Rogue NMEA device detection method and system

The active and passive methods for detecting rogue NMEA devices in ship networks address the unmet cybersecurity requirements by identifying and preventing unauthorized devices, ensuring compliance with IACS UR E26 standards through packet forwarding, alarm setup, and inventory comparison.

JP2026520909APending Publication Date: 2026-06-25HANWHA OCEAN CO LTD (KR) +1

Patent Information

Authority / Receiving Office
JP · JP
Patent Type
Applications
Current Assignee / Owner
HANWHA OCEAN CO LTD (KR)
Filing Date
2024-05-31
Publication Date
2026-06-25

AI Technical Summary

Technical Problem

Existing NMEA gateways in ship networks cannot verify if NMEA devices are included in the Computer Based System (CBS) inventory list, posing a risk of cyberattacks by unauthorized devices, which is a requirement unaddressed by the International Association of Classification Societies (IACS) UR E26 cybersecurity standards.

Method used

An active and passive method for detecting rogue NMEA devices involves packet forwarding, alarm device setup, and administrator server comparison to identify matching packets, as well as message processing, PGN extraction, and inventory comparison to determine normal/abnormal devices.

Benefits of technology

Minimizes the cyberattack surface by identifying and preventing unauthorized NMEA devices, ensuring compliance with IACS UR E26 cybersecurity requirements by determining and tracing abnormal devices.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure 2026520909000001_ABST
    Figure 2026520909000001_ABST
Patent Text Reader

Abstract

The present invention relates to active and passive methods and systems for detecting rogue NMEA devices that can identify normal / abnormal NMEA devices in a ship network equipped with an NMEA gateway and prevent cyberattacks by unauthorized NMEA devices on board a ship.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] The present invention relates to a method and system for detecting active and passive Rogue NMEA devices that can identify normal / abnormal NMEA devices in a ship network where an NMEA gateway is installed and prevent cyberattacks by unauthorized NMEA devices in the ship.

Background Art

[0002] In recent years, all sensor equipment used in ships conducts integrated operation and automation of each equipment using the NMEA 2000 communication protocol. The NMEA 2000 protocol based on CAN communication was officially announced under the leadership of NMEA in the United States in October 2001 and has been adopted in recent years as the sensor network standard for e-navigation, a ship integrated monitoring and monitoring solution.

[0003] In ship networks, while the requirements for Ethernet, USB, Serial communication, and wireless communication (such as Wifi and Bluetooth) are increasing, an NMEA gateway is installed for mutual communication with NMEA 2000-based navigation and communication equipment.

[0004] The NMEA gateway performs the function of converting messages using an interface that performs bidirectional conversion between the NMEA protocol and protocols such as Ethernet, USB, and Wifi.

[0005] In the identification of the cyber security requirements of the International Association of Classification Societies (IACS) UR E26, it is required to identify the inventory list of the CBS (Computer Based System) in the ship.

[0006] However, the NMEA gateway, being connected to n NMEA-based navigation and communication devices and transmitting and receiving CAN-based NMEA messages converted to protocols via interfaces such as Ethernet, had the problem of not being able to verify whether an NMEA device was included in the CBS inventory list required by the International Classification Society's cybersecurity requirements, or whether it was a rogue NMEA device installed by an unauthorized party.

[0007] Related prior art includes Patent Document 1, Korean Patent No. 10-1321081 (October 23, 2013), Patent Document 2, Korean Patent No. 10-1528547 (June 12, 2015), and Patent Document 3, Korean Patent Application Publication No. 10-2006-0057756 (May 29, 2006). [Overview of the Initiative] [Problems that the invention aims to solve]

[0008] The object of the present invention is to provide active and passive methods and systems for detecting rogue NMEA devices that can identify normal / abnormal NMEA devices in a ship network equipped with an NMEA gateway, thereby minimizing the cyberattack surface by unverified NMEA devices, preventing cyberattacks by unauthorized NMEA devices on board ships, and ultimately fulfilling the identification requirements of the International Association of Classification Ships (IACS) UR E26 cybersecurity requirements. [Means for solving the problem]

