
WMU Journal of Maritime Affairs, Volume 18, Issue 3, pp 509–520

Assessing ship cyber risks: a framework and case study of ECDIS security

  • Boris Svilicic
  • Junzo Kamahara
  • Jasmin Celic
  • Johan Bolmsten
IAMU Section Article

Abstract

The growing reliance of the shipping industry on information and communication technologies places a high premium on cyber risk management. The International Maritime Organization has required that the approved safety management systems of ships be improved to incorporate cyber risk management no later than the first annual verification of a shipping company’s document of compliance following 1 January 2021. In this paper, we present a framework for assessing cyber risks that affect the safe operation of ships. The framework relies on an on-board survey to identify existing safeguards, cyber security testing to detect vulnerabilities and threats, and determination of the cyber risk level. The cyber security testing of the ship’s critical systems and assets, as the specific part of the framework, is introduced and studied. The cyber security testing method is based on computational vulnerability scanning and penetration testing techniques, and is aligned with the upcoming maritime standard IEC 63154. As a case study, the cyber security of a shipboard Electronic Chart Display and Information System (ECDIS) was tested using an industry vulnerability scanning tool.

Keywords

Maritime cyber risk management; Ship security assessment; Ship cyber critical systems; Cyber risk assessment; Assessment framework; Cyber security testing

Notes

Funding information

The research was financially supported by the University of Rijeka under the research project Cyber Security of Maritime ICT-Based Systems (grant number: uniri-tehnic-18-68).


Copyright information

© World Maritime University 2019

Authors and Affiliations

  1. Faculty of Maritime Studies, University of Rijeka, Rijeka, Croatia
  2. Graduate School of Maritime Sciences, Kobe University, Kobe, Japan
  3. World Maritime University, Malmö, Sweden
