Journal is indexed in following databases:



2023 Journal Impact Factor - 0.7
2023 CiteScore - 1.4



HomePage
 




 


 

ISSN 2083-6473
ISSN 2083-6481 (electronic version)
 

 

 

Editor-in-Chief

Associate Editor
Prof. Tomasz Neumann
 

Published by
TransNav, Faculty of Navigation
Gdynia Maritime University
3, John Paul II Avenue
81-345 Gdynia, POLAND
www http://www.transnav.eu
e-mail transnav@umg.edu.pl
Cyber Risk Assessment for SHips (CRASH)
1 Norwegian University of Science and Technology, Gjøvik, Norway
ABSTRACT: The maritime industry is undergoing a digital transformation, with an increasing integration of Information Technology (IT) and Operational Technology (OT) systems on modern vessels. Its multiple benefits notwithstanding, this transformation brings with it increased cybersecurity risks, that need to be identified, assessed, and managed. Although several cyber risk assessment methodologies are available in the literature, they may be challenging for experts with a maritime background to use. In this paper we propose a simple and effective cyber risk assessment methodology, named Cyber Risk Assessment for SHips (CRASH), that can be easily implemented by maritime professionals. To showcase its workings, we assessed 24 cyber risks of the Integrated Navigation System (INS) using CRASH and we validated the method by comparing its results to those of another method and by means of interviews with experts in the maritime sector. CRASH can aid shipping companies in effectively assessing cyber risks as a step towards selecting and implementing necessary measures to enhance the cyber security of cyber-physical systems onboard their vessels.
REFERENCES
Emre Akyüz. “Application of fuzzy FMEA to perform an extensive risk analysis in maritime transportation engineering”. In: International Journal Maritime Engineering 159.A1 (2017). DOI: 10.5750/ijme.v159iA1. 1013. - doi:10.5750/ijme.v159iA1
Emre Akyüz and Erkan Çelik. “A quantitative risk analysis by using interval type-2 fuzzy FMEA approach: the case of oil spill”. In: Maritime Policy & Management 45.8 (2018), pp. 979–994. ISSN: 0308-8839. DOI: 10.1080/03088839.2018.1520401. - doi:10.1080/03088839.2018.1520401
Andrej Androjna et al. “Assessing cyber challenges of maritime navigation”. In: Journal of Marine Science and Engineering 8.10 (2020), p. 776. DOI: 10.3390/jmse8100776. - doi:10.3390/jmse8100776
H. Arabian-Hoseynabadi, H. Oraee, and P. J. Tavner. “Failure Modes and Effects Analysis (FMEA) for wind turbines”. In: International Journal of Electrical Power & Energy Systems 32.7 (2010), pp. 817–824. ISSN: 01420615. DOI: 10.1016/j.ijepes.2010.01.019. - doi:10.1016/j.ijepes.2010.01.019
Marco Balduzzi, Alessandro Pasta, and Kyle Wilhoit. “A security evaluation of AIS Automated Identification System”. In: ACSAC’14: Proceedings of the 30th Annual Computer Security Applications Conference. Ed. by Charles N. Payne et al. New York, NY, USA: Association for Computing Machinery, 2014, pp. 436–445. DOI: 10.1145/2664243.2664257. - doi:10.1145/2664243.2664257
Jahshan Bhatti and Todd E. Humphreys. “Hostile control of ships via false GPS signals: Demonstration and detection”. In: Journal of the Institute of Navigation 64.1 (2017), pp. 51–66. DOI: 10.1002/navi.183. - doi:10.1002/navi.183
BIMCO et al. The guidelines on cyber security onboard ships. 2020. URL: https://www.ics-shipping.org/ wp-content/uploads/2021/02/2021-Cyber-Security-Guidelines.pdf (visited on 04/16/2023).
Tanya Blake. Hackers took ‘full control’ of container ship’s navigation systems for 10 hours - IHS Fairplay. 2017. URL: https://rntfnd.org/2017/11/25/hackers-took-full-control-of-container-ships- navigation-systems-for-10-hours-ihs-fairplay/ (visited on 04/16/2023).
Victor Bolbot et al. “A novel cyber-risk assessment method for ship systems”. In: Safety Science 131 (2020). ISSN: 09257535. DOI: 10.1016/j.ssci.2020.104908. - doi:10.1016/j.ssci.2020.104908
C4ADS. Above us only stars. 2019. URL: https : / / c4ads . org / wp - content / uploads / 2022 / 05 / AboveUsOnlyStars-Report.pdf (visited on 04/15/2023).
Northern California Area Maritime Security Committee. Cyber security newsletter. 2014. URL: https://www. sfmx.org/wp- content/uploads/2017/03/Cyber- Security- Newsletter- 2014- 1.pdf (visited on 04/16/2023).
