
Maritime Cyber Risk Management: An Experimental Ship Assessment

Published online by Cambridge University Press: 07 February 2019

Boris Svilicic*
Affiliation:
(University of Rijeka, Faculty of Maritime Studies, Studentska ulica 2, 51000 Rijeka, Croatia)
Junzo Kamahara
Affiliation:
(Kobe University, Graduate School of Maritime Sciences, 5-1-1 Fukaeminami-machi, Higashinada-ku, Kobe, Japan)
Matthew Rooks
Affiliation:
(Kobe University, Graduate School of Maritime Sciences, 5-1-1 Fukaeminami-machi, Higashinada-ku, Kobe, Japan)
Yoshiji Yano
Affiliation:
(Kobe University, Graduate School of Maritime Sciences, 5-1-1 Fukaeminami-machi, Higashinada-ku, Kobe, Japan)

Abstract

The maritime transport industry is increasingly reliant on computing and communication technologies, and the need for cyber risk management of critical systems and assets on vessels is becoming critically important. In this paper, a comprehensive cyber risk assessment of a ship is presented. An experimental process consisting of assessment preparation activities, assessment conduct and results communication has been developed. The assessment conduct relies on a survey developed and performed by interviewing a ship's crew. Computational vulnerability scanning of the ship's Electronic Chart Display and Information System (ECDIS) is introduced as a specific part of this cyber security assessment. The assessment process presented has been experimentally tested by evaluating the cyber security level of Kobe University's training ship Fukae-maru. For computational vulnerability scanning, an industry-leading software tool has been used, and a quantitative cyber risk analysis has been conducted to evaluate cyber risks on the ship.

Type
Research Article
Copyright
Copyright © The Royal Institute of Navigation 2019 