[0009] An active rogue NMEA device detection system according to one aspect of the present invention for achieving the aforementioned technical problems includes: a ship network detector that forwards packets to the NMEA network in order to detect NMEA devices in the Ethernet network inside a ship; an alarm device that sets an alarm for the received NMEA device when any one of a plurality of NMEA devices receives a packet forwarded from the ship network detector; and an administrator server that compares the packet received by the alarm device with a packet sent from the ship network detector. The administrator server can determine that the ship Ethernet network is connected to the NMEA of the ship's OT (Operational Technology) network if the packet received by the alarm device matches the packet sent from the ship network detector, and can determine that it is a rogue NMEA if the packet received by the alarm device does not match the packet sent from the ship network detector.

[0010] Furthermore, in an active rogue NMEA device detection system according to one aspect of the present invention, the data frame of the Ethernet packet received from the ship network detector may include a CAN packet, and the source address of the CAN packet may be set as an alarm device.

[0011] Furthermore, an active method for detecting rogue NMEA devices according to another aspect of the present invention may include: a packet forwarding step of forwarding packets from a ship network detector to the NMEA network in order to detect an NMEA device in the Ethernet network inside a ship; an alarm device configuration step of configuring an NMEA device that has received a packet through the packet forwarding step as an alarm device; a comparison step of an administrator server comparing the packet received in the alarm device configuration step with a packet sent from the ship network detector; and a determination step of determining, through the comparison step, that if the packet received in the alarm device configuration step matches the packet sent from the ship network detector, the ship Ethernet network is connected to the NMEA of the ship's OT (Operational Technology) network, and if the packet received in the alarm device configuration step does not match the packet sent from the ship network detector, the device is determined to be a rogue NMEA.

[0012] Furthermore, in another aspect of the present invention, the detection method for an active rogue NMEA device may, during the alarm device setting stage, include a CAN packet in the data frame of the Ethernet packet received from the ship network detector, and the source address of the CAN packet may be set as the alarm device.

[0013] Furthermore, a passive method for detecting a rogue NMEA device according to yet another aspect of the present invention may include: an input step in which a signal of protocol data transmitted to an Ethernet interface via an NMEA gateway is input to a message processing unit; a data frame extraction step in which the message processing unit checks whether the signal input through the input step is in NMEA format, and if the signal input through the input step is in NMEA format, it extracts a data frame stored in the payload area from the protocol data; a PGN processing step in which the PGN processing unit extracts an NMEA-ID from the data frame extracted in the data frame extraction step, and extracts a PGN value and source address from the extracted NMEA-ID; a determination step in which the PGN identification unit compares the PGN value and source address extracted in the PGN processing step with the CBS inventory, and the PGN determination unit determines that it is a rogue NMEA device if the PGN value and source address extracted in the PGN processing step are not in the CBS inventory; and an abnormal signal output step in which, if it is determined to be a rogue NMEA device through the determination step, it outputs an abnormal signal from the abnormal signal output unit to notify the user.

[0014] Furthermore, in a passive method for detecting rogue NMEA devices according to yet another aspect of the present invention, the abnormal signal output step can recognize the source address included in the header and the PGN value and source address identified in the payload by the PGN identification unit as rogue NMEA devices and output the abnormal signal.

[0015] Furthermore, a passive method for detecting rogue NMEA devices according to yet another aspect of the present invention may further include an NMEA path tracing step in which, if a device is determined to be a rogue NMEA device before the abnormal signal output step, the NMEA path is traced and any unconfirmed NMEA devices are identified as abnormal NMEA devices.