Maritime Executive. Tests show ease of hacking ECDIS, RADAR and machinery. 2017. URL: https://www. maritime-executive.com/article/tests-show-ease-of-hacking-ecdis-radar-and-machinery (visited on 04/16/2023).
Dana Goward. Mass GPS spoofing attack in Black Sea? 2017. URL: https://www.maritime-executive. com/editorials/mass-gps-spoofing-attack-in-black-sea (visited on 04/16/2023).
Luke Graham. Shipping industry vulnerable to cyber attacks and GPS jamming. 2017. URL: https://www.cnbc. com/2017/02/01/shipping- industry- vulnerable- to- cyber- attacks- and- gps- jamming.html (visited on 04/16/2023).
Alan Grant et al. “GPS jamming and the impact on maritime navigation”. In: Journal of Navigation 62.2 (2009), pp. 173–187. DOI: 10.1017/S0373463308005213. - doi:10.1017/S0373463308005213
Stanisław Gucma and Wojciech S´ la˛czka. “Comprehensive method of formal safety assessment of ship manoeu- vring in waterways”. In: Scientific Journals of the Maritime University of Szczecin 54.126 (2018), pp. 110–119. URL: https://repository.am.szczecin.pl/handle/123456789/2473 (visited on 04/16/2023).
Muhammet Gül and Erkan Çelik. “Fuzzy rule-based Fine-Kinney risk assessment approach for rail transportation systems”. In: Human and Ecological Risk Assessment: An International Journal 24.7 (2018), pp. 1786–1812. ISSN: 1080-7039. DOI: 10.1080/10807039.2017.1422975. - doi:10.1080/10807039.2017.1422975
Todd E. Humphreys et al. “Assessing the spooing threat: Development of a portable GPS civilian spoofer”. In: Proceedings of the 21st International Technical Meeting of the Satellite Division of The Institute of Navigation (ION GNSS 2008). ION, 2008, pp. 2314–2325. URL: https://www.ion.org/publications/abstract. cfm?articleID=8132 (visited on 04/16/2023).
IEC. IEC 63154 Maritime navigation and radiocommunication equipment and systems - Cybersecurity - General requirements, methods of testing and required test results. Geneva, Switzerland, 2021.
IMO. International Safety Management (ISM) Code: Part A Chapter 10 Maintenance of the ship and equipment. London, UK, 2008.
IMO. MSC 105/8/2 Measures to enhance maritime security. Voluntary cyber risk management guidelines for shipboard operational technology (OT) systems. London, UK, 2022.
IMO. Resolution MSC.252(83) Adoption of the revised performance standards for Integrated Navigation Systems (INS), Introduction, Contents, Module A-B. London, UK, 2018.
IMO. Resolution MSC.428(98) Maritime cyber risk management in Safety Management Systems. London, UK, 2017.
iTrust. Guidelines for cyber risk management in shipboard operational technology systems. 2022. URL: https:// itrust. sutd. edu. sg/ news- events/ news/ guidelines- for- cyber- risk- management- in- shipboard-ot-systems/ (visited on 04/16/2023).
Georgios Kavallieratos and Sokratis Katsikas. “Managing cyber security risks of the cyber-enabled ship”. In: Journal of Marine Science and Engineering 8.10 (2020), p. 768. DOI: 10.3390/jmse8100768. - doi:10.3390/jmse8100768
Georgios Kavallieratos, Sokratis Katsikas, and Vasileios Gkioulos. “Cyber-attacks against the autonomous ship”. In: Computer Security. Ed. by Sokratis K. Katsikas et al. Vol. 11387. Lecture Notes in Computer Science. Cham: Springer International Publishing, 2019, pp. 20–36. DOI: 10.1007/978-3-030-12786-2_2. - doi:10.1007/978-3-030-12786-2_2
G. Fine Kinney and A. D. Wiruth. Practical risk analysis for safety management. China Lake, California, USA, 1976. URL: https://apps.dtic.mil/sti/citations/ADA027189 (visited on 04/16/2023).
Mass Soldal Lund, Odd Sveinung Hareide, and Øyvind Jøsok. “An attack on an Integrated Navigation System”. In: Necesse 3.2 (2018), pp. 149–163. DOI: 10.21339/2464-353x.3.2.149.
Mass Soldal Lund et al. “Integrity of Integrated Navigation Systems”. In: 2018 IEEE Conference on Communica- tions and Network Security (CNS). IEEE, 2018. DOI: 10.1109/CNS.2018.8433151. - doi:10.1109/CNS.2018.8433151
B. Malekmohammadi and L. Rahimi Blouchi. “Ecological risk assessment of wetland ecosystems using Multi Criteria Decision Making and Geographic Information System”. In: Ecological Indicators 41 (2014), pp. 133– 144. ISSN: 1470160X. DOI: 10.1016/j.ecolind.2014.01.038. - doi:10.1016/j.ecolind.2014.01.038
