Network Setup & Security

General Information

Integration and connection of TELSCOPE to the ship's IT infrastructure shall be done in cooperation with, and be approved by, the ship owner's IT department, ensuring that the installation complies with IT and cyber security rules and recommendations.

TELSCOPE can work as a "Stand Alone" system, with one TELSCOPE server also acting as a TELSCOPE Workstation with connections to the internet, or be part of a larger ship's network.

This chapter provides a guide to the different levels of TELSCOPE network integration.

TELSCOPE has four network adapters that are configured so that traffic is separated and traffic between the networks is blocked.

  

TELSCOPE Network ports standard configuration

A standard TELSCOPE installation only requires that port enp3s0 (marked as LAN1 in the diagram above) be connected to a network with internet access. The remaining ports can be left unconfigured. TELSCOPE is configured to disallow any forwarding between networks; this is enforced by a firewall.

TELSCOPE Shore Connection

All TELSCOPE installations require a connection to shore via the ship's internet.

The following services will be available in TELSCOPE via the ship-shore connection:

  • Software updates and remote configuration
  • Synchronization of data and records between ship and shore
  • Two-way exchange of data and reports ship-shore-ship

TELSCOPE doesn't require general internet access, only access to a handful of IP addresses. TELSCOPE will only make encrypted connections to these IP addresses. Once configured, TELSCOPE will establish a persistent encrypted VPN (virtual private network) with the shoreside system, where all further communication will take place. Both TELSCOPE and the shoreside system have firewalls in place to ensure that only explicitly allowed communication can occur.
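
As an added example (not TELSCOPE's own code), the following Python script audits firewall log lines for the two properties described above: no forwarding between network adapters, and outbound traffic on enp3s0 only to the shore addresses. It assumes the firewall logs packets in the netfilter LOG key=value style; the log lines are constructed, the allowlisted addresses are placeholders from a documentation range, and enp4s0 is a hypothetical name for a second adapter.

```python
import ipaddress
import re

# Assumption: placeholder shore endpoints from a documentation range; the real
# addresses come from the TELSCOPE shore-connection configuration.
SHORE_ALLOWLIST = [ipaddress.ip_network(n) for n in ("203.0.113.10/32", "203.0.113.11/32")]
WAN_IFACE = "enp3s0"  # LAN1, the port connected to the network with internet access

# Constructed sample lines (netfilter LOG style); enp4s0 is a hypothetical second adapter.
SAMPLE_LOG = """\
IN= OUT=enp3s0 SRC=192.168.10.100 DST=203.0.113.10 PROTO=TCP SPT=40110 DPT=443
IN= OUT=enp3s0 SRC=192.168.10.100 DST=198.51.100.7 PROTO=TCP SPT=40112 DPT=80
IN=enp4s0 OUT=enp3s0 SRC=172.16.1.20 DST=203.0.113.10 PROTO=TCP SPT=50211 DPT=443
IN=enp3s0 OUT= SRC=192.168.10.55 DST=192.168.10.100 PROTO=TCP SPT=53144 DPT=443
"""

FIELD = re.compile(r"(\w+)=(\S*)")


def audit(log_text, allowlist=SHORE_ALLOWLIST, wan_iface=WAN_IFACE):
    """Return (line_no, finding, detail) for every policy violation in the log."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        f = dict(FIELD.findall(line))
        if "DST" not in f:
            continue  # not a packet log line
        if f.get("IN") and f.get("OUT"):
            # Both interfaces set: the packet was routed between adapters.
            findings.append((line_no, "forwarded", f"{f['IN']}->{f['OUT']}"))
        elif f.get("OUT") == wan_iface:
            # Locally generated traffic leaving towards the internet.
            try:
                dst = ipaddress.ip_address(f["DST"])
            except ValueError:
                findings.append((line_no, "unparseable-dst", f["DST"]))
                continue
            if not any(dst in net for net in allowlist):
                findings.append((line_no, "egress-not-allowlisted", str(dst)))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

An empty result means every logged packet matched the documented behaviour; inbound HTTPS to the server (the fourth sample line) is not flagged.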

Requirement

TELSCOPE shall be connected to the internet in one of the following ways.

  • Direct connection to the ship's communication system.
  • Connection to the ship's admin network (or other suitable network) via a managed switch that provides separation of traffic, firewall and cyber security.

 

TELSCOPE Accessible from Workstations via Ship's Network

The ship's crew can access TELSCOPE via a network client from any workstation connected to the ship's admin network by navigating to any of the following addresses:

  • https://imo-number.telscope.online
  • https://call-sign.telscope.online
  • https://a.b.c.d (TELSCOPE LAN IP, e.g. 192.168.10.100)

We recommend that TELSCOPE is accessed by the address containing the IMO number or the call sign, as these will present a certificate signed by a trusted certificate authority.
Access may also be done using the TELSCOPE server's LAN IP address, though this is discouraged.
TELSCOPE only allows incoming HTTPS traffic (HTTP connections will be forcibly upgraded to HTTPS), which means that any communication with TELSCOPE will be encrypted and protected.

Requirement

  • TELSCOPE shall be connected to the ship's admin network via a managed switch that provides separation of traffic, firewall and cyber security.
  • Access to the ship's network is to be protected in addition to the TELSCOPE login.
  • A DNS server shall be available in the ship's admin network.

 

TELSCOPE Accessible from Mobile Units via Ship's WLAN

The ship's crew can access TELSCOPE from a mobile device via the ship's WLAN (if available) by navigating to any of the following addresses:

  • https://imo-number.telscope.online
  • https://call-sign.telscope.online
  • https://a.b.c.d (TELSCOPE LAN IP, e.g. 192.168.10.100)

We recommend that TELSCOPE is accessed by the address containing the IMO number or the call sign, as these will present a certificate signed by a trusted certificate authority.
Access may also be done using the TELSCOPE server's LAN IP address, though this is discouraged.
TELSCOPE only allows incoming HTTPS traffic (HTTP connections will be forcibly upgraded to HTTPS), which means that any communication with TELSCOPE will be encrypted and protected.
 

Requirement

The following is required to access TELSCOPE from a mobile device:

  • One or several protected wireless access points allowing access to the ship's admin network
  • A separate protected wireless network (WLAN) on the Bridge or in the Engine Area
     

 

TELSCOPE Connection to -450 Network

A Bridge Alert Management System (BAM), or other Bridge sensors or systems that provide data exchange via a protocol in compliance with IEC 61162-450, can be connected directly to LAN port 2 if it is a single source.

For connection of several sources via -450, it is recommended to connect via a switch that manages and controls the traffic. If the supplier of the Navigation network provides a switch/gateway and a network set up according to the requirements in IEC 61162-460, it is recommended to connect TELSCOPE via this device.

Requirement

For connection to the Bridge Network or to data via the -450 network, the following is required:

  • Point-to-point information exchange via the -450 network shall be connected to LAN Port 2
  • Point-to-point information exchange with ECDIS shall be connected to LAN Port 3

The above connections can be seen as part of a secure zone.

  • Connection to several providers of data via the -450 network shall be connected via a managed switch
  • Connection to Dual ECDIS, INS, RADAR, Stability system, Automation System, Tank System etc. shall be done via a managed switch.

The last two connections shall comply with the requirements stated in IEC 61162-460, where systems are logically separated into zones based on operational needs and security risk.

 

TELSCOPE Connection to 3rd Party Systems

TELSCOPE can be connected to 3rd party systems for sharing or receiving information via the network.
This can be done either via a data protocol other than those described above or via an API.

Requirement

If information is shared via the ship's admin network, security rules are to be defined by the ship owner's IT department.

If information is shared via the Navigation or Bridge Network, security is to be managed in the same way as for -450 data, i.e. compliance with IEC 61162-460 is required.