[0016] Furthermore, a passive rogue NMEA device detection system according to yet another aspect of the present invention may include: a message processing unit that, after receiving a signal of protocol data transmitted to an Ethernet interface via an NMEA gateway, checks whether the input signal is in NMEA format, and if the input signal is in NMEA format, extracts a data frame stored in the payload area from the protocol data; a PGN processing unit that extracts an NMEA-ID from the data frame extracted by the message processing unit, and extracts a PGN value and source address from the extracted NMEA-ID; a PGN identification unit that compares the PGN value and source address extracted by the PGN processing unit with the CBS inventory; a PGN determination unit that, when compared by the PGN identification unit, determines that the PGN value and source address extracted by the PGN processing unit are not in the CBS inventory, determines that it is a rogue NMEA device; and an abnormal signal output unit that outputs an abnormal signal to notify if it is determined to be a rogue NMEA device through the PGN determination unit.

[0017] Furthermore, in a passive rogue NMEA device detection system according to yet another aspect of the present invention, the abnormal signal output unit can recognize the source address included in the header and the PGN value and source address identified in the payload by the PGN identification unit as a rogue NMEA device and output the abnormal signal.

[0018] Furthermore, a passive rogue NMEA device detection system according to yet another aspect of the present invention may further include an NMEA path tracking unit that, if the PGN determination unit determines that a device is a rogue NMEA device, tracks the NMEA path and identifies unconfirmed NMEA devices as abnormal NMEA devices. [Effects of the Invention]

[0019] According to the present invention, by identifying normal / abnormal NMEA devices in a ship network where an NMEA gateway is installed, the cyberattack surface by unconfirmed NMEA devices is minimized through this, cyberattacks by unapproved NMEA devices within the ship are prevented, and ultimately, it has the effect of fulfilling the identification of the cyber security requirements of the International Association of Classification Societies (IACS) UR E26.

Brief Description of the Drawings

[0020] [Figure 1] It is a block diagram showing the configuration of an active rogue NMEA device detection system in a rogue NMEA device detection system according to the present invention. [Figure 2] It is a flowchart showing the active rogue NMEA device detection method in a rogue NMEA device detection method according to the present invention. [Figure 3] It is a block diagram showing the configuration of a passive rogue NMEA device detection system in a rogue NMEA device detection system according to the present invention. [Figure 4] In a rogue NMEA device detection system according to the present invention, it is a diagram showing the process of extracting the PGN and source address of a passive rogue NMEA device detection system. [Figure 5] It is a flowchart showing the passive rogue NMEA device detection method in a rogue NMEA device detection system according to the present invention.

Modes for Carrying Out the Invention

[0021] Details regarding the object, technical configuration, and the actions and effects thereof of the present invention will be more clearly understood through a detailed description based on the drawings attached to the specification of the present invention.

[0022] The terms used in this specification are merely for explaining specific embodiments and are not intended to limit the present invention. For example, terms such as "composed of" or "including" used in this specification should not necessarily be construed as including all of the many components or many steps described in the invention. Instead, it should be construed that some of the components or some of the steps may not be included, or additional components or steps may be further included. Also, the singular expressions used in this specification include plural expressions unless the context clearly has a different meaning.

[0023] Hereinafter, the present invention will be described in detail by explaining preferred embodiments of the present invention with reference to the accompanying drawings. Each embodiment described below is provided so that those skilled in the art can easily understand the technical idea of the present invention, and it should not be construed that the present invention is limited thereby. Naturally, each embodiment of the present invention can be variously applied by an ordinary technician in this field.

[0024] Referring to FIGS. 1 to 2, a detection method and system for an active Rogue NMEA device according to the present invention will be described.

[0025] FIG. 1 shows a detection system for an active Rogue NMEA device according to the present invention. In order to detect the NMEA (National Marine Electronics Association) device 200 in the Ethernet network 10 inside the ship, a ship network detector 11 that transfers a packet to the NMEA (National Marine Electronics Association) network 20, and when any one of a plurality of NMEA devices 200 receives the packet transferred from the ship network detector 11, the received NMEA device is set as an alarm device 29, and a management server 30 that compares the packet received by the alarm device 29 with the packet sent from the ship network detector 11 can be included.

