Article title

Cyber risk assessment for SHips (CRASH)

Publication languages
EN
Abstracts
EN
The maritime industry is undergoing a digital transformation, with an increasing integration of Information Technology (IT) and Operational Technology (OT) systems on modern vessels. Its multiple benefits notwithstanding, this transformation brings with it increased cybersecurity risks that need to be identified, assessed, and managed. Although several cyber risk assessment methodologies are available in the literature, they may be challenging for experts with a maritime background to use. In this paper we propose a simple and effective cyber risk assessment methodology, named Cyber Risk Assessment for SHips (CRASH), that can be easily implemented by maritime professionals. To showcase its workings, we assessed 24 cyber risks of the Integrated Navigation System (INS) using CRASH and we validated the method by comparing its results to those of another method and by means of interviews with experts in the maritime sector. CRASH can aid shipping companies in effectively assessing cyber risks as a step towards selecting and implementing necessary measures to enhance the cyber security of cyber-physical systems onboard their vessels.
Authors
author
  • Norwegian University of Science and Technology (NTNU), Gjøvik, Norway
  • Norwegian University of Science and Technology (NTNU), Gjøvik, Norway
author
  • Norwegian University of Science and Technology (NTNU), Gjøvik, Norway
author
  • Norwegian University of Science and Technology (NTNU), Gjøvik, Norway
Notes
Record prepared with funds from MNiSW, agreement no. SONP/SP/546092/2022, under the programme "Social Responsibility of Science" - module: Popularisation of science and promotion of sport (2024).
Document type
Bibliography
YADDA identifier
bwmeta1.element.baztech-f2fa2d9e-690c-431a-87ea-a0041d14c591