Cyber security and the accompanying certifications are becoming indispensable in more and more networked infrastructures. Cyber attacks are an increasing risk for companies; loss of data or manipulation of connected systems can cause considerable damage.
MAN Energy Solutions SE is the world’s leading supplier of large diesel and gas engines as well as turbomachinery. The portfolio includes two- and four-stroke engines for maritime and stationary applications as well as turbochargers and propellers, gas and steam turbines, compressors and chemical reactors
The new engine control system from MAN Energy Solutions makes ships future-proof. XITASO has contributed to the development of the control system security check with proof of security level SL1 as the basis for certification in accordance with IEC 62443 and the marine requirements IACS UR E27.
MAN Energy Solutions developed the new SaCoS 5000 engine control system to further improve the durability and digital functionalities of its predecessor. With the support of XITASO and our expertise in IT security and security research, we were able to close security gaps in the system that could lead to ships being unable to maneuver.
SaCoS 5000 makes ships future-proof by improving the performance and efficiency of the engine, providing advanced MAN CEON data services and local data logging, and providing cyber security by design.
Furthermore, SaCoS 5000 has built-in cyber security and retrofittable solutions to help ship owners and operators to keep their vessels in the best possible state of operation.
In iterative cooperation with specialists from MAN Energy Solutions, the XITASO cyber security experts specified, carried out and documented security tests on existing security concepts on existing OT hardware to demonstrate its compliance with security level SL1.
Based on the current Master Validation Plan of MAN Energy Solutions, security tests were to uncover possible bugs as well as unintentional and coincidental errors. For instance, the control system was repeatedly fed with random data (fuzzing test) at various input interfaces or checked for potential attacks from outside (vulnerability test).
Jürgen Ammer
MAN Energy Solutions
Thanks to close communication and short feedback cycles, we were able to achieve much more during the course of the project: On site, we created a virtual environment and set up a test infrastructure. From refining the test specification and setting up the test infrastructure to the concrete design and parameterization of the test runs, including the fuzzing, XITASO provided professional advice and support to the MAN Energy Solutions team.
In addition to the required tests, further specifications were queried and tested, while re-tests were also carried out. The resulting simulator and the developed test codes enable the experts at MAN Energy Solutions to replicate and repeat the necessary tests.
Using the simulator, you can check whether possible errors have been fixed or whether they need to be readjusted. The control system can be checked for safety.
Thanks to the support of XITASO, the tests for Security Level 1 in accordance to IEC 62443 have been successfully completed and the groundwork for the certification has been laid. The XITASO research team is already exploring the impact of the next generation of cryptographic procedures: they are developing methods to provide existing systems with quantum-safe cryptographic procedures in order to enable a cost-effective and rapid migration of legacy systems.
Michael Buchenberg
Phone +49 821 885 882 888
michael.buchenberg@xitaso.com