[0026] In this context, the active method refers to a method that detects rogue NMEA devices solely through packet forwarding from the Ethernet network 10 inside the ship to the NMEA network 20.

[0027] Furthermore, the administrator server 30 can determine that the ship's Ethernet network 10 is connected to the ship's OT (Operational Technology) network's NMEA if the packet received by the alarm device 29 matches the packet sent from the ship's network detector 11, and can determine that it is a rogue NMEA if the packet received by the alarm device 29 does not match the packet sent from the ship's network detector 11.

[0028] Furthermore, the data frame of the Ethernet packet received from the ship network detector 11 may include a CAN packet, and the source address of the CAN packet may be set as the alarm device 29.

[0029] Furthermore, an active method for detecting rogue NMEA devices according to another aspect of the present invention, as shown in Figure 2, includes a packet forwarding step (S10) in which a packet is forwarded from a ship network detector 11 to the NMEA network 20 in order to detect an NMEA device in the Ethernet network 10 inside the ship; an alarm device setting step (S11) in which an NMEA device that has received a packet through the packet forwarding step (S10) is set as an alarm device 29; a comparison step (S12) in which the administrator server 30 compares the packet received in the alarm device setting step (S11) with a packet sent from the ship network detector; and if, through the comparison step (S12), the packet received in the alarm device setting step (S11) matches the packet sent from the ship network detector 11, the ship Ethernet network 10 is set to ship OT (Operational) The system may include a determination step (S13) in which it is determined that the system is connected to the NMEA of the Technology network, and if the packet received in the alarm device setup step (S11) does not match the packet sent from the ship network detector 11, it is determined to be a rogue NMEA.

[0030] Furthermore, during the alarm device setting stage (S11), the data frame of the Ethernet packet received from the ship network detector 11 may include a CAN packet, and the source address of the CAN packet may be set as the alarm device 29.

[0031] Therefore, according to the present invention, it has the effect of being able to determine whether or not Ethernet and NMEA connections are permitted in a complex and large-scale ship IT / OT network.

[0032] Furthermore, with reference to Figures 3 to 5, a detection method and system for a passive rogue NMEA device relating to yet another aspect of the present invention will be described.

[0033] Figures 3 and 4 show the passive rogue NMEA device detection system according to the present invention and the process of extracting the PGN and source address. As shown in Figure 3, the passive rogue NMEA device detection system includes a message processing unit 100, a PGN processing unit 110, a PGN identification unit 120, a PGN determination unit 130, an NMEA path tracking unit 140, and an abnormal signal output unit 150.

[0034] In the passive rogue NMEA device detection system of the present invention, the message processing unit 100, after receiving a signal of protocol data transmitted to the Ethernet interface via the NMEA gateway, checks whether the input signal is in NMEA format, and if the input signal is in NMEA format, extracts a data frame stored in the payload area from the protocol data.

[0035] Here, NMEA is defined by the U.S. National Marine Electronics Association (NMEA) as a standard for transmitting information such as time, position, and direction.

[0036] Furthermore, the PGN processing unit 110 can extract the NMEA-ID from the data frame extracted by the message processing unit 100, and extract the PGN value and source address from the extracted NMEA-ID.

[0037] Here, the PGN (Parameter Group Number) is used to distinguish what kind of data is entered into the data field of a CAN message, and it plays the same role as the message ID in CAN communication.

[0038] Furthermore, the PGN identification unit 120 compares the PGN value and source address extracted by the PGN processing unit 110 with the CBS (Computer Based System) inventory, and the PGN determination unit 130 determines that the device is a rogue NMEA device if, when compared by the PGN identification unit 120, the PGN value and source address extracted by the PGN processing unit 110 are not found in the CBS inventory.

[0039] Furthermore, if the PGN determination unit 130 determines that an NMEA device is a rogue NMEA device, the NMEA path tracking unit 140 can track the NMEA path, identify unverified NMEA devices as abnormal NMEA devices, and identify verified NMEA devices as normal devices.

