thing in cybersecurity. Imagine that someone attacks your system. If you have divided the network into subnetworks, the attack will only appear in the attacked part; the rest of the infrastructure will keep working. There is no perfect cybersecurity, but eliminating risks is the key to success. In the past, different kinds of meshed networks were used to keep the segmentation. That solution was expensive and useless. In this post, I will explain the advantages of VLANs in cybersecurity onboard.
This is the graphic from my previous post with the general arrangement of networks that keeps the networks segmented and splits the different risk areas from each other. That was the former solution; today, to get exactly the same effect, we can use:
Virtual Local Area Network
In a previous post about cybersecurity onboard, I described three levels of security that apply to every vessel.
Grey – the least restricted network, where you can connect your private devices.
Yellow – the medium restricted network. You can connect only company equipment to this network. These devices have access to the data on the company server.
Blue – the highly restricted network. Devices connected here are responsible for the movement and safety of the vessel.
Some ships, such as cruise ships, can have additional networks for guests. But for every merchant or offshore vessel, these three are the minimum.
Advantages of VLANs in Cybersecurity Onboard
The biggest advantage of VLANs is that we can connect all three networks in one LAN while keeping multiple broadcast domains. Each colour network gets its own number: the grey network is VLAN 1, the yellow network is VLAN 2 and the blue network is VLAN 3. Of course, you can choose the VLAN numbers in the range 1-4094 as you like, and you can have more than three VLANs in one network.
Trunking and 802.1Q
Switches have a limited number of ports. It is also easier to connect all devices on the bridge to one switch and all devices in the engine room to another switch. This is where organizing the VLAN network with trunking and 802.1Q comes to help. Trunking is the name for connecting multiple switches with each other: you have to configure a trunk port to connect two switches. A bit more problematic is the situation when you want to expand your existing network with a new switch. Most probably you will now have a different device than some years ago, maybe also from a different manufacturer.
Luckily for you, this is not an issue: the IEEE 802.1Q standard has a special protocol, ISL. This protocol allows you to connect switches even if they are made by different manufacturers.
A practical example of VLAN onboard
You have one switch with the connected systems on the bridge and a second one in the ship's office. You want to print something from a workstation on the bridge on a printer in the ship's office. No problem! The workstation is connected to the switch on the bridge. The Ethernet frame is "tagged" with the correct VLAN label and carried over the trunk to the switch in the ship's office. That switch forwards the frame so that the data arrives in the correct place. This means that a complete frame has to be sent, but this is done in milliseconds. This is how the connection between switches works with IEEE 802.1Q.
Trunking is really great. We can connect the VLANs from the bridge and the engine room into one big system. Devices from each category will see only other devices from the same category, so the different networks stay separated from each other.
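The two passages above (VLAN numbering in the range 1-4094, and the tagged frame travelling from the bridge to the ship's office) can be made concrete with a small model. The following is an added example written for this post, not code from the original article: it builds and parses an 802.1Q-tagged Ethernet frame (the tag is TPID 0x8100 followed by 3 bits of priority, 1 drop-eligible bit and the 12-bit VLAN ID; this tag format is the vendor-neutral IEEE 802.1Q one), rejects the reserved IDs 0 and 4095, and models an access port that only hands a frame to the attached device when the frame's VLAN matches the port's VLAN. The MAC addresses, the `SHIP_VLANS` mapping and the helper names are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100            # EtherType value that announces an 802.1Q tag
VLAN_MIN, VLAN_MAX = 1, 4094   # VID 0 and 4095 are reserved by the standard

# Constructed mapping of the three shipboard networks described in the post.
SHIP_VLANS = {1: "grey", 2: "yellow", 3: "blue"}


def valid_vid(vid):
    """True if vid is a usable 802.1Q VLAN identifier."""
    return VLAN_MIN <= vid <= VLAN_MAX


def build_tagged_frame(dst, src, vid, ethertype, payload, pcp=0, dei=0):
    """Build an Ethernet frame with an 802.1Q tag inserted after the MAC addresses.

    The 4-byte tag is the TPID (0x8100) followed by the TCI: 3 bits of
    priority (PCP), 1 drop-eligible bit (DEI) and the 12-bit VLAN ID.
    """
    if not valid_vid(vid):
        raise ValueError(f"VLAN ID {vid} outside {VLAN_MIN}-{VLAN_MAX}")
    tci = (pcp << 13) | (dei << 12) | vid
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame):
    """Return the fields of a frame; 'vid' is None when the frame is untagged."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return {"dst": dst, "src": src, "vid": None, "pcp": None, "dei": None,
                "ethertype": ethertype, "payload": frame[14:]}
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src, "vid": tci & 0x0FFF, "pcp": tci >> 13,
            "dei": (tci >> 12) & 1, "ethertype": inner_type, "payload": frame[18:]}


def network_of(frame):
    """Name the shipboard network a frame belongs to, by its VLAN tag."""
    vid = parse_frame(frame)["vid"]
    if vid is None:
        return "untagged"
    return SHIP_VLANS.get(vid, f"unknown VLAN {vid}")


def deliver_to_access_port(frame, port_vlan):
    """Model an access port: the attached device only sees the frame when the
    frame's VLAN is the VLAN configured on that port."""
    return parse_frame(frame)["vid"] == port_vlan


if __name__ == "__main__":
    # Constructed sample: bridge workstation prints to the office printer on VLAN 2.
    workstation = bytes.fromhex("020000000001")
    printer = bytes.fromhex("020000000002")
    frame = build_tagged_frame(printer, workstation, 2, 0x0800, b"\x00" * 46)
    print(network_of(frame))                      # yellow
    print(deliver_to_access_port(frame, 2))       # True: printer port is VLAN 2
    print(deliver_to_access_port(frame, 3))       # False: a blue-network device never sees it
```

The model shows why segmentation holds across the trunk: the tag travels with the frame, and the receiving switch uses only that tag to decide which access ports may see it, so a frame from the yellow network is never delivered to a port configured for the blue one.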
Cybersecurity onboard – arranging the VLANs
Managing these VLANs requires a lot of administrative work. Every time your network changes, you have to update the configuration. For example, you add a new device that has to be connected to the network; let's call it a scrubber. The scrubber needs to receive position data from network X and needs to operate with other devices in network Y. How to allow data to flow in only one direction I will explain in detail in another article.
So we have a new device installed onboard and we would like to connect it to our network. In most cases we will have to configure these changes manually. Some Cisco switches have VLAN Trunking Protocol (VTP), which can do automatic configuration. But this is cybersecurity, so I recommend always doing this manually. You have to check the configuration, and after you have finished, you have to confirm and test it to be sure you did it correctly. I would not trust automatic mode.
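The "confirm and test" step above is easier when the VLAN plan is written down and checked mechanically after every change. The following is an added example for this post, not code from the original article: it audits a constructed port inventory against the colour-to-VLAN plan, flagging an access port whose device class does not match its VLAN, a trunk whose native VLAN is one of the data VLANs or is also in its allowed list (the usual hardening against the hopping attacks the conclusion mentions, so that untagged frames cannot land in a user network), and a trunk whose mode is negotiated automatically instead of being set statically. The inventory, switch names, port names and field names are assumptions made for the example.

```python
# Which VLAN each device class must live in (the colour scheme from the post).
VLAN_FOR_CLASS = {"grey": 1, "yellow": 2, "blue": 3}

# Constructed sample inventory. In practice this comes from the switches or
# from the change-management sheet kept by the administrator.
PORTS = [
    {"switch": "bridge-sw1", "port": "Gi1/0/1", "mode": "access", "vlan": 3,
     "device": "ECDIS", "class": "blue"},
    {"switch": "bridge-sw1", "port": "Gi1/0/2", "mode": "access", "vlan": 2,
     "device": "bridge PC", "class": "yellow"},
    {"switch": "bridge-sw1", "port": "Gi1/0/24", "mode": "trunk",
     "allowed": [2, 3], "native": 999, "negotiate": False},
    {"switch": "office-sw1", "port": "Gi1/0/5", "mode": "access", "vlan": 1,
     "device": "crew laptop", "class": "grey"},
    # Two mistakes planted on purpose so the audit has something to find:
    {"switch": "office-sw1", "port": "Gi1/0/6", "mode": "access", "vlan": 2,
     "device": "scrubber", "class": "blue"},                # wrong VLAN
    {"switch": "office-sw1", "port": "Gi1/0/24", "mode": "trunk",
     "allowed": [1, 2, 3], "native": 1, "negotiate": True},  # weak trunk
]


def audit_ports(ports, vlan_for_class=VLAN_FOR_CLASS):
    """Return a list of human-readable findings; an empty list means the
    inventory matches the plan."""
    data_vlans = set(vlan_for_class.values())
    findings = []
    for p in ports:
        where = f"{p['switch']} {p['port']}"
        if p["mode"] == "access":
            expected = vlan_for_class.get(p["class"])
            if expected is None:
                findings.append(f"{where}: unknown device class {p['class']!r}")
            elif p["vlan"] != expected:
                findings.append(f"{where}: {p['device']} ({p['class']}) is in "
                                f"VLAN {p['vlan']}, expected VLAN {expected}")
        elif p["mode"] == "trunk":
            if p["native"] in data_vlans:
                findings.append(f"{where}: native VLAN {p['native']} is a data VLAN; "
                                "use an unused VLAN so untagged frames cannot enter it")
            if p["native"] in p["allowed"]:
                findings.append(f"{where}: native VLAN {p['native']} is also in the "
                                "allowed list; remove it from the trunk")
            if p["negotiate"]:
                findings.append(f"{where}: trunk mode is negotiated automatically; "
                                "set it statically and disable negotiation")
        else:
            findings.append(f"{where}: unexpected port mode {p['mode']!r}")
    return findings


def is_compliant(ports, vlan_for_class=VLAN_FOR_CLASS):
    """Convenience wrapper for a go/no-go check after a change."""
    return not audit_ports(ports, vlan_for_class)


if __name__ == "__main__":
    for line in audit_ports(PORTS):
        print(line)
```

Run it after every manual change and keep the output with the change record; a clean run is the confirmation the post asks for, and a non-empty list tells you exactly which port to revisit before the new device goes live.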
How important are backups?
Additionally, with IT and OT networks we need to have backups. Everyone knows how important backups are for your own documents on your personal mobile devices or computers. Backups are the most important thing. If your network gets attacked, you have to be prepared to recover the system. The separation between the networks should help, but having a complete backup of the system stored offline is highly valuable!
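A backup you cannot trust after an incident is not much better than none, so a switch configuration backup should carry an integrity manifest that is checked before anything is restored. The following is an added example for this post, not code from the original article: it stores a set of constructed switch configurations as files together with a manifest of their SHA-256 digests, verifies the files against the manifest, and refuses to load a configuration whose file no longer matches. The configuration text, switch names and file layout are assumptions made for the example.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed sample: running configurations as plain text, keyed by switch name.
SAMPLE_CONFIGS = {
    "bridge-sw1": "hostname bridge-sw1\nvlan 2\n name yellow\nvlan 3\n name blue\n",
    "office-sw1": "hostname office-sw1\nvlan 1\n name grey\nvlan 2\n name yellow\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def write_snapshot(configs, backup_dir):
    """Store each config as <name>.cfg plus manifest.json with SHA-256 digests."""
    backup_dir = Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for name, text in configs.items():
        data = text.encode()
        (backup_dir / f"{name}.cfg").write_bytes(data)
        manifest[name] = sha256_hex(data)
    (backup_dir / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_snapshot(backup_dir):
    """Return the names whose file is missing or no longer matches the manifest."""
    backup_dir = Path(backup_dir)
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    bad = []
    for name, digest in manifest.items():
        f = backup_dir / f"{name}.cfg"
        if not f.exists() or sha256_hex(f.read_bytes()) != digest:
            bad.append(name)
    return bad


def load_config(backup_dir, name):
    """Read one config back, but only if the whole snapshot still verifies."""
    if name in verify_snapshot(backup_dir):
        raise ValueError(f"backup of {name} failed the integrity check")
    return (Path(backup_dir) / f"{name}.cfg").read_text()


def demo():
    """Snapshot, verify, then tamper with one file and verify again.
    Returns (findings before tampering, findings after tampering)."""
    with tempfile.TemporaryDirectory() as d:
        write_snapshot(SAMPLE_CONFIGS, d)
        before = verify_snapshot(d)
        # Simulate a silently altered backup file.
        (Path(d) / "office-sw1.cfg").write_text("hostname office-sw1\nvlan 3\n name blue\n")
        after = verify_snapshot(d)
        return before, after


if __name__ == "__main__":
    print(demo())   # ([], ['office-sw1'])
```

The manifest is only as trustworthy as its storage: keep a copy of `manifest.json` (or the digests themselves) on the offline medium, separate from the working copy, so that a change to a backup file cannot be hidden by rewriting the manifest alongside it.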
Conclusion about Cybersecurity Onboard
Even these basic VLANs show how much potential this technology has onboard, especially when you can arrange the network together with backups. With that technology, you increase the cybersecurity onboard. Of course, VLANs also have to be correctly secured, for example against VLAN hopping attacks!