the International Journal
on Marine Navigation
and Safety of Sea Transportation
http://www.transnav.eu
Volume 18
Number 1
March 2024
DOI: 10.12716/1001.18.01.10

Cyber Risk Assessment for SHips (CRASH)
A. Oruc, G. Kavallieratos, V. Gkioulos & S. Katsikas
Norwegian University of Science and Technology (NTNU), Gjøvik, Norway

ABSTRACT: The maritime industry is undergoing a digital transformation, with an increasing integration of Information Technology (IT) and Operational Technology (OT) systems on modern vessels. Its multiple benefits notwithstanding, this transformation brings with it increased cybersecurity risks, that need to be identified, assessed, and managed. Although several cyber risk assessment methodologies are available in the literature, they may be challenging for experts with a maritime background to use. In this paper we propose a simple and effective cyber risk assessment methodology, named Cyber Risk Assessment for SHips (CRASH), that can be easily implemented by maritime professionals. To showcase its workings, we assessed 24 cyber risks of the Integrated Navigation System (INS) using CRASH and we validated the method by comparing its results to those of another method and by means of interviews with experts in the maritime sector. CRASH can aid shipping companies in effectively assessing cyber risks as a step towards selecting and implementing necessary measures to enhance the cybersecurity of cyber-physical systems onboard their vessels.

1 INTRODUCTION
Given that approximately 80% of world trade by volume is carried out by vessels, sea transportation has a privileged place compared to other transportation modes [48]. The maritime sector has for some time been actively engaged with the digitalization of both shore and onboard systems and operations, leading to the digitally transformed shipping industry, also called "Shipping 4.0" [25].
Its multiple benefits notwithstanding, this transformation brings with it increased cybersecurity risks. Several cyber attacks have occurred in the maritime industry, and some of them have been suspected to be state-sponsored [37]. For example, in 2019, it was reported that 1,311 civilian ships were affected by Global Navigation Satellite System (GNSS) spoofing attacks between 2016 and 2018 [10]. In April 2016, a Global Positioning System (GPS) jamming attack impacted around 280 vessels off the coast of South Korea [14]. In June 2017, more than 20 vessels were exposed to a GPS jamming attack in the Black Sea [13]. In February 2017, malicious actors took control of the navigation system of an 8,250 TEU container vessel en route from Cyprus to Djibouti for 10 hours [8]. In April 2017, a modern U.S. destroyer had all its RAdio Detection And Ranging (RADAR) sets disabled by a Russian jet (Su-24) [34]. Additionally, the Electronic Chart Display and Information System (ECDIS) on a dry bulk vessel was infected with malware, resulting in financial losses due to delays in sailing and in ECDIS repair costs [7]. In another case, the power management system and administrative network of two different ships were infected with malware via a USB flash drive [7]. A more comprehensive account is given by Meland et al., who discuss 46 maritime cyber incidents that occurred between 2010 and 2020 [32].
In light of these findings, of the increased financial value of the sector [27], and of the multitude of potential attackers, including those with advanced capabilities, the promotion of cyber security and safety of the maritime ecosystem becomes very important. Maritime is a highly standardized sector, and maritime functions and operations are governed by corresponding standards and regulations. In 2017, the IMO published a circular to promote safe and secure shipping against cyber risks [23]. According to the circular, maritime companies must address cyber risks in their Safety Management System (SMS) by 01 January 2021. As of 02 January 2021, this requirement started to be verified in the Document of Compliance (DOC) audits of maritime companies. The International Electrotechnical Commission (IEC) published a standard in 2021 to specify requirements, testing methods, and required test results against cyber incidents for shipborne navigational components, shipborne radio equipment forming part of the Global Maritime Distress and Safety System (GMDSS), shipborne navigational aids, and Aids to Navigation (AtoN) [19].
The first step towards strengthening the cyber security and resilience of an ecosystem is to understand, analyze, and manage the cyber risks that it faces. Several cyber risk assessment methodologies are available in the literature, some of them specifically adapted to fit the needs of risk assessments in Cyber-Physical Systems (CPS), such as those found onboard vessels. However, they may be challenging to use for experts with a maritime rather than a cybersecurity background. It must be noted that the involvement of sector experts in, and their engagement with, the assessment of cyber risks is paramount to obtaining accurate results. Note also that statistical data regarding cyber incidents in maritime is not available in the literature and various risk assessment methods make certain assumptions regarding likelihood of occurrence, cost, and malicious actors. Therefore, their results depend heavily on expert judgement. To the best of our knowledge, a method that is easy for maritime domain experts to employ whilst also minimizing subjectivity is yet to be proposed.
In this paper we propose such a simple and effective cyber risk assessment method, named Cyber Risk Assessment for SHips (CRASH), that can be easily applied by maritime professionals. CRASH was designed to reduce the need for expert judgements in the cyber risk assessment process for marine systems. CRASH draws on cyber threats and vulnerabilities reported in the literature, previous cyber incidents, and shipborne system architectures to assess cyber risks.
The remainder of the paper is organized as follows: Section 2 presents a review of the related literature. The CRASH method is presented in section 3. Section 4 showcases the workings of CRASH by applying it to assess cyber risks of the INS. In section 5, we present the methodology for verifying CRASH and the results of applying it. Finally, section 6 offers a summary and recommends some possible future research directions.
2 RELATED WORK
Several risk assessment methods have been proposed in the literature, including [47, 2, 28, 1, 17, 4, 31], and several cyber risk assessments using diverse methods, including Fine-Kinney, Attack Tree, STRIDE, and DREAD, have been carried out both for conventional vessels and autonomous ships [24, 25, 26, 38, 42, 44]. Moreover, works proposing novel risk assessment methods against cyber risks onboard ships have also appeared in the literature [9, 33, 46]. A guideline [24] published by iTrust presents potential cyber risks and mitigation measures for communication, navigation, cargo management, propulsion machinery, and power control systems. Svilicic et al. [44] present a risk assessment for the ECDIS on a training vessel. Shang et al. [42] offered a cyber risk assessment method and applied it to a cyber risk scenario of the ship control system. Kavallieratos et al. [25, 26] adapted and applied well-established methods, namely STRIDE and DREAD, to assess the cyber risks of CPSs onboard autonomous ships. Another method for assessing cyber risks at sea is CYber Risk Assessment for Marine Systems (CYRA-MS), proposed by Bolbot et al. [9].
Cybersecurity risk is associated with the potential that threats will exploit vulnerabilities of an asset or group of assets and thereby cause harm to an organization. Cyber risk is assessed in terms of the likelihood of a threat occurring, the extent of the vulnerabilities to the threat, and the magnitude of the impact should the threat materialize; these constitute the elements of cyber risk. However, other choices for the elements of risk are possible. The SEP method [47] considers Severity, Exposure, and Probability as elements of risk. Severity describes potential consequences, such as occupational illness, injury, and death. Exposure reflects the required resources for a consequence, such as the amount of time, number of cycles, and number of people. Probability is defined as the likelihood of a consequence occurring. Severity and Probability assume values in the [1, 5] range, while the value of Exposure ranges in [1, 4]. The overall risk is calculated as the product of all three values. The Failure Modes and Effects Analysis (FMEA) method [2] assesses the failure risk of a component or system. Like SEP, it also assumes three elements of risk, namely Severity, Occurrence, and Detection. Occurrence is the likelihood of failure. Severity reflects the severity of a consequence, and Detection represents the detectability of a potential failure. Scores for each element range between 1 and 5, and the overall risk score, called the Risk Priority Number (RPN), is calculated by multiplying the three element scores. The Fine-Kinney method [28] also assumes three risk elements, namely Consequence, Likelihood, and Exposure. Consequence reflects undesirable incidents such as minor first-aid accidents, serious injuries, disabilities, and fatalities. Likelihood measures the possibility of a consequence, and Exposure reflects the frequency (e.g., daily, weekly, and monthly) of a potential consequence. Consequence is scored between 1 and 100, Likelihood between 0.1 and 10, and Exposure between 0.5 and 10. The risk level is determined by multiplying these scores. All these methods are quantitative and use a linear combination of the values of the risk elements to calculate the overall risk score. While SEP and Fine-Kinney are used for safety risk assessments, FMEA is mostly used for the risk assessment of failures. A combination of FMEA and Fine-Kinney with fuzzy set theory is also available in the literature [1, 17].
3 CRASH: CYBER RISK ASSESSMENT FOR SHIPS
Several studies in the literature estimate risk levels by considering a combination of safety, financial, environmental, or reputation impact. However, each impact type may result in a different risk level. Therefore, assessing impacts individually would result in a more accurate risk assessment, as shown in [16]. The CRASH approach focuses only on the safety impact of cyber attacks against components and systems onboard ships. In this study, safety impact refers to the occurrence of a situation that may lead to a marine accident causing harm to people or the environment [36]. Potential consequences other than safety, such as financial, environmental, or reputation, are beyond the scope of the method. Risk management, including risk mitigation measures and reassessing risks, is also outside the scope.
3.1 Elements of risk
CRASH assumes three elements of risk, namely Severity, Probability, and Criticality. These are discussed in detail in subsequent sections. The overall cyber risk is calculated according to equation 1. The correspondence between numerical risk scores and qualitative risk levels in CRASH is depicted in Table 1.

Risk = Severity (S) × Probability (P) × Criticality (C)    (1)

Table 1. Risk level in CRASH
________________________________________________
Risk Score    Risk Level
________________________________________________
1-20          Low
21-40         Medium
41-60         High
________________________________________________
3.1.1 Severity
Severity is a measure of the impact caused by a cyber attack against systems onboard a ship. Two distinct flows are distinguished in marine systems, namely information flows and control flows. Both information and control signals may suffer from loss or manipulation. Loss refers to potential damages to availability and manipulation refers to potential damages to integrity. In assessing the severity value, several aspects should be considered, as discussed below.
The criticality of each information and control signal depends on the functions and operations that use the signal. For instance, the position of own ship is more critical compared to the volume control or volume information of a GPS receiver. Further, the importance level varies under different threat scenarios. Accordingly, many factors such as ship type, position, weather and sea conditions, etc. should be considered during a cyber risk assessment. In the CRASH approach, the expert should determine whether the loss/manipulation of control or information is critical or not for ship operations. Manipulation of control/information is more dangerous than the loss of control/information at the same criticality level because it is more difficult to detect by seafarers or systems onboard ships. For instance, GPS spoofing (manipulation of information) [6] is riskier than GPS jamming (loss of information) [15] because it is harder to detect by the Officer On Watch (OOW) [18]. Loss/manipulation of information can be observed during an operation. However, loss/manipulation of control is noticed only when the control is required. Undoubtedly, both information and control could be critical for ship safety operations. However, particularly in case of an emergency, control is typically more important because of the time constraint to take action.
According to the International Safety Management (ISM) Code, "The Company should identify equipment and technical systems, the sudden operational failure of which may result in hazardous situations" [20]. The Oil Companies International Marine Forum (OCIMF) has classified hazardous situations as follows [36]:
loss of steering;
loss of propulsion;
loss of power;
loss of inert gas system;
loss of gas monitoring system;
loss of cargo/ballasting monitoring equipment;
loss of mooring.
According to the OCIMF, loss of the stated functions may cause a marine casualty, which may harm people and/or the environment [36]. Accordingly, a potential cyber attack which may cause loss of such functions is considered to be a hazardous situation and it is assessed as having the highest severity level.
Based on the above reasoning, the matrix shown in Figure 1 results.
Figure 1. CRASH severity levels.
The value of the severity element in CRASH is determined as shown in Table 2. Some risks may have multiple safety impacts, for example both "minor - loss of information" and "severe - manipulation of a critical control". In such cases, severity is assigned the highest value, following the worst-case scenario approach.
Table 2. Severity Table
________________________________________________
Class          Impact                                  Score
________________________________________________
none           no safety impact                        1
minor          loss of information, loss of control,   2
               manipulation of information
significant    loss of critical information,           3
               manipulation of control, loss of
               critical control
severe         manipulation of critical control,       4
               manipulation of critical information
catastrophic   hazardous situation                     5
________________________________________________
3.1.2 Probability
Probability measures the likelihood that a threat exploits a vulnerability or a set of vulnerabilities [41]. As there are very limited statistics of cyber incidents in the maritime industry, a purely quantitative approach to determining the likelihood is not possible. Instead, CRASH assumes four levels of such likelihood, namely None, which denotes a virtually impossible attack; Unlikely, which denotes the existence of possible scenarios; Possible, which reflects cases whose possibility of occurrence has been verified by experimental research; and Likely, which reflects cases of cyber incidents that have actually occurred in the real world. Table 3 depicts the value of the probability element that CRASH assigns. If more than one option exists (e.g. both "occurred cyber incident" and "experimental research result"), the higher value is assigned.

Table 3. Probability Table
________________________________________________
Class      Description                    Score
________________________________________________
none       virtually impossible           1
unlikely   scenario                       2
possible   experimental research result   3
likely     occurred cyber incident        4
________________________________________________
3.1.3 Criticality
Criticality measures the dependence on information or systems to achieve necessary functions and operations [35]. The value of criticality depends on two factors: redundancy and dependency. Redundancy denotes the existence of a backup system or component, while dependency denotes that a component requires another component to run reliably. Additionally, some components may be required to be connected to another component due to IMO requirements.
In case of a cyber attack against a component, the dependent components would be affected negatively. Accordingly, dependency is significant in terms of chain impact. Redundancy is an essential mitigation measure against cyber attacks as well as against failures. Critical systems on board ships must be equipped with redundant components. For instance, the steering system in the bridge might be out of order because of a failure. In such a case, the rudder of the vessel can be steered from the steering room (i.e., the emergency steering system).
The value of the criticality component in CRASH is determined by considering the Criticality Matrix depicted in Table 4. Redundancy may take on one of three values: available, partly, or unavailable. Unavailable denotes no redundant component; Available denotes that an alternative component that can carry out exactly the same function is available onboard the ship; and Partly denotes that an alternative component that can carry out a similar function is available onboard the ship. Three values for dependency are assumed: No dependent component, One dependent component, or More than one dependent components for the hazardous situations (discussed in section 3.1.1). For transforming the qualitative values in the table to numeric values, low criticality is scored 1, medium criticality is scored 2, and high criticality is scored 3.

Table 4. Criticality Matrix
________________________________________________
                            Dependency
________________________________________________
Redundancy    No           One          More than one
              Dependent    Dependent    Dependent
              Component    Component    Components
________________________________________________
Available     Low (1)      Low (1)      Medium (2)
Partly        Low (1)      Medium (2)   High (3)
Unavailable   Medium (2)   High (3)     High (3)
________________________________________________
Table 5. Components of INS and their Redundancy
___________________________________________________________________________________________________
Component                          Redundant                                             Result
___________________________________________________________________________________________________
AIS                                N/A                                                   Unavailable
Anemometer                         N/A                                                   Unavailable
BNWAS                              N/A                                                   Unavailable
Central Alert Management HMI       MFD                                                   Available
Controls for M/E                   Local controls in engine room (on M/E or in ECR)      Available
Controls for main rudder           Local controls in steering room                       Available
Controls for thruster              Local controls in thruster room                       Available
ECDIS                              Back-Up ECDIS                                         Available
Echo Sounder                       2nd Echo sounder                                      Available
GPS                                2nd GPS                                               Available
Gyro Compass                       2nd Gyro compass                                      Available
HCS                                N/A                                                   Unavailable
Indicators                         on local units                                        Available
Magnetic Compass                   Gyro compass                                          Partly
MFD                                Other MFDs                                            Available
NAVTEX                             N/A                                                   Unavailable
RADAR                              If X-band RADAR fails, S-band can be used.            Partly
                                   If S-band RADAR fails, X-band can be used.
Rate of Turn Indicator (ROTI)      ROT calculation based on GPS                          Partly
Rudder pump selector switch        Local controls in ECR or steering room                Available
Sound reception system             N/A                                                   Unavailable
Speed and Distance Measuring       Speed Over Ground (SOG) based on GPS                  Partly
Equipment (SDME)
Steering mode selector switch      Steering mode selector switch in wings                Available
Steering position selector switch  N/A                                                   Unavailable
TCS                                N/A                                                   Unavailable
Transmitting Heading Device        N/A                                                   Unavailable
___________________________________________________________________________________________________
4 USE CASE: APPLYING CRASH TO THE INS
Modern vessels are equipped with various computerized systems serving different purposes, including navigation, propulsion, communication, cargo handling, safety, and security. Undoubtedly, the INS is one of the most critical systems onboard ships. The INS supports the OOW for safe navigation, by receiving data from several components, combining them, and providing timely alerts regarding dangerous situations at sea, such as geographic, traffic, and environmental hazards, or system failures [22]. The INS consists of several compulsory and elective components, including the Automatic Identification System (AIS), the GNSS, the Multifunctional Display (MFD), the RADAR, and the ECDIS. Several studies revealed the cyber threats and vulnerabilities of such components as well as of the INS as a whole [5, 6, 29]. Several cyber incidents have targeted the INS, and its vulnerabilities have been extensively analyzed in the literature [39, 43, 30, 29]. Accordingly, the INS was selected to illustrate the workings of CRASH.
The application was performed in nine steps, as follows:
Step 1: identification of the system and components;
Step 2: identification of cyber risks;
Step 3: identification of the redundancies;
Step 4: identification of the dependencies;
Step 5: determination of the severity;
Step 6: determination of the probability;
Step 7: determination of the criticality;
Step 8: calculation of the risk score;
Step 9: analysis of risks.
4.1 Step 1: Identification of the System and Components
The INS comprises 25 different components for different purposes, such as determining the heading, position, or speed [40]. Such components are listed in Table 5.
4.2 Step 2: Identification of Cyber Risks
The cyber risks of components are identified by means of a literature review. Not only academic papers but also other sources, such as websites, magazines, white papers, and guidelines, are scanned to find additional cyber threats, vulnerabilities, and incidents. Furthermore, additional cyber attack scenarios can be designed. Identified cyber risks for the INS are given in Table 6. Risks #1-18 in the table are based on findings in the scientific literature and in publicly available resources. Risks #19-24 correspond to potential risk scenarios. According to Table 6, eight INS components are exposed to cyber risks, namely the AIS, the Bridge Navigational Watch & Alarm System (BNWAS), the control for the main engine (M/E) (i.e., revolutions per minute (rpm) controller), the ECDIS, the GPS, the indicator (i.e., the indicator for starting air pressure), the MFD, and the RADAR.
Table 6. Cyber Risks of the INS
________________________________________________
ID  Component         Risk
________________________________________________
1   AIS               Ship spoofing (Receiving message belonging to fake vessels)
2   AIS               AtoN spoofing
3   AIS               Collision (i.e., Closest Point of Approach (CPA)) spoofing
4   AIS               AIS-SART spoofing (Receiving fake AIS-SART alert)
5   AIS               Weather forecasting
6   AIS               Altering Estimated Time of Arrival (ETA) of own vessel (AIS hijacking)
7   AIS               Frequency hopping attack
8   AIS               Timing attack
9   GPS               Jamming
10  GPS               Spoofing
11  RADAR             Eliminating RADAR targets
12  RADAR             Changing the position of the vessel in the RADAR display
13  RADAR             Out of order because of malware infection
14  RADAR             Jamming
15  ECDIS             Manipulation of the ship's position because of malware infection
16  ECDIS             Out of order because of malware infection
17  ECDIS             Modification of charts of ECDIS
18  Unknown           Loss of steering function
19  RADAR             Blocking change of RADAR range
20  AIS               Hiding the destination of other vessels
21  Controls for M/E  Blocking change of rpm for a Fixed Pitch Propeller (FPP) vessel
22  Indicator         Manipulation of starting air pressure
23  BNWAS             Turning off by crew (internal cyber attack)
24  MFD               Disabling critical functions crew of all MFDs (internal cyber attack)
________________________________________________
4.3 Step 3: Identification of the Redundancies
The third step involved identifying the redundant components for the eight components identified in step 2. The redundancy of each component was analyzed based on whether it would be affected by the same attack simultaneously or not. For example, a RADAR unit has a redundant RADAR unit, but during a RADAR jamming attack, both RADARs would be affected [34]. Thus, for Risks #11, 12, 13, and 19, the redundancy value for RADAR risks was determined as "partly", while for Risk #14, it was determined as "unavailable". It should be noted that the compromised component for Risk #18 is unknown, but the cyber attack resulted in the loss of steering. Therefore, the emergency steering system for Risk #18 was assumed to be a redundant system. The redundancy status by cyber risks is presented in Table 7.
4.4 Step 4: Identification of the Dependencies
All possible dependencies between the components of an INS as per the IMO requirements have been analyzed in [40]. However, in this study, the simplified dependencies shown in Table 8 are considered. In this table, the symbol "" stands for a dependency between components. The GPS and the gyro compass are the most critical components in terms of dependency, as five components depend on the GPS and five components depend on the gyro compass.
The components under study are the AIS, BNWAS, control for M/E, ECDIS, GPS, indicator, MFD, and RADAR as shown in Table 6. The components that depend solely on the AIS or the GPS among compromised components are available, as shown in Table 9. Risk #18 is a hazardous situation. The number of dependent components is identified as "more than one dependent component", as mentioned in section 3.1.3.
Table 7. Redundancy by Cyber Risks
________________________________________________
ID      Component        Result
________________________________________________
1-8     AIS              Unavailable
9, 10   GPS              Unavailable
11-13   RADAR            Partly
14      RADAR            Unavailable
15-17   ECDIS            Available
18      Unknown          Available
19      RADAR            Partly
20      AIS              Unavailable
21      Control for M/E  Available
22      Indicator        Available
23      BNWAS            Unavailable
24      MFD              Unavailable
________________________________________________
Table 8. Simplified Dependencies of an INS
________________________________________________
Component | AIS | GPS | Gyro Compass | Magnetic Compass | ROTI | SDME
________________________________________________
AIS 
ECDIS 
Gyro Compass 
HCS
RADAR   
TCS 
THD
________________________________________________
Total | 1 | 5 | 5 | 1 | 1 | 4
________________________________________________
4.5 Step 5: Determination of the Severity
The severity value of each of the identified risks was determined as described in Section 3.1.1. Two risks were assessed as "Catastrophic", four as "Minor", eight as "Significant", and ten as "Severe". The loss of steering function and the blocking of the change of M/E rpm were both classified as "Catastrophic" risks.
4.6 Determination of the Probability
The value of the probability of each risk was determined as described in Section 3.1.2. No risk probability was valued as "None". Risks #1, #9, and #10 have not only been observed in research experiments, they have also occurred in real-world cyber incidents. Therefore, these risks were considered to be of higher probability (i.e., "Likely"). The values of the probability element of all identified cyber risks are presented in Table 11, with six valued as "Likely", six as "Unlikely", and 12 as "Possible".
4.7 Determination of the Criticality
The criticality values were determined as described in Section 3.1.3. Both redundancies (discussed in Section 4.3) and dependencies (discussed in Section 4.4) were taken into account when determining the criticality of each component, as shown in Table 12.
4.8 Calculation of the Risk Score
The numeric risk scores are calculated using equation 1. The qualitative risk levels are determined by using Table 1 and are shown in Table 13.
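
The scoring rules of Sections 3.1.1 to 3.1.3 and equation 1, written out as an added Python example (not code from the paper or its authors). All function, class and field names are assumptions of this example; the inputs for Risks #1, #9, #10 and #11 are transcribed from Tables 10, 11 and 12.

```python
"""CRASH scoring: Risk = Severity x Probability x Criticality (equation 1)."""
from dataclasses import dataclass

# Table 2: impact description -> severity score.
SEVERITY = {
    "no safety impact": 1,
    "loss of information": 2,
    "loss of control": 2,
    "manipulation of information": 2,
    "loss of critical information": 3,
    "manipulation of control": 3,
    "loss of critical control": 3,
    "manipulation of critical control": 4,
    "manipulation of critical information": 4,
    "hazardous situation": 5,
}

# Table 3: kind of supporting evidence -> probability score.
PROBABILITY = {"none": 1, "scenario": 2, "research": 3, "incident": 4}

# Table 4: redundancy -> scores for 0, 1 and more than one dependent component.
CRITICALITY = {
    "available": (1, 1, 2),
    "partly": (1, 2, 3),
    "unavailable": (2, 3, 3),
}

# Table 1: upper bound of each band -> qualitative level.
RISK_LEVELS = ((20, "Low"), (40, "Medium"), (60, "High"))


@dataclass(frozen=True)
class Risk:
    risk_id: int
    name: str
    impacts: tuple    # one or more Table 2 impact descriptions
    evidence: tuple   # one or more Table 3 evidence kinds
    redundancy: str   # "available", "partly" or "unavailable"
    dependents: int   # number of dependent components


def severity(impacts):
    """Worst-case rule of Section 3.1.1: the highest-scoring impact wins."""
    if not impacts:
        raise ValueError("at least one impact is required")
    return max(SEVERITY[i] for i in impacts)


def probability(evidence):
    """Section 3.1.2: when several kinds of evidence exist, take the higher."""
    if not evidence:
        raise ValueError("at least one kind of evidence is required")
    return max(PROBABILITY[e] for e in evidence)


def criticality(redundancy, dependents):
    """Look up Table 4; two or more dependents share the last column."""
    if dependents < 0:
        raise ValueError("dependents cannot be negative")
    return CRITICALITY[redundancy][min(dependents, 2)]


def risk_level(score):
    """Map a numeric score to the qualitative level of Table 1."""
    for upper, level in RISK_LEVELS:
        if 1 <= score <= upper:
            return level
    raise ValueError(f"score {score} is outside the 1-60 range of Table 1")


def assess(risk):
    """Return the three element scores, their product and the risk level."""
    s = severity(risk.impacts)
    p = probability(risk.evidence)
    c = criticality(risk.redundancy, risk.dependents)
    score = s * p * c
    return {"id": risk.risk_id, "S": s, "P": p, "C": c,
            "score": score, "level": risk_level(score)}


# Inputs transcribed from Tables 10 (impact), 11 (evidence) and 12
# (redundancy, number of dependent components).
INS_RISKS = (
    Risk(1, "AIS ship spoofing", ("manipulation of critical information",),
         ("research", "incident"), "unavailable", 1),
    Risk(9, "GPS jamming", ("loss of critical information",),
         ("research", "incident"), "unavailable", 5),
    Risk(10, "GPS spoofing", ("manipulation of critical information",),
         ("research", "incident"), "unavailable", 5),
    Risk(11, "Eliminating RADAR targets",
         ("manipulation of critical information",),
         ("research",), "partly", 0),
)

if __name__ == "__main__":
    for r in INS_RISKS:
        print(r.name, assess(r))
```

An impact, evidence kind or redundancy value that is not in Tables 2 to 4 raises `KeyError`, so a misspelled input is rejected rather than silently scored.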
Table 9. Dependency Table of Compromised Components
________________________________________________
Dependent Components | Compromised Components: A | B | C | E | G | I | M | R
________________________________________________
AIS
ECDIS
Gyro Compass
RADAR 
TCS
________________________________________________
Total | 1 | 0 | 0 | 0 | 5 | 0 | 0 | 0
________________________________________________
A - AIS; B - BNWAS; C - Control for M/E; E - ECDIS; G - GPS; I - Indicator; M - MFD; R - RADAR
Table 10. Severity values
________________________________________________
ID  Definition                             Class         Score
________________________________________________
1   manipulation of critical information   severe        4
2   manipulation of critical information   severe        4
3   manipulation of critical information   severe        4
4   manipulation of information            minor         2
5   manipulation of critical information   severe        4
6   manipulation of information            minor         2
7   loss of critical information           significant   3
8   loss of critical information           significant   3
9   loss of critical information           significant   3
10  manipulation of critical information   severe        4
11  manipulation of critical information   severe        4
12  manipulation of critical information   severe        4
13  manipulation of critical information   severe        4
14  loss of critical information           significant   3
15  manipulation of critical information   severe        4
16  loss of critical information           significant   3
17  manipulation of critical information   severe        4
18  hazardous situation (steering)         catastrophic  5
19  loss of critical control               significant   3
20  loss of information                    minor         2
21  hazardous situation (propulsion)       catastrophic  5
22  manipulation of information            minor         2
23  loss of critical information           significant   3
24  loss of critical information           significant   3
________________________________________________
4.9 Analysis of Risks
The study identified a total of 24 risks associated with the INS. Of these, six were based on previous cyber incidents, 15 were identified through experimental methods, and six were based on realistic scenarios. Of the 24 risks, 14 were classified as low, eight as medium, and two as high. Two of the risks were specifically related to the GPS and the AIS and were deemed to be high. A graphical representation of the percentage of risks at each level is given in Figure 2.
Figure 2. Risk levels
Table 11. Probability values
________________________________________________
ID  Scenario  Research  Incident  Class     Score
________________________________________________
1             [5]       [3]       likely    4
2             [5]                 possible  3
3             [5]                 possible  3
4             [5]                 possible  3
5             [5]                 possible  3
6             [5]                 possible  3
7             [5]                 possible  3
8             [5]                 possible  3
9             [15]      [14]      likely    4
10            [6]       [13]      likely    4
11            [12]                possible  3
12            [12]                possible  3
13            [45]                possible  3
14                      [34]      likely    4
15            [29]                possible  3
16                      [7]       likely    4
17            [11]                possible  3
18                      [8]       likely    4
19                                unlikely  2
20                                unlikely  2
21                                unlikely  2
22                                unlikely  2
23                                unlikely  2
24                                unlikely  2
________________________________________________
5 VALIDATION
Method validation in this case consists of two phases, namely validating the results and validating the user-friendliness of the method. In order to validate the results, we compared our findings with the voluntary guidelines provided by [24]. These guidelines came to the fore in the IMO in 2022 [21]. In addition to iTrust, the Maritime and Port Authority of Singapore (MPA) contributed to the development of the guidelines [24]. The traditional risk assessment formula, Risk = Severity × Likelihood, was used in the study to assess risks at three levels: high, medium, and low. We compared the risk levels in [24] to those derived by CRASH and found that seven of them were the same, as shown in Table 14. Moreover, five of these risks were assessed at the same risk level.
In the second phase of the validation process we tested the user-friendliness of our method by means of interviews with 10 marine professionals, as shown in Table 15. The Table also depicts the reason for selecting each individual interviewee, so as to ensure a broad spectrum of expertise and experience.
We prepared a presentation in two parts. The first part described the method. The second part presented an example risk assessment for GPS jamming and GPS spoofing attacks. The presentation was sent to interviewees via email before the interview. During the interviews a different example, not seen by the interviewees before the interview, was used. In the interviews, we first explained how CRASH works. Then, we discussed how the cyber risks of GPS jamming and GPS spoofing were assessed. Finally, the interviewees were invited to assess the risk of AIS ship spoofing by applying CRASH on their own.
Table 15. List of Interviewees in the Focus Group
________________________________________________
#    Competency                              Reason for selection
________________________________________________
1    Oceangoing Watchkeeping Officer         Ship Cyber Security Officer; Giving training onboard to seafarers about the cyber risks of ships.
2    Oceangoing Chief Engineer               Maritime cybersecurity consultant; (Ex) Company Cyber Security Officer; Developing Cyber Security Plan, including risk assessment; Giving training onboard and at the office to seafarers about the cyber risks of ships.
3    Oceangoing Master                       Completed M.Sc. thesis on maritime cybersecurity
4    Oceangoing Master                       Developing a Cyber Security Plan, including risk assessment.
5    Oceangoing Chief Engineer               Experienced in safety risk assessments.
6    Oceangoing Master                       Giving training at the office to seafarers about the cyber risks of ships.
7    Oceangoing Chief Officer                Developing Cyber Security Plan, including risk assessment.
8    Oceangoing Chief Officer                Ship Cyber Security Officer; Giving training onboard to seafarers about the cyber risks of ships.
9    (Ex) Oceangoing Watchkeeping Officer    Ongoing PhD thesis on maritime cyber security.
10   (Ex) Oceangoing Watchkeeping Officer    Ongoing PhD thesis on maritime cyber security.
________________________________________________
Table 12. Criticality values
________________________________________________
ID   Component          Redundancy    Number of DC           Class    Score
________________________________________________
1    AIS                unavailable   1                      high     3
2    AIS                unavailable   1                      high     3
3    AIS                unavailable   1                      high     3
4    AIS                unavailable   1                      high     3
5    AIS                unavailable   1                      high     3
6    AIS                unavailable   1                      high     3
7    AIS                unavailable   1                      high     3
8    AIS                unavailable   1                      high     3
9    GPS                unavailable   5                      high     3
10   GPS                unavailable   5                      high     3
11   RADAR              partly        0                      low      1
12   RADAR              partly        0                      low      1
13   RADAR              partly        0                      low      1
14   RADAR              unavailable   0                      medium   2
15   ECDIS              available     0                      low      1
16   ECDIS              available     0                      low      1
17   ECDIS              available     0                      low      1
18   unknown            available     hazardous situation    medium   2
19   RADAR              partly        0                      low      1
20   AIS                unavailable   1                      high     3
21   Controls for M/E   available     0                      low      1
22   Indicator          available     0                      low      1
23   BNWAS              unavailable   0                      low      1
24   MFD                unavailable   0                      low      1
________________________________________________
DC: Dependent Component
________________________________________________
The interviewees, except for those among them that are Ph.D. candidates, were not familiar with technical aspects of cybersecurity attacks such as GPS spoofing, GPS jamming, and AIS ship spoofing. However, they had experienced GPS jamming attacks during their sea services and were aware of hazardous situations, such as loss of steering, propulsion, and inert gas system. They were also not familiar with terms like loss of control, loss of information, and manipulation of information; these had to be explained to them. Then, the interviewees were invited to answer the following questions:
- Does the AIS ship spoofing attack regard control or information? (correct answer: information);
- Does the AIS ship spoofing attack regard loss or manipulation of information? (correct answer: manipulation);
- Is the AIS ship spoofing attack critical or uncritical? (correct answer: critical).
The severity of the AIS ship spoofing attack was successfully, quickly, easily, and consistently identified by all interviewees as Manipulation of Critical Information.
During the interview, three risks related to AIS and GPS components were discussed. Although GPS jamming was known by all professionals, GPS spoofing and AIS ship spoofing attacks were not familiar to everyone. Consequently, determining the probability of spoofing attacks was challenging for some professionals. Therefore, it appears that the probability of known or recently experienced attacks in the industry can be more easily determined by professionals.
Redundancy and dependency components for the AIS and GPS were successfully identified by all interviewees. According to the interviewees, the design of the criticality matrix was confusing. As a result, this was redesigned by taking into account the suggestions of the interviewees, as shown in Table 4. During the interview, it was observed that a junior officer who had served for less than three months as OOW was not fully familiar with the bridge network. Therefore, he might have made an error in the dependency element if a risk related to a bridge component other than GPS and AIS was given as an example. It was concluded that sea service might be necessary to determine the criticality element accurately.
Table 13. Risk numeric scores and qualitative levels
________________________________________________
ID   Severity   Probability   Criticality   Risk score   Risk level
________________________________________________
1    4          4             3             48           high
2    4          3             3             36           medium
3    4          3             3             36           medium
4    2          3             3             18           low
5    4          3             3             36           medium
6    2          3             3             18           low
7    3          3             3             27           medium
8    3          3             3             27           medium
9    3          4             3             36           medium
10   4          4             3             48           high
11   4          3             1             12           low
12   4          3             1             12           low
13   4          3             1             12           low
14   3          4             2             24           medium
15   4          3             1             12           low
16   3          4             1             12           low
17   4          3             1             12           low
18   5          4             2             40           medium
19   3          2             1             6            low
20   2          2             3             12           low
21   5          2             1             10           low
22   2          2             1             4            low
23   3          2             1             6            low
24   3          2             1             6            low
________________________________________________
Table 14. Comparison of Risk Levels
________________________________________________
ID   Comparison of Risk Levels        Results
     Our Study    Reference Study
________________________________________________
1    high         high
7    medium       medium
8    medium       medium
9    medium       medium
10   high         high
12   low          high                x
16   low          high                x
________________________________________________
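Added example (not part of the paper): a Python cross-check of the values printed in Tables 12, 13 and 14. It tests, rather than assumes, that every risk score in Table 13 equals severity × probability × criticality, that the qualitative levels occupy non-overlapping score ranges, and it reproduces the comparison with the reference study [24]; the function and variable names are this example's own.

```python
from collections import Counter

# Table 13 as printed: ID -> (severity, probability, criticality, score, level)
TABLE_13 = {
    1: (4, 4, 3, 48, "high"),    2: (4, 3, 3, 36, "medium"),
    3: (4, 3, 3, 36, "medium"),  4: (2, 3, 3, 18, "low"),
    5: (4, 3, 3, 36, "medium"),  6: (2, 3, 3, 18, "low"),
    7: (3, 3, 3, 27, "medium"),  8: (3, 3, 3, 27, "medium"),
    9: (3, 4, 3, 36, "medium"),  10: (4, 4, 3, 48, "high"),
    11: (4, 3, 1, 12, "low"),    12: (4, 3, 1, 12, "low"),
    13: (4, 3, 1, 12, "low"),    14: (3, 4, 2, 24, "medium"),
    15: (4, 3, 1, 12, "low"),    16: (3, 4, 1, 12, "low"),
    17: (4, 3, 1, 12, "low"),    18: (5, 4, 2, 40, "medium"),
    19: (3, 2, 1, 6, "low"),     20: (2, 2, 3, 12, "low"),
    21: (5, 2, 1, 10, "low"),    22: (2, 2, 1, 4, "low"),
    23: (3, 2, 1, 6, "low"),     24: (3, 2, 1, 6, "low"),
}
# Table 12 "Score" column: criticality score -> risk IDs that carry it
TABLE_12_SCORES = {
    3: [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 20],
    2: [14, 18],
    1: [11, 12, 13, 15, 16, 17, 19, 21, 22, 23, 24],
}
# Table 14: ID -> risk level assigned by the reference study [24]
TABLE_14_REFERENCE = {1: "high", 7: "medium", 8: "medium", 9: "medium",
                      10: "high", 12: "high", 16: "high"}

def score_mismatches():
    """IDs whose printed score is not severity * probability * criticality."""
    return [i for i, (s, p, c, score, _) in TABLE_13.items() if s * p * c != score]

def criticality_mismatches():
    """IDs whose Table 13 criticality differs from the Table 12 score."""
    t12 = {i: score for score, ids in TABLE_12_SCORES.items() for i in ids}
    return [i for i, row in TABLE_13.items() if row[2] != t12[i]]

def level_bands():
    """Observed (min, max) risk score for each qualitative level."""
    bands = {}
    for _, _, _, score, level in TABLE_13.values():
        lo, hi = bands.get(level, (score, score))
        bands[level] = (min(lo, score), max(hi, score))
    return bands

def bands_are_ordered(bands):
    """True if low < medium < high with no overlapping score ranges."""
    return bands["low"][1] < bands["medium"][0] and bands["medium"][1] < bands["high"][0]

def compare_with_reference():
    """Split the shared risks into agreeing IDs and differing (ours, reference)."""
    agree = [i for i, ref in TABLE_14_REFERENCE.items() if TABLE_13[i][4] == ref]
    differ = {i: (TABLE_13[i][4], ref) for i, ref in TABLE_14_REFERENCE.items()
              if TABLE_13[i][4] != ref}
    return agree, differ

def level_counts():
    """Number of Table 13 rows per qualitative level."""
    return dict(Counter(row[4] for row in TABLE_13.values()))

if __name__ == "__main__":
    print("score mismatches:", score_mismatches())
    print("criticality mismatches:", criticality_mismatches())
    print("bands:", level_bands(), "ordered:", bands_are_ordered(level_bands()))
    print("agreement with [24]:", compare_with_reference())
    print("rows per level:", level_counts())
```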
6 CONCLUSION
Maritime transportation is a crucial component of global trade, and vessels are central to this mode of transport. However, with the increasing prevalence of computerized systems on modern vessels, including the Integrated Navigation System (INS), cyber threats have become a significant concern.
No statistics for maritime cyber incidents can be found in the literature. However, statistical data can be very useful in determining the probability of risks. Without such data, risk assessments can be subjective and depend too heavily on expert judgement. This paper proposed CRASH, a method for assessing the safety impact of cyber risks onboard ships. CRASH is a combination of subjective and objective approaches: Probability and criticality are objective elements of risk, whereas the importance of control and information should be assessed as critical or non-critical by an expert, making the determination of severity somewhat subjective.
CRASH has significant advantages: its application is easy and does not require the use of software. Furthermore, the method reduces the need for expert judgements. Lastly, it is similar to the traditional maritime risk assessment formula, making it easy for experienced professionals with a maritime background to familiarize themselves with and apply. Indicative of this is the fact that even though interviewee #5 (in Table 15) was not fully aware of cyber risks, he successfully applied the method. Thus, CRASH can be used by ship operators to perform effective cyber risk assessments instead of relying on subjectively selected likelihood and severity values in traditional risk assessment methods.
However, CRASH also has some drawbacks: it requires a thorough assessment of cyber risks, including known vulnerabilities and past cyber incidents, which must be obtained from the literature and experience. Additionally, technical and operational details of the vessel are necessary, and sea experience is crucial to identifying dependencies and redundancies of compromised components. 24 risks associated with the INS were assessed in this paper. By applying CRASH, the study assessed 18 risks as low, 8 risks as medium, and 2 risks as high, highlighting the importance of having appropriate risk mitigation measures in place. Future studies could use CRASH to assess the cyber risks of systems in other locations onboard, such as the engine room or the cargo control room.
ACKNOWLEDGMENTS
We would like to express our sincere gratitude to experts for their comments towards improving our study.
This paper has received funding from the Research Council of Norway through the Maritime Cyber Resilience (MarCy, project number 295077) project and the SFI Norwegian Centre for Cybersecurity in Critical Sectors (NORCICS, project number 310105). The content reflects only the authors’ views, and neither the Research Council of Norway nor the project partners are responsible for any use that may be made of the information it contains.
REFERENCES
[1] Emre Akyüz. “Application of fuzzy FMEA to perform an extensive risk analysis in maritime transportation engineering”. In: International Journal Maritime Engineering 159.A1 (2017). DOI: 10.5750/ijme.v159iA1.1013.
[2] Emre Akyüz and Erkan Çelik. “A quantitative risk analysis by using interval type-2 fuzzy FMEA approach: the case of oil spill”. In: Maritime Policy & Management 45.8 (2018), pp. 979–994. ISSN: 0308-8839. DOI: 10.1080/03088839.2018.1520401.
[3] Andrej Androjna et al. “Assessing cyber challenges of maritime navigation”. In: Journal of Marine Science and Engineering 8.10 (2020), p. 776. DOI: 10.3390/jmse8100776.
[4] H. Arabian-Hoseynabadi, H. Oraee, and P. J. Tavner. “Failure Modes and Effects Analysis (FMEA) for wind turbines”. In: International Journal of Electrical Power & Energy Systems 32.7 (2010), pp. 817–824. ISSN: 0142-0615. DOI: 10.1016/j.ijepes.2010.01.019.
[5] Marco Balduzzi, Alessandro Pasta, and Kyle Wilhoit. “A security evaluation of AIS Automated Identification System”. In: ACSAC ’14: Proceedings of the 30th Annual Computer Security Applications Conference. Ed. by Charles N. Payne et al. New York, NY, USA: Association for Computing Machinery, 2014, pp. 436–445. DOI: 10.1145/2664243.2664257.
[6] Jahshan Bhatti and Todd E. Humphreys. “Hostile control of ships via false GPS signals: Demonstration and detection”. In: Journal of the Institute of Navigation 64.1 (2017), pp. 51–66. DOI: 10.1002/navi.183.
[7] BIMCO et al. The guidelines on cyber security onboard ships. 2020. URL: https://www.ics-shipping.org/wp-content/uploads/2021/02/2021-Cyber-Security-Guidelines.pdf (visited on 04/16/2023).
[8] Tanya Blake. Hackers took ‘full control’ of container ship’s navigation systems for 10 hours - IHS Fairplay. 2017. URL: https://rntfnd.org/2017/11/25/hackers-took-full-control-of-container-ships-navigation-systems-for-10-hours-ihs-fairplay/ (visited on 04/16/2023).
[9] Victor Bolbot et al. “A novel cyber-risk assessment method for ship systems”. In: Safety Science 131 (2020). ISSN: 0925-7535. DOI: 10.1016/j.ssci.2020.104908.
[10] C4ADS. Above us only stars. 2019. URL: https://c4ads.org/wp-content/uploads/2022/05/AboveUsOnlyStarsReport.pdf (visited on 04/15/2023).
[11] Northern California Area Maritime Security Committee. Cyber security newsletter. 2014. URL: https://www.sfmx.org/wp-content/uploads/2017/03/Cyber-Security-Newsletter-2014-1.pdf (visited on 04/16/2023).
[12] Maritime Executive. Tests show ease of hacking ECDIS, RADAR and machinery. 2017. URL: https://www.maritime-executive.com/article/tests-show-ease-of-hacking-ecdis-radar-and-machinery (visited on 04/16/2023).
[13] Dana Goward. Mass GPS spoofing attack in Black Sea? 2017. URL: https://www.maritime-executive.com/editorials/mass-gps-spoofing-attack-in-black-sea (visited on 04/16/2023).
[14] Luke Graham. Shipping industry vulnerable to cyber attacks and GPS jamming. 2017. URL: https://www.cnbc.com/2017/02/01/shipping-industry-vulnerable-to-cyber-attacks-and-gps-jamming.html (visited on 04/16/2023).
[15] Alan Grant et al. “GPS jamming and the impact on maritime navigation”. In: Journal of Navigation 62.2 (2009), pp. 173–187. DOI: 10.1017/S0373463308005213.
[16] Stanisław Gucma and Wojciech Ślączka. “Comprehensive method of formal safety assessment of ship manoeuvring in waterways”. In: Scientific Journals of the Maritime University of Szczecin 54.126 (2018), pp. 110–119. URL: https://repository.am.szczecin.pl/handle/123456789/2473 (visited on 04/16/2023).
[17] Muhammet Gül and Erkan Çelik. “Fuzzy rule-based Fine-Kinney risk assessment approach for rail transportation systems”. In: Human and Ecological Risk Assessment: An International Journal 24.7 (2018), pp. 1786–1812. ISSN: 1080-7039. DOI: 10.1080/10807039.2017.1422975.
[18] Todd E. Humphreys et al. “Assessing the spoofing threat: Development of a portable GPS civilian spoofer”. In: Proceedings of the 21st International Technical Meeting of the Satellite Division of The Institute of Navigation (ION GNSS 2008). ION, 2008, pp. 2314–2325. URL: https://www.ion.org/publications/abstract.cfm?articleID=8132 (visited on 04/16/2023).
[19] IEC. IEC 63154 Maritime navigation and radiocommunication equipment and systems - Cybersecurity - General requirements, methods of testing and required test results. Geneva, Switzerland, 2021.
[20] IMO. International Safety Management (ISM) Code: Part A Chapter 10 Maintenance of the ship and equipment. London, UK, 2008.
[21] IMO. MSC 105/8/2 Measures to enhance maritime security. Voluntary cyber risk management guidelines for shipboard operational technology (OT) systems. London, UK, 2022.
[22] IMO. Resolution MSC.252(83) Adoption of the revised performance standards for Integrated Navigation Systems (INS), Introduction, Contents, Module AB. London, UK, 2018.
[23] IMO. Resolution MSC.428(98) Maritime cyber risk management in Safety Management Systems. London, UK, 2017.
[24] iTrust. Guidelines for cyber risk management in shipboard operational technology systems. 2022. URL: https://itrust.sutd.edu.sg/news-events/news/guidelines-for-cyber-risk-management-in-shipboard-ot-systems/ (visited on 04/16/2023).
[25] Georgios Kavallieratos and Sokratis Katsikas. “Managing cyber security risks of the cyber-enabled ship”. In: Journal of Marine Science and Engineering 8.10 (2020), p. 768. DOI: 10.3390/jmse8100768.
[26] Georgios Kavallieratos, Sokratis Katsikas, and Vasileios Gkioulos. “Cyber-attacks against the autonomous ship”. In: Computer Security. Ed. by Sokratis K. Katsikas et al. Vol. 11387. Lecture Notes in Computer Science. Cham: Springer International Publishing, 2019, pp. 20–36. DOI: 10.1007/978-3-030-12786-2_2.
[27] Gary C Kessler, J Philip Craiger, and Jon C Haass. “A taxonomy framework for maritime cybersecurity: A demonstration using the Automatic Identification System”. In: TransNav: International Journal on Marine Navigation and Safety of Sea Transportation 12.3 (2018), p. 429. DOI: 10.12716/1001.12.03.01.
[28] G. Fine-Kinney and A. D. Wiruth. Practical risk analysis for safety management. China Lake, California, USA, 1976. URL: https://apps.dtic.mil/sti/citations/ADA027189 (visited on 04/16/2023).
[29] Mass Soldal Lund, Odd Sveinung Hareide, and Øyvind Jøsok. “An attack on an Integrated Navigation System”. In: Necesse 3.2 (2018), pp. 149–163. DOI: 10.21339/2464-353x.3.2.149.
[30] Mass Soldal Lund et al. “Integrity of Integrated Navigation Systems”. In: 2018 IEEE Conference on Communications and Network Security (CNS). IEEE, 2018. DOI: 10.1109/CNS.2018.8433151.
[31] B. Malekmohammadi and L. Rahimi Blouchi. “Ecological risk assessment of wetland ecosystems using Multi Criteria Decision Making and Geographic Information System”. In: Ecological Indicators 41 (2014), pp. 133–144. ISSN: 1470-160X. DOI: 10.1016/j.ecolind.2014.01.038.
[32] Per Håkon Meland et al. “A retrospective analysis of maritime cyber security incidents”. In: TransNav: International Journal on Marine Navigation and Safety of Sea Transportation 15 (2021). DOI: 10.12716/1001.15.03.04.
[33] Per Håkon Meland et al. “Assessing cyber threats for story-less systems”. In: Journal of Information Security and Applications 64 (2022), p. 103050. ISSN: 2214-2126. DOI: 10.1016/j.jisa.2021.103050.
[34] Voltaire Network. What spooked the USS Donald Cook so much in the Black Sea? 2014. URL: https://www.voltairenet.org/article185860.html (visited on 04/16/2023).
[35] NIST. Guide for conducting risk assessments. Gaithersburg, MD, USA, 2012. DOI: 10.6028/NIST.SP.800-30r1. URL: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf.
[36] OCIMF. Safety critical equipment and spare parts guidance. 2018. URL: https://www.ocimf.org/document-libary/93-safety-critical-equipment-and-spare-parts-guidance/file (visited on 04/16/2023).
[37] Aybars Oruc. “Claims of state-sponsored cyber attack in the maritime industry”. In: The International Naval Engineering Conference and Exhibition (INEC 2020). 2020.
[38] Aybars Oruc. “Cybersecurity risk assessment for tankers and defence methods”. MSc. Istanbul, Turkey: Piri Reis University, 2020. URL: http://openaccess.pirireis.edu.tr/xmlui/handle/20.500.12960/52?locale-attribute=en (visited on 04/16/2023).
[39] Aybars Oruc, Ahmed Amro, and Vasileios Gkioulos. “Assessing cyber risks of an INS using the MITRE ATT&CK framework”. In: Sensors 22.22 (2022). DOI: 10.3390/s22228745.
[40] Aybars Oruc, Vasileios Gkioulos, and Sokratis Katsikas. “Towards a Cyber-Physical Range for the Integrated Navigation System (INS)”. In: Journal of Marine Science and Engineering 10.1 (2022), p. 107. DOI: 10.3390/jmse10010107.
[41] Celia Paulsen and Patricia Toth. Small business information security: The fundamentals. Gaithersburg, MD, USA, 2016. DOI: 10.6028/NIST.IR.7621. URL: https://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf (visited on 04/16/2023).
[42] Wenli Shang et al. “Information security risk assessment method for ship control system based on Fuzzy Sets and Attack Trees”. In: Security and Communication Networks (2019). ISSN: 1939-0114. DOI: 10.1155/2019/3574675.
[43] Boris Svilicic et al. “A study on cyber security threats in a shipboard Integrated Navigational System”. In: Journal of Marine Science and Engineering 7.10 (2019), p. 364. DOI: 10.3390/jmse7100364.
[44] Boris Svilicic et al. “Maritime cyber risk management: An experimental ship assessment”. In: Journal of Navigation 72.5 (2019), pp. 1108–1120. DOI: 10.1017/S0373463318001157.
[45] Boris Svilicic et al. “Towards a cyber secure shipboard radar”. In: Journal of Marine Science and Engineering 7.10 (2020). DOI: 10.1017/S0373463319000808.
[46] Kimberly Tam and Kevin Jones. “MaCRA: a model-based framework for maritime cyber-risk assessment”. In: WMU Journal of Maritime Affairs 18.1 (2019), pp. 129–163. DOI: 10.1007/s13437-019-00162-2.
[47] UMT. Severity, Exposure & Probability (SEP) risk assessment model. URL: https://winapps.umt.edu/winapps/media2/wilderness/toolboxes/documents/safety/Severity,%20Exposure%20&%20Probability%20(SEP)%20Risk%20Assessment%20Model.pdf (visited on 04/16/2023).
[48] UNCTAD. Review of maritime transport 2021. New York, USA, 2021. URL: https://unctad.org/webflyer/review-maritime-transport-2021 (visited on 04/16/2023).