[0040] Furthermore, the abnormal signal output unit 150 can output an abnormal signal to notify the user if it is determined to be a rogue NMEA device through the PGN determination unit.

[0041] Furthermore, as shown in Figure 4, the abnormal signal output unit 150 can recognize the source address included in the header and the PGN value and source address identified in the payload by the PGN identification unit as a rogue NMEA device and output the abnormal signal.

[0042] In other words, when a signal of protocol data transmitted to the Ethernet interface via the NMEA gateway is input to the message processing unit 100, the data frame stored in the payload area is extracted from the protocol data.

[0043] Next, the PGN processing unit 110 extracts the NMEA-ID from the extracted data frame, and then extracts the PGN and source address from the extracted NMEA-ID.

[0044] Furthermore, the PGN identification unit 120 compares the PGN value and source address with the CBS inventory, and the PGN determination unit 130 determines that it is a rogue NMEA device if the PGN value and source address are not found in the CBS inventory.

[0045] Furthermore, the abnormal signal output unit 150 can recognize the source address included in the header and the PGN value and source address identified in the payload by the PGN identification unit as a rogue NMEA device and output the abnormal signal.

[0046] Figure 5 is a flowchart showing the passive method for detecting a rogue NMEA device according to the present invention. As shown in Figure 5, the process involves an input step (S100) in which a signal of protocol data transmitted to the Ethernet interface via the NMEA gateway is input to the message processing unit, a data frame extraction step (S120) in which the message processing unit 100 checks whether the signal input through the input step is in NMEA format, and if the signal input through the input step is in NMEA format, a data frame extraction step (S120) in which a data frame stored in the payload area is extracted from the protocol data, and a PGN processing unit 110 extracting the NMEA-ID from the data frame extracted in the data frame extraction step (S130). The system may include a PGN processing step (S140) in which a PGN value and source address are extracted from the NMEA-ID; a determination step (S150) in which the PGN identification unit compares the PGN value and source address extracted in the PGN processing step (S140) with the CBS inventory, and the PGN determination unit determines, if the PGN value and source address extracted in the PGN processing step (S140) are not found in the CBS inventory, that the system is a rogue NMEA device; and an abnormal signal output step (S180) in which the abnormal signal output unit 150 outputs an abnormal signal to notify the system if the system is determined to be a rogue NMEA device through the determination step (S160).

[0047] Furthermore, in a passive method for detecting a rogue NMEA device according to one aspect of the present invention, the abnormal signal output step (S180) recognizes the source address included in the header and the PGN value and source address identified in the payload by the PGN identification unit as a rogue NMEA device and outputs the abnormal signal.

[0048] Furthermore, a passive method for detecting rogue NMEA devices according to one aspect of the present invention may include an NMEA path tracking step (S170) in which, if a device is determined to be a rogue NMEA device before the abnormal signal output step, the NMEA path is traced and any unconfirmed NMEA devices are identified as abnormal NMEA devices. [Explanation of Symbols]

[0049] 10 Ethernet Network 11. Ship Network Detector 20 NMEA Network 21, 22, 23, 24 NMEA equipment 29 Alarm devices 30 Administrator Server 100 Message Processing Unit 110 PGN Processing Unit 120 PGN Identification Unit 130 PGN Judgment Department 140 NMEA Route Tracking Unit 150 Abnormal signal output section

Claims

1. A ship network detector that forwards packets to the NMEA network in order to detect NMEA devices on the ship's internal Ethernet network; An alarm device that sets an alarm in the receiving NMEA device when any one of the multiple NMEA devices receives a packet forwarded from the aforementioned ship network detector; and Includes an administrator server that compares packets received by the alarm device with packets sent from a ship network detector; A detection system for rogue NMEA devices, wherein the administrator server determines that the ship's Ethernet network is connected to the NMEA of the ship's OT (Operational Technology) network if the packet received by the alarm device matches the packet sent from the ship's network detector, and determines that it is a rogue NMEA if the packet received by the alarm device does not match the packet sent from the ship's network detector.