Per Håkon Meland et al. “Assessing cyber threats for storyless systems”. In: Journal of Information Security and Applications 64 (2022), p. 103050. ISSN: 22142126. DOI: 10.1016/j.jisa.2021.103050. - doi:10.1016/j.jisa.2021.103050
Voltaire Network. What spooked the USS Donald Cook so much in the Black Sea? 2014. URL: https://www. voltairenet.org/article185860.html (visited on 04/16/2023).
NIST. Guide for conducting risk assessments. Gaithersburg, MD, USA, 2012. DOI: 10.6028/NIST.SP.800- 30r1. URL: https : / / nvlpubs . nist . gov / nistpubs / Legacy / SP / nistspecialpublication800 - 30r1.pdf.
OCIMF. Safety critical equipment and-spare parts guidance. 2018. URL: https : / / www . ocimf . org / document- libary/93- safety- critical- equipment- and- spare- parts- guidance/file (visited on 04/16/2023).
Aybars Oruc. “Claims of state-sponsored cyberattack in the maritime industry”. In: The International Naval Engineering Conference and Exhibition (INEC 2020). 2020.
Aybars Oruc. “Cybersecurity risk assessment for tankers and defence methods”. MSc. Istanbul, Turkey: Piri Reis University, 2020. URL: http://openaccess.pirireis.edu.tr/xmlui/handle/20.500.12960/52? locale-attribute=en (visited on 04/16/2023). - doi:10.5152/eurasianjmed.2020.19224
Aybars Oruc, Ahmed Amro, and Vasileios Gkioulos. “Assessing cyber risks of an INS using the MITRE ATT&CK framework”. In: Sensors 22.22 (2022). DOI: 10.3390/s22228745. - doi:10.3390/s22228745
Aybars Oruc, Vasileios Gkioulos, and Sokratis Katsikas. “Towards a Cyber-Physical Range for the Integrated Navigation System (INS)”. In: Journal of Marine Science and Engineering 10.1 (2022), p. 107. DOI: 10.3390/ jmse10010107. - doi:10.3390/jmse10010107
Celia Paulsen and Patricia Toth. Small business information security: The fundamentals. Gaithersburg, MD, USA, 2016. DOI: 10.6028/NIST.IR.7621. URL: https://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR. 7621r1.pdf (visited on 04/16/2023).
Wenli Shang et al. “Information security risk assessment method for ship control system based on Fuzzy Sets and Attack Trees”. In: Security and Communication Networks (2019). ISSN: 1939-0114. DOI: 10.1155/2019/ 3574675. - doi:10.1155/2019/3574675
Boris Svilicic et al. “A study on cyber security threats in a shipboard Integrated Navigational System”. In: Journal of Marine Science and Engineering 7.10 (2019), p. 364. DOI: 10.3390/jmse7100364. - doi:10.3390/jmse7100364
Boris Svilicic et al. “Maritime cyber risk management: An experimental ship assessment”. In: Journal of Navigation 72.5 (2019), pp. 1108–1120. DOI: 10.1017/S0373463318001157. - doi:10.1017/S0373463318001157
Boris Svilicic et al. “Towards a cyber secure shipboard radar”. In: Journal of Marine Science and Engineering 7.10 (2020). DOI: 10.1017/S0373463319000808. - doi:10.1017/S0373463319000808
Kimberly Tam and Kevin Jones. “MaCRA: a model-based framework for maritime cyber-risk assessment”. In:WMU Journal of Maritime Affairs 18.1 (2019), pp. 129–163. DOI: 10.1007/s13437-019-00162-2. - doi:10.1007/s13437-019-00162-2
UMT. Severity, Exposure & Probability (SEP) risk assessment model. URL: https : / / winapps . umt . edu/ winapps/ media2 / wilderness/ toolboxes/ documents/ safety/ Severity, %20Exposure% 20 &%20Probability%20(SEP)%20Risk%20Assessment%20Model.pdf (visited on 04/16/2023).
UNCTAD. Review of maritime transport 2021. New York, USA, 2021. URL: https://unctad.org/webflyer/ review-maritime-transport-2021 (visited on 04/16/2023).
Citation note:
Oruc A., Kavallieratos G., Gkioulos V., Katsikas S.K.: Cyber Risk Assessment for SHips (CRASH). TransNav, the International Journal on Marine Navigation and Safety of Sea Transportation, Vol. 18, No. 1, doi:10.12716/1001.18.01.10, pp. 115-124, 2024
Authors in other databases:

Other publications of authors:


File downloaded 350 times








Important: TransNav.eu cookie usage
The TransNav.eu website uses certain cookies. A cookie is a text-only string of information that the TransNav.EU website transfers to the cookie file of the browser on your computer. Cookies allow the TransNav.eu website to perform properly and remember your browsing history. Cookies also help a website to arrange content to match your preferred interests more quickly. Cookies alone cannot be used to identify you.
Akceptuję pliki cookies z tej strony