MaCRA: a model-based framework for maritime cyber-risk assessment

In the current economy, roughly 90% of all world trade is transported by the shipping industry, which is now accelerating its technological growth. While the demand on mariners, ship owners, and the encompassing maritime community for digital advances (particularly towards digitization and automation) has led to efficient shipping operations, maritime cyber-security is a pertinent issue of equal importance. As hackers are becoming increasingly aware of cyber-vulnerabilities within the maritime sector, and as existing risk assessment tools do not adequately represent the unique nature of maritime cyber-threats, this article introduces a model-based risk assessment framework which considers a combination of cyber and maritime factors. Confronted with a range of ship functionalities, configurations, users, and environmental factors, this framework aims to comprehensively present maritime cyber-risks and better inform those in the maritime community when making cyber-security decisions. By providing the needed maritime cyber-risk profiles, it becomes possible to support a range of parties, such as operators, regulators, insurers, and mariners, in increasing overall global maritime cyber-security.