2. The Ethernet packet data frame received from the aforementioned ship network detector includes a CAN packet; The detection system for a rogue NMEA device according to claim 1, wherein the source address of the CAN packet is set as an alarm device.

3. The packet forwarding phase involves transferring packets from the ship's network detector to the NMEA network in order to detect NMEA devices within the ship's internal Ethernet network; An alarm device setting step in which an NMEA device that has received a packet through the packet forwarding step is set as an alarm device; A comparison step in which the administrator server compares the packets received during the alarm device setup stage with the packets sent from the ship's network detector; and A method for detecting a rogue NMEA device, comprising: a determination step in which, through the comparison step, if the packet received in the alarm device setup step matches the packet sent from the ship network detector, it is determined that the ship Ethernet network is connected to the NMEA of the ship's OT (Operational Technology) network; and if the packet received in the alarm device setup step does not match the packet sent from the ship network detector, it is determined that it is a rogue NMEA.

4. During the alarm device setup phase, The method for detecting a rogue NMEA device according to claim 3, wherein the data frame of the Ethernet packet received from the ship network detector includes a CAN packet, and the source address of the CAN packet is set as an alarm device.

5. The input stage is when the protocol data signal transmitted to the Ethernet interface via the NMEA gateway is input to the message processing unit; The message processing unit checks whether the signal input through the input step is in NMEA format, and if the signal input through the input step is in NMEA format, a data frame extraction step is performed to extract the data frame stored in the payload area from the protocol data; A PGN processing step in which the PGN processing unit extracts the NMEA-ID from the data frame extracted in the aforementioned data frame extraction step, and extracts the PGN value and source address from the extracted NMEA-ID; The PGN Identification Unit compares the PGN value and source address extracted in the PGN processing stage with the CBS inventory, and the PGN Determination Unit determines that the device is a rogue NMEA device if the PGN value and source address extracted in the PGN processing stage are not found in the CBS inventory; and A method for detecting a rogue NMEA device, comprising: an abnormal signal output step in which, if the device is determined to be a rogue NMEA device through the aforementioned determination step, an abnormal signal output unit outputs an abnormal signal to notify the user;

6. The aforementioned abnormal signal output stage is, A method for detecting a rogue NMEA device according to claim 5, wherein the source address included in the header and the PGN value and source address identified in the payload by the PGN identification unit are recognized as a rogue NMEA device and output.

7. Prior to the abnormal signal output stage, A method for detecting a rogue NMEA device according to claim 5, further comprising an NMEA path tracing step of tracing the NMEA path and identifying unverified NMEA devices as abnormal NMEA devices if the device is determined to be a rogue NMEA device.

8. After receiving a signal of protocol data transmitted to the Ethernet interface via the NMEA gateway, the message processing unit checks whether the input signal is in NMEA format, and if it is, extracts the data frame stored in the payload area from the protocol data; A PGN processing unit extracts an NMEA-ID from the data frame extracted by the message processing unit, and extracts a PGN value and source address from the extracted NMEA-ID; A PGN identification unit compares the PGN value extracted by the PGN processing unit with the source address in the CBS inventory; A PGN determination unit determines that a rogue NMEA device is present if, when compared by the PGN identification unit, the PGN value extracted by the PGN processing unit and the source address are not present in the CBS inventory; and A detection system for a rogue NMEA device, including an abnormal signal output unit that outputs an abnormal signal to notify the system if the PGN determination unit determines that the device is a rogue NMEA device.

9. The abnormal signal output unit is, A detection system for a rogue NMEA device according to claim 8, which recognizes and outputs the source address included in the header and the PGN value and source address identified in the payload by the PGN identification unit as a rogue NMEA device.

10. The rogue NMEA device detection system according to claim 8, further comprising an NMEA path tracking unit that tracks the NMEA path and identifies unverified NMEA devices as abnormal NMEA devices if the PGN determination unit determines that the device is a rogue NMEA device.