Cyber Threat and Vulnerability Analysis-based Risk Assessment for Smart Ship

  • Jeoungkyu Lim (Cyber Certification Team, Korean Register)
  • Yunja Yoo (Division of Navigation Convergence Studies, Korea Maritime and Ocean University)
  • Received : 2024.05.07
  • Accepted : 2024.05.29
  • Published : 2024.05.31

Abstract

The digitization of ship environments has increased the risk of cyberattacks on ships. The smartization and automation of ships are also likely to result in cyber threats. The International Maritime Organization (IMO) has discussed the establishment of regulations at the autonomous level and has revised existing agreements by dividing autonomous ships into four stages, where stages 1 and 2 are for sailors who are boarding ships while stages 3 and 4 are for those not boarding ships. In this study, the level of a smart ship was classified into LEVELs (LVs) 1 to 3 based on the autonomous levels specified by the IMO. Furthermore, a risk assessment for smart ships at various LVs in different risk scenarios was conducted. The cyber threats and vulnerabilities of smart ships were analyzed by dividing them into administrative, physical, and technical security, and mitigation measures for each security area were derived. A total of 22 cyber threats were identified for the cyber asset (target system). We inferred that the higher the level of a smart ship, the greater the hyper connectivity and the remote access to operational technology systems; consequently, the greater the attack surface. Therefore, it is necessary to apply mitigation measures using technical security controls in environments with high-level smart ships.

Acknowledgement

This work was supported by the Korea Maritime and Ocean University Research Fund in 2022.
