MARITIME CYBERSECURITY
Shipping Industry Plan
Björn John Praestegaard Larsen
a20bjola@student.his.se
Supervisor: Ali Padyab
Examiner: Rose-Mharie Åhlfeldt
Date of examination: 2022-06-23
Master Degree Project (120 ECTS) in Informatics
with a specialisation in
Privacy, Information and CyberSecurity
30 ECTS
Master Degree Project
Spring term 2022
ABSTRACT
Cybersecurity management within the maritime industry is unfortunately still a
widely overlooked topic. This project examines the current cybersecurity status
from a technological perspective and then identifies the need for a Maritime
Computer Incident Response Team (MCIRT); this work provides a complete
template for constructing such a team, with emphasis on shipping organisations
that operate a fleet of vessels. The study continues by providing a generic
Maritime CyberSecurity Strategy (MCSS). Both entities are designed for the
maritime industry and shipping corporations in particular, and the strategy
includes all the vital steps to initiate, implement, evaluate and continue to evolve
it. The results conclude that in all cases, education must be considered the most
vital ingredient for a successful MCIRT and MCSS.
ABBREVIATIONS
AAA: Authentication, Authorisation, and Accounting
AIS: Automatic Identification System
ARP: Address Resolution Protocol
ARPA: Automatic Radar Plotting Aid
ASM: Advanced Sensor Module
BAMS: Bridge Alert Management System
BMP: Best Management Practices
BNWAS: Bridge Navigational Watch Alarm System
BYOD: Bring Your Own Devices
CCR: Cargo Control Room
CCTV: Closed-Circuit Television
CERT/CC: CERT Coordination Center
C-ES: Cyber-Enabled Ship
CIRT: Computer Incident Response Team
CVSS: Common Vulnerability Scoring System
DDoS: Distributed Denial of Service
DHCP: Dynamic Host Configuration Protocol
DNS: Domain Name Service
DOAJ: Directory of Open Access Journals
DoS: Denial of Service
DP: Dynamic Positioning
DS: Differentiated Services
DT: Dwell Time
DVD: Digital Versatile Disc
ECDIS: Electronic Chart Display and Information System
EH: Extension of Headers
ENISA: European Network and Information Security Agency
EUMSS: EU Maritime Security Strategy
FAL: Facilitation Committee
GMDSS: Global Maritime Distress and Safety System
GNSS: Global Navigation Satellite System
GPS: Global Positioning System
GT: Gross Tonnage
HCS: Heading Control System
HMI: Human-Machine Interface
HTF: Hierarchical Taxonomic Framework
HTTP: Hypertext Transfer Protocol
HTTPS: Hypertext Transfer Protocol Secure
IBS: Integrated Bridge System
ICMP: Internet Control Message Protocol
ICPS: Industrial Cyber-Physical System
ICS: Industrial Control Systems
IDS: Intrusion Detection Systems
IEC: International Electrotechnical Commission standard
IMO: International Maritime Organization
IoC: Indicators of Compromise
IoE: Internet of Everything
IoMT: Internet of Medical Things
IoT: Internet of Things
IP: Internet Protocol
IPS: Intrusion Prevention Systems
IPV4: Internet Protocol Version 4
IPV6: Internet Protocol Version 6
ISO: International Organisation for Standardization
IT: Information Technology
JSON: JavaScript Object Notation
KPI: Key Performance Indicators
LAN: Local Area Network
LEG: Legal Committee
MAC: Media Access Control
MCIRT: Maritime Computer Incident Response Team
MCSS: Maritime CyberSecurity Strategy
MiTM: Man-in-The-Middle attack
MSC: Maritime Safety Committee
MTTC: Mean Time to Contain
MTTD: Mean Time to Detect
MTTR: Mean Time to Respond
NVD: National Vulnerability Database
NSA: National Security Agency
NVS: Non-Volatile Storage
OT: Operational Technology
PLC: Programmable Logic Controllers
PMS: Property Management System
RAM: Random Access Memory
SAR: Search And Rescue
SCADA: Supervisory Control And Data Acquisition
SIEM: Security Information and Event Management
SNMP: Simple Network Management Protocol
SOAR: Security Orchestration, Automation and Response
SOC: Security Operations Centre
SSAS: Shipboard Security Alarm Systems
TAP: Test Access Port
TCP: Transmission Control Protocol
TMPFS: Temporary File System
TTL: Time-To-Live
TTP: Tactics, Techniques, and Procedures
UDP: User Datagram Protocol
USB: Universal Serial Bus
VDR: Voyage Data Recorder
VINS: Vessel Integrated Navigation System
VLAN: Virtual Local Area Network
VoIP: Voice over Internet Protocol
VPN: Virtual Private Networks
Wi-Fi: Wireless Fidelity
TABLE OF CONTENTS
1 Introduction ................................................................................................... 1
1.1 Problem definition ................................................................................... 2
1.2 Aim ............................................................................................................ 3
1.3 Research question .................................................................................... 3
1.4 Expected results ....................................................................................... 4
1.5 Importance ............................................................................................... 4
2 Background ................................................................................................... 5
2.1 IT and OT, what's the difference? ............................................................. 5
2.2 Maritime cybersecurity ............................................................................ 5
2.3 Socio-technical introduction .....................................................................7
2.4 Network attacks and hacking .................................................................. 9
2.5 Voyage Data Recorders ........................................................................... 13
3 Method ......................................................................................................... 14
3.1 Motivation ............................................................................................... 14
3.2 Validity ..................................................................................................... 15
3.3 Reliability................................................................................................. 16
3.4 Literature review ..................................................................................... 16
3.4.1 Search criteria ................................................................................ 16
3.4.2 Search terms .................................................................................. 17
3.5 Design science ......................................................................................... 19
3.5.1 MCIRT ............................................................................................ 19
3.5.2 MCSS ............................................................................................. 20
4 Results ......................................................................................................... 23
4.1 Literature review .................................................................................... 23
4.1.1 Maritime cybersecurity ................................................................ 23
4.1.2 Industrial control systems ............................................................ 26
4.1.3 Critical systems ............................................................................. 30
4.2 Design science ........................................................................................ 33
4.2.1 MCIRT ........................................................................................... 34
4.2.2 MCSS ............................................................................................. 40
4.3 Joint results ............................................................................................ 65
5 Discussion ................................................................................................... 66
5.1 Previous research ................................................................................... 66
5.2 Implementation...................................................................................... 68
5.3 Ethical ..................................................................................................... 68
5.4 Societal .................................................................................................... 69
6 Conclusion .................................................................................................... 71
6.1 Future studies ......................................................................................... 72
References ............................................................................................................. 74
Page 1 of 95
1 INTRODUCTION
Nations, corporations, and individuals are usually what is thought of when
considering cybersecurity incidents. Normally an individual would quickly
visualise the effects of such attacks as having a huge impact on those subjected
to them (O'Neill et al., 2021): a corporation whose business secrets are posted
all over the internet, a small local council that has been forced to spend a large
part of its budget on a massive ransom to regain control over its infrastructure,
or an individual who is the victim of identity theft. Indeed, these are terrible
scenarios which happen every day and which can have enormous consequences
for those subjected to them. The reason for these attacks might be anything from
pure curiosity to a political agenda and, in the case of the maritime environment,
extortion or piracy. Still, the most common motive for a hacker attack so far
seems to be pure financial gain, where ransomware is the most favoured choice of
attack to achieve this (Cartwright et al., 2019).
Cybersecurity is continuously changing, and for some time now the threat
landscape has shifted; defenders must become knowledgeable about how the
cyber domain crosses into maritime, land, air, and space (Dawson, 2021). Not
surprisingly, the marine industry is not thought about much by those who are not
directly involved in it or who do not live in close proximity to a seaport. Still, it
is the basis of modern society: raw materials such as oil, iron and grain are
supplied and consumer products from all over the world are shipped back and
forth, making it one of our most crucial means of transporting goods, and with
what seems like a never-ending increase in consumer demand, the container
shipping industry is growing every day (Hemminghaus et al., 2021; Kessler et al.,
2018). With this, the shipping industry is of course experiencing continuous
technical advancement, and one look at the bridge of a modern container ship
will confirm that it is heavily dependent on modern technology to function.
Historically there has been an advancement from the mechanical revolution, the
industrial revolution and the computer and automation revolution to arrive at
this point in time where humanity is now being launched into the Cyber Physical
Revolution, also known as Industry 4.0 (Jazdi, 2014). This revolution will
demand a whole new level of hyperconnected devices, which are emerging with
the Internet of Things (IoT) and the Internet of Everything (IoE), and the
possibilities for what can be accomplished are now being continuously challenged
(Dawson, 2021; Bai et al., 2020; Xu et al., 2018).
Autonomous shipping is one such area which is currently being pushed forward
by Industry 4.0, as the future of shipping will most likely not look anything like it
does today (Senčila and Kalvaitienė, 2019). Since 2019 there have been several
projects in the making which are aimed towards autonomous shipping; in this
race for future markets the Norwegian corporation Yara International ASA has
taken the lead with its ship named Yara Birkeland. This is an internationally
famous vessel which is currently being produced and which is planned to be in
full service during 2022. The Yara Birkeland is striving to become the first
electric and fully autonomous container vessel in the world (Yara, 2022).
1.1 PROBLEM DEFINITION
The maritime industry is vulnerable to cyber-attacks (Jensen, 2015). Not
surprisingly, maritime cybersecurity has become an urgent matter. Security
breaches have threatened the marine environment by causing situations where
important Operational Technology (OT) has stopped working, and the costs
incurred by shipping companies as a direct effect of this are counted in hundreds
of millions of dollars (McGillivary, 2018).
There are numerous parameters which make the maritime industry exposed to
cybersecurity breaches. Many of these are the same threats that non-maritime
industries are subject to, and a few are unique to ships. The continuously
expanding usage of Information Technology (IT), together with the OT
equipment on which a ship relies, builds a vulnerable environment. Consider the
potential corruption or failure of any of the following: the Vessel Integrated
Navigation System (VINS); the Global Positioning System (GPS); the Automatic
Identification System (AIS), which has been a standard installation on hundreds
of thousands of vessels all over the world since 2002 (Balduzzi et al., 2014); the
Heading Control System (HCS), which enables the ship to keep a pre-set heading
and is also known as an autopilot (Hareide et al., 2018); the Electronic Chart
Display and Information System (ECDIS), on which a ship is heavily dependent
(Svilicic et al., 2020); the Integrated Bridge System (IBS), which is connected to
almost every other OT unit onboard a ship (Awan and Ghamdi, 2019); the Bridge
Alert Management System (BAMS), which notifies the crew when navigation is
being compromised (Hemminghaus, 2021); or the manipulation or loss of
functionality of the Global Navigation Satellite System (GNSS). Any of these
could be absolutely devastating for a ship and in many cases could cause damage
to the ship, the crew, the cargo and even the environment (Uğurlu et al., 2018).
Figure 1 shows an example of a modern bridge layout.
One issue which is widely debated concerns the introduction of the GNSS and
the more frequently used GPS device. This has changed the maritime industry at
its core; indeed, the GNSS services which provide an exact position for a vessel
in real time have proven themselves a seafaring revolution (Akpan et al., 2022).
Any navigator should know that there are some vulnerabilities, signal
interference and the expected level of accuracy being two of these (Grant et al.,
2011). This has become a discussion topic amongst those who claim that the skill
of navigation has deteriorated due to navigators being overly dependent on GNSS
(Glomsvoll and Bonenberg, 2017; Hareide et al., 2018; Norris, 2010), something
that makes the GPS unit a very crucial device.
Figure 1: An example of a modern bridge layout
To make matters even more complicated, there is a social problem between
different stakeholders when it comes to communication, cooperation, and
onboard culture. It has been noticed that onboard crew and onshore
management have been dealing with these issues in the past, which has proven
to be a major obstacle to achieving common goals (Poulsen and Sornn-Friese,
2015). In addition, there seems to be a misconception regarding the seriousness
of cybersecurity, as revealed by the following statistics on the attitude of people
in the shipping industry toward cybersecurity. The Nautical Institute HE Alert!
surveyed more than 450 security officers employed by shipping companies, 100
officers on board ships, 25 heads of IT departments, and Chief Information
Officers (CIO) about cybersecurity threats and how to mitigate them (Avanesova
et al., 2021). The outcome, according to Avanesova et al. (2021), was as follows:
67% responded that cyberthreats are not serious.
53% of respondents reported that they provide IT security policies onboard
their vessels.
91% of respondents do not have the training to deal with cyber threats.
1.2 AIM
The aim of this study is to identify common cybersecurity management
challenges amongst industry vessels and their onboard IT and OT environments,
as well as the socio-technical impact which can be found within the shipping
industry. By doing so, this study will provide the foundation upon which generic
mitigating procedures can be manifested in the form of artefacts such as the
MCIRT and an MCSS base to support the MCIRT in its efforts to prevent
vulnerabilities from being exploited by external sources.
As far as this work has been able to verify, there have been no documented
attempts to specify a Computer Incident Response Team (CIRT) for the
maritime shipping industry. There have been numerous cybersecurity strategies
developed specifically for the maritime shipping industry. These are often large
frameworks which take everything into consideration. The MCSS presented here
is a much more light-weight and easily adopted strategy, which relies on the user
to fill the four-phase cyclic framework with the necessary areas of interest. The
MCSS will function as a plan of action designed to improve the security and
resilience of the maritime shipping industry. It is a high-level top-down approach
to cybersecurity that establishes a range of cross-industry objectives and
priorities that should be achieved.
1.3 RESEARCH QUESTION
How to design and improve a classical cyber incident response team and a
cybersecurity strategy for the maritime industry?
1.4 EXPECTED RESULTS
Reading past and current research within the maritime cybersecurity field makes
it likely that several common cybersecurity issues will emerge. It is this work's
ambition, through analysing this past research and drawing conclusions based
on these prior findings, to provide the tools needed for mitigating some of these
problems by implementing a Maritime Computer Incident Response Team
(MCIRT) and a Maritime CyberSecurity Strategy (MCSS) within a shipping
organisation. The expectation is that this will contribute to securing each vessel
within the maritime organisation's fleet as well as stimulate increased
engagement with cybersecurity issues from both onboard and onshore
stakeholders.
1.5 IMPORTANCE
The lines between IT and OT have traditionally been separate, but as the
Internet has increasingly been introduced onboard ships, the two have become
increasingly connected and the lines between them have blurred. Therefore, any
disruption in the operation of the OT systems may negatively impact the safety
of the ship (BIMCO et al., 2020; Heearing et al., 2020). Identifying the common
vulnerabilities in the IT and OT environments onboard modern ships, as well as
the socio-technical entities which affect them, will allow for a better
understanding of the complexity of cybersecurity management within the
maritime industry. Through creating an MCIRT and an MCSS specifically for the
maritime industry, these considerations amongst others will be addressed. The
industry does not have a specific framework that includes appropriate tools for
evaluating cybersecurity and testing on an application level (Hemminghaus,
2021). The closest to something similar is a maritime strategy intended for
defining the EU Maritime Security Strategy (EUMSS), which among other
initiatives focuses on risk analysis and the enhancement of the resilience of
critical maritime infrastructure within EU shipping (DG MARE, 2022).
There is no doubt that this document will provide a valuable tool, either as a
foundation for future research in this area or through providing artefacts which
address the most common maritime cybersecurity vulnerabilities and suggest
mitigations for them. The importance of this cannot be stressed enough, since
past research strongly indicates that there are numerous areas within the
industry which need to be strengthened in terms of cybersecurity.
2 BACKGROUND
The topic of maritime cybersecurity ventures into a whole range of sub-areas, all
of which require certain prior knowledge for the reader to benefit from the
material. This background chapter is intended to prepare the reader for this and
to present the specific topics within which this work has identified that
additional knowledge is helpful for understanding the study in full.
2.1 IT AND OT, WHAT'S THE DIFFERENCE?
When discussing cybersecurity risks onboard ships, it is standard procedure to
divide the digital environments into two groups: OT and IT (Larsen and Lund,
2021; Lagouvardou, 2018). A simplified explanation would be that OT systems
control physical devices while Information Technology (IT) systems handle
information and data (IMO, 2017). It is well established that OT systems belong
within the cyber safety area, but merged with IT systems they become bundled
into cybersecurity (Androjna et al., 2020). For example, a crane onboard a vessel
would be considered an OT device while the ship positioning software would be
defined as an IT system. To add to the complexity, it is not uncommon that
IT/OT systems are managed remotely, even being subject to continuous
monitoring, information gathering and scheduled maintenance as well as normal
security activities, all of which can be controlled completely by third parties
(Kala and Balakrishnan, 2019).
One very important thing to remember is that the purchase of these products
may be spread between different departments. IT departments are rarely
involved in the purchase of OT equipment. This lack of merger between the
departments is indeed having an effect, since Industry 4.0 is heavily dependent
upon IT/OT synergies, and it is not surprising that a widening gap is manifesting
itself in this middle area regarding knowledgeable cybersecurity professionals
who, with their feet in both IT and OT, can provide valuable insights (Morelli et
al., 2020). Due to the interconnected IT/OT systems it is advisable to create a
multi-educated environment where IT and OT experts share their knowledge
with each other; such a setup would establish a much higher level of protection
and in doing so add substantial value to the organisation (Lagouvardou, 2018).
2.2 MARITIME CYBERSECURITY
The term cyber is often described as a myriad of interconnected networks
involving both IT and OT systems and the security factor being how to restrict
activities within such infrastructure. Although cybersecurity has always been
recognised as an important issue, in recent years it has taken on a whole new
significance. Unfortunately, it is still common for individuals to overlook
cybersecurity, even when it comes to small steps. For vessels, integrity and
security of systems are specifically important due to the high amount of money
which is involved (Pajunen, 2017).
In addition to providing significant benefits to the maritime industry,
technologies and systems such as these also pose risks to critical processes and
systems that are integral to the operation of shipping systems (IMO, 2017). The
use of cyber-technologies has become a prerequisite, even a critical part, not only
for the operation and management of a wide variety of systems and processes
onboard vessels and in ports, but also for the safety, security, and protection of
the ship, the crew, the cargo, and the marine environment (Androjna et al.,
2020). This is where cybersecurity comes in, as a toolbox filled with concepts,
policies, guidelines, risk management approaches, actions, training, best
practice and assurance, spanning the whole area of technology. This includes the
processes and techniques used to secure networks, hardware, systems and data
from being compromised, damaged, or subject to any illegal intrusion.
There are of course more specific definitions, as found for example in
International Organisation for Standardization (ISO)/International
Electrotechnical Commission (IEC) standard 27032:2012 (2012), where it is
declared that cybersecurity is the preservation of confidentiality, integrity, and
availability of information in cyberspace, a definition which is frequently
referenced within academic work. Information security, on the other hand,
comprises a large set of administrative techniques and technological solutions
which enable cybersecurity to continuously evolve and secure the organisation
and/or its individuals against threats coming from within cyberspace. Amongst
such tools are guidelines and policies, concepts and training, best practices, and
risk management together with technologies (von Solms and van Niekerk, 2013).
The maritime industry is facing some major challenges, and to ensure continuous
growth the industry needs to embrace new approaches to cybersecurity matters.
Even though the past has shown us a huge number of serious attacks on the
maritime industry, the ambition to foresee and adopt steps to secure
infrastructures still seems to be at a developing level at best (Caprolu et al.,
2020). It is recognised that IT and OT systems on board a ship are susceptible to
the same degree of hacking as systems located ashore and that such security
breaches can adversely affect the safety and security of ships, ports, marine
facilities, and other elements of maritime transportation systems.
By promoting a maritime cyber risk management approach, the International
Maritime Organisation (IMO) has taken the initiative to raise awareness about
how to tackle risks in the maritime industry. In addition to its role as a specialised
United Nations agency, the IMO is also responsible for the safety and security of
shipping and the prevention of maritime and atmospheric pollution by ships.
IMO's efforts contribute to the UN sustainable development goals. With 175
member states and to date 50 conventions and protocols, it has become the
benchmark organisation for the maritime industry's conduct. Trade and travel by
sea are considered a vital part of the IMO's mandate. Through the Maritime
Safety Committee (MSC) and with input from the Facilitation Committee (FAL)
and Legal Committee (LEG), the Organization develops appropriate regulations
and guidance to manage and mitigate any threats that could compromise
maritime security.
In response to acts or attempts of piracy or armed robbery against ships in
specific regions, the shipping industry developed Best Management Practices
(BMP) which outline the appropriate procedures to follow. The IMO supports
the Best Management Practices, and the organisation has published these
publicly. Ultimately, the objective is to support a safe and secure shipping
environment that is operationally resilient to cyber threats (IMO, 2017). To
emphasise how important cybersecurity is for the maritime industry, just
consider for a moment that you are the captain of a ship. It is night and you are
currently cruising one of the busiest sea routes in the world. Your stopping
distance is something along the lines of 2 to 3 kilometres and you are navigating
completely by digital means. Then, all of a sudden, the instruments you are
relying on turn off and you and everyone onboard are instantly in a life or death
situation through the risk of a collision with another vessel or of running aground
(Akpan et al., 2022). This consideration ought in many ways to be an adequate
answer to the question of why maritime cybersecurity matters.
2.3 SOCIO-TECHNICAL INTRODUCTION
The following will provide background knowledge surrounding the
sociotechnical aspects. This will enable an understanding of the complexity
which is present when an individual lives at his workplace, which is the reality
for any shipping crew. Furthermore, it will provide an understanding of
individual behaviour when one's privacy is reduced due to circumstances outside
one's control, which is the effect of using a corporate infrastructure for personal
internet access. The purpose of socio-technical systems theory is to clarify the
synergies between the individual, the social aspect and the technical areas
covered by professionally developed systems. Mainstream theorising suggests
that the idea should be to connect the two areas of technology and social
behaviour to advance and enhance these in conjunction with each other (Taxén,
2020). As such, it can be stated that cybersecurity is a function of the
interactions between different technical and social elements that compose
complex, adaptive socio-technical systems (Kowalski, 1994).
Over the years a huge number of systems have been invented to improve
business; Lean Six Sigma is one example of a sociotechnical system which has
been widely implemented by manufacturing businesses across the globe and
which is still a very important part of the industrial toolbox (Arumugam et al.,
2016). With the evolution of technology and with our advances within society
there are now demands to reconsider what is known about organisational design
(Pasmore, Winby, Mohrman & Vanasse, 2019). There are a lot of social
considerations within the term sociotechnical systems; figure 2 gives a good
overview of the interactions between the social and technical subsystems.
It is important to distinguish between sociotechnical systems and social
technology; the latter is the collective term for using various techniques to
accomplish social constructions. Still, they both interact. According to Mario
Bunge in his book Social Science Under Debate: A Philosophical Perspective
(Bunge, 1998), the field of social technology explores paths for keeping, updating,
changing, and conducting interchanges within society's systems, such as the
industrial, medical, and educational ones. In addition, it allows for dealing with
social issues such as unemployment, pandemics, and criminal activities.
Bunge (1998) furthermore states that social medicine, social work, management
science, normative macroeconomics, and the law are all products of social
technology. This work claims that within all these areas of the field of social
technology there are today sociotechnical systems implemented, and with this a
need for privacy which is increasing by the minute and has been doing so for the
last forty years. Humanity has today become totally dependent upon
sociotechnical systems such as those used for public distribution of civic services
(Lind, 2014). There is also another sociotechnical dependency which keeps itself
hidden in many smaller sociotechnical systems in the form of social media
applications and IoT.
People doing sports are connected to online platforms through wearable units
like watches and heart rate measurement devices. People use smartphones for
pretty much everything; in offices, sociotechnical systems help keep track of
where employees are and what they are doing, and in the average home, mobile
phones, tablet computers and laptops have become the social meeting places
where young people hang out, middle-aged people share their daily activities and
old people meet their grandchildren.
Furthermore, it is becoming increasingly popular for all kinds of home
appliances, such as fridges, stoves, washing machines and lamps, to be
connected to the internet. In the area of the Internet of Medical Things
(IoMT), privacy and security are major concerns and have so far restricted
consumer-level adoption of IoMT (Vishnu et al., 2020). Studies nevertheless
show that IoMT is already a vital part of healthcare, and forecasts predict
rising usage (Bharati et al., 2021). Community services such as public notices
about hazards and risks, and information from local emergency services such as
police, ambulance or fire departments, are today communicated through numerous
online services, most of them social media.
As the technology around us evolves ever faster, we find ourselves living in a
world that demands active digital participation from anyone who wishes to be
part of society. The time when internet usage was optional is long gone, and it
has become standard that even simple household equipment is connected to the
internet. Basic tasks in society are becoming impossible without an online
presence. Paying bills, reading a bank statement, managing insurance, seeking a
new job, even seeing a doctor about a cold or reading public government
announcements are just some examples of everyday activities that are now
simpler to do online than offline.
Figure 2: Socio technical system
2.4 NETWORK ATTACKS AND HACKING
Good general IT knowledge is assumed of anyone reading this study, but since
the subject is cybersecurity, some additional knowledge of threats against
network infrastructure should be provided. The following section gives the
reader a short breakdown of some of the more common threats and attacks against
network infrastructures.
Depending on the intention of an attack, network attacks fall into three main
categories: reconnaissance attacks, access attacks and Denial of Service (DoS)
attacks (Uma and Padmavathi, 2013). The latter is often used to make servers
malfunction and thereby prevent use of a specific service. Several terms recur
in descriptions of distributed DoS infrastructure: botnet, bots, botmaster and
handlers (Tuan et al., 2020). One way of looking at this is that networks are
digital office corridors which need more security than an actual physical
office. The reason is that the threat against a physical office is more than
likely not a constant global attack on the premises, whereas with a corporate
network the attack is ever ongoing and comes from all directions of the world.
Most of today's leading ship manufacturers and operators use the latest
information and communication technology in addition to incorporating
innovations that go beyond traditional engineering practices. The goal is to
create efficient ships with enhanced monitoring, communication and connectivity
capabilities that can be accessed and controlled remotely by onshore services
(Lagouvardou, 2018).
This demands a well thought through security plan, which in practice takes the
form of automated network monitoring technologies such as firewalls, Intrusion
Detection Systems (IDS), Intrusion Prevention Systems (IPS) and endpoint
security software (Sistla et al., 2020). Of course, these automated systems
will sometimes get things wrong and trigger alerts for authorised traffic. This
is why the cybersecurity analyst plays an important role in the process,
developing, implementing and upgrading security controls and measures. In
addition to maintaining data, monitoring security access, and protecting
electronic files and information systems from unauthorised access, modification
and destruction, security analysts are expected to manage networks and
intrusion detection systems, conduct internal and external security audits, and
determine the root cause of security breaches (Chudasama, 2021). The analysts
will of course have a full range of tools to aid them: log files, the Simple
Network Management Protocol (SNMP) and network protocol analysers, the latter
being used for network monitoring, planning and analysis of network
communication. One physical device that greatly enhances visibility is a
network Test Access Port (TAP). All network traffic streams through it,
including malformed frames, and the TAP copies this traffic to an analysing
unit while still delivering it to its destination (Svoboda et al., 2015).
Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6)
headers contain numerous fields, and since these fields are often manipulated
by attackers it is important that the cybersecurity analyst understands how to
evaluate the authenticity of their values. The IPv4 packet header contains the
following fields: version, internet header length, Differentiated Services
(DS), total length, identification, flags, fragment offset, Time-To-Live (TTL),
protocol, header checksum, source IPv4 address, destination IPv4 address, and
options and padding (Tye and Fairhurst, 2003). The IPv6 header holds fewer
fields as standard but allows for extension headers (EH), which can carry
mobility, fragmentation and other network layer information. The standard
fields are version, traffic class (priority), flow label, payload length, next
header, hop limit, source IPv6 address and destination IPv6 address (Stallings,
1996).
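As an added worked example (not code from the thesis), the following Python parses both header formats from raw bytes and applies the consistency checks an analyst would run before trusting the field values listed above: version, header length against packet length, total length against bytes on the wire, the RFC 791 header checksum, the reserved flag bit and a zero TTL or hop limit. The packet bytes are constructed inside the block, not captured from any vessel network; build_ipv4 and build_ipv6 are helpers written here only to produce that test input.

```python
"""Parse IPv4/IPv6 headers and flag field values an analyst should distrust.
Added example: the packets are constructed below, not taken from a capture."""
import struct
from ipaddress import ip_address


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over a header whose checksum field is zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(pkt: bytes) -> dict:
    """Return the IPv4 header fields plus a list of consistency findings."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (vihl, ds, total_len, ident, flags_frag, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    f = {"version": vihl >> 4, "ihl": (vihl & 0x0F) * 4, "ds": ds,
         "total_length": total_len, "id": ident, "flags": flags_frag >> 13,
         "frag_offset": (flags_frag & 0x1FFF) * 8, "ttl": ttl, "protocol": proto,
         "checksum": csum, "src": str(ip_address(src)), "dst": str(ip_address(dst))}
    findings = []
    if f["version"] != 4:
        findings.append("version field is not 4")
    if f["ihl"] < 20 or f["ihl"] > len(pkt):
        findings.append("IHL below the 20-byte minimum or beyond the packet")
    else:
        hdr = bytearray(pkt[:f["ihl"]])
        hdr[10:12] = b"\x00\x00"                      # zero the checksum field
        if ipv4_checksum(bytes(hdr)) != csum:
            findings.append("header checksum mismatch")
    if total_len != len(pkt):
        findings.append("total length does not match bytes on the wire")
    if f["flags"] & 0b100:
        findings.append("reserved flag bit set")
    if f["flags"] & 0b001 and f["frag_offset"] == 0 and total_len - f["ihl"] < 8:
        findings.append("tiny first fragment, a classic filter-evasion pattern")
    if ttl == 0:
        findings.append("TTL is zero")
    f["findings"] = findings
    return f


def parse_ipv6(pkt: bytes) -> dict:
    """Return the fixed IPv6 header fields plus a list of consistency findings."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    first, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", pkt[:8])
    f = {"version": first >> 28, "traffic_class": (first >> 20) & 0xFF,
         "flow_label": first & 0xFFFFF, "payload_length": payload_len,
         "next_header": next_hdr, "hop_limit": hop_limit,
         "src": str(ip_address(pkt[8:24])), "dst": str(ip_address(pkt[24:40]))}
    findings = []
    if f["version"] != 6:
        findings.append("version field is not 6")
    if payload_len != len(pkt) - 40:
        findings.append("payload length does not match bytes on the wire")
    if hop_limit == 0:
        findings.append("hop limit is zero")
    f["findings"] = findings
    return f


# --- constructed test input (helpers exist only to build sample packets) ---
def build_ipv4(src, dst, payload=b"", ttl=64, proto=17, flags=0, ident=1):
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                                flags << 13, ttl, proto, 0,
                                ip_address(src).packed, ip_address(dst).packed))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload


def build_ipv6(src, dst, payload=b"", next_hdr=17, hop_limit=64):
    return (struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, hop_limit)
            + ip_address(src).packed + ip_address(dst).packed + payload)


if __name__ == "__main__":
    good = build_ipv4("10.0.0.5", "10.0.0.1", b"\x00" * 8)
    forged = bytearray(good)
    forged[8] = 1                                      # TTL rewritten, checksum not fixed
    print(parse_ipv4(good)["findings"])                # []
    print(parse_ipv4(bytes(forged))["findings"])       # ['header checksum mismatch']
    print(parse_ipv6(build_ipv6("fd00::5", "fd00::1", b"\x00" * 8))["findings"])  # []
```

A checksum mismatch on its own only proves the header was altered after it was last computed; a router that rewrites TTL recomputes the checksum, so this check catches crude forgery tools and on-path tampering, not every spoofed packet. The IPv6 header has no checksum, which is why the example can only check lengths and the hop limit there.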
One common vector for IP attacks is the Internet Control Message Protocol
(ICMP), which is used to send error messages and other information related to
communication failures between IP hosts. ICMP messages of interest to attackers
are echo request and echo reply, destination unreachable, address mask reply,
redirect and router discovery; these can be used for reconnaissance and for
conducting DoS and Distributed Denial of Service (DDoS) attacks (Harshita,
2017). Other common attacks include address spoofing, Man-in-The-Middle (MiTM)
attacks (Pandey, 2014) and session hijacking (Daş et al., 2015). After the IP
header follows a transport header such as that of the Transmission Control
Protocol (TCP), which holds numerous fields for reliable delivery, flow control
and stateful communication; a connection is opened by a three-way handshake
(SYN, SYN-ACK, ACK), which is a prerequisite for data transfer. The other
common transport header is the User Datagram Protocol (UDP), a connectionless
transport layer protocol without delivery guarantees that is used, amongst
others, by the Dynamic Host Configuration Protocol (DHCP), the Domain Name
System (DNS), SNMP, media streaming and Voice over Internet Protocol (VoIP).
Neither TCP nor UDP encrypts its payload. The most common attacks on both TCP
and UDP are flood attacks.
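The half-open state created by the three-way handshake is exactly what a SYN flood exhausts. As an added example (not from the thesis), the following Python scores clients by how many handshakes they open versus complete, and separately counts half-open connections per destination port so that a flood with a different forged source address on every SYN is still caught. The log format, the addresses and the thresholds are all constructed for illustration.

```python
"""Detect SYN-flood behaviour from a log of TCP flag observations.
Added example: the log lines are constructed below, not from any real capture."""
from collections import defaultdict

# Constructed log format, one observation per line:
#   <seconds>,<src_ip>,<src_port>,<dst_ip>,<dst_port>,<flags>
# flags: "S" = SYN (client opens), "SA" = SYN-ACK (server answers),
#        "A" = final ACK from the client that completes the handshake.
BENIGN_CLIENT = ["1.00,10.0.0.5,51000,10.0.0.10,443,S",
                 "1.01,10.0.0.10,443,10.0.0.5,51000,SA",
                 "1.02,10.0.0.5,51000,10.0.0.10,443,A"]


def flood_log(attacker="198.51.100.7", n=50):
    """Constructed flood: n SYNs from one address, never completed."""
    return [f"{2 + i / 100:.2f},{attacker},{40000 + i},10.0.0.10,443,S" for i in range(n)]


def spoofed_flood_log(n=50):
    """Constructed flood with a different forged source address per SYN."""
    return [f"{3 + i / 100:.2f},203.0.113.{i},40000,10.0.0.10,443,S" for i in range(n)]


def parse_line(line):
    ts, src, sport, dst, dport, flags = line.strip().split(",")
    return float(ts), src, int(sport), dst, int(dport), flags


def syn_flood_report(lines, min_syns=20, max_completion=0.2):
    """Return findings for clients that open many handshakes but finish few,
    and for destination ports left with many half-open connections (the
    latter still works when every SYN carries a unique spoofed source)."""
    pending = {}                        # (src, sport, dst, dport) -> SYN time
    opened = defaultdict(int)
    completed = defaultdict(int)
    half_open = defaultdict(int)        # (dst, dport) -> outstanding SYNs
    for line in sorted(lines, key=lambda l: parse_line(l)[0]):
        ts, src, sport, dst, dport, flags = parse_line(line)
        key = (src, sport, dst, dport)
        if flags == "S":
            pending[key] = ts
            opened[src] += 1
            half_open[(dst, dport)] += 1
        elif flags == "A" and key in pending:
            del pending[key]
            completed[src] += 1
            half_open[(dst, dport)] -= 1
    findings = []
    for src, n in sorted(opened.items()):
        ratio = completed[src] / n
        if n >= min_syns and ratio <= max_completion:
            findings.append(("source", src, n, ratio))
    for (dst, dport), n in sorted(half_open.items()):
        if n >= min_syns:
            findings.append(("destination", f"{dst}:{dport}", n, None))
    return findings


if __name__ == "__main__":
    for finding in syn_flood_report(BENIGN_CLIENT + flood_log()):
        print(finding)
    for finding in syn_flood_report(BENIGN_CLIENT + spoofed_flood_log()):
        print(finding)
```

The per-source rule is what a firewall's connection-rate limit implements; the per-destination rule is the one to keep when sources are spoofed, which the page notes is commonplace. On a real sensor the counters would be evaluated over a sliding time window rather than over the whole log.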
The Address Resolution Protocol (ARP) broadcasts to all machines on a local
network to identify which device is using a particular IP address and retrieve
the Media Access Control (MAC) address of that host (Willems, 2021). Any device
on a network can send an unsolicited ARP reply, known as a gratuitous ARP; this
is common when a device boots up and notifies other devices of its IP and MAC
address so these can be stored in their ARP tables. Because ARP has no
authentication, this feature allows any host to claim ownership of a specific
IP address, which lets an attacker poison the ARP caches of its neighbours and
set up a MiTM attack. Tools for ARP MiTM attacks are freely available, such as
dsniff, Cain & Abel, Ettercap and Yersinia. DNS is the protocol one could call
the phonebook of the internet; its purpose is to simplify address management by
substituting a domain name for an IP address, for instance the domain name
www.google.com resolving to 216.58.211.4 at the time of writing. Security
surrounding DNS is commonly forgotten even though it is a central part of the
network and needs to be properly secured (Zdrnja, 2006).
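As an added example of the defensive side of the ARP discussion (not code from the thesis), the following Python builds and parses raw Ethernet/ARP frames and runs a passive watcher over them, the kind of logic a sensor fed by a TAP would execute. It pins known MAC addresses for critical hosts such as the gateway, learns the rest, and raises a high-severity alert when a reply claims a pinned address with a different MAC, a medium alert when a learned mapping changes, and an informational note for gratuitous replies, which are normal at boot but are also how poisoning is delivered. All addresses and frames are constructed here.

```python
"""Detect ARP cache poisoning from a stream of raw Ethernet/ARP frames.
Added example: the frames are constructed below, not taken from a capture."""
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def _ip(s):
    return bytes(int(x) for x in s.split("."))


def arp_frame(op, sha, spa, tha, tpa, eth_dst="ff:ff:ff:ff:ff:ff"):
    """Build an Ethernet II frame carrying an IPv4-over-Ethernet ARP message."""
    eth = _mac(eth_dst) + _mac(sha) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + _mac(sha) + _ip(spa) + _mac(tha) + _ip(tpa))
    return eth + arp


def parse_arp(frame):
    """Return op, sender MAC/IP and target IP, or None for non-ARP frames."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    op = struct.unpack("!H", frame[20:22])[0]
    sha = ":".join(f"{b:02x}" for b in frame[22:28])
    spa = ".".join(str(b) for b in frame[28:32])
    tpa = ".".join(str(b) for b in frame[38:42])
    return {"op": op, "sha": sha, "spa": spa, "tpa": tpa}


class ArpWatch:
    """Passive monitor over ARP traffic seen on one broadcast domain."""

    def __init__(self, protected):
        self.protected = protected            # ip -> MAC pinned by the operator
        self.learned = {}                     # ip -> first MAC observed
        self.outstanding = defaultdict(int)   # ip -> requests awaiting a reply
        self.alerts = []                      # (severity, message)

    def feed(self, frame):
        a = parse_arp(frame)
        if a is None:
            return
        if a["op"] == ARP_REQUEST:
            self.outstanding[a["tpa"]] += 1
            return
        if a["op"] != ARP_REPLY:
            return
        ip_, mac_ = a["spa"], a["sha"]
        pinned = self.protected.get(ip_)
        if pinned is not None and mac_ != pinned:
            self.alerts.append(("high", f"{ip_} claimed by {mac_}, pinned to {pinned}"))
        elif ip_ in self.learned and self.learned[ip_] != mac_:
            self.alerts.append(("medium", f"{ip_} moved from {self.learned[ip_]} to {mac_}"))
        if self.outstanding[ip_] > 0:
            self.outstanding[ip_] -= 1
        else:  # gratuitous ARP: normal at boot, but also how poisoning is delivered
            self.alerts.append(("info", f"unsolicited reply for {ip_} from {mac_}"))
        self.learned.setdefault(ip_, mac_)


def demo():
    """Constructed sequence: a legitimate exchange, then an attacker claims the gateway."""
    gw, host, evil = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:05", "de:ad:be:ef:00:01"
    w = ArpWatch({"10.0.0.1": gw})
    w.feed(arp_frame(ARP_REQUEST, host, "10.0.0.5", "00:00:00:00:00:00", "10.0.0.1"))
    w.feed(arp_frame(ARP_REPLY, gw, "10.0.0.1", host, "10.0.0.5", eth_dst=host))
    w.feed(arp_frame(ARP_REPLY, evil, "10.0.0.1", host, "10.0.0.5", eth_dst=host))
    return w.alerts


if __name__ == "__main__":
    for severity, message in demo():
        print(severity, message)
```

Pinning is the important part: a learned-only monitor trusts whichever reply it saw first, so an attacker who starts poisoning before the sensor boots is invisible to it. On switched networks the same protection is available as dynamic ARP inspection, but the watcher above still has value on the flat, unmanaged segments common in onboard OT networks.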
There is a wide range of attacks against DNS, including open resolver attacks,
stealth attacks, domain shadowing attacks and tunnelling attacks. DHCP is used
to automate the configuration of devices on IP networks. The most common DHCP
attack is the DHCP spoofing attack, staged by an unauthorised DHCP server
offering IP addresses to devices; this can result in a wrong default gateway,
wrong DNS server and wrong IP address, all of which hand the attacker a MiTM
position. The Hyper Text Transfer Protocol (HTTP) and its secure extension,
Hypertext Transfer Protocol Secure (HTTPS), are used by everyone all the time,
and because of this web-based attacks need extra focus from the analyst. Email
has become the global standard for written communication, and with this the
threat level has evolved accordingly. Today there is an enormous number of
threats against email communication: attachment-based attacks, email spoofing,
spam, open mail relay servers and homoglyph domains are just a few examples.
The best way of staying on top of this problem is through education of the end
users, since the end user is after all the last line of defence.
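Education is the last line of defence, but the homoglyph and spoofing cases just mentioned can also be caught before a message reaches the user. As an added example (not from the thesis), the following Python examines mail headers for three signs of sender impersonation: a From domain that collapses to a trusted domain once confusable characters are normalised, a domain one edit away from a trusted one, and a display name that contains a trusted domain while the real address does not. The confusables table is a small hand-made subset of the Unicode UTS #39 data, the trusted domain and every message are constructed, and a production filter would load the full table and also check SPF/DKIM results.

```python
"""Flag lookalike sender domains and display-name impersonation in mail headers.
Added example: the confusables table is a small hand-made subset of Unicode
UTS #39, and every message below is constructed."""
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Subset of confusable characters; a real filter loads the full UTS #39 table.
CONFUSABLES = {
    "rn": "m", "vv": "w",                                          # multi-character first
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",    # Cyrillic а е о р
    "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u0455": "s",    # Cyrillic с х і ѕ
    "\u0131": "i", "\u0142": "l", "0": "o", "1": "l",
}


def skeleton(domain):
    """Normalise a domain so that visually similar strings compare equal."""
    d = unicodedata.normalize("NFKC", domain.strip().lower())
    try:
        d = d.encode("ascii").decode("idna")      # expand punycode (xn--) labels
    except (UnicodeError, ValueError):
        pass                                      # already Unicode, or not IDNA
    for src, dst in CONFUSABLES.items():
        d = d.replace(src, dst)
    return d


def edit_distance(a, b):
    """Plain Levenshtein distance, enough to spot one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(raw_message, trusted_domains):
    """Return the parsed sender and a list of impersonation findings."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    from_domain = addr.rpartition("@")[2].lower()
    findings = []
    if from_domain not in trusted_domains:
        sk = skeleton(from_domain)
        for t in trusted_domains:
            tsk = skeleton(t)
            if sk == tsk:
                findings.append(f"homoglyph lookalike of {t}")
            elif edit_distance(sk, tsk) == 1:
                findings.append(f"one-edit typosquat of {t}")
        if any(t in name.lower() for t in trusted_domains):
            findings.append("display name impersonates a trusted domain")
    if reply and reply.rpartition("@")[2].lower() != from_domain:
        findings.append("Reply-To domain differs from From domain")
    return {"from": addr, "display_name": name, "findings": findings}


if __name__ == "__main__":
    trusted = ["shipco.example"]                      # constructed company domain
    for raw in ["From: Fleet Ops <ops@shipco.example>\n\nETA confirmed\n",
                "From: Fleet Ops <ops@sh\u0456pco.example>\n\nUpdate bank details\n",
                "From: \"ops@shipco.example\" <cfo.request@freemail.example>\n"
                "Reply-To: pay@other.example\n\nUrgent transfer\n"]:
        print(classify_sender(raw, trusted)["findings"])
```

The skeleton comparison is deliberately lossy: it exists to answer "would a human mistake this for our domain", not to identify the domain, so the output is a reason to quarantine or to hold the message for review rather than proof of attack.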
In addition to having a good idea of the threats and attacks commonly
encountered within networks, it is important for the reader to understand the
technique of making network communication or a certain activity look like it
originates from a trusted source, known as spoofing. It is often used in
combination with phishing and for setting up social engineering attacks, either
to trigger an activity or to collect information. There are numerous types of
spoofing attacks, among them email spoofing, caller ID spoofing, website or
domain spoofing, IP spoofing, ARP spoofing, GPS spoofing and facial spoofing.
One type of attack which usually relies on spoofing is the MiTM attack
(Chordiya et al., 2018). The consequences of becoming a spoofing victim differ
immensely depending on the purpose of the attack. In theory this might include
anything from a satellite going out of orbit to a social media user being
locked out of their account. Spoofing is a wide term covering so many different
aspects that it is hard to define a particular effect of this criminal activity.
A spoofing attack on a network by a threat agent involves manipulation of IP
addresses, DNS servers or ARP. The threat agent impersonates a victim's device
on the network in order to launch attacks, steal user data, disrupt the
network, spread malware or bypass access controls. A spoofing attack can have
dire consequences for an individual, an organisation, an institution or, in
this case, a whole fleet or an individual vessel. The impact can include loss
of sensitive personal identification information which can be used directly or
indirectly in future attacks. A successful spoofing attack could lead to a
ransomware attack that immobilises a ship completely, or to compromise of the
organisation's email system, where the threat agent can pose as a legitimate IT
employee and successfully extract information from the organisation's
managers. A compromised organisation website could be used by the threat agent
to spread malware or as part of a DDoS attack. When this happens the
organisation's reputation is damaged and customers lose confidence in the
company's brand.
This study discusses how cybersecurity shall be enforced and maintained
onboard a shipping vessel, but an enforcer of cybersecurity is expected to have
at least some knowledge of the opposition, to know the enemy. The attacker may,
but need not, be an individual, usually referred to as a hacker. This term
usually means an individual who is dedicated and technically advanced within
the information technology sector; most often these are individuals with a
strong desire to overcome any obstacle in their way. There are three commonly
defined groups of hackers. Firstly there are white hats, hackers with sound
morals and good ethics who use their skills for purely legal purposes. These
white hat hackers are often referred to as ethical hackers. Ethical hackers
identify vulnerabilities and security flaws and protect businesses from
malicious hackers. They work under the authorisation of the organisations
concerned and ensure that their hacking activities are legal and legitimate
(Chudasama, 2021). Not surprisingly, these hackers can often be found within
areas such as information and cybersecurity, many times within law enforcement
and sometimes at a national security level, and they are often mentioned as
valuable resources for securing an infrastructure.
Then there are grey hats: individuals who act without authorisation and often
break the law, yet not for personal gain or to cause havoc, but rather to draw
attention to a vulnerability or for some greater purpose. Lastly there are the
black hats, criminals without morals or ethics who conduct attacks purely for
personal gain or for other purposes such as creating chaos. The black hat will
often be part of a large criminal network acting in the corners of the internet
where information or malicious software can be bought and sold. Such software
includes tools like password crackers, network scanners, packet sniffers and
vulnerability scanners, to mention just a few. Such tools are often utilised
together with different types of attacks, such as eavesdropping, password-based
attacks, man-in-the-middle and sniffer attacks, and many more. Many of these
attacks can be detected earlier, or avoided, through the sharing of Indicators
of Compromise (IOC).
It seems that when the incentive is financial, attackers will continuously
evolve their techniques for taking control of a system no matter how many
countermeasures are applied. The advancement of ransomware attacks is without
much doubt a negative flipside fuelled by the circulation of cryptocurrencies
(Kshetri and Voas, 2017). It is probably safe to assume that attacks involving
different types of ransomware will continue for as long as the assailants can
receive anonymous payments in cryptocurrencies, because this type of currency
can make it extremely hard to find the criminals if they have set up their
cryptocurrency accounts for this purpose (Custers et al., 2020).
Access to knowledge has increased for everyone, following the technical
advancements made. This has ended the days of the single isolated computer
genius misfit who turned evil and sits in his basement hacking the Pentagon.
Today the hacker market has evolved into a modern cybercrime market involving
all types of participants, most of them well educated, with academic degrees
and solid competence networks surrounding them. These individuals are
structured and highly organised, and the groups and networks they work within
all seem to consist of criminals who show a highly professional approach to
their criminal activities (Ablon et al., 2014). Figure 3 gives a good overview
of how this structure might function.
Figure 3: Hacker network hierarchy
2.5 VOYAGE DATA RECORDERS
To better understand this work, and especially the parts connected to forensic
investigations, knowledge about the Voyage Data Recorder (VDR) is needed. This
unit is the first stop when a vessel has an incident of any kind, be it
physical or bridge related. The unit is mandatory onboard ships under
international safety regulations, can best be described as the maritime version
of an aircraft's black box, and is vital for post-incident investigations.
Essentially, a VDR records and stores critical parameters about a ship.
Information about the ship's movement, position, physical status, and command
and control is stored securely and can be retrieved at any time. From the
captured data, a root cause analysis can be performed by reconstructing the
incident scene. Figure 4 gives a basic idea of how this device functions.
International regulations regarding the safety of ships require all modern
ships to be equipped with a VDR unit. The device's main purpose is to document
all relevant data: radar images, positions, current speed and what was being
said on the bridge (Piccinelli and Gubian, 2013). Additional data is of course
also recorded, but briefly that is it. The whole idea of the VDR is that it is
supposed to be used to understand what caused an accident. Analysed from a
cybersecurity perspective, VDRs are an interesting target, since compromising
one allows for spying on a vessel's activities or for deleting data which might
be sensitive for the crew, the shipping company or a third party. Any forensic
use of VDR data therefore depends on being able to show that the recording is
complete and unaltered.
Figure 4: Voyage Data Recorder workflow
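The deletion scenario above is what tamper-evident storage is meant to expose. As an added example (not code from the thesis, and not the real VDR data format, which is invented here for illustration), the following Python links each recorded entry to its predecessor with a SHA-256 digest and verifies the chain, so that an altered entry, a deleted entry in the middle, or a truncated tail can be pointed to by index. It also shows the caveat investigators care about: truncating the newest entries is undetectable unless the chain head was reported somewhere the attacker cannot reach, such as a shore-side log.

```python
"""Tamper-evident chaining of recorder entries so that altered, deleted or
truncated records can be detected during an investigation.  Added example:
the record layout is invented for illustration and is not the VDR format."""
import hashlib
import json

GENESIS = "0" * 64


def entry_digest(prev, seq, data):
    """SHA-256 over the previous digest and the canonical JSON of this entry."""
    body = json.dumps({"seq": seq, "data": data}, sort_keys=True,
                      separators=(",", ":")).encode()
    return hashlib.sha256(prev.encode() + body).hexdigest()


def chain(records):
    """Wrap plain records into linked entries; the last digest is the chain head."""
    entries, prev = [], GENESIS
    for seq, data in enumerate(records):
        digest = entry_digest(prev, seq, data)
        entries.append({"seq": seq, "prev": prev, "data": data, "digest": digest})
        prev = digest
    return entries


def verify(entries, anchor=None):
    """Return (True, None) if the chain is intact, else (False, index of first break).
    `anchor` is the chain head last reported to shore; without it, deleting the
    newest entries is undetectable, which is why the head must leave the ship."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev:
            return False, i
        if entry_digest(prev, e["seq"], e["data"]) != e["digest"]:
            return False, i
        prev = e["digest"]
    if anchor is not None and prev != anchor:
        return False, len(entries)
    return True, None


# Constructed sample, loosely modelled on the data sources a recorder collects
SAMPLE_RECORDS = [
    {"t": "2022-03-01T10:00:00Z", "src": "gps", "lat": 57.70, "lon": 11.97, "sog": 12.4},
    {"t": "2022-03-01T10:00:01Z", "src": "ais", "mmsi": "000000000", "cog": 275.0},
    {"t": "2022-03-01T10:00:01Z", "src": "bridge_audio", "chunk": "audio-0001.wav"},
    {"t": "2022-03-01T10:00:02Z", "src": "radar", "image": "radar-0001.png"},
]


if __name__ == "__main__":
    entries = chain(SAMPLE_RECORDS)
    head = entries[-1]["digest"]
    print(verify(entries, head))              # (True, None)
    print(verify(entries[:1] + entries[2:]))  # (False, 1): record 1 deleted
    print(verify(entries[:-1]))               # (True, None): truncation passes...
    print(verify(entries[:-1], head))         # (False, 3): ...until checked against the anchor
```

A hash chain detects modification but does not prevent it: an attacker with write access and the ability to recompute digests can rebuild the whole chain. The protection comes from the anchor being published off the vessel at intervals, so any rebuilt chain disagrees with a head that was already recorded ashore.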
3 METHOD
The initial ambition of this work was to add value to the field of maritime
cybersecurity. At first this was to be done by trying to identify every
potential risk onboard a vessel, using a qualitative research approach. The
qualitative approach provides a full range of research tools such as
investigating documents, conducting surveys, performing interviews and
observing behaviour (Creswell & Poth, 2018), and it did feel like the correct
approach for such a huge topic as maritime cybersecurity. However, this was
quickly abandoned once it became clear that, given the time limit of the
project, the limited access that existed in the form of industry contacts, and
the insight that cybersecurity weaknesses within an organisation, and
especially onboard a vessel, were unlikely to be a subject for easy discussion
with corporate representatives who did not know this researcher, a different
approach was needed. It has been argued that organisations are reluctant to
admit being victims of cybersecurity incidents, fearing the loss of customer
confidence (Aggarwal and Reddie, 2018).
Design science research involves developing and validating prescriptive
knowledge as a research paradigm. In contrast to the natural sciences, design
science focuses on how things ought to be, mainly by creating artefacts which
support the goal of explaining how things ought to be (Brocke et al., 2020). In
the case of this project two different artefacts have been developed, the
MCIRT and the MCSS, where the MCSS has a supporting role towards the MCIRT,
which is the artefact subject to the greatest design changes compared to a
classical CIRT structure. To be able to build theories and ideas for the
artefacts on previous research, two separate literature reviews were conducted.
A literature review can exist in three different forms: as an end in itself, as
a component of a finalised report, or as part of a greater research project
(Knopf, 2006). The latter is the approach used for this study.
3.1 MOTIVATION
Only exposing the sociotechnical problem did not feel sufficient, and the idea
emerged of building artefacts to mitigate it, such as the MCIRT, which focuses
on involving vessel operators and providing a place for the IT/OT
representative, and by doing so creates the integrated IT and OT programme
which Lagouvardou (2018) had identified a need for in order to protect both
sides of the enterprise systems. It had also been found that onboard crew and
onshore management have had social problems (Poulsen and Sornn-Friese, 2015),
and it was assumed that this might make extensive maritime cybersecurity
strategies such as those provided by BIMCO difficult to implement; from this
the idea of a more tailored, lightweight cybersecurity strategy appeared, and
the construction of the MCSS started. The thought is not that the MCSS shall in
any way replace such strategies, but rather serve as a cyclic routine in which
an organisation, fleet or individual vessel can add whichever components feel
relevant to their environment, making the strategy relevant rather than just a
long list of items to cross off, which might feel both completely unnecessary
and plain silly: imagine a fishing vessel abiding by the same cybersecurity
strategy as a passenger ferry; it would simply not be reasonable.
In the quest for how things should be, this project set out to change the
structure of a classical CIRT and redesign it for a maritime corporate
structure, which needs to take things like mobility and remote administration
into account. It is the aim of this study to contribute significantly to
maritime cybersecurity by introducing the MCIRT and thereby inviting onboard
decision makers within a fleet to participate actively when dealing with
cybersecurity incidents. This new design, the MCIRT, also introduces a new
role, the IT/OT representative, which is intended to improve cybersecurity
onboard a vessel considerably. By supporting the MCIRT with the four-phase
structured MCSS, which puts extra emphasis on maritime cybersecurity issues,
this work strives to be a one-stop document for implementing both entities.
3.2 VALIDITY
It is of the utmost importance that validation consists of a critical
evaluation of the collected information and of how it supports a theory
(Taylor, 2013). The literature review was conducted as a survey of related work
within a specific field of study, where papers were chosen that would provide
the background knowledge needed to enable a successful implementation of the
MCIRT and MCSS. The validity of creating the MCIRT and the MCSS was in a way
reached once the past research on the topic had been read: it became clear that
the maritime cybersecurity issue is not merely technological but also involves
individuals and information (Hareide et al., 2018); that the maritime industry
is not prepared for the threats that will emerge in the future (Androjna et
al., 2020); that threats against ICSs are an ongoing battle that will not end,
only evolve (Nazir et al., 2017); and that new technology within these ICS
systems will present new threats and new vulnerabilities (Rubio et al., 2019).
The picture that emerges is one of neglect, or an "it never happens to me"
attitude. In addition, it has been revealed that the maritime industry lacks
expertise, that there is a noticeable lack of best practices (Karahalios,
2020), and that the industry does not have a specific framework designed for it
(Hemminghaus, 2021).
Furthermore, it has been concluded that ICS threats need attention, since the
growing number of sensors and actuators increases the likelihood of penetration
(Hemsley and Fisher, 2018), and that ICS security shall be taken with the
utmost seriousness, the protection of these systems being crucial (Alladi et
al., 2020). Finally, it is established that past research has mostly focused on
documentation of policies, some important know-how, ports, and OT (Awan and
Ghamdi, 2019). All this sets the stage for research into threats and
vulnerabilities, since this is one way of fighting malicious attacks against
ICSs (Angle et al., 2019). This past research also points to a serious gap, and
the major issues in most cases come down to a sociotechnical problem and of
course an economic one, as identified by McGillivary (2018) in stating that OT
which stopped working due to cybersecurity issues was running up costs counted
in hundreds of millions of dollars.
To ensure validity, the MCIRT and MCSS were presented to a Cyber Security
Engineer from Kongsberg Maritime. This engineer confirmed that the research did
indeed have value within the maritime industry. Kongsberg Maritime, the largest
marine technology company in the world, provides innovative and reliable
technology solutions across a wide range of marine industries. Headquartered in
Kongsberg, Norway, the company maintains 127 manufacturing, sales and service
centres throughout the world. This initial meeting led to an additional
meeting, which confirmed the ideas described within this work.
3.3 RELIABILITY
For the literature review, the scope focuses on papers and sources
acknowledged by the scientific community, limited as far as possible to
well-known scientific databases. The documents have been selected using prior
knowledge of the topic, combined with a critical evaluation of each paper and
its content. This study was conducted without any political, financial or other
dependencies which could influence the outcome. There are no personal biases
which might interfere with or influence the findings, and clarity has been
maintained throughout. Conducted in this way, the research provides reliable
data gathered in a scientific manner following formal academic research
procedures.
It should however be stated that creating any kind of document which is
completely without subjectivity seems an impossible task. Researchers are
influenced by their surroundings, their past experiences and ongoing research,
and none of these factors can be removed. They can however be acknowledged, and
by doing so they can at least be mitigated so as not to pose a major influence
on the results produced. In this case the literature review built up an image
of a massive global industry which past research has shown to lack the
consideration it deserves, and the focus was firmly on providing something that
would benefit the process of either mitigating or responding to cybersecurity
incidents.
3.4 LITERATURE REVIEW
The approach for the literature review has been a so-called advanced search,
using the Boolean operators AND and OR (Rowley and Slack, 2004), combined with
parentheses to establish the order in which the search statements are
evaluated by the selected search engine.
3.4.1 SEARCH CRITERIA
While searching for prior research, several specific search terms were created
that took account of misuse or dual meanings of industry terminology, and
conditions related to the topic were set, such as limitations on the document
types accepted. The timespan was limited to the years 2017 to 2022. This
selection was chosen since the maritime IT and OT industry is a technical
field, and given the rate of industry advancement it is relevant to include
only research produced within recent years. The search provider of choice has
been the university online library service, which is provided free of cost to
all students. For the search results provided by the university online
library, a filter allowing only academic journals and e-books was set. Results
returned by the university online library service were limited to the
following databases: Academic Search Premier, Business Source Premier, IEEE
Xplore Digital Library, J-Stage, ScienceDirect, Springer Nature Journals,
Springer Nature e-books and the Directory of Open Access Journals (DOAJ).
It is important to understand that there is a certain differentiation between
the terms "marine" and "maritime": "maritime" is used to describe that which is
of or related to the sea (Oxford, 2022a), which is also applicable to the term
"marine", yet the latter term also connects with life in the sea (Oxford,
2022b). It has also been noticed that the term "naval", which relates to the
navy of a country (Oxford, 2022c), is occasionally misused as a synonym for
marine or maritime. Similar terminology confusion can be found within terms
such as "ship", "vessel" or "shipping", and likewise within the IT industry
there are the terms "cybersecurity", "cyber security" or "cyber-security" and
"informationsecurity", "information security" and "information-security". To
ensure that this terminology confusion is taken into consideration, the results
must be produced using search terms based on a wider range of terminology.
3.4.2 SEARCH TERMS
Locating relevant research demands that a consistent search terminology is
used; in order to produce relevant results for the research proposal, several
search strings were used, as specified here. For the results presented for the
topic maritime cybersecurity, the following search string was used.
(cybersecurity OR cyber-security OR (cyber AND security) OR cyber OR
security) AND (critical AND infrastructures AND maritime) OR (shipping AND
4.0 AND requirements AND cyber-enabled AND Ship) OR (cyber-risk AND
assessment AND method AND ship AND systems) OR (triggering AND
mechanism AND cyber-attacks AND naval AND sensors AND systems) OR
(vessels AND issues AND challenges AND ahead) OR (assessing AND challenges
AND maritime AND navigation) OR (Appraisal AND efficiency AND piracy) OR
(marine AND network AND protocols AND risk)
The search string returned 130 English-language academic journal articles and
e-books. From these the following papers were selected using prior knowledge
of the topic, combined with a critical evaluation of each paper and its content.
Result  Title (only the end of each title survived extraction)       Author
1       … maritime sector                                             (Alcaide and Llave, 2020)
2       … ship systems                                                (Bolbot et al., 2020)
3       … industry: A cybersecurity systemic approach                 (Kechagias et al., 2022)
9       … Cyber-Enabled Ship                                          (Kavallieratos et al., 2020)
12      … and the Road Ahead                                          (Caprolu et al., 2020)
17      … industry: Reasons for raising awareness on this issue       (Zarzuelo, 2020)
43      … in Naval Sensors and Systems. Sensors                       (Leite et al., 2020)
44      … Risks.                                                      (Tran et al., 2021)
55      … Navigation                                                  (Androjna et al., 2020)
87      … efficiency: the case of piracy                              (Karahalios, 2020)
For the results presented for the topic Industrial Control Systems (ICS), the
following search string was used.
(((industrial AND control AND systems) OR ics) OR (scada OR (supervisory
AND control AND data AND acquisition))) AND ((cyber-defence AND trends)
OR (attack AND detection AND prevention AND system AND cyber-attack) OR
(assessing AND augmenting AND cybersecurity AND survey) OR (history AND
cyber AND incidents AND threats AND trends) OR (cyberattack AND trends
AND countermeasures) OR (security AND taxonomic AND framework AND
incidents AND survey) OR (survey AND attack AND detection AND cyber
physical) OR (identifying AND cyberattacks AND physical AND damage) OR
(trends AND detection AND avoidance))
The search string returned 43 English-language academic journal articles and
e-books. From these the following papers were selected using prior knowledge
of the topic, combined with a critical evaluation of each paper and its content.
Result  Title (only the end of each title survived extraction)       Author
1       … cyber-attack in industrial control systems                  (Yılmaz and Gönen, 2018)
2       … comprehensive incidents survey                              (Ahmadian et al., 2020)
3       … trends and countermeasures                                  (Alladi et al., 2020)
4       … control of industrial cyberphysical systems                 (Zhang et al., 2021)
6       … challenges, and recommendations                             (Umer et al., 2022)
8       … control systems                                             (Rubio et al., 2019)
11      … Connected Industrial Control Systems                        (Hasselquist et al., 2019)
13      … That Could Cause Ph… Industrial Control Systems             (Angle et al., 2019)
25      … Involving Industrial Control Systems.                       (Hemsley and Fisher, 2018)
27      … cybersecurity: A survey of techniques.                      (Nazir et al., 2017)
3.5 DESIGN SCIENCE
Through evaluating prior research and through discussions with industry
experts, evidence of a need for a maritime cybersecurity strategy has emerged,
and this document has evolved from the need identified for both an MCIRT and
an MCSS. The identified weak areas are communication, education and structure;
to mitigate these, an MCIRT structure specifically developed for the maritime
industry was created together with a cybersecurity strategy that has been given
the name MCSS.
3.5.1 MCIRT
To successfully implement an MCIRT within a shipping organisation, there is a
need for cybersecurity professionals who have the required competence, together
with the will to take on the responsibility for protecting all identified
assets. Conducting cross-organisation knowledge inventories is one way of
finding and caring for the competence which is already located within the
organisation. Knowledge will escape if it is not cared for; realising and
accepting this demands an organisational view that acknowledges the problem and
recognises that financial compensation, public appreciation and the ability for
continuous education and training are the absolute minimum of what is expected.
A CIRT is not a standard entity within the maritime industry, which seems
strange considering the centralised organisational structure that most shipping
companies appear to work according to. In such a case an MCIRT is suggested to
be a better-suited model, which would not only benefit the organisation as a
whole but would also provide a cybersecurity channel which could be streamlined
for helping vessels and their crew to maintain a well-functioning MCSS. When
assembling an MCIRT there are some considerations which could help ensure that
the members can work together effectively and that any gaps in expertise are
minimised. Whenever possible, members who can respond to incidents at all hours
of the day are preferred. To ensure this response, select members who have the
capability of accessing the systems on short notice and who can respond during
a wide variety of hours to ensure a timely response. To ensure constant
coverage, this can sometimes involve supplementing team members with external
resources during off hours or during holidays.
These individuals may be full- or part-time employees in other roles, but they
will be available on call in case of an emergency. It is an excellent option for
individuals with extremely specific skills which are not always needed but
which can still provide valuable assistance when necessary. It may also be
beneficial to hire remote personnel when needed, to act as advisers or external
experts in times of need. To prevent team burnout, it is important to support
and encourage team members; remember that incident response teams often deal
with highly stressful situations that require a clear focus. The first step in
constructing a functioning MCIRT for the shipping organisation is to establish
responsibilities. In this case the MCIRT will be dealing with security
breaches, viruses, and other potentially disastrous events that are, or have
the potential to become, a threat to the industry, the organisation, the fleet
or a certain vessel. Figure 5 illustrates the hierarchical structure of a
centralised MCIRT. In a classical centralised CIRT, the incident response team
serves the entire organisation as a single point of contact (Killcrece, 2003).
In this case the same approach is chosen for the MCIRT. This might at first not
seem an optimal solution for an organisation within the shipping industry,
since by its nature it has vessels which are geographically widespread, but as
a starting point it might be advisable to set up a centralised initial team
which in the long term, through mentorship, can enable more and smaller teams
to launch a distributed MCIRT across the organisation’s fleet.
Figure 5: Maritime Cyber Incident Response Team (MCIRT)
3.5.2 MCSS
The base for the MCSS is the European Network and Information Security
Agency (ENISA) cyclic approach in four steps, which is highly advisable since
it is both simple and efficient (ENISA, 2016b). This process enables a good
overview which is not overly complicated and which allows for an ongoing cyclic
process with the ambition to constantly improve the MCSS; this can be seen in
Figure 6, which illustrates the process.
Once the MCSS has been launched it is important to have scheduled reviews that
allow for reflection and improvement. An MCSS is a framework which defines how
an organisation chooses to manage maritime cybersecurity over a long period of
time. It manifests the vision and the goals of the organisation and provides
the fundamental basis which steers the direction of the strategy. The impact of
not having a cybersecurity strategy in place spans every single part of an
organisation’s infrastructure. In addition, one organisation’s lack of
cybersecurity might affect other organisations, and in the worst-case scenario
it will make an organisation a hotspot for recurring incidents. The truth of
the matter is that in our interconnected world cybersecurity is something that
concerns everyone, on a global scale. As such, an MCSS is a must in order to
accomplish a structured approach to maritime cybersecurity in a sustainable
way. There exist plenty of examples of how an on-land cybersecurity strategy
could be organised, spread across multiple industries and environments.
Amongst the most popular large frameworks is ISO/IEC 27001 (2018), the
international standard for information security management systems (ISMS). It
is a comprehensive specification for protecting and preserving information
under the principles of confidentiality, integrity, and availability, and it
embraces cybersecurity guidelines through the ISO/IEC 27032 (2012) standard.
For the North American market, it so far seems that the NIST Cybersecurity
Framework (NIST, 2022) is the number one choice of official framework; it is
provided by the United States government and is considered a state-of-the-art
strategy.
Figure 6: Four-phase recommendation for lifecycle of cybersecurity strategy
A few other examples of smaller solutions, developed by researchers, are “A
framework for an effective cybersecurity strategy implementation: Fundamental
pillars identification.” by Elkhannoubi and Belaissaoui (2015), “A holistic
cyber security implementation framework. Information Management & Computer
Security.” from Atoum et al. (2014), “Cyber security risks in globalized supply
chains: conceptual framework.” by Pandet et al. (2020), and “Security framework
for industrial collaborative robotic cyber-physical systems.” written by Khalid
et al. (2018). This study has, however, chosen to only include the absolute
minimum of what can be expected from such a strategy and then tailor its
composition for specific use within the maritime shipping industry and the
complexity which is expected to be encountered there. Every shipping
organisation differs from the others, but there are basics that no one can be
without; these basics have therefore become the foundation for the MCSS.
4 RESULTS
There is no denying that the existing cybersecurity management documentation
for the maritime industry is lean, even though it holds a high standard,
something that creates a problem in how to approach the subject for any
researcher. Three main categories of past research areas have been identified
within the existing literature on the topic: documentation of policies and
important know-how of maritime cybersecurity, cybersecurity related to ports,
and analyses of the vulnerabilities of OT (Awan and Ghamdi, 2019). In
contrast, there are plenty of technical analyses which have been made with a
focus on the cybersecurity issue. A deliberate effort has been made to try and
avoid these categories of topics, since these areas seem to be well explored
in the past and this work is aimed at exploring existing gaps and adding value
in the form of concrete tools for mitigating cybersecurity incidents, rather
than just quoting past research.
4.1 LITERATURE REVIEW
The literature review was performed in order to identify past research which
would point out maritime industry weaknesses, and it was used for producing a
firm background knowledge which allowed conclusions to be drawn, alongside the
design science method which was used for establishing scientific value for the
created artefacts.
4.1.1 MARITIME CYBERSECURITY
In maritime security, Maritime CyberSecurity (MCS) may be considered as a
component that is concerned with protecting all aspects of maritime cyber
systems, especially those associated with integrity and availability, from
cyber threats. Moreover, MCS has the objective of reducing the negative
consequences of cyber-attacks on maritime operations. Hence, the means of MCS
are not merely technological, but also consist of individuals and information
(Hareide et al., 2018).
Alcaide and Llave (2020) state that a lot of cybersecurity incidents are
created by the human factor. They set out to determine which knowledge is
needed, what training must be implemented and how the maritime environment is
affected by this. Their methodology was based on a questionnaire to evaluate
maritime personnel’s cybersecurity knowledge level. The study struggled to
recruit participants, and in the end the results of only 102 respondents were
analysed. The missing participants were blamed partly on the assumption that
sending a document via email had in some cases made the recipients worried
about receiving viruses through attached files, something that in itself
showed a certain amount of important knowledge. Secondly, the greatest reason
for the low number of participants was attributed to the lack of internet
access for those working at sea.
Bolbot et al. (2020) explore threats which occur as a direct result of the
maritime industry’s technical progress. The authors elaborate and present a
general risk assessment tool which can be incorporated for evaluation of a
vessel’s onboard IT and OT environment, with specific attention paid to
autonomous ships. The tool presented considers many attacks connected to
autonomous ships, explores compromised autonomous ship centralised controls,
and determines that multiple firewalls spread out within an environment, the
creation of zones, and expanded attack detection units will greatly minimise
vulnerability.
Kechagias et al. (2022) discuss the importance, characteristics, and risk
assessment of cybersecurity in maritime industries, together with a brief
introduction to cybersecurity and cyberspace concepts. The paper then moves on
to presenting a systemic approach to cybersecurity for maritime companies with
reference to procedures and policies. The paper claims that it is an ongoing
process for shipboard IT and OT systems to become more integrated in
cyberspace, since ships are part of cyberspace. Increasing complexity of ship
systems is recognised as a result of increasing software automation, internet
connectivity, and interconnection between systems onboard. As time goes on,
these ships will evolve to become completely autonomous ships. It is advised
that the maritime industry should recognise that this future of integrated IT
and OT systems is the norm rather than the exception, and that it will create
an increased threat landscape as cybercriminals are indeed becoming more adept
and sophisticated. Furthermore, it is stated that cybersecurity management
must operate under the assumption that no matter which security measures are
in place, there is always a means by which digital information might become
compromised.
Kavallieratos et al. (2020) provide an analysis of the security requirements
needed for the Cyber-Enabled Ship (C-ES). The authors present the Secure
Troops methodology, which merges requirements with engineering aids to create
a unified process. They carefully explore each entity used for controlling a
vessel, such as AIS, ECDIS, the Global Maritime Distress and Safety System
(GMDSS), GPS and the Advanced Sensor Module (ASM), to mention only a few. The
study concludes that it fulfilled its quest by presenting suggested security
requirements for three of the weakest areas within the C-ES system: AIS, ECDIS
and GMDSS.
Caprolu et al. (2020) identify eight different security threats that are of
specific urgency to solve. They further discuss each area and point out that
due to missing message authentication, ships are prone to GNSS spoofing
attacks. They also mention that in situations such as warfare scenarios,
sophisticated electronic tools could be used to interfere with communication,
something that could have dreadful consequences. The researchers state that
recent attacks carried out through SATCOM networks have given satellite
communication security a renewed interest. In addition, the lack of encryption
and message authentication for the AIS protocol is mentioned as a source of
potential spoofing attacks. Furthermore, the importance of securing the
software used for controlling the bridge is pointed out, since it carries a
high risk with a potentially disastrous outcome if subjected to a
cyber-attack, and it should be one of the highest priorities. The authors
additionally explain the need for mitigating malware attacks, implementing
automated safety systems and increasing communication protocol security. It is
mentioned that there is a high demand and need for technical guidelines
designed for the maritime industry.
Zarzuelo (2020) pinpoints that a significant challenge faced by the industry
is cybersecurity, and advises government policymakers to work with the private
sector to ensure that critical infrastructures such as ports are appropriately
protected, while at the same time facilitating the full development of new
technologies in a sector that has fallen behind others in embracing the
emerging Industry 4.0 world. It is acknowledged that a considerable amount of
investment has been made in IT as well as cybersecurity by port, terminal, and
maritime companies. Cybersecurity, however, has not been extended to
companies’ OT, such as Supervisory Control And Data Acquisition (SCADA)
systems. The article concludes that future work should focus on developing
methodologies for objectively assessing cyber-risks and mitigating their
effects in the port industry. Also, further studies should be conducted to
design protections against these attacks as well as recovery plans in case
cybercriminals find a method of hacking the systems.
Leite et al. (2020) present the mechanisms which a potential attacker can
utilise to take control over a radar or an AIS with the intent of
communicating with malware located onboard the ship, even though the vessel is
not connected to an external network. Through a series of attack simulations,
the authors propose a responder that utilises templates for identifying
certain patterns which are communicated to the vessel’s radar or AIS. In the
case of an attack on a vessel’s radar, the established precision is 0.90, and
in a scenario involving an attack on an AIS/ECDIS this rises to 0.93. It is
therefore suggested that such a responder will provide a certain level of
security against these attacks. The researchers finish by projecting a future
investigation into potential activities with the purpose of mitigating these
types of threats.
One of the more difficult areas within maritime cybersecurity is investigated
by Tran et al. (2021). The authors analyse a selection of current marine
network protocols and look at attack risks. Some of these protocols, such as
AIS, have well-known security weaknesses. The authors’ conclusion is that
there are protocols actively used within both the commercial and the civilian
marine sector which provide inadequate security. The researchers identified
OneNet as the latest standard for Internet Protocol (IP) networking of marine
electronic devices. The authors also conclude that even new cutting-edge
technology might have its flaws, especially when it is supposed to function
within such a challenging environment.
Androjna et al. (2020) determine that GNSS signals are an absolute necessity
for secure navigation and that any disruption of these is a direct threat to
both vessel and crew safety as well as to other ships located in the proximity
of a vessel. The authors further set out to find the unique challenges which
are encountered when attempting to enforce cybersecurity within the maritime
industry. The authors conclude that there are new cybersecurity areas at risk
of being compromised if these are not secured, especially when considering
that autonomous ships will become a future standard. Finally, it is concluded
that there are great parts of the maritime industry which are in no way
prepared for the threats that become reality when the digital world around
these vessels advances while the existing onboard technology becomes outdated.
Karahalios (2020) chooses to perform a study with a risk-based methodology in
his article. The study concludes, after having audited 315 maritime workers on
15 ships owned by 3 corporations, that there was a major lack of cybersecurity
knowledge. This resulted in serious security holes, and it was concluded that
piracy would more than likely increase were pirates to start using the
benefits of hacking. The author’s conclusion mentions the chain of events that
might occur when a land-based shipping office is hacked and could give
assailants access to vessels in traffic. The author especially addresses the
limitations which were encountered because of the industry’s missing expertise
within maritime cyber threats and the noticed lack of industry best practices
when carrying out the study.
4.1.2 INDUSTRIAL CONTROL SYSTEMS
The OT environment is crucial for the operation of vessels, and it depends on
ICS and SCADA systems (Lagouvardou, 2018). There is an ongoing need for
security improvements within all areas of ICS, something which has been
pointed out by every single source that has been researched on the subject.
Due to increased connectivity between ICSs and the internet, the threats are
both changing and increasing rapidly (Wallischeck, 2013). It is indeed a
double-edged sword that the industry is facing: on the one hand, remote access
and administration allow for more control, financial savings, and quicker
response. On the other hand, internet connectivity, or even local connectivity
pairing the ICSs with administrative networks, opens up a whole new pool of
threats and because of this puts increased demands on security. It is
therefore strongly recommended that good general ICS knowledge is acquired
before deciding to start implementing an MCSS.
Yılmaz and Gönen (2018) conduct an analysis in a testbed of one of the most
important components of the ICS, the Programmable Logic Controller (PLC). The
experiment carried out was thoroughly documented and went through three
separate phases: the attack phase, the attack observation phase, and the
attack detection phase. In short, this means that a start/stop attack,
consisting of the steps scan for the PLC, stop the PLC and start the PLC, is
carried out and the result has then been analysed. Not surprisingly, the
authors came to the same conclusion as many other researchers within this
area, that the best protection against threats is maintained by isolating the
ICS network. They do, however, as many before them, continue to explain that
this is of course not practical, and because of this work must be focused on
revealing existing vulnerabilities to secure the network against malicious
intruders. The authors conclude and confirm the need for ongoing security work
to protect ICSs. It is emphasised that the most obvious outcome of the
analysis is that by monitoring and detecting out-of-norm packets and creating
the signature and the pattern of the attack, warnings can be created for
future attacks of the same kind. This leaves the limitation of only
considering these pre-documented attacks. It is interesting research that
focuses on PLCs and establishes their vulnerabilities and the difficulties
that will be encountered while trying to protect this important ICS component.
This makes the research especially important since it adds the particulars of
PLCs.
Ahmadian et al. (2020) state in their research that it is of utmost importance
that a framework is used, due to the role ICSs have. The authors suggest that
the Hierarchical Taxonomic Framework (HTF) which they provide is used for
defining attacks and incidents in ICSs. The taxonomy presented is the result
of a study of 268 incidents that have been analysed for patterns and key
points. The ambition has been to allow for ICS improvements based on the
learned information. The authors define a set of definitions to be able to
properly present the taxonomy with the appropriate security terms and
parameters. Furthermore, the authors declare sixteen characteristics that are
to be considered when creating a security incident taxonomy. These are the
core of the taxonomy, and the authors continue to argue that the issue with
taxonomies prior to the one they are presenting is that there has been a lack
of detail. These previous taxonomies have not taken into account the full span
of characteristics needed to be able to properly classify ICS security
incidents. It is important research that concludes with its classification
and analysis of 268 ICS security incidents, which have provided an important
foundation for the visualisation of patterns and key points. These patterns
and key points will indeed aid this work in its pursuit of identifying trends
to be able to foresee future threats and to mitigate future incidents and
thereby improve ICSs.
Alladi et al. (2020) investigate past events and analyse these with the
ambition to prevent similar incidents in the future. The authors work their
way through twenty years of case studies of major attacks on ICSs, describing
in detail how the attacks have been carried out and providing ideas on how to
prevent these attacks in the future. Through comparison with other studies,
the authors try to position their research amongst its predecessors as a
top-twelve influencer within its field between 2004 and 2020. It is impossible
to be sure how accurate this is; the work has only been cited twelve times
since being published on ScienceDirect. The research does however hold value,
since it has a good list of ICS attacks such as the Stuxnet attack on the
Natanz nuclear facility, the German steel mill attack, the cyberattack on the
Ukrainian power grid, the chemical mix changed at a water treatment plant, the
watershed attack on a Saudi Arabian petrochemical plant and the NotPetya
cyberattack. In each case, the authors initially explain the goal of the
attack and then continue with a thorough description of how the attack took
place and a summary of the consequences thereof. Together with each described
attack, a solution is presented which gives a better understanding of what
went wrong in each case. The authors conclude that security regarding ICSs
shall be taken with utmost seriousness and that the protection of these
systems is crucial. The authors finish by recommending that ICSs should be
monitored and that the security surrounding them should be improved.
Zhang et al. (2021) present an exploration of which security advances have
lately been made regarding Industrial Cyber-Physical Systems (ICPSs). ICPSs
are commonly important parts in creating what is best described as ‘smart’
manufacturing systems, both physical as well as in cyberspace. The authors
mainly focus on two types of attacks, DoS and deception attacks. It should be
noted that a conventional DoS attack might make a service such as a website
unavailable, but the same attack on an ICS could have horrific consequences.
The authors do a thorough survey on attack detection, estimation, and control
of ICPSs and claim that the content of the research is substantially broader
than what can be found in existing surveys on this subject. That could very
well be the case; the authors discuss anomaly-based intrusion detection
methods, hybrid detection methods, the Kalman filtering method, the robust
filtering method, the Bayesian method and artificial intelligence-based
methods, just to mention a few. The research feels extremely relevant for
several reasons: it was published in 2021, which makes it an updated survey
made with new information at hand; the subject is current; and the authors’
conclusion provides direct recommendations on what needs to be investigated
to prevent DoS and deception attacks. Even if the term used by the authors is
ICPSs, this is still applicable in our pursuit of knowledge surrounding
threats against ICSs and how to best mitigate attacks on these systems.
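The Kalman filtering method that Zhang et al. list among the deception-attack detectors is, in its simplest form, a residual test: a filter predicts what the next sensor reading should be, and the normalised difference between prediction and measurement (the innovation) is compared against a chi-square threshold. A deception attack that silently shifts a reported value produces an innovation far outside the noise band. The following one-dimensional version is an added illustration, not code from the survey or from this thesis; the tank-level readings, the noise model, the +5.0 bias injected from sample 20 and the filter parameters are all constructed.

```python
import math

# Index from which a constructed deception attack adds a bias to the readings.
ATTACK_START = 20


def constructed_readings(n=30, true_level=50.0, bias=5.0):
    """Constructed tank-level readings: a constant level plus bounded,
    repeatable 'noise' in [-0.3, 0.3], with a bias injected from ATTACK_START.
    bias=0.0 gives an attack-free series for comparison."""
    readings = []
    for k in range(n):
        noise = 0.3 * math.sin(1.7 * k)
        injected = bias if k >= ATTACK_START else 0.0
        readings.append(true_level + noise + injected)
    return readings


def residual_detector(readings, q=0.01, r=0.25, threshold=9.0):
    """Scalar Kalman filter with a chi-square test on the innovation.

    Model: the level is constant except for process noise of variance q, and
    each reading carries measurement noise of variance r. For every sample the
    innovation e_k = z_k - x_hat and its variance S_k = P_pred + r are formed;
    e_k^2 / S_k is chi-square with one degree of freedom under normal operation,
    so threshold=9.0 corresponds to a three-sigma alarm. Returns the indices of
    samples whose normalised innovation exceeds the threshold.
    """
    x = readings[0]   # state estimate, initialised from the first sample
    p = 1.0           # estimate variance (deliberately uncertain at start)
    alarms = []
    for k, z in enumerate(readings[1:], start=1):
        p_pred = p + q              # predict: level unchanged, uncertainty grows
        innovation = z - x
        s = p_pred + r              # innovation variance
        if innovation * innovation / s > threshold:
            alarms.append(k)
        gain = p_pred / s           # update with the standard Kalman gain
        x = x + gain * innovation
        p = (1.0 - gain) * p_pred
    return alarms


if __name__ == "__main__":
    print("attack-free alarms:", residual_detector(constructed_readings(bias=0.0)))
    print("alarms with +5.0 bias from sample 20:", residual_detector(constructed_readings()))
```

Two properties are worth noting when reading the output: the alarm fires exactly at the first biased sample, and it keeps firing for only a handful of samples because the filter then adapts to the new level. A persistent, slowly ramped deception would therefore need the complementary tests the survey discusses (robust filtering, Bayesian and learning-based methods) rather than a bare residual threshold.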
Umer et al. (2022) start by declaring that within ICSs, and in order to secure
these devices, machine learning is used. This survey focuses on four machine
learning methods for detecting intrusions and anomalies: supervised,
semi-supervised, unsupervised, and reinforcement learning. Through analysing
past attacks on ICSs, it is stated that these incidents have led to the
understanding that new tools and methods are needed. It is also concluded that
ICSs are critical devices within an infrastructure and because of this they
should be protected. This being stated, there is a pressing need for tools to
defend the machine learning models employed in IDS, due to a dramatic increase
in adversarial machine-learning techniques. Finally, it is concluded that
machine learning and deep learning are techniques which have a lot of
potential in identifying cyber-attacks, be it within the physical
infrastructure of an ICS, yet it is declared that there is space for enhancing
this.
Rubio et al. (2019) state that understanding the defence technicalities which
are to be used as an initial defence is of the utmost importance. Because of
this, the authors investigate the different attack segments that are commonly
utilised. The analysis of threats covers classical threats against ICSs before
looking into the necessity of trying to foresee future threats. There is an
analysis of the IoT and cloud computing threats that exist, mentioning threats
against availability, integrity, confidentiality, and authentication. The
authors go on to discuss defence techniques at great length and point out
anomaly-based network IDS, data mining-based detection, statistical anomaly
detection, knowledge-based detection and machine learning-based detection,
concluding that the latter is not able to detect unknown threats. The authors
continue to investigate the existing products available for IDS, such as zone
separation, secure configuration, signature-based detection solutions,
honeypots, and anomaly-based detection solutions. Current and past academic
research within the area of detection and protection of ICSs is both
discussed and encouraged, and the authors look at detection mechanisms,
detection coverage and protocol analysis. It is discussed that including new
technological advances within these ICS systems will present new threats and
new vulnerabilities.
Hasselquist et al. (2019) focus on the search engine named Shodan. This search
engine allows for finding specific types of computers, webcams, routers,
servers and so on, including finding and indexing ICSs. The authors state that
unless hidden, all ICS devices might be visible through the Shodan search
engine. The research conducted uses Shodan and some other information that
has been provided to establish and present certain trends for these ICS
devices. Trends such as the percentage of ICS devices per country over time
showed that there had been a decrease in the total number of ICS devices
globally. It is however concluded that this might be an effect of
organisations learning the importance of hiding their devices. Furthermore,
the authors conclude that many of the devices that are visible to Shodan are
using old protocols, something that most probably is a consequence of old
devices being connected to the internet. This research tells us that on a
global scale, security awareness seems to be increasing, and search engines
like Shodan could be helping this progress along since they provide a service
that will scan and present an environment’s devices. It is important research
that presents an online tool, and the data that this tool can produce can be
valuable for statistical usage as well as for helping with securing
environments.
Nazir et al. (2017) survey SCADA, which is one of the more commonly known
ICSs. The authors evaluate the system’s characteristics and vulnerabilities
and provide analyses of a wide range of tools for simulation and modelling,
with a focus on intrusion, DDoS, malware injection, Modbus weaknesses and many
other areas. The article continues by describing additional tools such as
scanning tools, which are used for gathering information about ICSs.
Furthermore, the authors explain the functionality and usage of network IDS
and how it inspects the network traffic using two different approaches, either
based on signatures or on anomalies. They continue to explain that an IPS
conducts intrusion detection and tries to prevent incidents from happening.
Security Information and Event Management (SIEM) functions by collecting data
from selected utilities and presenting this in a central database for
real-time analysis. In addition, the authors also mention forensic science
for post-attack analysis. The research is relevant since it provides plenty of
information surrounding ICS security and testing. Having the background
knowledge of how these systems are currently being monitored and what tools
and techniques are available for testing an ICS environment is crucial to be
able to determine weaknesses and potential future threats. The authors
conclude that improved strategies are demanded which can enable the
appropriate protection against threats. They continue by emphasising that the
different techniques presented within their research are important
cornerstones in exposing weaknesses within ICSs such as SCADA. Finally, the
authors’ conclusion is that threats against ICSs are an ongoing battle that
will not end, only evolve.
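Two passages above describe the same pair of detection approaches from different angles: Yılmaz and Gönen turn the observed scan / stop / start sequence into a signature so that repeats of that attack raise a warning, and Nazir et al. contrast signature-based network IDS with anomaly-based IDS and describe SIEM as central collection of events for analysis. The example below runs both approaches over the same centrally collected event log, which is what a SIEM rule engine for an OT network does at its simplest. It is an added example written for this review, not code from either paper or from this thesis; the comma-separated log format, the event names (scan, plc_stop, plc_start, read_registers, write_register), the IP addresses and the 300-second correlation window are all constructed, and the two logs are labelled as a trusted learning window and a later live window.

```python
from collections import defaultdict
from datetime import datetime

# Constructed event log from a trusted learning window (not real traffic).
# Format: timestamp,src,dst,event. The engineering workstation 10.0.0.5
# legitimately stops and starts the PLC at 10.0.0.20 during maintenance.
BASELINE_LOG = """\
2022-05-01T08:00:00,10.0.0.5,10.0.0.20,read_registers
2022-05-01T08:00:05,10.0.0.5,10.0.0.20,write_register
2022-05-01T08:30:00,10.0.0.5,10.0.0.20,plc_stop
2022-05-01T08:30:20,10.0.0.5,10.0.0.20,plc_start
2022-05-01T09:00:00,10.0.0.7,10.0.0.20,read_registers
"""

# Constructed live window: an unknown host 10.0.0.99 scans two PLCs, then
# stops and restarts 10.0.0.20 within a minute, mirroring the start/stop
# pattern described above.
LIVE_LOG = """\
2022-05-01T10:00:00,10.0.0.5,10.0.0.20,read_registers
2022-05-01T10:04:00,10.0.0.99,10.0.0.20,scan
2022-05-01T10:04:01,10.0.0.99,10.0.0.21,scan
2022-05-01T10:04:30,10.0.0.99,10.0.0.20,plc_stop
2022-05-01T10:04:40,10.0.0.99,10.0.0.20,plc_start
2022-05-01T10:10:00,10.0.0.7,10.0.0.20,read_registers
"""


def parse_log(text):
    """Parse the constructed CSV log into (datetime, src, dst, event) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, src, dst, event = line.split(",")
        events.append((datetime.fromisoformat(ts), src, dst, event))
    return events


def learn_baseline(events):
    """Anomaly approach, step 1: the set of (src, dst, event) triples observed
    during a period the operators vouch for as normal."""
    return {(src, dst, ev) for _, src, dst, ev in events}


def anomaly_alerts(events, baseline):
    """Anomaly approach, step 2: anything not seen in the baseline is out-of-norm.
    This catches the unknown host regardless of what it does, but would also
    flag a brand-new legitimate workstation until the baseline is refreshed."""
    return [(ts.isoformat(), src, dst, ev)
            for ts, src, dst, ev in events
            if (src, dst, ev) not in baseline]


def signature_alerts(events, window_seconds=300):
    """Signature approach: one source that scans, then issues plc_stop followed
    by plc_start to the same PLC, all within window_seconds. A maintenance
    stop/start without a preceding scan does not match the signature."""
    by_src = defaultdict(list)
    for ts, src, dst, ev in events:
        by_src[src].append((ts, dst, ev))
    alerts = []
    for src, evs in by_src.items():
        evs.sort()
        for i, (ts_stop, dst, ev) in enumerate(evs):
            if ev != "plc_stop":
                continue
            scanned = any(e == "scan" and (ts_stop - t).total_seconds() <= window_seconds
                          for t, _, e in evs[:i])
            restarted = any(d == dst and e == "plc_start"
                            and (t - ts_stop).total_seconds() <= window_seconds
                            for t, d, e in evs[i + 1:])
            if scanned and restarted:
                alerts.append((ts_stop.isoformat(), src, dst, "start/stop attack pattern"))
    return alerts


if __name__ == "__main__":
    baseline = learn_baseline(parse_log(BASELINE_LOG))
    live = parse_log(LIVE_LOG)
    for alert in signature_alerts(live):
        print("signature:", alert)
    for alert in anomaly_alerts(live, baseline):
        print("anomaly:  ", alert)
```

Run on the constructed logs, the signature rule raises exactly one alert (the 10:04:30 stop from 10.0.0.99) and stays silent on the baseline maintenance window, while the anomaly rule raises four (every event from 10.0.0.99) and nothing for the two known hosts. That is the trade-off the two passages describe: the signature is precise but only knows this pre-documented sequence, the anomaly rule needs no prior knowledge of the attack but depends entirely on how representative the learning window was.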
Angle et al. (2019) investigate the physical vulnerabilities which are the
consequences of the demand for internet-connected ICSs that allow for remote
administration. The authors investigate how these physical components are
endangered by revisiting old threats and vulnerabilities that have caused
havoc in the past. The Aurora vulnerability, the Ukrainian power grid attack,
the Turkish pipeline and Stuxnet are the cases that are analysed. Even though
the Aurora vulnerability was not an actual attack, but rather an experiment
conducted in a lab, it shows a vulnerability which could be used to create
disruptions in a power grid. The rest of the cases lead to several important
discussions, such as the pure fact that what motivates attacks will differ
widely. Political or financial motives, or just the will to cause destruction,
are some of the motors driving attackers. As pointed out by the authors, a lot
of electronics that manage physical systems can create huge amounts of
physical damage if they are manipulated into performing actions that are
outside of what could be considered the normal process of functionality. The
authors conclude that since there is a continuous increase in cyber-attacks,
all potential threats against ICSs should be examined and evaluated
beforehand, allowing for the development of new and improved techniques that
will either eliminate the threat completely or at least lower its potential
impact. The research takes a different angle, focusing more on the actual
results of attacks and trying to reach some kind of ‘lessons learned’ status,
with the help of which the authors conclude that increased laboratory
activities, when it comes to research into threats and vulnerabilities, are
one way of fighting malicious attacks against ICSs. This is precisely why this
research is important for this literature review: it sheds light on a
different side of the matter, focusing more on the actual physical effects of
attacks and how physical experiments might help avoidance.
Page 30 of 95
Hemsley and Fisher (2018) present an analysis of publicly reported cyber
incidents involving critical infrastructure assets and the effect that these
threats have had. This is in no way a complete list, but it points out the most
well-known attacks and provides a window into ICS threats. From a historical
perspective the authors describe the Marconi wireless hack of 1903, the world's
first cyber incident, and then continue to analyse and explain numerous
incidents such as the Maroochy Water Services breach in 2000, the Turkish
pipeline explosion in 2008, the Stuxnet malware attack in 2010, the Night
Dragon malware in 2009, the New York dam attack in 2013 and many more. The
authors present a summary of past incidents in chronological order, thoroughly
explaining each incident scenario and then evaluating it and its consequences,
analysing how the threat exploited the environment, how it was identified and
removed, and what important lesson can be learned from each incident. It is in
many ways especially important research that is highly relevant in the context
of providing a historical analysis of past threats and the corresponding
incidents. The authors contribute a reflection on past weaknesses within ICSs
and give a perspective for assuming how future weaknesses might appear; as
such the research is valuable. Even though the authors do not provide any means
of mitigation, they provide important knowledge about past events. Hemsley and
Fisher highlight the most prevalent weaknesses within the industry and rank
these together with risks. They conclude that ICS threats are a problem that
needs to be managed urgently; further, they conclude that the IoT, in the shape
of sensors and actuators, is adding complexity to the problem and increasing
the likelihood of malicious penetration. The authors conclude by strongly
encouraging all infrastructure communities to prepare for and maintain
heightened vigilance against future cyber-attacks.
It should be noted that, unlike other types of cyberattacks, ICS attacks can
easily be mistaken for IT/OT failures or for mistakes made by crew members.
4.1.3 CRITICAL SYSTEMS
From the past research identified, Kavallieratos et al. (2020) concluded that
the three weakest areas within the C-ES system were the AIS, the ECDIS and the
GMDSS. Since this has been established, it is important that these three
systems are explored and explained in more detail to increase the knowledge
level; the following section covers these areas.
The IMO has adopted the AIS as a maritime navigation safety communication
system, primarily to provide vessel information for safety purposes. A vessel's
movements within transmission range can be spatially represented using AIS
data. By sending and receiving vessel information on dedicated VHF radio
frequencies, an AIS identifies and monitors maritime traffic (Kessler et al.,
2018). To improve situational awareness and make informed decisions, mariners
can display AIS information on a laptop computer, chart plotter, or other
Multi-Function Display. Figure 7 provides an overview of the communication flow
and components of the AIS system.
AIS relies on an external source of precise positioning. AIS does not specify,
nor does it depend on, which GNSS is used; AIS simply broadcasts a position
based on a feed from the ship's navigation and positioning system.
Consequently, any cybersecurity vulnerability in the vessel's GNSS system will
affect the accuracy of the AIS transmissions. The AIS system enhances safety
and improves vessel traffic management, but AIS messages are transmitted in
plaintext, which is a security risk, as anyone with a receiver can decode them
(Kessler et al., 2018). A ship's AIS signal can be divided into two classes:
AIS-A is carried by ships with a Gross Tonnage (GT) of 300 or more and by all
passenger ships, regardless of size, while small vessels and recreational
vessels use AIS-B.
An AIS message will contain the following:
- Vessel identification
- Length, breadth and type of ship
- Course and rate of turn
- Draft and cargo
- Position
- Speed
- Estimated Time of Arrival (ETA)
Since AIS was designed in the 1980s, it lacks any security properties, such as
authentication and confidentiality. It is susceptible to different attacks, such as
data manipulation, spoofing, hijacking, and DoS attacks (Caprolu et al., 2020).
Kessler (2020) writes about AIS protection and identifies that, despite being
used onboard almost every ship on the ocean, the AIS suffers from a high number
of known security issues, of which the ability to create ghost vessels, false
warnings or fake meteorological messages are only a few. He continues to
conclude that even though new AIS protocols have been presented, few actions
have been taken to secure the existing standard. Kessler finalises his
conclusion by addressing the lack of policies regulating the use of secure
methods.
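As an added example (not code from the thesis or from any cited work), the following Python encodes a constructed Class A position report into an AIVDM sentence, decodes it the way any receiver can, and flags a pair of reports from one MMSI whose implied speed is physically impossible; the MMSI, positions and the 60-knot threshold are constructed assumptions.

```python
"""Encode, decode and sanity-check AIS Class A position reports (message
type 1) carried in NMEA AIVDM sentences.  Field widths follow ITU-R M.1371;
the vessel data below is constructed for this example."""
import math

# (field, bit width, signed) for message type 1: 168 bits in total.
TYPE1_FIELDS = [
    ("type", 6, False), ("repeat", 2, False), ("mmsi", 30, False),
    ("status", 4, False), ("turn", 8, True), ("speed", 10, False),
    ("accuracy", 1, False), ("lon", 28, True), ("lat", 27, True),
    ("course", 12, False), ("heading", 9, False), ("second", 6, False),
    ("maneuver", 2, False), ("spare", 3, False), ("raim", 1, False),
    ("radio", 19, False),
]

def pack_fields(values):
    """Concatenate the fields into a '0'/'1' string (two's complement if signed)."""
    bits = ""
    for name, width, signed in TYPE1_FIELDS:
        v = values.get(name, 0)
        if signed and v < 0:
            v += 1 << width
        bits += format(v, f"0{width}b")
    return bits

def unpack_fields(bits):
    out, pos = {}, 0
    for name, width, signed in TYPE1_FIELDS:
        chunk = bits[pos:pos + width]
        pos += width
        v = int(chunk, 2)
        if signed and chunk[0] == "1":
            v -= 1 << width
        out[name] = v
    return out

def armor(bits):
    """AIVDM 6-bit ASCII armoring: 0..39 map to '0'..'W', 40..63 to '`'..'w'."""
    out = ""
    for i in range(0, len(bits), 6):
        v = int(bits[i:i + 6].ljust(6, "0"), 2)
        out += chr(v + 48) if v < 40 else chr(v + 56)
    return out

def dearmor(payload):
    bits = ""
    for ch in payload:
        v = ord(ch) - 48
        if v > 40:
            v -= 8
        bits += format(v, "06b")
    return bits

def nmea_checksum(body):
    """XOR of every byte between '!' and '*'.  This detects corruption only;
    anyone can recompute it, so it is no substitute for authentication."""
    x = 0
    for ch in body:
        x ^= ord(ch)
    return f"{x:02X}"

def encode_aivdm(values):
    body = f"AIVDM,1,1,,A,{armor(pack_fields(values))},0"
    return f"!{body}*{nmea_checksum(body)}"

def decode_aivdm(sentence):
    """Return what a plain receiver sees: no key and no signature are involved."""
    body, _, cksum = sentence[1:].partition("*")
    if nmea_checksum(body) != cksum:
        raise ValueError("bad NMEA checksum")
    f = unpack_fields(dearmor(body.split(",")[5])[:168])
    return {"mmsi": f["mmsi"], "lat": f["lat"] / 600000.0,  # 1/10000 arc-minute
            "lon": f["lon"] / 600000.0, "sog_knots": f["speed"] / 10.0,
            "cog_deg": f["course"] / 10.0, "second": f["second"]}

def implied_speed_knots(a, b, seconds):
    """Great-circle distance between two decoded reports over the elapsed time."""
    r_nm = 3440.065  # Earth radius in nautical miles
    la1, lo1, la2, lo2 = (math.radians(x) for x in
                          (a["lat"], a["lon"], b["lat"], b["lon"]))
    h = (math.sin((la2 - la1) / 2) ** 2
         + math.cos(la1) * math.cos(la2) * math.sin((lo2 - lo1) / 2) ** 2)
    return 2 * r_nm * math.asin(math.sqrt(h)) / (seconds / 3600.0)

def flag_implausible(a, b, seconds, max_knots=60.0):
    """Consecutive reports from one MMSI that imply an impossible speed are a
    classic symptom of a ghost or manipulated track and warrant investigation."""
    return a["mmsi"] == b["mmsi"] and implied_speed_knots(a, b, seconds) > max_knots

# Constructed sample: a vessel off Gothenburg, 12.3 kn, course 225 degrees.
REPORT_A = {"type": 1, "mmsi": 123456789, "status": 0, "speed": 123,
            "lon": 7182000, "lat": 34620000, "course": 2250, "heading": 225,
            "second": 30}
# 60 s later at a believable position (about 0.3 NM further east).
REPORT_B = dict(REPORT_A, lon=7188000)
# 60 s later but about 16 NM away: nothing afloat moves that fast.
REPORT_C = dict(REPORT_A, lon=7482000)

if __name__ == "__main__":
    sentence = encode_aivdm(REPORT_A)
    print(sentence)
    print(decode_aivdm(sentence))
    print(flag_implausible(decode_aivdm(sentence),
                           decode_aivdm(encode_aivdm(REPORT_C)), 60))
```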
Figure 7: Communication flow and components for the AIS system.
For a navigational officer, the ECDIS has become an important navigational tool.
The ECDIS is an alternative to paper nautical charts; it is a geographical
information system used for nautical navigation in compliance with IMO
regulations. Electronic navigation software and many modern navigational tools
are incorporated into the ECDIS (Svilicic et al., 2019a; Akpan et al., 2022).
The available functions depend on the type of charts in use at the moment. When
ships use the latest electronic navigation charts, they have access to all the
information, automation, and safety features available. It is sometimes
necessary, however, to use raster charts, which have few features. An ECDIS can
be used to access information from these sources, check tide tables and
virtually all relevant navigational information. Figure 8 provides a flowchart
that identifies the different components within the ECDIS, including GPS,
RADAR, Automatic Radar Plotting Aid (ARPA) and many more. Additionally, ECDIS
is an integral part of the ship's digitalisation in combination with other
navigational equipment, while cyber-attacks emerge as a new threat alongside
digitalisation (Park et al., 2021). Vigorous testing of ECDIS and its potential
vulnerabilities has been conducted, and the results highlighted that even if
the ECDIS software and its underlying operating system were maintained, there
was still a possibility of vulnerability due to potential weaknesses in
third-party software components (Svilicic et al., 2019b).
There are several ways to update the software and the electronic charts on an
ECDIS:
- Using physical media such as DVDs.
- Downloading from the internet.
- A SATCOM attachment via email.
Most vessels use ECDIS as an offline system, and all updates are performed using
Universal Serial Bus (USB) sticks (Hareide et al., 2018).
Figure 8: ECDIS data flow diagram.
As early as the 1990s, satellite communications and simple, yet effective,
digital messaging technologies were introduced to support distress alerts via
the GMDSS (Lagouvardou, 2018). Since then the GMDSS has been developed into a
fully integrated system embodying the most advanced communication technologies
to address the needs of all kinds of distress situations. To provide reliable
emergency alerts from ships in distress, the GMDSS network consists of a
complex of radio and INMARSAT and COSPAS-SARSAT satellite systems, solutions,
and equipment. Its purpose is to ensure that a distress message is received by
shore or by other vessels in the immediate vicinity, to determine the position
of the ship in distress, to conduct Search and Rescue (SAR) operations to
locate survivors, and to arrange for their prompt rescue (Ilcev, 2020). Figure
9 provides a detailed sketch showing the many connections that are possible for
a GMDSS unit.
It is inescapable that the areas that hinder the effectiveness of the GMDSS also
affect its operability. Based on the descriptions provided in the previous
paragraph, it is apparent that the GMDSS operator is tasked with performing
numerous lifesaving (and frequently important) functions with the assistance of
a sophisticated set of equipment, in varying combinations based upon the sea
area through which the ship is passing (Tzannatos, 2002). Nevertheless, GMDSS
technology has not significantly improved since it was implemented and some
parts have become obsolete. Because of this the system has not reached its full
potential. Therefore, at the 86th session of the IMO Maritime Safety Committee
(MSC), the committee decided in 2009 that the GMDSS would be modernised,
which is still in development (Valčić et al., 2021).
Figure 9: Global Maritime Distress and Safety System.
4.2 DESIGN SCIENCE
The new roles and structures that come with implementing the MCIRT and the
MCSS are projected to greatly enhance the overall knowledge level within the
organisation and drastically lower incident response time. These are all
important factors that will have an impact on privacy within the organisation.
To ensure that the theories behind the MCIRT and the MCSS were correct, an
expert evaluation was conducted in which a Cyber Security Engineer at Kongsberg
Maritime was consulted and the MCIRT and MCSS artefacts were presented. The
engineer concurred that the industry needed this type of tool and that
Kongsberg had in the past received requests for help with creating teams such
as a CIRT. He could also confirm that cybersecurity knowledge was unfortunately
in many cases very low onboard vessels and that on occasion this could create
major incidents.
Through further collaboration with Kongsberg, a meeting was organised for the
presentation of the MCIRT and the MCSS. The meeting was attended by a Cyber
Security Engineer and a Technical Cyber Security Specialist from Kongsberg
Maritime together with a Security Engineer and a Cyber Security Team Manager
from Kongsberg Defence & Aerospace. The meeting lasted 30 minutes: 15 minutes
were used to present the research to the cybersecurity experts and another 15
minutes were used to discuss the content. The discussion mainly concerned the
MCIRT and the role of the IT/OT representative onboard a vessel. It was
discussed and identified that the IT/OT representative would probably be an
individual with an interest in IT and OT who would likely have an additional
role onboard, but who would, for example, carry out tasks based on a Technical
Advisor's instructions.
The suggestion of an established direct contact between the onboard IT/OT
representative and the Technical Advisor on land was considered a valid point,
and it was concluded that this setup would more than likely prevent the need
for the MCIRT to be activated in many cases, since incidents would either be
mitigated or dealt with immediately by the IT/OT representative and the
Technical Advisor. Other benefits of an onboard IT/OT representative were also
discussed, such as the advantage of having someone onboard who can quickly
determine when a vessel's normal state is being compromised, or someone who
knows and understands the technical and physical construction onboard. The
group also discussed training of the IT/OT representative and was presented
with the MCSS and its educational process, which involves a competence
assessment process that should aid in establishing what type of training is
needed.
The gathered cybersecurity experts concluded that a scenario such as the one
described for the MCIRT was indeed possible and, in many ways, desirable, since
it would more than likely help mitigate cybersecurity incidents and possibly
support an increased interest in cybersecurity from the vessel's crew: once
there was cybersecurity staff onboard, such as the IT/OT representative, this
role would probably also function as a cybersecurity ambassador. It was
concluded that this socio-technical extra benefit was a good idea.
4.2.1 MCIRT
To be able to provide a team-based structure, numerous papers were studied that
provide ideas of how a CIRT should be constructed within other industries and
under other circumstances. Still, it proved difficult to find a specific list
of roles and responsibilities presented in a simplified manner that allows for
cross-industry usage. As a result, the following list of what this study
considers essential members of the MCIRT was constructed mainly from a
combination of NIST Special Publication 800-137 (Dempsey et al., 2011), the
ENISA Recruitment of CSIRT Staff, Handbook, Document for Trainers (ENISA,
2016a), past experience, logic and general knowledge regarding organisational
structure and incident management within on-land businesses. Since the list
was intended for the maritime industry, this also involved adding unique roles
such as the IT/OT Representative, the Fleet Manager, the Ship Operation Manager
and the Vessel Maintenance Manager. In all cases, the MCIRT should report to
the organisation's board of directors.
Team leader
- Decides whether a response should be initiated or not.
- Gathers the MCIRT.
- Overall management of the MCIRT.
- Acts as an interface with the board and other high-level stakeholders.
- Final decision maker in case of disagreement.
Team administrator
- Supports the MCIRT.
- Coordinates resources within the team.
- Prepares meetings and registers documents and decisions.
- Informs members about the current status when they have been absent.
- Facilitates communication via e-mail, telephone, or other methods.
- Monitors external sources of information such as news.
Manager
- Contributes with knowledge of business operations.
- Briefs other members of the team on operational issues.
- Helps to assess the probable impact on the organisation.
Press manager
- Responsible for ensuring that internal communication is effective.
- Determines the level, frequency, and content shared with news media.
- Defines ways to keep stakeholders informed.
Legal advisor
- Advises on ensuring compliance with relevant laws and regulations.
- Assesses the actual and potential legal consequences.
Incident monitor
- Is present at the scene of the incident as soon as possible.
- Assesses the extent and consequences of the event.
- Provides a first-person account of the situation for the MCIRT.
- Provides updates and answers questions required for decision making.
Technical Advisor
- Provides input on technically related problems.
- Helps with impact assessment.
Security manager
- Assesses the risk of physical damage.
- Ensures that legal responsibilities for health and safety are met.
- Collaborates with emergency services such as police, fire and medical.
- Considers environmental issues in relation to the event.
- Manages physical security and access.
- Provides a security presence when needed.
Human Resources Manager
- Assesses and provides advice on HR issues and employment contracts.
- Represents the interests of the organisation's employees.
- Consults on competence and disciplinary issues.
Business development manager
- Provides advice on business continuity and alternatives.
- Prepares and/or updates business plans if necessary.
Fleet Manager
- Responsible for providing an overview of all vessels within the fleet.
- Secures the information flow between the main office and the vessels.
Ship Operation Manager
- Maintains continuous shipping operations.
- Secures cargo operations and shipping scheduling.
- Reports transportation oversights.
Vessel Maintenance Manager
- Vessel maintenance updates.
- Secures the vessels' continuous operation.
IT/OT Onboard Representative
- Secures IT and OT operations.
- Communicates directly with the Technical Advisor.
Using resources close to the shipping operations, by including the Ship
Operation Manager and the Vessel Maintenance Manager and by appointing an
onboard IT/OT representative who has direct communication with the MCIRT
Technical Advisor, will enable a faster response time and will also ensure that
vessel operations are secured.
It is understandable that there may be a huge variety of organisational
structures and, of course, onboard cultures, but in all cases an IT/OT
representative should be a minimum staff requirement for an operating vessel.
This suggestion to permanently establish an onboard IT/OT representative should
be considered an urgent decision for the Fleet Manager: appointing one crew
member on each vessel as that vessel's onboard IT/OT representative will ensure
that elementary tasks which cannot be centralised are still carried out
onboard. This might also help to boost the crew's view of cybersecurity
awareness through onboard discussions and, from a sociotechnical point of view,
it might initiate a closer on-land/onboard relationship when an onboard crew
member assumes such a vital role.
It is suggested that such an individual does not necessarily need to have a
technical degree or even professional technical experience, but rather a strong
interest in technology and the will to learn new skills. It is important to
understand that this is a dynamic constellation: the Technical Advisor might
not be one single individual but could rather be a complete IT department or a
specific group of Technical Advisors, each with their specific area of
competence of significance to an onboard IT/OT Representative. For an example
of such a setup, see Figure 10.
As for any organisation, it might turn out to be problematic to identify either
skilled internal experts or competent specialists for hire with the needed
skillsets. In such cases it is advisable to try to establish creative
relationships with trusted experts, perhaps through industry-related
organisations or via consulting agencies, attempting to create agreements that
allow their competence to be utilised when needed (CMU, 2016).
Team members of an incident response department analyse information, discuss
observations and activities, and share important information with each other.
Each of these activities requires a certain amount of time depending on one key
question: is this a time of calm or of crisis? To review current security
trends and incident response procedures, the team should meet at least
quarterly when not actively investigating or responding to security incidents.
In all cases the MCIRT should be a dynamic team. It will be called upon when
needed, but maybe not all roles are needed at once, or maybe some roles are
only needed when a certain type of incident happens. Either way, it is
important to remain flexible and keep an agile mindset, since all organisations
are different and all incidents are different and handled in different ways.
Figure 10: Example of how a Technical Advisor group can be constructed.
A good resource for generic solutions regarding incident management can be
found in ISO/IEC 27035-1:2016 (2016), which provides standards and guidelines
related to information security incident management. A cyber incident can be
initially detected in many ways and through several different sources,
depending on the nature and location of the incident. Some events can be
detected internally via software tools used within the organisation or by users
who notice unusual activity. Others may be reported by a third party such as an
external stakeholder, a supplier or a law enforcement agency that has become
aware of a crime.
It is not uncommon for there to be a delay between the origin of the incident
and its actual discovery; here the often remote and sometimes off-grid location
of a ship might also be a parameter to consider. One of the goals of a
proactive approach to cybersecurity is to reduce this time. The most important
factor is that the incident response procedure must be started as soon as
possible after detection so that an effective response can be given. Once the
event has been detected, an initial impact assessment must be performed to
determine appropriate management.
Unfortunately, not all identified incidents are reported. There are many
different reasons for an individual not to notify management when, for
instance, a personal computer within a ship network has been compromised. The
first reason is that the individual might not even have noticed it themselves,
but culture can also have an impact: maybe the person feels shame or
embarrassment and does not wish to expose themselves by notifying their
managers; fear of being held responsible or fear of losing one's job might be
other reasons. It is, for instance, a known fact that in some cultures
employees are afraid of reporting cybersecurity incidents, or even of just
providing information regarding an incident, since this might cost them their
employment. Organisations are unfortunately often quick to point fingers and
direct shame, something that has been confirmed to make employees less likely
to report incidents (Renaud et al., 2021).
The MCIRT's main concern will be to try to stop the incident from getting
worse. In the event of a virus outbreak, this can mean disconnecting the
affected parts of the network. In the event of a hacker attack, it could mean
that certain accounts are deactivated, that ports in the firewall are closed,
or perhaps a complete disconnection of the internal network from the Internet.
The specific actions to be performed will depend on the circumstances of the
event.
Once a report of a cyber incident has been made, the person responsible must
determine whether the extent or potential effect of the incident justifies the
activation of the MCIRT. The guidelines for whether a formal activation of the
MCIRT should be done for a particular identified incident are that any of the
following apply:
- There is a direct threat to the organisation's or the fleet's infrastructure
  or to an individual vessel.
- There are significant, actual or potential disruptions in operations or
  security which affect the organisation, the fleet, its movement or any
  individual vessel.
- There are significant, actual or potential losses of classified information.
- Other situations that may have a significant impact on the organisation and
  its fleet or individual vessels.
Once the decision has been made to activate the MCIRT, the responsible manager
shall ensure that all the resources needed within the response group are
contacted and are aware of the type of incident that has occurred, and that an
initial meeting is conducted, either remotely or as a physical meeting if
possible. An incident monitor representing the team shall be appointed to
participate in the work on the incident at its geographical location. If the
incident is on board a vessel, the onboard IT/OT representative shall be
included in the MCIRT and should be instructed to begin gathering information
for the incident assessment that the MCIRT will conduct, so that an
appropriate response can be determined. In the event of disagreement or
uncertainty as to whether to activate the team, the decision of the MCIRT Team
Leader is final. If it is decided not to activate the team, a plan shall be
created to enable a less demanding response to the incident within normal
management channels. This may call for relevant procedures at the local level.
The extent of the impact on IT infrastructure, including computers, networks,
equipment, and the rest of the data environment, should be documented and
analysed. Information assets that may be at risk or have been compromised
should be identified. Furthermore, the probable duration of the event and when
it may have started shall be determined. All the areas concerned and the extent
of the impact on these should be evaluated. For violations that affect personal
data, the degree of risk to the data subjects' rights and freedoms should be
evaluated. This information must be documented so that a clear time-based
understanding of the situation becomes available for immediate use and later
review.
When the incident is taking place onboard a vessel, it is vital that all units
which are crucial for the vessel are secured and confirmed to be active. This
could involve, but is not limited to, the VINS, GPS, GNSS, AIS, ECDIS, IBS and
any other satellite communication devices. A list of information assets,
business activities, services, teams, and support processes that may have been
affected by the incident should be created together with an assessment of the
extent of the impact. As a result of this initial analysis, any member of the
impact assessment group has the authority to contact the responsible MCIRT team
leader at any time to ask them to assess whether the MCIRT should be activated.
If it is considered probable that digital evidence is needed which will later
be used in court, precautions must be taken to ensure that such evidence is
preserved (Selamat et al., 2008). This means that relevant information must not
be changed, either intentionally or unintentionally; it is therefore
recommended that specialist advice be obtained at this time. If the incident is
suspected to be intentionally initiated, precise records of the measures taken
and the evidence gathered, in accordance with the guidelines for digital
forensic science, must be maintained.
In all cases a copy of the content from the VDR should always be secured as soon
as possible.
The team leader decides, based on the latest information from the other members
of the MCIRT, at what time the MCIRT's activities shall stop. Please note that
recovery and implementation of other plans may continue beyond this point, but
under less formal guidance. The decision to cease all activities is the
responsibility of the team leader but should be based on the following criteria.
- The situation has been completely resolved or is relatively stable.
- The handling of the incident has stagnated to a point where few decisions
  are necessary.
- The appropriate response has been initiated and the recovery plans are
  developed.
- The assessment of the risks that exist for the organisation shows the risks
  reduced to an acceptable level.
- Immediate legal and administrative responsibilities have been met.
If recovery from the incident is underway, the team leader should decide on the
next action to take. These may include, but are in no way limited to, the
following.
- Less frequent meetings of the MCIRT, maybe weekly instead of daily depending
  on the circumstances.
- Inform all stakeholders that the MCIRT's activities will be discontinued.
- Ensure that all documentation from the incident is secured.
- Request that all staff not involved in further work within the MCIRT return
  to their normal duties.
After the MCIRT has finished its activities, the team leader will hold a meeting
with all members, preferably within 24 hours. The relevant incident data will be
reviewed by the MCIRT to ensure that it reflects current events and represents
a complete and accurate record of the incident. Any comments or feedback from
the team shall be documented. A more formal review after the incident will be
held at a time to be decided by management in accordance with the extent and
the type of incident. Communicating the experiences with other external MCIRTs
is highly advisable, since this might help others to prevent similar incidents
from happening at other locations. Sharing incident information across the
industry should be encouraged, since sharing, cooperation, and coordination
between industry organisations will help prevent future incidents of a similar
nature.
Having finished all activities within the MCIRT does not affect the IT/OT
representative, who should have continuous direct communication with the MCIRT
Technical Advisor. This should in all cases include, but should not be limited
to, the continuing education of the IT/OT representative. Such activities can
be one-on-one tutoring, course activities, access to knowledge databases and
regular meetings with the Technical Advisor or an appointed individual, where
the IT/OT representative can ask questions and get updates on threats and on
which activities are expected to be carried out. The process should be focused
on educating and developing a skilful and reliable IT/OT representative.
4.2.2 MCSS
One of the most important characteristics of an effective MCSS is a clear
division of roles, each with defined responsibilities. These roles must be
assigned to specific individuals or groups within the organisation and onboard
the vessels. This approach across all the shipping corporation's vessels
minimises bureaucracy and provides grounds for faster decision making. It is
important to match the right individual to the right role, and often detailed
work descriptions are needed to establish the criteria for matching a role to
an individual (Larkin and Gould, 1999). When roles and responsibilities are
defined in a formal way, everyone knows what is to be achieved, how to act and
what to do. It is important that everyone in the organisation understands the
part they must play to keep the infrastructure and its processes secure. The
risk of cyber-attacks on shipping is increasing because of digitalisation,
integration and automation of processes and systems. Stakeholders must
therefore take all preventive measures available to secure their organisation
from current and emerging threats (IMO, 2017).
Below is a short summary of each of the subchapters within the MCSS
Implementation chapter.
Phase 1 – Preparing
Discusses and shows examples of how to determine responsibilities, conduct a
risk assessment and enable asset supervision.
Phase 2 – Executing
Expands on the topic of sociotechnical concerns, elaborates on the importance
of policies and guidelines, and explains the action plan.
Phase 3 – Evaluating
Explains the process of penetration testing, the importance of Common
Vulnerabilities and Exposures (CVE) repositories and how digital forensics is
carried out.
Phase 4 – Maintaining
Describes the Security Operations Centre (SOC), discusses ways of research and
development, how to conduct competence assessment and how to build a process
for continued education and mentorship.
To ensure the fleet's integrity and its vessels' safe operation, cybersecurity
objectives must be identified. As well as the requirements of the IMO, other
internal and external stakeholder requirements should be taken into
consideration when determining the objectives. It should be emphasised that the
MCSS in no way substitutes for other cybersecurity strategies, but rather
complements them as a first point of entry or a less formal introduction to the
more detailed and comprehensive cybersecurity strategy standards available.
PHASE 1 – PREPARING
Science and research in the areas of risk assessment and risk management have
contributed significantly to the support of decision-making in practice (Aven,
2016). A risk assessment is important across all areas within an organisation
when dealing with cybersecurity (Basumatary et al., 2021). It is the source of
all the information needed to develop a functional MCSS. There are several
reasons why a risk assessment should be embraced. Firstly, and most importantly
for a vessel, a properly conducted risk assessment can reduce danger, greatly
increase safety and reduce long-term costs. Since the initial risk assessment
is not a one-time event but rather a revisited activity, doing a proper job the
first time around will provide a template for these continuous activities,
which again will increase onboard safety and reduce long-term costs (Tam and
Jones, 2019; IMO, 2017).
To conduct a cyber risk assessment it is necessary to have an inventory, network
drawings that show the system connectivity, and other information. An inventory
must be compiled of all systems and software that are considered critical for
the vessel and the organisation. For each system the following should then be
done:
An analysis of the consequences of losing confidentiality, integrity and
availability of the system.
An estimate of the likelihood of the specific system being compromised.
A ranking of the asset based on its cybersecurity risk.
Identification of barriers that need to be improved in terms of processes,
people and technology.
The risk assessment will help the ship operator decide where to invest money
and resources to protect against and avoid cybersecurity incidents. The
shipping organisation needs to be fully committed to protecting the vessels it
manages; both data and infrastructure shall be protected in accordance with the
requirements set out. The purpose of this risk assessment is to ensure that all
foreseeable risks to these digital environments are identified and that there is
a clear picture of what the consequences of a cybersecurity failure might be.
Risk assessment within cybersecurity can involve stating a numerical value for
the probability and for the effects of a risk. These values are then multiplied
to arrive at a classification level of high, medium, or low for the risk. An
estimate of the likelihood that a risk will arise must be made. This should
consider whether it has happened before, either to this shipping company and
its vessels or to any other organisation, perhaps a similar organisation in
another part of the industry such as passenger ferries or public services like
coastguard or naval ships, and whether there is sufficient motive, opportunity
and ability to make this a threat.
Figure 11: A classical standard Risk Matrix
The likelihood of each risk should be rated. In this example a numerical scale
of 1 (rare) to 5 (almost certain) is used. General guidance for the meaning of
each grade is provided below. When assessing the likelihood of a risk, existing
controls should be considered, which may require an assessment of the
effectiveness of these controls. In all cases it is crucial that these
assessments are conducted by acknowledged experts in the area being evaluated.
More detailed guidance can be decided for each likelihood class, depending on
the subject of the risk assessment. The following is a fair risk
classification, which can also be identified in the standard risk matrix
provided in figure 11.
1. Rare, it has never happened before and there is no reason to believe it is
more likely now.
2. Unlikely, there is a possibility that this could happen, but it probably
will not.
3. Possible, it could well happen at some point.
4. Likely, it would be surprising if it did not happen, based on experience
or current circumstances.
5. Almost certain, either it is already happening regularly or there is no
reason to believe that it would not happen again.
The basis for the grading scale should be documented so that anyone involved
can understand it and repeat it in future assessments. Furthermore, the
consequences should be assessed: an estimate of the impact that the risk may
have must be provided. This should consider existing controls that might reduce
the consequences, provided these controls are considered effective. Figure 11
provides a graded consequence axis reaching from Negligible to Catastrophic.
The need for controls that will mitigate the consequences of a risk must be
considered in at least the following areas.
Operational
Communicational
Health and Safety
Financial
Reputation
Legal, contractual, or statutory obligations
Other potential effects
The effects of each risk can then, in the example here, be rated on a numerical
scale of 1 (negligible) to 5 (catastrophic), matching the consequence axis of
figure 11. A detailed guide shall be defined for each type of impact, depending
on the subject of the risk assessment. The basis for the grading scale should
be recorded so that it can be understood and repeated in future assessments.
Based on the assessed likelihood and consequence, one score is calculated for
each risk by multiplying the two values.
Likelihood x Consequence = Score
This resulting score is then used to determine the risk classification, this is
visualised in figure 11. Each risk will be assigned a classification based on its
score as follows.
EXTREME - 15 and above
HIGH - 8 to 12
MODERATE - 4 to 6
LOW - 1 to 3
The purpose of the risk assessment matrix is to determine which risks can be
accepted and which need to be managed. The risk-taking criteria established for
this specific risk assessment should be considered. The matrix in figure 11 shows
the classifications of risk, risks are prioritised for treatment according to their
points and classification so that very high point risks are recommended to be
treated before those with lower exposure levels. Figure 11 shows a standard risk
matrix as it is commonly presented.
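As an added worked example (not from the thesis), the following Python encodes the scoring and classification procedure above, from the per-asset inventory entries through to a prioritised treatment order and the accept-or-treat decision. The assets, threats, controls and ratings, the three middle consequence labels (Minor, Moderate, Major, since the text names only Negligible and Catastrophic) and the risk-appetite band are constructed assumptions of this example, not data from the original document.

```python
"""Risk register scoring on the 5x5 likelihood x consequence matrix described above.
Added example, not part of the thesis. Every asset, threat, control and rating below
is constructed for illustration and is not real incident data."""
from __future__ import annotations
from dataclasses import dataclass

LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost certain"}
# The text names only the end points of the consequence axis (Negligible, Catastrophic);
# the three middle labels are an assumption of this example.
CONSEQUENCE = {1: "Negligible", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}
BANDS = ["LOW", "MODERATE", "HIGH", "EXTREME"]


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int            # 1..5, rated with existing controls taken into account
    consequence: int           # 1..5, worst credible effect across the listed impact areas
    existing_controls: str = ""


def score(risk: Risk) -> int:
    """Likelihood x Consequence, after checking both ratings are on the 1..5 scale."""
    for name, value in (("likelihood", risk.likelihood), ("consequence", risk.consequence)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be 1..5, got {value}")
    return risk.likelihood * risk.consequence


def classify(points: int) -> str:
    """Bands from the text: 15 and above EXTREME, 8-12 HIGH, 4-6 MODERATE, 1-3 LOW.
    On a 5x5 matrix the only possible products are 1,2,3,4,5,6,8,9,10,12,15,16,20,25,
    so the gaps (7, 13, 14) never occur and the four bands are exhaustive."""
    if points >= 15:
        return "EXTREME"
    if points >= 8:
        return "HIGH"
    if points >= 4:
        return "MODERATE"
    return "LOW"


def needs_treatment(risk: Risk, appetite: str = "MODERATE") -> bool:
    """A risk is accepted if its band is at or below the organisation's risk appetite
    (the appetite band is an assumed input; the thesis leaves it to the assessment)."""
    return BANDS.index(classify(score(risk))) > BANDS.index(appetite)


def prioritise(register: list[Risk]) -> list[tuple[int, str, Risk]]:
    """Order for treatment: highest score first; ties broken by the higher consequence
    (safety first on a vessel), then by asset name so the order is repeatable."""
    ranked = [(score(r), classify(score(r)), r) for r in register]
    ranked.sort(key=lambda t: (-t[0], -t[2].consequence, t[2].asset))
    return ranked


# Constructed sample register; the systems are taken from the asset categories
# discussed in this chapter, the ratings are invented.
SAMPLE_REGISTER = [
    Risk("ECDIS", "Malware introduced via USB chart update",
         "Unsupported Windows build, USB ports enabled", 4, 4, "Crew told to use vendor USB only"),
    Risk("Ballast water control PLC", "Remote vendor access abused",
         "Shared default vendor password", 3, 5),
    Risk("Crew Wi-Fi", "Phishing of crew credentials", "Shore webmail without MFA", 5, 2, "Spam filter"),
    Risk("Satellite link", "Loss of connectivity in bad weather", "Single communication provider", 2, 3),
    Risk("Crew welfare PC", "Unauthorised streaming exhausts bandwidth", "No traffic shaping", 5, 1),
    Risk("CCTV", "Recording tampered with", "Recorder in locked server room, no network access", 1, 2),
]


def report(register: list[Risk], appetite: str = "MODERATE") -> list[str]:
    """One line per risk in treatment order, with the accept/treat decision."""
    lines = []
    for points, band, r in prioritise(register):
        action = "TREAT" if needs_treatment(r, appetite) else "accept"
        lines.append(f"{points:>2} {band:<8} {action:<6} {r.asset}: {r.threat} "
                     f"[L={LIKELIHOOD[r.likelihood]}, C={CONSEQUENCE[r.consequence]}]")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_REGISTER)))
```

The tie-break on consequence is a design choice for a safety-driven environment: two risks with the same score are not equal on a ship if one of them can end in a grounding. Record whatever rule is chosen next to the grading scale, as the text requires, so later assessments produce the same order.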
It is important to understand that a threat and a vulnerability are not the same
thing. A threat is anything that could affect an asset in such a way that it
damages the organisation. A vulnerability is a quality of the asset, or of the
asset's surroundings, that enables a threat to manifest itself. By creating a
document that lists all assets, analysing them, determining in a structured way
what threats and vulnerabilities exist against each asset and the potential
consequences should a threat become reality, together with an action proposal
for what to do if it does, it is possible to achieve a greater understanding of
the scope of the project. This helps in visualising worst-case scenarios as well
as how to avoid them. The types of risks and vulnerabilities to look for are
endless; it could be anything from an earthquake to a mistake made by an
internal user. It should also be pointed out that even though attacks are
usually financially driven, attacks related to politics or pure revenge are
becoming more common (Ahmadian et al., 2020).
There are common types of cyber and information security threats, such as
malware, unpatched security vulnerabilities, hidden backdoor programs, excessive
administrator privileges, automated script execution, software bugs, phishing,
IoT devices and end users. But the list is far from complete, and it is a list
that needs to be put together individually. The following is to be considered a
starting point for any cybersecurity risk assessment.
Environmental Considerations
The environment is of great importance for cyber and information security;
unsafe or unstable surroundings could of course have a huge impact. This
includes matters such as fire, flood, dust, chemicals, lightning, and anything
else in the surrounding environment that has the potential to affect
cybersecurity.
Personnel Physical Actions
All activities carried out by personnel or other involved individuals could affect
cybersecurity. The more obvious ones are theft, vandalism, extortion, sabotage,
terrorism, improper usage but this could also include accidental damages and
extreme matters such as war.
On site aspects
On-site matters such as physical security, availability, ease of access,
maintenance, electrical power, temperature, and trash disposal are only a few
things that needs to be considered when conducting an on-site risk assessment.
Technical system specific situations
System specific threats and vulnerabilities is a list that could become endless. It
is good to assure that this risk assessment is made in conjunction with technical
personnel which understands the technical environment. Malware, hacking
attacks, unpatched systems, surveillance, media failure, storage reuse, these are
only a few items that can be added to this list. The dependencies onboard a vessel
is many and complicated, more than often these dependencies are also connected
to land-based equipment, something that adds additional risks. To fully
understand the complexity of a vessels IT and OT infrastructure a graphical
illustration over the ships different dependencies is best. This will give an idea of
the scope, which is involved, obviously this will change from organisation to
organisation and between vessels.
The maritime industry has numerous specifics which influence its potential for
becoming a cyberattack victim. Amongst these, the following could be considered
common vulnerabilities (BIMCO, 2020):
Multiple stakeholders involved in the management of a vessel, which can make it
hard to pinpoint responsibility for IT/OT devices, systems, infrastructures and
networks.
Running IT/OT systems which are unsupported and/or depend on out-of-date
software, such as old operating systems.
Using OT systems which are not compatible with anti-virus software or which
cannot be patched due to approval issues.
Vessels that are connected to onshore environments or other external segments
of the global supply chain.
Vessel devices which are controlled and monitored remotely by a third party.
Distribution of sensitive corporate data to third parties such as onshore
businesses and authorities.
Use of crucial systems which have not been patched, adequately installed or
properly secured, undermining the ship's cybersecurity and safety.
A cybersecurity organisation lacking appropriate training and established roles
and responsibilities.
Automated systems which are delivered with the ship and which are integrated
and implemented without any concern for cybersecurity.
Simplified, one could state that the categories of cyber-attacks that can
affect the maritime industry are (Lagouvardou, 2018):
Targeted, where an organisation, fleet or ship is the intended target.
Untargeted, where a company, fleet or vessel is one of many potential targets.
Intentional, where the attack results from deliberate malicious actions.
Unintentional, where the incident is an effect of negligence or ignorance.
Attackers might have different motives, but there are three main components
that must be taken into consideration: threats, vulnerabilities and assets. The
latter is what the attacker wants to access, and it could be anything that an
attacker deems valuable. The combination of threats, vulnerabilities and assets
is what is used to analyse and determine the potential risk; figure 12 is a
graphical representation of how that might look. This is important to
understand in order to conduct risk management and to hold a firm balance
between cost and security. It might involve decisions, based on the risk
assessment, where a risk is sometimes accepted in order to keep both reasonable
ease of access for users and a reasonable cost for the security provided.
Assets are defined as something which is considered valuable for an organisation
and/or an individual. These can include everything from individual computers and
their unique data to complete infrastructures. A vulnerability exists when a
design or system can be manipulated due to an identified weakness within it,
and a threat is defined as anything that could compromise an asset. An
often-used metaphor when discussing the defence-in-depth approach is "the
security onion". It symbolises the different layers of security and how a
potential attacker must manage to penetrate all of them: firewall, IPS, content
filtering, Authentication, Authorisation and Accounting (AAA), and hardened
devices.
General common maritime vulnerabilities
Insecure shore connections
Outdated IT systems
Outdated antivirus programs
Faulty system configurations
Lack of best practices
Inadequate network management
Use of default login information
Missing evaluation of supplier IT security
Densham et al. (2020) conclude that, to deliver cyber-resilient ships with
infrastructures that can be managed during service, the actual meaning of
"operational" needs to be clarified and built into the onboard system design.
The authors continue that there are cybersecurity obligations which must be
kept up and overseen through the lifecycle of a vessel, and that supporting
shore-side resources, such as an administrative framework and operations, need
to be available. Ships are generally long-lived, which creates a whole set of
challenges even before the merging of OT and IT is taken into the equation.
There are naturally noteworthy third parties upon which this depends; however,
complex supply chains take time to develop.
The list of potential threats is long and keeps growing, but during the last
ten years a type of threat from within organisations has come to the fore: the
insider threat. These are trusted individuals who use their access level to
steal information from their employer. This kind of crime is a huge challenge
to secure an information system against, since large-scale computer systems
still rely to a significant degree on human interaction. In 2018, 77% of
corporate data breaches were caused by individuals active inside the
organisation (Kettani et al., 2019).
Figure 12: Identifying the risk
By identifying the assets, the vulnerabilities and the threats that bear upon a
network environment, the cybersecurity analyst can be better prepared for an
attack. The IT/OT environment onboard a ship is, as has previously been
established, a complex and interconnected environment which differs greatly
between vessels. Because of this it is this study's conclusion that any detailed
step-by-step instruction might instead add to the vulnerability factor by
providing a false sense of security. The solution should be that every vessel
creates its own detailed asset list; here a comprehensive list of vulnerable
IT/OT systems is presented according to BIMCO (2020) as a starting point for
this cybersecurity work onboard a vessel.
Access control and safety systems
Bridge Navigational Watch Alarm System (BNWAS)
Electronic “personnel-on-board” systems
Emergency shutdown
Fire and flood control
Physical access control as locks and doors
Tracking
Ship Security Alert System (SSAS)
Surveillance systems such as the Closed-Circuit Television (CCTV) network
Administrative, supply chain and crew welfare systems
Administrative and email systems, fax
Automated manifest
Crew Wi-Fi or Local Area Network (LAN) access
Consumable stores inventory
Customs and immigration handling
Bring Your Own Device (BYOD) connections for personnel
Maintenance and spares management
Remote and onshore vendor updates
Timekeeping and scheduling
Bridge control systems
Automated weather monitoring
Automatic Identification System (AIS)
Automatic Radar Plotting Aid (ARPA) and radar equipment
Electronic Chart Display and Information System (ECDIS)
Dynamic Positioning (DP) systems
Global Maritime Distress and Safety System (GMDSS)
Global Navigation Satellite Systems (GNSS), including GPS
Integrated navigation system
Other monitoring and data collection systems
Systems that interface with electronic navigation systems and
propulsion/manoeuvring systems
Voyage Data Recorder (VDR)
Cargo management systems, loading and stability
Ballast water systems
Bay and stowage planning
Cargo Control Room (CCR) and its equipment
Cargo management systems
Hull stress monitoring
Level indication system
Stability control and decision support systems
Valve remote control system
Water ingress alarm system
Communication systems
Integrated communication systems, intercom
Public address and general alarm systems
Satellite communication equipment
Ship-to-shore and ship-to-ship communications, handheld radios
Voice over Internet Protocol (VoIP) equipment
Wireless networks (WLANs)
Passenger-facing networks
Guest entertainment systems
Passenger Wi-Fi or Local Area Network (LAN) internet access, for
example where onboard personnel can connect their own devices
Passenger servicing and management systems
Electronic health records
Financial related systems
Infrastructure support systems like Domain Name Service (DNS) and
user authentication/authorisation systems
Property Management System (PMS)
Ship passenger/seafarer boarding access systems
Propulsion and machinery management and power control systems
Alarm system
Emergency response system
Engine governor and control
Generators
Integrated control system
Onboard machinery monitoring and controls
Power management
Steering
Operations, network and physical security, ICS systems
Antivirus software, software updates and vendor patches
Bridge and machinery space restriction
Digital and analogue sensors
Electronics and electrical management
External data storage devices Universal Serial Bus (USB), Digital
Versatile Disc (DVD)/CD, portable Hard Disk Drive (HDD)
Firewalls
Human-Machine Interfaces (HMI)
Intrusion prevention systems
Programmable Logic Controllers (PLC)
Routers, switches and other segmentation devices
SCADA controllers
Security gateways
Security event logging systems
Server rooms, access control barriers
Virtual LANs (VLAN)
Virtual Private Networks (VPN)
MCSS PHASE 2 - EXECUTING
Within the maritime industry there are documented weaknesses in certain
systems, such as navigational equipment, which have been subject to incidents
where for instance a vessel's position is falsified or fake emergencies are
initiated. Such events are of course an outcome of the use of technology for
managing navigation, engines, cargoes and other entities. In all this it is the
crew, the individuals onboard, who can either mitigate or efficiently manage
these events. The human factor is the first line of defence for any asset,
including the ship, and onboard cybersecurity does indeed rely on the will to
be vigilant and prepared for cyber incidents (Alcaide and Llave, 2020; Akpan et
al., 2022).
The UK and Irish General Lighthouse Authorities conducted a test in which the
GPS signal was jammed over a certain part of the sea while the vessel Pole Star
entered the area. The results were alarming: the Pole Star lost services one
after another as the ship's DGPS receivers, the AIS transponders, the ship's
gyro calibration system and its digital selective calling system all started
malfunctioning. The crew, who had anticipated this, were well prepared to manage
all the alarms; it is however pointed out that on a modern ship the bridge is at
times, especially at night, manned by only one individual, something that could
add to the difficulties. Furthermore, several unexpected failures occurred
onboard, one being that the ECDIS did not update, leaving its screen static.
This triggered what might be considered a sociotechnical issue: the crew grew
impatient watching the static screens and in their frustration decided to turn
the ECDIS off (Grant et al., 2009; Awan and Ghamdi, 2019).
With the increasing complexity of technology being implemented onboard
vessels there is also a need for an increased understanding of the importance for
human-computer interaction. Development of technology which does not
consider the human interaction might prove itself to have the opposite effect
from what is intended, especially in such a safety driven environment such as the
maritime sector where mistakes have the potential to develop into incidents with
grim consequences (Allen, 2009). The transformation of the onboard
cybersecurity attitude demands a new definition of what is expected from a
vessel's crew member. There might be a privacy paradox which makes users seem to
agree with anything as long as they get access to whatever service they want.
On one hand users express great concern regarding their privacy, yet they do
nothing or very little to secure their personal information (Barth and Jong,
2017). This could be one explanation of why so many users of social media are
now subject to a wide range of cyber-related crimes such as identity theft,
manipulation and surveillance by hackers, governments and organisations.
Assailants conducting activities such as social engineering have a wide range
of tools at their disposal, and they can be extremely clever and fool even a
seasoned cybersecurity professional. Phishing, watering-hole attacks, port
scanning, software weaknesses, third parties, brute force, DDoS,
spear-phishing; the list is long (Lagouvardou, 2018).
Within the maritime industry, however, a vessel is a crew member's home for
longer periods of time, which means they should have access to the same
services as they would in their own homes. But that is not the reality of the
matter. In 2019 Oldenburg and Jensen interviewed 323 crew members from
different cultural backgrounds working different shipping routes. It turned out
that personal internet access was a rarity, especially on worldwide routes,
where internet access was usually confined to the onboard office environment
(Oldenburg and Jensen, 2019).
Restrictions on such access will only work for a very limited time, and there
should therefore instead be a plan for providing access to services even if
these are not vital for the vessel and its operations. It is very important to
fully understand how decisions on access, trust and availability affect crew
members, both when on duty and in their spare time. All these entities are
connected, and actions taken within one area will undoubtedly affect other
areas. All decisions regarding such matters shall be taken seriously and be
thoroughly discussed, evaluated and decided by the MCIRT with the support of
the involved parties. Figure 13 is a useful illustration for understanding the
complexity of decisions regarding technology within an organisation.
It is advisable to allow as much external access as possible for crew members to
facilitate their individual needs and to establish a level of controlled risk, rather
than an unknown risk factor which might be the case if the crew is not allowed
to use an official route for their internet needs. It is under any circumstances
impossible to completely secure an infrastructure unless pulling the plug is an
option.
Figure 13: Sociotechnical system model
Remember that education is better than prohibition. Social engineering is
designed to manipulate people into sharing sensitive information or doing things
that will compromise security, but this only works if their knowledge level
within the field is inadequate. These types of attacks include dumpster diving,
impersonation, shoulder surfing, phishing, spear phishing, pretexting, spam,
quid pro quo, tailgating and baiting. And let's not forget that a ship's crew
are individuals who in a sense are living onboard. This means most have their
own computers and their own smartphones, and they will most likely want to use
the same online services while onboard as they would on land, which without a
doubt includes social media, streaming services, discussion forums and perhaps
specific user groups of interest. It might be tempting to restrict the usage of
such services for the onboard crew, and this can be done rather easily, but
before taking such a decision another angle on usage issues needs to be
considered.
For instance, the main problem with social media is that most people love
attention; often even those who say they don't. Social media boosts your
dopamine levels every time someone likes a post you have made, or every time
you believe you have received the acknowledgement you were seeking. It will seem
like you have reached acceptance, and in a way you have, because when you go
online and interact you will for a while feel that you are part of something,
that you matter and that you can make a difference. For social networks such as
Facebook the human need for confirmation fits like a glove, and once you have
created your account the addiction develops quickly; make no mistake, dopamine
is addictive (Macit et al., 2018).
So why is this important in relation to cybersecurity onboard a ship? One
example of how social media affects security onboard is the reports that
Facebook serves as a pirate intelligence source in the Gulf of Aden (Awan,
2019). This might feel like grounds for an immediate social media ban onboard,
but the point of comparing social media usage to addiction is that addiction is
a powerful force: even though a ban might be tempting, the chances are that
users will find a way around it instead, and this might end up being an
unknown, uncontrolled channel which makes the vessel's IT environment even more
exposed to potential dangers.
In all fairness it should be said that when an attacker wants access to a
ship's network, Facebook may not be the preferred channel; LinkedIn may be
better, allowing the attacker to find a young cadet's employment record and
then target him with an e-mail full of compliments offering a great opportunity
for advancement at a well-known shipping company. All he needs to do to show he
is serious about the new position is to visit a website and fill out an online
form. He clicks the link provided in the e-mail, at which point a file is
downloaded and installed on his laptop, and just like that access to the ship's
systems has been achieved. To prevent this type of employee error, the
organisation should ensure that all employees are aware of and understand their
responsibilities regarding information security (Al-Mahri, 2018).
One of the most important tools available to anyone trying to enhance a
cybersecurity strategy is policies and the guidelines they hold (Pseftelis and
Chondrokoukis, 2021). Because of this it is important at an early stage in the
process to make an inventory of which policies and guidelines will be
applicable. Are there local considerations that demand certain policies, or
international requirements that need to be considered?
One such example is the usage of AIS. It was first introduced in the early days
of the internet, at a time when cybersecurity had not yet risen to the
importance it has today (Kessler, 2020). It is a vital piece of equipment, and
one of the most frequently used marine navigation tools because it is a
mandatory IMO requirement intended to reduce collision risk and thereby enhance
marine safety (Jakovlev et al., 2020; Hemminhaus et al., 2021). There is indeed
a cybersecurity issue with the use of AIS. Many studies have been done on AIS
and its vulnerabilities, and the threats against the AIS unit have been divided
into three categories: spoofing, hijacking and disruption (Balduzzi et al.,
2014).
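As an added example (not from the thesis, and not code from any AIS equipment vendor), the following Python shows why spoofing heads that list. An ECDIS or radar receives AIS messages from the transponder as NMEA 0183 AIVDM sentences whose only integrity check is a one-byte XOR checksum, and the VHF frame itself carries only a CRC; neither is keyed, so anyone able to transmit on the AIS channels can forge a position report for any MMSI, and it passes every check the receiving equipment performs. The MMSI below is a made-up value, only the message header fields (type, repeat indicator, MMSI) are populated, the remaining position fields are left zero, and all function names are the example's own.

```python
"""AIVDM forgery versus the NMEA 0183 checksum (added example, not from the thesis).
The MMSI is invented; the 6-bit armouring and the 168-bit type 1 layout are the
standard AIS encoding, the forge_* and decode_* helpers are this example's own."""
from __future__ import annotations


def nmea_checksum(body: str) -> str:
    """XOR of every character between the leading '!' or '$' and the '*', as two hex digits.
    It detects serial-line corruption; it is not a signature, anyone can recompute it."""
    cs = 0
    for ch in body:
        cs ^= ord(ch)
    return f"{cs:02X}"


def verify_checksum(sentence: str) -> bool:
    """The only integrity check an AIS consumer makes on an AIVDM sentence."""
    if not sentence.startswith(("!", "$")) or "*" not in sentence:
        return False
    body, _, given = sentence[1:].partition("*")
    return given.strip().upper() == nmea_checksum(body)


def armor(bits: str) -> tuple[str, int]:
    """6-bit ASCII armouring used by AIVDM payloads; returns (payload, fill_bits)."""
    fill = (-len(bits)) % 6
    bits += "0" * fill
    chars = []
    for i in range(0, len(bits), 6):
        v = int(bits[i:i + 6], 2)
        chars.append(chr(v + 48) if v < 40 else chr(v + 56))
    return "".join(chars), fill


def unarmor(payload: str) -> str:
    """Inverse of armor(): each payload character back to six bits."""
    bits = []
    for ch in payload:
        v = ord(ch) - 48
        if v > 40:
            v -= 8
        bits.append(f"{v:06b}")
    return "".join(bits)


def forge_position_report(mmsi: int, channel: str = "A") -> str:
    """Build a type 1 (position report) sentence claiming any MMSI. Only the 38 header
    bits are set; the other 130 bits (status, position, course, speed) are zero here
    and would be filled with whatever position the attacker wants the bridge to see."""
    if not 0 <= mmsi < 2 ** 30:
        raise ValueError("MMSI must fit in 30 bits")
    bits = f"{1:06b}{0:02b}{mmsi:030b}"      # message type 1, repeat indicator 0, MMSI
    bits += "0" * (168 - len(bits))          # type 1 messages are 168 bits long
    payload, fill = armor(bits)
    body = f"AIVDM,1,1,,{channel},{payload},{fill}"
    return f"!{body}*{nmea_checksum(body)}"   # the "signature" is just the XOR


def decode_header(sentence: str) -> dict:
    """What a receiver would display: message type, repeat indicator and MMSI."""
    fields = sentence.split("*")[0].split(",")
    bits = unarmor(fields[5])
    return {"type": int(bits[0:6], 2), "repeat": int(bits[6:8], 2), "mmsi": int(bits[8:38], 2)}


if __name__ == "__main__":
    forged = forge_position_report(123456789)          # made-up MMSI
    print(forged, verify_checksum(forged), decode_header(forged))
    # Corrupting a single character is caught by the checksum...
    print("corrupted passes?", verify_checksum(forged.replace(",A,", ",B,")))
    # ...but an attacker simply recomputes it, so the check proves nothing about origin.
```

The practical consequence for the policy inventory discussed here: no onboard configuration can make AIS data trustworthy, so the procedures that consume it (collision avoidance, port clearance, anti-piracy routing) must treat it as unauthenticated input, cross-check it against radar and visual observation, and flag targets whose reports are inconsistent with those sources.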
With all this said, it should be acknowledged that AIS is also actively misused,
for instance to sail under an alias while hiding a vessel's real identity, or by
sailing with AIS switched off entirely so that the coastguard cannot pick the
vessel out for cargo inspection, or so that pirates do not see it passing (Awan
and Ghamdi, 2019).
Let that be a reminder that no matter how many regulations and policies are in
place, they mean nothing if they are not followed.
Policies and their guidelines should be communicated in a manner which allows
all stakeholders, be it onshore staff, vessel crew or other involved third
parties, to consult this material in their daily activities. The following
listing is an initial proposal of policies which might be applicable in most
cases. This list is in no way complete, but it will provide a foundation to
build from. The policies and guidelines are divided into two sections, where
the first is the overall cybersecurity policy plan and the second is the
General Data Protection Regulation 2016/679 policy plan. The latter is legally
binding only within the EU/EEA (and for organisations elsewhere that process
the personal data of people in the EU), but it is advisable to consider
implementing this policy plan in any organisation worldwide since it will
increase the protection of personal information.
Policies which define what activities are acceptable function as a benchmark
and quickly indicate when something does not comply; such non-compliance is
more than likely a security breach. Among the policies an organisation needs
are company policies, employee policies and security policies. A
well-thought-through and carefully planned security policy benefits an
organisation by showing that it takes its security seriously; it supports
security staff, defines what behaviour is expected from employees, creates a
unified environment and ensures that everyone is aware of the effects of
violating it. Certain additional policies, such as BYOD policies, have become
more important as organisations allow employees to use their own devices within
the corporate network, and a best-practice attitude should be defined through
such a policy (Brodin et al., 2015).
In many cases policies are mandatory for organisations which wish to maintain
compliance with laws and regulations, and they should always be mandated from
a higher level. For the successful implementation of the MCIRT and the MCSS it
is advisable to follow at least a minimum set of guidelines, providing a more
structured approach to cybersecurity. The following short list is to be
considered the minimum set of guidelines which should be developed for onboard
reference.
Personal Device Usage
Remote Access
Social Media Usage
Storage and Protection
IT/OT Representative
In terms of mitigating incidents, it is easy to identify the biggest impacts as
financial or reputational damage (Reva, 2020). If valuable data is compromised
by someone whose morals could be considered low by societal norms, negative
consequences will often follow. The National Security Agency (NSA) has a
well-thought-through top ten list of Cybersecurity Mitigation Strategies (NSA,
2018), which in short contains the following:
1. Update and upgrade software immediately
2. Defend privileges and accounts
3. Enforce signed software execution policies
4. Exercise a system recovery plan
5. Actively manage systems and configurations
6. Continuously hunt for network intrusions
7. Leverage modern hardware security features
8. Segregate networks using application-aware defences
9. Integrate threat reputation services
10. Transition to multi-factor authentication
One step towards accomplishing this is to enable a well-designed action plan,
which will function as a guide of what needs to be done and when. A strategy
must always be followed by an action plan which outlines the steps that will be
taken for achieving each of the specific objectives outlined in the strategy.
Through setting up an action plan based on the risk assessment a plan is in place
that will help with avoiding, mitigating, transferring, and even accepting possible
risks that a vessel might be facing, furthermore it will aid in how to conduct
interaction between stakeholders.
The action plans consist of multiple layers of guidelines: how to respond and
how to recover services in case of a cyber-attack, how to assess likelihood and
consequences, and how to identify threats and vulnerabilities. Together these
provide the backbone of the action plans. In this case the MCSS is the strategy
which guides the overall direction, whilst the action plans support the more
detailed mitigation and attack response process; figure 14 gives an example of
how such a plan might look.
Figure 14: Mitigation action plan
Page 54 of 95
Once the information systems and data that are vital to the organisation have
been identified, together with the types of risks and threats to these systems
and their data, it is appropriate to determine which techniques, tools and
strategies can be used to mitigate the impact of an attack on these systems.
This definition of a cybersecurity action plan is a crucial ingredient for the
shipping industry, and it should state which decisions must be taken
immediately in the case of an attack. There exists a whole range of different
approaches to how a cybersecurity action plan should be constructed, all
depending on industry, resources, and desired scope (Werlinger et al., 2007),
but figure 15 gives the initial starting points for developing a tailored attack
action plan.
Developing, executing, evaluating, and maintaining action plans is not a one-
time task, it’s an ongoing project that is evolving along with the industry and the
threats and vulnerabilities upon which it will need to react.
MCSS PHASE 3 - EVALUATING
Through continuous analysis it is possible to determine how well the MCSS has
been implemented. This will involve testing the organisation's systems as well as
the individual systems located on vessels in order to establish the level of
success. These cybersecurity tests need to be developed, implemented, and
maintained by the organisation (CRN, 2011). The following is a typical list
provided by the Cooperative Research Network (CRN) which defines the tools
needed.
Testing of
personnel awareness and capability require designed skills reviews.
security features and software require manual penetration testing.
software security requires static analysis tools.
web applications require dynamic testing tools.
protocols require interoperability harnesses and fuzzing tools.
hosts and networks require network penetration testing tools.
In addition, the evaluation process should include points for determining the
effectiveness of the activities which have been implemented. Such checks should
include the evaluation of
reaching the desired cybersecurity goals.
mitigation action plan efficiency.
cyber-attack action plan response.
Figure 15: Attack action plan
Additional checklists should be constructed in accordance with the needs set
forth by the organisation, fleet, or vessel. These lists could typically include
items such as
reviewing cyber incident and event reports
reviewing log files and intrusion detection systems
ensuring cybersecurity by conducting internal audits
organising drills for training cybersecurity incident response
evaluation of third-party access and restrictions
The technique of testing a network, computer, or any other system for its
weaknesses through penetration testing is more commonly known as ethical
hacking, and it helps in creating a stable and reliable cyber defence. When
possible, it is highly recommended to use external testers, so-called white hats,
to ensure a realistic scenario. The aim is to establish the security level of an IT
infrastructure, and the test is usually conducted according to a standard
penetration testing methodology as seen in figure 16.
When conducting tests the main objective must be the most crucial part of the
system, and not surprisingly the most vulnerable part within the vessel's
infrastructure is the IBS. It is at the core of the bridge and, with its
interconnections, it controls and commands not only a full range of digital
devices which are vital for navigation, but it is merged into almost every
additional system, such as the propulsion and machinery management system,
the cargo management system, the safety management system, the core
infrastructure systems, the administrative and crew welfare systems and more.
To make it even more crucial, it also functions as a gateway to the internet,
adding even more complexity and vulnerability to itself and every device under
its control (Awan and Ghamdi, 2019). This means that the IBS is what needs to be
tested, evaluated and protected accordingly.
There are four kinds of penetration testing, each concentrating on different
parts of the environment being tested.
Network and infrastructure penetration test
Web application penetration test
Wireless network penetration test
Simulated phishing test
Onboard a vessel, whether it is a cargo ship or a passenger ship, this
penetration testing should at a minimum involve the following maritime
specific entities.
Bridge systems.
Cargo handling and management systems.
Propulsion, machinery, and power control systems.
Access control systems.
Passenger/crew servicing and management systems.
Passenger/crew facing public networks.
Administrative and crew welfare systems.
Communication systems.
Figure 16: Testing methodology
It should be clarified that understanding the three defined groups of hackers
which are identified and presented in the background section will increase the
ability to predict an attacker's penetration approach. However, attackers are
constantly innovating and changing their approach (Ablon, 2014), which makes
it more difficult to stay ahead of them. The process will in each case typically
include nine main steps that the hacker goes through: scope, reconnaissance,
vulnerability detection, information analysis and planning, penetration testing,
privilege escalation, result analysis, reporting and clean-up (Goel and Mehtre,
2015).
In essence, digital forensics is a matter of preserving, identifying, extracting,
and documenting evidence that will be sufficient to present in a court of law.
Once a crime has been identified it is important that the cybersecurity analyst
knows how to manage evidence and how to connect it to the attackers (Casey,
2009). After an attack where a network has been breached and information has
been stolen, altered, or deleted, it is crucial that sufficient evidence is collected
to be able to show the scope of the attack.
Evidence should be collected starting with the most volatile data (Kävrestad,
2020). An example ordering from most to least volatile is: memory registers,
which can be considered the most volatile, caches, routing tables, the ARP
cache, process tables, kernel statistics, Random Access Memory (RAM), the
Temporary File System (TMPFS), Non-Volatile Storage (NVS), fixed and
removable, remote logging and monitoring data, physical interconnections,
topologies and the VDR. The least volatile would be archival media, tape, or
other backups.
Depending on jurisdiction there are different rules for what actions an
organisation must take when data has been compromised. Of course, a properly
conducted forensic investigation will help in identifying what actions need to
be taken. Organisations must prepare documentation where procedures and
processes for digital forensic analysis are described. NIST Special Publication
800-86, Guide to Integrating Forensic Techniques into Incident Response (NIST,
2006), provides guidance for organisations that wish to develop or evolve their
digital forensic plans. The process is based on four activities: collection,
examination, analysis, and reporting. This work provides a slightly more
detailed investigation process, as illustrated in figure 17. Connecting an attack
to an individual, organisation, or nation should be the outcome of the
systematic investigation of the evidence collected. Tactics, Techniques, and
Procedures (TTP) are compared against other known attacks. To find an
internal threat, the process is much more a matter of finding the device which
has been used, since this might directly point out the assailant.
Figure 17: Forensic Cycle
IT security is not a new topic and, in a converged enterprise, IT security
professionals can be leveraged to improve OT security as well, besides providing
valuable and unique perspectives. The OT profession is dedicated to automating
processes, so OT staff are able to provide insights into the importance of
repeatable processes, pre-planned responses, and profound knowledge of the
networks they are responsible for maintaining. An integrated programme that
combines IT and OT is advisable and is critical to reducing the potential
enterprise risk and protecting both sides of the enterprise systems
(Lagouvardou, 2018). The MCIRT and the IT/OT onboard representative do just
that: the role becomes a central entity between IT and OT and will therefore
develop a bird's-eye view over both areas, and as such will be able to make
decisions which take both environments into consideration.
The IT/OT environment needs to be documented in a centralised manner which
allows both IT and OT parties common access to each other's documentation.
In this manner knowledge bridges are built between the two separate
environments. In areas where there is a heavy IT/OT dependency it is
recommended that documentation is produced as a joint project by both parties,
allowing not only for joint decisions but also for a better understanding of each
other's areas of expertise. Figure 18 illustrates how the IT/OT representative is
placed at the merger of these two areas. These joint activities can include, but
should not be limited to, the inventory of the following.
Communication equipment
Software
Network devices
Network services
It is also recommended that a detailed logical network map is established,
documenting IP addresses and other device information. Furthermore, it is
advisable to establish the existing IT/OT dependencies and evaluate these. Such
an evaluation can include parameters such as the following (BIMCO, 2020).
Is it a stand-alone device?
Does the device hold dependencies?
Are there direct connections?
Are connections local or external, or do they include other systems?
Which built-in support measures are available?
Are there needs for continuous updates of device software?
Do the devices allow for removable units?
With removable units this study means storage devices, such as USB sticks or
external HDDs.
Figure 18: Illustration of the merger of IT and OT
There are many different reasons for organisations to set up a SOC. Some vital
reasons might be the increased possibility of detecting a compromise, the ability
to quickly identify the severity of a compromise and the SOC's ongoing
mitigation process. The SOC contains three major elements, people, processes,
and technologies, and consists of security analysts organised to detect, analyse,
respond to, report on, and prevent cybersecurity incidents (Zimmerman, 2014;
Shutock, M. and Dietrich, 2022). The roles of the SOC are constantly advancing
and they are divided into three levels. The CyberOps Associate (Cybersecurity
Analyst) is part of the first level, which monitors incidents and reports cases
upwards in the SOC system; level two is the case responder and level three is
the most experienced level, for the SOC manager and other resources with
in-depth knowledge (Vielberth, 2021).
The standard procedure for a cybersecurity professional starts with analysing
alerts and deciding if the incident should be investigated or dismissed as a false
alarm. Any SOC will be fully dependent on a SIEM, or something similar
(Podzins and Romanovs, 2019). The SIEM system collects data from network
traffic, network flows, system logs, endpoint data, threat intel feeds, security
events and more, as illustrated in figure 19, which provides a visual
representation of the process.
The SIEM then filters, structures, and categorises the information received to
present it to the analyst. The SIEM is often teamed up with Security
Orchestration, Automation and Response (SOAR), since these two systems help
each other; large security teams often utilise both SOAR and SIEM to enhance
the performance of the SOC. SOAR provides a process for automatically
processing a cyber incident completely without any individual having to act on
anything. It does this by using IT, predefined algorithms, and artificial
intelligence (Singh, 2020). The SOC can be outsourced or be a complete in-house
solution, depending on the size and/or the structure of the organisation
(Shutock, M. and Dietrich, 2022). The SOC's performance is measured using Key
Performance Indicators (KPI). The most common metrics are Dwell Time (DT),
Mean Time to Detect (MTTD), Mean Time to Respond (MTTR), Mean Time to
Contain (MTTC), and Time to Control. One important thing to remember is that
security can never be allowed to compromise the activities carried out during
day-to-day business within an organisation; the level of security must be
balanced against the need for ease of access.
Figure 19: SIEM system data collection.
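Computing the SOC KPIs just listed from a set of case timestamps, as an added example that is not part of this thesis. The metric definitions used here (dwell time and MTTD as compromise to detection, MTTR as detection to response, MTTC as detection to containment over contained cases only) and the sample incidents are assumptions made for the example; definitions vary between SOCs and should be fixed in the MCSS.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Optional


@dataclass
class Incident:
    """One SOC case. All timestamps are UTC; contained_at is None while
    the case is still open."""
    ident: str
    compromised_at: datetime   # earliest evidence of attacker activity
    detected_at: datetime      # first alert confirmed as a true positive
    responded_at: datetime     # analyst begins active response
    contained_at: Optional[datetime] = None


def _hours(later, earlier):
    """Elapsed time between two datetimes, in hours."""
    return (later - earlier).total_seconds() / 3600.0


def dwell_time_hours(inc):
    """Dwell time of one incident: compromise to detection (assumed definition)."""
    return _hours(inc.detected_at, inc.compromised_at)


def soc_kpis(incidents):
    """MTTD, MTTR and MTTC in hours over a set of incidents.
    MTTD = mean dwell time, MTTR = mean detection-to-response, MTTC = mean
    detection-to-containment over contained incidents only (all assumed
    definitions). Open incidents are reported separately instead of being
    silently counted as zero containment time, which would flatter the KPI."""
    if not incidents:
        raise ValueError("no incidents to measure")
    for inc in incidents:
        # Reject inconsistent records rather than producing negative times.
        if not (inc.compromised_at <= inc.detected_at <= inc.responded_at):
            raise ValueError(inc.ident + ": timestamps out of order")
        if inc.contained_at is not None and inc.contained_at < inc.responded_at:
            raise ValueError(inc.ident + ": contained before response started")
    contained = [i for i in incidents if i.contained_at is not None]
    return {
        "mttd_h": mean([dwell_time_hours(i) for i in incidents]),
        "mttr_h": mean([_hours(i.responded_at, i.detected_at) for i in incidents]),
        "mttc_h": (mean([_hours(i.contained_at, i.detected_at) for i in contained])
                   if contained else None),
        "open_incidents": len(incidents) - len(contained),
    }


def sample_incidents():
    """Constructed sample cases (not real incident data)."""
    t = datetime.fromisoformat
    return [
        Incident("INC-A", t("2022-03-01T08:00"), t("2022-03-03T08:00"),
                 t("2022-03-03T10:00"), t("2022-03-03T20:00")),
        Incident("INC-B", t("2022-03-10T00:00"), t("2022-03-10T06:00"),
                 t("2022-03-10T07:00")),                      # still open
        Incident("INC-C", t("2022-03-15T12:00"), t("2022-03-15T18:00"),
                 t("2022-03-15T21:00"), t("2022-03-16T06:00")),
    ]


if __name__ == "__main__":
    for name, value in soc_kpis(sample_incidents()).items():
        print(name, value)
```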
Being vigilant and keeping track of CVE, which is a list of publicly known
vulnerabilities, can help an organisation stay ahead of potential new threats.
The vulnerabilities are discovered, then assigned and published by
organisations from around the world that have partnered with the CVE
Program. Partners publish CVE Records to communicate consistent
descriptions of vulnerabilities. Information technology and cybersecurity
professionals use CVE Records to ensure they are discussing the same issue,
and to coordinate their efforts to prioritise and address the vulnerabilities
(MITRE, 2021). The CVE system is managed by the MITRE corporation and is
funded by the Department of Homeland Security's Cybersecurity and
Infrastructure Security Agency (CISA).
CVE entries are brief in nature; they do not include much technical detail about
impact or fixes. Those details appear in other databases, including the U.S.
National Vulnerability Database (NVD), the CERT Coordination Center
(CERT/CC) Vulnerability Notes Database, and various lists maintained by
vendors and other organisations. Across these different systems, CVE IDs give
users a reliable way to tell one unique security flaw from another (Redhat,
2010-2021). CVE is not itself the vulnerability database; rather it is designed to
facilitate linking between vulnerability databases and other tools. The unique
CVE identifier is the key which differentiates one security vulnerability from
another, and it also provides a reliable way of communicating across these
different databases to get more information about the reported flaw.
A CVE database alone cannot explain the impact of the vulnerabilities. The CVE
identifier does not provide vulnerability context such as exploitability and
complexity and the potential impact on confidentiality, integrity, and
availability. These are provided by the Common Vulnerability Scoring System
(CVSS), maintained by NIST. According to NIST, CVSS defines a vulnerability as
a bug, flaw, weakness, or exposure of an application, system, device, or service
that could lead to a failure of confidentiality, integrity, or availability (Muniz et
al., 2015).
By building a Python script, information was extracted from the CVE database
and then analysed; the result shows a steady rise in the number of reported
vulnerabilities. As seen in figure 20, during 2002 there were 6769 CVEs
reported, but this is a merged file containing 1999 until 2002, which explains
the high number of reported CVEs in 2002. In 2003 the number of CVEs is 1553.
This number continues to rise until 2007, when there is a slight drop, and then
a rise and a much bigger drop in 2009. From 2011 there has been a constant
increase, peaking at a grand total of 19736 registered CVEs in 2021.
To retrieve all the CVE files from the NVD to be analysed, the Python code for
doing this data extraction is listed below. Please be advised that to do this the
Python software needs to be installed together with the required modules, such
as requests for downloading and the JavaScript Object Notation (JSON) module
for parsing the feeds.
Figure 20: Reported vulnerabilities between 2002 and 2021
The following is the Python code used for downloading JSON files from NVD.
import os
import re
import requests

# The NVD feed index page lists one nvdcve-1.1-<year>.json.zip per year.
os.makedirs("zip", exist_ok=True)
r = requests.get('https://nvd.nist.gov/vuln/data-feeds#JSON_FEED')
r.raise_for_status()
# A raw string keeps the regex escapes intact; sorted(set(...)) drops
# duplicate matches from the index page.
for filename in sorted(set(re.findall(r"nvdcve-1\.1-[0-9]*\.json\.zip", r.text))):
    print(filename)
    r_file = requests.get("https://nvd.nist.gov/feeds/json/cve/1.1/" + filename,
                          stream=True)
    r_file.raise_for_status()
    with open("zip/" + filename, 'wb') as f:
        for chunk in r_file.iter_content(chunk_size=65536):
            f.write(chunk)
Once all the CVE files are downloaded, they will need to be unzipped in order to
be evaluated; this can be done using the following Python code.
import zipfile
from os import listdir, makedirs
from os.path import isfile, join

makedirs("json", exist_ok=True)
files = [f for f in listdir("zip/") if isfile(join("zip/", f))]
files.sort()
for file in files:
    print("Opening: " + file)
    # Each archive holds a single nvdcve-1.1-<year>.json file.
    with zipfile.ZipFile(join("zip/", file), 'r') as archive:
        archive.extractall('json')
When all the files have been unzipped the data can be explored. To count the
number of CVEs per year from 2002 until the current year, the Python code below
can be used.
import json
import re
from os import listdir
from os.path import join

# Iterate over the yearly feed files actually present instead of assuming
# one file per year from 2002 onwards (the directory may also hold the
# "modified" and "recent" feeds, which would skew a count based on the
# number of files).
feed_pattern = re.compile(r"nvdcve-1\.1-([0-9]{4})\.json$")
for name in sorted(listdir("json/")):
    match = feed_pattern.match(name)
    if not match:
        continue
    year = match.group(1)
    with open(join("json/", name), encoding="utf8") as json_file:
        CVE_dict = json.load(json_file)
    CVE_Items = CVE_dict['CVE_Items']
    print(year + " " + str(len(CVE_Items)))
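Going one step beyond the per-file count above, the following added example (not the thesis's own script) reads NVD JSON 1.1 items and counts them per CVE year and per CVSS severity, which is the context the text says the CVE ID alone lacks; the feed document is a constructed sample and the CVE IDs in it are placeholders, not real records.

```python
import json
from collections import Counter

# Constructed sample in NVD JSON 1.1 feed layout (not real NVD data; the
# CVE IDs are placeholders). Only the fields this script reads are included.
SAMPLE_FEED = json.dumps({"CVE_Items": [
    {"cve": {"CVE_data_meta": {"ID": "CVE-1999-99901"}},
     "impact": {"baseMetricV2": {"severity": "HIGH"}}},
    {"cve": {"CVE_data_meta": {"ID": "CVE-2002-99902"}},
     "impact": {"baseMetricV2": {"severity": "MEDIUM"}}},
    {"cve": {"CVE_data_meta": {"ID": "CVE-2021-99903"}},
     "impact": {"baseMetricV3": {"cvssV3": {"baseScore": 9.8,
                                            "baseSeverity": "CRITICAL"}},
                "baseMetricV2": {"severity": "HIGH"}}},
    {"cve": {"CVE_data_meta": {"ID": "CVE-2021-99904"}},
     "impact": {"baseMetricV3": {"cvssV3": {"baseScore": 7.5,
                                            "baseSeverity": "HIGH"}}}},
    # Rejected or not-yet-analysed entries carry an empty "impact" object.
    {"cve": {"CVE_data_meta": {"ID": "CVE-2021-99905"}}, "impact": {}},
]})


def load_items(feed_text):
    """Return the CVE_Items list from one NVD JSON 1.1 feed document."""
    return json.loads(feed_text)["CVE_Items"]


def cve_year(item):
    """Year taken from the CVE ID (CVE-<year>-<seq>), not from the feed file
    name. This separates the 1999 to 2002 records that the thesis notes are
    merged into the 2002 feed file."""
    cve_id = item["cve"]["CVE_data_meta"]["ID"]
    return int(cve_id.split("-")[1])


def severity(item):
    """CVSS severity label, preferring v3 over v2; 'UNSCORED' when absent."""
    impact = item.get("impact", {})
    v3 = impact.get("baseMetricV3", {}).get("cvssV3", {})
    if "baseSeverity" in v3:
        return "v3:" + v3["baseSeverity"]
    v2 = impact.get("baseMetricV2", {})
    if "severity" in v2:
        return "v2:" + v2["severity"]
    return "UNSCORED"


def summarise(items):
    """Count items per CVE year and per severity label, and list the IDs
    that are CVSS v3 CRITICAL so they can be prioritised first."""
    by_year = Counter(cve_year(i) for i in items)
    by_severity = Counter(severity(i) for i in items)
    critical = sorted(i["cve"]["CVE_data_meta"]["ID"] for i in items
                      if severity(i) == "v3:CRITICAL")
    return {"by_year": dict(by_year), "by_severity": dict(by_severity),
            "critical_ids": critical}


if __name__ == "__main__":
    result = summarise(load_items(SAMPLE_FEED))
    for year in sorted(result["by_year"]):
        print(year, result["by_year"][year])
    print(result["by_severity"])
    print("prioritise first:", result["critical_ids"])
```

To run it over the real feeds, pass the text of each json/nvdcve-1.1-<year>.json file to load_items and merge the Counters.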
MCSS PHASE 4 - MAINTAINING
Once the MCSS has been launched it is important to have scheduled reviews that
allow for reflection and improvement. Developing, executing, evaluating, and
maintaining an MCSS is not a one-time task; it is an ongoing project that does
not end. Vessels and their systems are becoming more and more interconnected
and cyber threats are continuously evolving. Because of this it is of utmost
importance that the work of improving and updating the MCSS is not
neglected.
There are numerous ways in which an organisation can support and encourage
research and development within the cybersecurity area. Long-term investment
plans, corporate-funded research programmes or even in-house research
facilities might become successful, especially if the focus is on cybersecurity
specific areas; this might not only stimulate research and development, but
also provide important knowledge and guidance to the whole industry. Funding
doctorates or supporting universities is another way to encourage research and
take part in development; on a global scale there is constantly research
conducted within the area of maritime cybersecurity.
There are also numerous products being launched which are developed to
counter the effects. NovAtel is one such company, producing a full series of
military grade anti-jam antennas, but their efficiency, cost or how widespread
their usage is has not been investigated. The point is that research is being
conducted and the commercial industry is responding to the needs which are
revealed. Even if most organisations have neither the budget nor the staff to set
up their own cybersecurity research facility, this does not mean that they must
ignore this. Through supporting research and universities, be it with financial
backing or by providing equipment, facilities, or access to staff, corporations
can keep themselves at the forefront of advancement, learning and
participating in projects which might benefit the whole industry. Either way,
involving a corporation with the scientific field will provide advantages, no
doubt about this.
The consequences of not having sufficient competence available can be
resource issues, lack of compliance with legal requirements and increased risk
for the organisation's entities and all its stakeholders. The shipping corporation
shall therefore place emphasis on providing training to meet these needs and to
develop employees so that they can better fulfil their roles. The purpose of this
competence development procedure is to identify whether there are sufficient
competencies in the right areas within the organisation and what skills may be
required in the near future to handle known changes. All educational
programmes should be custom made to the proper level depending on which
area within the maritime industry is being explored, be it on land or onboard a
vessel (Canepa et al., 2021).
To be able to do this, the necessary competence levels for each technical area
and cybersecurity role must be identified and then compared with the existing
competence levels of the persons fulfilling the roles, in order to make
recommendations for further competence development. Using a competence
assessment flow as described in figure 21 will make this process simpler and
easier to overview.
As this study has identified, education is one of the most important ingredients
to maintain an up-to-date MCSS. There are multiple ways of doing this, but in all
cases continued education should be well thought through and it should provide
benefits for the individual, their work and in the case of a crew member it should
benefit the vessel.
Indeed, education of staff is so important that it must be the recommended
first step towards a successfully launched cybersecurity strategy. It is therefore
important that educational programmes reach everyone within the maritime
shipping organisation; every single individual needs to have their cybersecurity
knowledge level lifted to assure heightened cybersecurity awareness. This
should involve vessel crew, onshore personnel, port operators, shipping
agencies and general network users, which could mean employees, contractors,
researchers, and anyone else who might be active within the information
infrastructure which has a direct or indirect connection to the vessels.
This is accomplished through educational training programmes which can be
conducted either through pre-recorded classes, which could be accessible
online, or actual physical classroom sessions, or a combination of both. It
should be noted that maritime operations present limited opportunities for
training crew, but academic training is moving more and more towards online
distance teaching. The important thing is that there is consistency; a one-time
training course is insufficient (Hopcraft, 2021). By dividing education into three
different categories, it should become easier to advance a crew's cybersecurity
knowledge.
Novice
To make the audience more familiar with cybersecurity, the courses should cover
a basic introduction to cybersecurity from a maritime industry perspective. It
will also provide crew members with a better understanding of cybersecurity
threats and basic concepts for reducing risks in the maritime industry, as well as
raise awareness among crew members.
Figure 21: Competence evaluation flowchart
Advanced
Designed to provide a bird's-eye overview of cybersecurity risks within the
maritime industry to users who are already familiar with cybersecurity, who
understand threats and the basic techniques for mitigating risks, and who are
eager to develop their knowledge and skills.
Expert
A user with high cybersecurity skills and practical experience; this individual
has a strong IT interest and is willing to educate themselves further in order to
become a cybersecurity onboard resource. In addition to providing a detailed overview of
cybersecurity risks, this level of training should provide information regarding
risk assessments as a tool for reducing maritime security threats and
vulnerabilities. This training should include training on how to use and benefit
from policies and guidelines as well as general security awareness such as
password management, information backups, antivirus protection, spam,
viruses, and how social engineering works. In addition to this all users should
have knowledge on how to report suspected activities or incidents.
In technical departments such as IT, there is a need to ensure that specific
technical skills are developed and maintained within the group, especially as
demands for certain skills can change rapidly as technology develops, for
example with new versions of software or as new systems and controls are
introduced. Furthermore, it should be ensured that all involved stakeholders are
continuously educated within cybersecurity. Once a clear picture of the necessary
and current competencies has been established for an individual within a specific
role, the differences can be reviewed to identify the need for development
measures. In the case of recommended development measures, one or more of
the following alternatives may be considered.
Informal training conducted by existing staff with higher competence,
in other words the mentoring system.
Formal training via online or classroom courses.
Recruitment of extra staff with relevant competences.
Use of third-party resources when needed, contractors or consultants.
Use of resources from third parties via an agreed support agreement
that provides guaranteed access to the necessary level of competence.
The choice of approach may depend on several factors, including available
internal resources, budget, and schedules. In certain circumstances, it may be
decided not to take measures to deal with a perceived lack of competence, in
other words if the requirement is likely to decrease or disappear soon due to
known changes. The risks of doing so should be clearly defined.
Finally, the approved measures identified to develop the competence of
specific individuals should be reviewed for their effectiveness, both as part of
employee performance evaluations and regular management reviews. Once an
educational development action has been completed, a reassessment should be
performed to verify that the individual has indeed acquired the required skills.
If this is not the case, the reasons for this should be established and, if
necessary, additional measures to achieve the desired result should be
introduced. Appropriately documented evidence should be obtained for
implemented measures; this could include training plans, mentor logs or
third-party recognition in the form of professional certificates.
When there is a lack of competence or educational possibilities, mentorship
might be the right path. For mentorship to function properly there are a few
points that should be considered before appointing tutors to undertake the task
of mentoring those with less knowledge within a certain profession. The
following is a list of the main characteristics that should be present in a mentor
according to Professor Dele Braimoh at the University of Zululand in South
Africa (2008).
Willingness and the ability to find time to help others
Clear, critical, and objective mind
A show of genuine concern
Accessibility to the mentor
Highly experienced and knowledgeable in his/her field
Honesty, frankness, and openness
Ability to motivate and inspire confidence
Trustfulness and truthfulness
Commitment and selflessness
Acceptance and readiness to serve without strings attached
Empathy, deserving respect but not demanding respect
One difficult phenomenon tends to emerge when an individual who is expected
to be a mentor to others has a medium level of knowledge within an area, or
when the individual has a high level of knowledge but is of a young age. The
phenomenon can most easily be described as the unwilling mentor. It often
appears when these individuals are asked to share their knowledge in the form
of mentorship. For the young person the role of mentor can become a threat to
the person's position within the group, since sharing one's knowledge strips an
individual of uniqueness and takes away a competence advantage. The same
goes for the individual that has a medium or low level of knowledge. This
problem is an even greater dilemma when it can be identified as a cultural
issue, and it demands attention, tutor education and a great deal of assurance
of continued education within the field for the mentor.
4.3 JOINT RESULTS
It should be clarified that the two techniques used within this work are indeed
dependent on each other. It would have been difficult to draw the conclusions
that were needed for carrying out the design science method and producing the
MCIRT and the MCSS without having a meticulous literature review as the base.
On the other hand, the literature review would not have had the same value if
the design science method had not been the follow-up activity.
5 DISCUSSION
During the design science meeting which was held with Kongsberg Maritime it
was identified that the MCIRT and MCSS held a position within the industry,
through Kongsberg's acknowledgement of the importance of these kinds of
tools and of how they could help in mitigating incidents. Therefore it feels safe
to say that this research has proven itself of value for the maritime industry.
5.1 PREVIOUS RESEARCH
The ambition was to provide the appropriate set of tools as an answer to the
research question, how to design and improve a classical cyber incident response
team and a cybersecurity strategy for the maritime industry?
To be able to do this a solid knowledge of past research was needed, and
therefore this is presented as a collection of ten maritime research papers and
another collection of ten papers on the topic of ICS, the latter because vessels
are incredibly dependent upon ICS devices. The existing literature on the topic
has identified three main categories of past research areas; this study
intentionally avoided topics from these categories since they had been well
explored in the past.
The maritime literature review revealed sociotechnical difficulties which have
been addressed throughout this work. It is important to understand that how
an organisation should protect an individual crew member's privacy while at
the same time securing its infrastructure is a task that should not be taken
lightly. Defining privacy is truly a dilemma: how can it be put down in words,
this subject that has been widely disputed throughout history in both technical
and philosophical ranks (Dowding, 2011)? The standards that secure
documentation and other manifestations of the emotional intellect can be
described as the right to privacy (Warren and Brandeis, 1890). Privacy should
be considered a self-sustaining established right that should be protected on its
own (Onn et al., 2005). Privacy is a collective term, referring to a broad and
diversified group of connected items; using such a wide term is of course as
helpful in some circumstances as it is unhelpful in other contexts (Solove,
2006).
This work has chosen to define privacy as a human right to protect and decide
over everything that makes a person individually identifiable, but remember
that with all these different opinions on what privacy is, there is still not one
exact law or research statement which defines it. It is not a matter of looking
for privacy euphoria, and even though many seem to claim that prior to the
world's digitalisation privacy was simpler and a matter of face-to-face analogue
encounters, surveillance at worst, this was never the case. Sure, things might
have been a bit easier, but it can be concluded that even in those times the
world was not extolled as a privacy heaven by anyone (Schulhofer, 2016).
Nowadays it seems to be without doubt a global opinion that we as individuals
have the right to our own privacy. This right will however differ depending on
multiple parameters ranging from culture to local legislation, and because of
this our view on privacy here in Sweden might differ from the view on what
privacy is in, for example, a nation like India (Rho et al., 2018). In the United
States the Constitutional 4th Amendment is considered the protector of
privacy, but the amendment does not address privacy as an actual term;
instead it defines the right to avoid unreasonable searches. It is obvious that
privacy is important for everyone, and if humanity is not unified under one set
of laws the opinion on what rights to privacy an individual is entitled to will
differ depending on, for example, the geographical position of a website server
or under which flag a vessel is sailing.
If an individual does not realise the importance of securing information, or
simply does not care, he or she may not fully comprehend the nature and
weaknesses of the media they work with, the value of the information stored, or
the possible damage this information can cause. Employees, managers, and
subcontractors might be involved, and their intentions may not be to harm
others, but their lack of knowledge and actions may allow third parties access to
sensitive information.
The ICS literature review both confirmed and shone a new light on the contrast
between traditional information systems and ICS security requirements, which
differ significantly. An information system's security means that unauthorised
individuals or organisations cannot divulge, modify, steal, or damage private,
sensitive, or valuable data. Traditional enclosed ICS, however, are generally
considered secure by the definition of safety, which means avoiding adverse
consequences of failures of hardware, software, or systems on production,
personal safety, and property safety. As ICS become increasingly open, their
connections with the Internet become increasingly extensive, thereby requiring
both safety and security (Hu et al., 2018). The general conclusion is that threats
are continuously being presented and the only way to respond is through evolving
security measures. This can only be accomplished through a future that involves
increased collaboration between scholars, researchers, vendors, developers, and
government representatives to improve ICS security.
For commercial vessels ICS are used to manage almost everything onboard:
navigation, communication, different types of safety-related systems and loading,
just to mention a few areas. Then there are the ICS used in harbours, canals, and
container cranes. Once you start looking, they are everywhere; a ship alone can
hold several hundred ICS. It should be remembered that before the internet, ICS
were a closed environment, only accessible from within the infrastructure they
existed in (Asghar, 2019). Nowadays industries such as the maritime sector have
scaled their processes and, as an effect of this, they have used the internet as a
means of having greater control over their ICSs. Besides easing administrative
tasks and enabling twenty-four-hour surveillance, this has also created possible
access for antagonists with malicious intentions, something that has been
increasing the demand for cybersecurity and for keeping ahead of the weaknesses
which are present within ICSs.
ICSs have certain characteristics and vulnerabilities that need to be considered.
Operating systems are one such thing: these systems might run on conventional
operating systems and therefore inherit their vulnerabilities (Asghar, 2019).
Even if there are patches available for known vulnerabilities, the problem is the
time lag that might occur before the patch is applied. The discovery of new
zero-day vulnerabilities in such operating systems is one more important aspect
to be considered. For vessels en route which lack technical staff onboard this
might be a very pressing issue.
Another consideration for ICSs is a long operational life; onboard systems that
are functional are rarely replaced. The systems are costly and time-consuming to
install, and due to this most systems remain in operation for a long time,
sometimes more than fifteen years. This is often well past the expected supported
lifespan of the software and hardware, something that can be a threat since
outdated components are vulnerable. Furthermore, ICSs provide multiple points
of entry and of course also multiple points of failure, since the systems often are
geographically spread out over a large area, and even though the main system
may be protected from cyber-attacks, there are no such guarantees for individual
field devices.
Communication protocols used for industrial systems often lack security and
encryption since they were designed for isolated systems, something that opens
possibilities for attacks. There is also the problem of real-time and complex
interactions: ICSs monitor real-world processes under very tight timing and
operational limitations, and these hard limitations make them more prone to fail
in response to small deviations. Researching past documentation regarding ICS is
a great way of understanding the complexity surrounding these units.
5.2 IMPLEMENTATION
The idea of an MCIRT which places an IT/OT Onboard Representative with a
permanent connection to the Technical Advisor on land has all the prerequisites
for proving itself to be a valuable construction. This will benefit both vessels
and organisations since incidents will become either mitigated or instantly dealt
with before causing damage. Furthermore, there is a huge advantage in having
onboard personnel who can quickly determine a vessel's current state, based on
what is considered normal. The combination of the MCIRT and the MCSS gives the
advantage of the MCSS providing the tools needed to successfully activate and
incorporate the MCIRT. The guidelines set up within the Results chapter will
undoubtedly be of great assistance for elevating the cybersecurity knowledge
level onboard vessels.
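As an added example (not code from the thesis or from any organisation it describes), the following script shows how an IT/OT Onboard Representative could determine a vessel's current ICS state against what is considered normal, flagging the weaknesses named in the ICS discussion above: patch lag, equipment past its supported lifespan, unencrypted field protocols reachable beyond the isolated OT segment, and services deviating from the recorded baseline. All device names, protocols, dates, segment labels and the 90-day patch threshold are constructed assumptions.

```python
"""Added example: baseline and weakness triage over a constructed onboard
ICS inventory. Not from the thesis; all sample data is made up."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1}
MAX_PATCH_LAG_DAYS = 90  # assumed organisational limit, not a figure from the thesis


@dataclass(frozen=True)
class IcsAsset:
    name: str
    operating_system: str
    support_end: date      # vendor end of support for the OS/firmware
    last_patched: date
    protocol: str          # field protocol the device speaks
    encrypted: bool        # whether that protocol carries encryption
    segment: str           # "ot-isolated", "ot-remote" (reachable via shore link) or "it"
    services: frozenset    # services observed on the device right now


@dataclass(frozen=True)
class Finding:
    asset: str
    code: str
    severity: str
    detail: str


def assess_asset(asset: IcsAsset, baseline_services: frozenset, today: date) -> list[Finding]:
    """Apply the four checks to one asset and return its findings."""
    findings: list[Finding] = []

    # 1. Patch lag: a patch exists but has not been applied within the limit.
    lag_days = (today - asset.last_patched).days
    if lag_days > MAX_PATCH_LAG_DAYS:
        findings.append(Finding(asset.name, "PATCH_LAG", "medium",
                                f"last patched {lag_days} days ago (limit {MAX_PATCH_LAG_DAYS})"))

    # 2. Long operational life: still running past the vendor's support window.
    if today > asset.support_end:
        findings.append(Finding(asset.name, "END_OF_SUPPORT", "medium",
                                f"{asset.operating_system} unsupported since {asset.support_end}"))

    # 3. Isolated-era protocol now reachable from outside the isolated segment.
    if not asset.encrypted and asset.segment != "ot-isolated":
        findings.append(Finding(asset.name, "CLEARTEXT_PROTOCOL_EXPOSED", "high",
                                f"{asset.protocol} is unencrypted and reachable from segment {asset.segment}"))

    # 4. Deviation from the recorded normal state: new or missing services.
    unexpected = asset.services - baseline_services
    if unexpected:
        findings.append(Finding(asset.name, "BASELINE_DEVIATION", "high",
                                "services not in baseline: " + ", ".join(sorted(unexpected))))
    missing = baseline_services - asset.services
    if missing:
        findings.append(Finding(asset.name, "BASELINE_SERVICE_MISSING", "low",
                                "expected services not running: " + ", ".join(sorted(missing))))
    return findings


def triage_vessel(assets: list[IcsAsset], baseline: dict[str, frozenset],
                  today: date) -> list[Finding]:
    """Assess every asset and order findings for the Technical Advisor ashore:
    highest severity first, then by asset name and finding code."""
    findings: list[Finding] = []
    for asset in assets:
        findings.extend(assess_asset(asset, baseline.get(asset.name, frozenset()), today))
    findings.sort(key=lambda f: (-SEVERITY_RANK[f.severity], f.asset, f.code))
    return findings


# Constructed sample inventory, baseline and snapshot date (not real vessel data).
SAMPLE_DATE = date(2022, 6, 1)
SAMPLE_BASELINE = {
    "ECDIS-1": frozenset({"ecdis-ui", "chart-update"}),
    "BALLAST-PLC": frozenset({"modbus"}),
    "ENGINE-MON": frozenset({"opcua"}),
}
SAMPLE_ASSETS = [
    IcsAsset("ECDIS-1", "Windows 7", date(2020, 1, 14), date(2021, 11, 2),
             "NMEA 0183", False, "ot-isolated", frozenset({"ecdis-ui", "chart-update"})),
    IcsAsset("BALLAST-PLC", "embedded RTOS", date(2018, 6, 30), date(2022, 5, 15),
             "Modbus/TCP", False, "ot-remote", frozenset({"modbus"})),
    IcsAsset("ENGINE-MON", "Linux", date(2027, 12, 31), date(2022, 5, 20),
             "OPC UA", True, "ot-remote", frozenset({"opcua", "ssh"})),
]

if __name__ == "__main__":
    for f in triage_vessel(SAMPLE_ASSETS, SAMPLE_BASELINE, SAMPLE_DATE):
        print(f"[{f.severity:6}] {f.asset:12} {f.code:26} {f.detail}")
```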
With the knowledge that all shipping organisations and vessels are unique (IMO,
2017), the MCSS is provided in a generic manner which should be adjusted to the
organisation, fleet or vessel which is to be included in the MCSS framework.
Vessels that are less digital might use an even more lightweight version, whilst
vessels that use advanced digital equipment in a complex manner which the MCSS
does not accommodate might need to evolve and develop a much more complex MCSS
by consulting government-provided documentation such as the NIST framework
(NIST, 2022) or another more advanced industry cybersecurity strategy.
The MCSS provides a solid foundation from which a shipping organisation can
secure fleets, vessels, and their operations by following a four-step process
which is continuously cyclic, and which thereby improves itself.
5.3 ETHICAL
With the knowledge that ethics is how an individual governs himself and his
actions morally (Pasztor, 2015), this work considers ethics as the product of
society, culture, religion, upbringing, surroundings, peers, and education. The
number of different factors in play for determining someone's ethics is clearly
enough to come to the realisation that ethics are unpredictable. There is also an
unfortunate psychological dilemma that makes most people believe that they
follow ethics superior to those of their surroundings (Tappin and McKay, 2017).
This leaves their interpretations of normative ethics subjective, and due to this
their actions might be unrealistic when it comes to decisions within
cybersecurity.
In terms of privacy breaches, we can easily identify the biggest threat as being
financial damage: if valuable data is compromised by someone with what could be
considered low morals according to the societal norm, then this might often
result in negative consequences. Another, more common problem is neglect in
securing sensitive information, due to poor education, poor attitude, poor
judgement or just low morals. This is often the result of individuals who do not
understand the impact of their decisions, attitude, or actions (Al-Mahri, 2018).
People who either do not see the seriousness of neglecting to secure information,
or who just do not care, might not understand the nature of the media they are
working with, its weaknesses, the value of the information stored or the damage
that this information can do. These people might be employees, managers or
sub-contractors, and their intentions might not be to cause any harm, but their
lack of knowledge and action might enable third parties' access to sensitive
information.
This means that any level of trust which is given to individuals who are allowed
to function within an infrastructure is in a way also an assumption that these
individuals share similar ethics to the organisation. It is very important to
understand and remind oneself of the fact that this might not at all be the case.
This research holds that the best weapon against bad ethics is a unified
educational approach which works towards inclusion, enlightenment, and
empathetic behaviour.
In an industry such as the maritime sector there are parameters such as a
diverse cultural work environment, a hierarchical decision culture and the
complications of living at your workplace, all of which are to be considered
subjective. This leaves interpretations of normative ethics subjective, and due
to this actions might be unrealistic when it comes to decisions within
cybersecurity. This study has previously defined ethics as how an individual
governs himself and his actions morally (Pasztor, 2015). It is to be assumed that
by adding the MCIRT and the MCSS to the organisation some ethical factors will
be phased out, due to the increased knowledge level through the MCSS educational
planning system and through a changed hierarchical flow when it comes to the
management of cybersecurity incidents.
5.4 SOCIETAL
Essentially, social impact theory is a metatheory that incorporates several basic
principles of social influence. Together with the concept of social space, these
principles are meant to form the basis for a dynamic model of social impact that
is rigorous and scientific (Latané, 1996). Research scientists should of course
be concerned about the social benefits of their efforts. However, it often turns
out that scientists are unaware of the societal impact of their work (Bornmann,
2012). In addition to the advantages of using broad and inclusive definitions
that focus on the "influence" and "change" of the impacts for assessment
purposes, the inclusion of such definitions will raise questions regarding the
nature, direction, and desired nature of impacts (Hill, 2016).
It is hard to predict the impact without having any benchmark cases to study, but
it can probably be assumed that there will be none, or very few, negative impacts
connected with introducing the MCIRT and MCSS into a shipping corporation. This
work takes the stand that it is greatly contributing to the field of maritime
cybersecurity by inviting the onboard decision makers from each vessel within a
fleet to the decision-making table when it comes to dealing with cybersecurity
incidents. By introducing a brand-new role such as the IT/OT representative, the
MCIRT is making a huge difference for the maritime cybersecurity sector,
something which is amplified by having the MCIRT structure and idea verified as a
great solution by representatives of a key maritime cybersecurity corporation.
Adding the MCSS as an MCIRT supporting tool will greatly minimise the MCIRT
implementation time and as a tool the MCSS will provide important strategy
workflows together with valid suggestions on how to manoeuvre each phase of
the MCSS, this will ensure a successful implementation and a strengthened
cybersecurity environment for the corporation, fleet, and vessel in question.
Education of staff and crews is of course also one of the best investments when
it comes to securing a shipping organisation. When the individual on board a
vessel uses a device connected to the internet and understands the risks that
come with this connection and the risk of being hacked, then this individual can
make decisions which could be considered a 'fair trade' for convenience. The
problem is when the individual does not know or understand the risks to which he
or she is exposing themselves, or the infrastructure from which they are
accessing a certain online service, by connecting, and instead bases their trust
on assumptions.
Indeed, all of this will have a societal impact, identifiable at least on a large
scale, whether it be by more secure vessels trafficking our waters or by the
involved individuals having a greater understanding of what cybersecurity is and
how they can have an impact in securing their infrastructures.
6 CONCLUSION
In this study the most important steps to follow for the maritime shipping
corporation which has decided to implement an MCIRT and an MCSS have been
suggested. The conclusions presented are based on the literature review and on
the additional past research which has been consulted. The opinions are of course
subjective, but as far as it has been possible, they have been based on past
research material. Having had the results, in the form of artefacts, discussed
with cybersecurity experts has of course also added a more reality-based
approach to the issues mentioned.
It is important to embrace that the area of cybersecurity is evolving in
symbiosis with the threats it is faced with, and it is a never-ending process.
The cyber threat landscape is indeed moving forward so quickly that when new
security techniques are implemented, they are swiftly outmanoeuvred by newly
evolved threats. It is therefore important that continuous research surrounding
known threats is carefully carried out with the intention of trying to predict
what will come next.
Information security and cybersecurity function in conjunction with each other.
In many ways cybersecurity functions as the first line of battle against threats
related to digital systems (Aydin, 2019), whilst information security takes all
information under its wing, whether digital or analogue. The way these themes
interact makes it important to create logs and authority models in order to
define responsibilities. Hence the foundation for all areas should really be to
secure the privacy of all information, individuals and organisations managed in
systems within an environment, to secure all physical hardware which exists in
this environment, and to secure all data and all communication to and from the
environment.
Privacy is a dilemma, and nowhere more so than when you are confined to a vessel
as both your home and your workplace. Even though privacy might be available in a
wider sense, this might not necessarily be either enough or the type of privacy
which an individual would expect. Onboard a ship you might have some type of
privacy, depending on a lot of different circumstances, but regarding online
privacy, onboard internet access is granted through the vessel's infrastructure,
which comes in all different types of setups and keeps logs which track
individual activities, thereby in effect taking away some of that privacy. It has
been concluded in the past that privacy should be considered a self-sustaining
established right that should be protected on its own. This demands a higher
degree of evaluation of the sociotechnical aspect of privacy.
Securing a cyber environment is to a great extent a matter of predicting which
threats are coming next and determining how well prepared an infrastructure is
for these attacks. Not surprisingly, penetration testing is considered one of the
better techniques available for establishing the latter, especially when it is
conducted by a third party, since this helps in exposing hidden vulnerabilities.
Other ways of improving cybersecurity might be honeypots, simulation, modelling,
and security assessment, just to mention some of the more promising tools
available. They are all important tools, and combined with vendors being ready to
provide integration with commercial database systems this can all help to
increase ICS protection and make it possible for real-time data analytics to
identify a threat before it strikes, which for a vessel in the middle of the
Atlantic would be more than desirable.
This is an important image to keep in mind, especially when there is a wish to
evolve security past the current status quo. Even though there are huge
similarities between the maritime industry and other land-based industries,
there are certain differences which emphasise that the maritime sector, and every
vessel within it, is a critical infrastructure and should be managed as such. The
effects of a cyberattack on a ship might be considered a serious incident at
best, but more than likely it might provide the prerequisites for more
devastating attacks to come. The loss or disruption of sensitive information or
communication, or system failures such as losing AIS, ECDIS or GPS functionality,
to point at only a few weak points, might enable terror attacks, piracy
activities or hostile state activities.
With more focus on cybersecurity awareness, ICS manufacturers have grown to
provide and emphasise security in their products. ICSs are not only complex but
have many system interdependencies, which make it difficult to test them for
cyber defence. Simulation frameworks are needed to model all aspects of the ICS
using simulators and emulators. Testbeds are platforms used to test systems or
technologies where the actual system cannot be endangered by testing, for
example when checking the effects of patching against malware. Simulating ICS
attacks makes it possible to explore the cyber defence of the systems, using the
results to strengthen the defence. Mathematical modelling techniques such as
linear modelling can be used to model the behaviour of these control systems
when under attack. Probabilistic modelling focuses on system survivability
despite attacks, while risk modelling and assessment reduce the likelihood of
cyber-attacks disrupting ICSs and, in the event of a successful attack, help
reduce damages.
The maritime industry is becoming more and more complex; the introduction of
autonomous ships is more than likely only a small step towards complete fleets
of remote-controlled vessels transporting goods back and forth around the globe.
This work concludes that the number one priority in all instances should be to
reduce the risk of cyber-attacks, whether by updating all equipment or through
educating crew and operators. It can be concluded from past research that when
an individual who is a user within an infrastructure understands the risks that
come with having units connected to the internet and the risk of being hacked,
then the usage must be considered a 'fair trade' for convenience. The problem is
when the user does not know or understand the risks and instead bases their
trust on assumptions about how privacy within a certain device functions, all in
alignment with their trust in the manufacturers (Zheng et al., 2018). Finally,
it should be concluded that failure to install patches can become catastrophic.
Furthermore, unsecured third-party networks are unfortunately a not-so-uncommon
entry point for malicious software, and they should therefore be limited.
6.1 FUTURE STUDIES
The MCIRT provides the structure for a more dynamic and agile CIRT team, and as
such it feels like the structure is in place, but the form and, more importantly,
the roles should probably be further investigated. The Ship Operation Manager's
and the Vessel Maintenance Manager's roles within the MCIRT still need to be
much more defined, as does the IT/OT role. The supporting MCSS needs more work;
during the process of producing this document it has become apparent that the
MCSS would need to be examined and the components might need to be revisited
and, in most cases, expanded. It is important to remember that the MCSS is
nothing but a basic starting point from which every unique maritime organisation
can evolve its own custom-designed MCSS. Here it is important to understand that
a huge impact is coming from the ICS industry, since a vessel is heavily
dependent on this type of technology and research within ICSs shows an increased
focus on security.
The matter is indeed becoming even more complex with things like cloud
computing: even though it is still a new technology for ICSs, since the control
and monitoring industry has not yet fully embraced it, cloud computing is
gradually being adopted by the industry. Future deployments of ICSs will more
than likely become integrated with machine learning, and there is no doubt that
in the future there will be an increased need for a lot more collaboration
between researchers, academics, vendors, developers, and government agencies to
design foolproof solutions.
Research and laboratory experiments should be increased, since they might help
in identifying new threats beforehand through analysing the potential weaknesses
of connected physical components.
REFERENCES
Ablon L., Martin C., Libicki and Andrea A. Golay (2014) Markets for Cybercrime
Tools and Stolen Data: Hackers’ Bazaar. Santa Monica, California: RAND
Corporation. Available at: https://www.doi.org/10.7249/RR610 [Accessed 3rd
of June 2022]
Aggarwal, V. K. and Reddie, A. W. (2018) Comparative industrial policy and
cybersecurity: the US case. Journal of Cyber Policy, 3(3), 445-466. Available at:
https://doi.org/10.1080/23738871.2018.1551910 [Accessed 3rd of June 2022]
Ahmadian, M. M., Shajari, M. and Shafiee, M. A. (2020) Industrial control
system security taxonomic framework with application to a comprehensive
incidents survey, International Journal of Critical Infrastructure Protection, 29.
Available at: https://www.doi.org/10.1016/j.ijcip.2020.100356 [Accessed 3rd of
June 2022]
Akpan, F., Bendiab, G., Shiaeles, S., Karamperidis, S. and Michaloliakos, M.
(2022) Cybersecurity Challenges in the Maritime Sector. Network, 2(1), pp.123-
138. Available at: https://doi.org/10.3390/network2010009 [Accessed 3rd of
June 2022]
Al-Mahri, M. (2018) Employees’ information security awareness and behavioral
intentions in Higher Education Institutions in Oman. Available at:
https://nrl.northumbria.ac.uk/id/eprint/39454/ [Accessed 3rd of June 2022]
Alcaide, J. I. and Llave, R. G. (2020) Critical infrastructures cybersecurity and
the maritime sector. Transportation Research Procedia, 45, pp. 547–554.
Available at: https://www.doi.org/10.1016/j.trpro.2020.03.058 [Accessed 3rd
of June 2022]
Alladi, T., Chamola, V. and Zeadally, S. (2020) Industrial Control Systems:
Cyberattack trends and countermeasures, Computer Communications, 155, pp.
1–8. Available at: https://www.doi.org/10.1016/j.comcom.2020.03.007
[Accessed 3rd of June 2022]
Allen, P. (2009) Perceptions of technology at sea amongst British seafaring
officers, Ergonomics, 52(10), pp. 1206–1214. Available at:
https://www.doi.org/10.1080/00140130902971924 [Accessed 3rd of June
2022]
Androjna, A., Brcko, T., Pavic, I. and Greidanus, H. (2020) Assessing Cyber
Challenges of Maritime Navigation. Journal of Marine Science and Engineering,
8, p. 776. Available at: https://www.doi.org/10.3390/jmse8100776 [Accessed
3rd of June 2022]
Androjna, A., Perkovič, M., Pavic, I. and Miškovic, J. (2021) AIS Data Vulnerability
Indicated by a Spoofing Case-Study. Applied Sciences, 11, 5015. Available at:
https://www.doi.org/10.3390/app11115015 [Accessed 3rd of June 2022]
Angle, M., Madnick S., Kirtley J. and Khan S. (2019) Identifying and Anticipating
Cyberattacks That Could Cause Physical Damage to Industrial Control Systems,
IEEE Power and Energy Technology Systems Journal, 6(4), pp. 172–182.
Available at: https://www.doi.org/10.1109/JPETS.2019.2923970
[Accessed 3rd of June 2022]
Arumugam, V., Antony, J. and Linderman, K. (2016) The influence of
challenging goals and structured method on Six Sigma project performance: A
mediated moderation analysis, European Journal of Operational Research,
254(1), pp. 202–213. Available at:
https://www.doi.org/10.1016/j.ejor.2016.03.022 [Accessed 3rd of June 2022]
Asghar, M. R., Hu, Q. and Zeadally, S. (2019) Cybersecurity in industrial control
systems: Issues, technologies, and challenges. Computer Networks, 165,
106946. Available at: https://www.doi.org/10.1016/j.comnet.2019.106946
[Accessed 3rd of June 2022]
Atoum, I., Otoom, A. and Ali, A. A. (2014) A holistic cyber security
implementation framework. Information Management & Computer Security.
Available at: https://www.doi.org/10.1108/IMCS-02-2013-0014 [Accessed 3rd
of June 2022]
Avanesova, T. P., Gruzdeva, L. K., Iuskaev, R. A., Gruzdev, D. Y. and Somko, M.
L. (2021) Analysis of cyber-security aspects both ashore and at sea. In IOP
Conference Series: Earth and Environmental Science (Vol. 872, No. 1, p.
012024). IOP Publishing. Available at: http://www.doi.org/10.1088/1755-
1315/872/1/012024 [Accessed 3rd of June 2022]
Aven, T. (2016) Risk assessment and risk management: Review of recent
advances on their foundation. European Journal of Operational Research,
253(1), 1-13. Available at: https://doi.org/10.1016/j.ejor.2015.12.023 [Accessed
3rd of June 2022]
Awan, Malik Shahzad Kaleem and Ghamdi, Mohammed A. (2019)
Understanding the Vulnerabilities in Digital Components of an Integrated
Bridge System (IBS), Journal of Marine Science and Engineering, 7(10), p. 350.
Available at: https://www.doi.org/10.3390/jmse7100350 [Accessed 3rd of June
2022]
Aydin, B. (2019) Identifying critical cybersecurity controls at country level
(Master's thesis, Fen Bilimleri Enstitüsü). Available at:
https://acikbilim.yok.gov.tr/handle/20.500.12812/265811 [Accessed 3rd of
June 2022]
Bai, C., Dallasega, P., Orzes, G., & Sarkis, J. (2020). Industry 4.0 technologies
assessment: A sustainability perspective. International journal of production
economics, 229, 107776. Available at:
https://www.doi.org/10.1016/j.ijpe.2020.107776 [Accessed 3rd of June 2022]
Balduzzi, M., Pasta, A., Wilhoit, K. (2014) A security evaluation of AIS. A Trend
Micro Research Paper. Irving: Texas. Available at:
http://www.doi.org/10.1145/2664243.2664257 [Accessed 3rd of June 2022]
Baltic and International Maritime Council (BIMCO) (2020) The guidelines on
cybersecurity onboard ships, version 4. Available at:
https://www.bimco.org/about-us-and-our-members/publications/the-
guidelines-on-cyber-security-onboard-ships [Accessed 3rd of June 2022]
Barth, S. and de Jong, M. D. T. (2017) The privacy paradox – Investigating
discrepancies between expressed privacy concerns and actual online behavior –
A systematic literature review. University of Twente, Faculty of Electrical
Engineering, Mathematics and Computer Science. Available at:
https://www.doi.org/10.1016/j.tele.2017.04.013 [Accessed 3rd of June 2022]
Basumatary, B., Kumar, C. and Yadav, D. K. (2021) Security Risk Assessment of
Information Systems in an Indeterminate Environment. 2021 11th International
Conference on Cloud Computing, Data Science & Engineering (Confluence),
pp. 82–87. Available at:
https://www.doi.org/10.1109/Confluence51648.2021.9377129 [Accessed 3rd of
June 2022]
Bharati, S., Podder, P., Mondal, M. and Paul, P. K. (2021). Applications and
challenges of cloud integrated IoMT. In Cognitive Internet of Medical Things for
Smart Healthcare (pp. 67-85). Springer, Cham. Available at:
https://www.doi.org/10.1007/978-3-030-55833-8_4 [Accessed 3rd of June
2022]
Bolbot V., Theotokatos G., Boulougouris E. & Vassalos D. (2020) A novel cyber-
risk assessment method for ship systems. Safety Science, 131, Available at:
https://www.doi.org/10.1016/j.ssci.2020.104908 [Accessed 3rd of June 2022]
Bornmann, L. (2012) What is societal impact of research and how can it be
assessed? A literature survey. Journal of the American Society for information
science and technology, 64(2), 217-233. Available at:
https://www.doi.org/10.1002/asi.22803 [Accessed 3rd of June 2022]
Braimoh, Dele (2008) Lifelong learning through mentoring process and its
operational dimensions in society. Available at:
http://hdl.handle.net/10500/7235 [Accessed 3rd of June 2022]
vom Brocke, J., Hevner, A. and Maedche, A. (2020) Introduction to design
science research. In Design Science Research. Cases (pp. 1-13). Springer, Cham.
Available at: https://www.doi.org/10.1007/978-3-030-46781-4_1 [Accessed
3rd of June 2022]
Brodin, M., Rose, J., Åhlfeldt, R. (2015) Management issues for Bring Your Own
Device. In: Proceedings of 12th European, Mediterranean & Middle Eastern
Conference on Information Systems 2015 (EMCIS2015) Available at:
https://www.diva-portal.org/smash/get/diva2:817936/FULLTEXT01.pdf
[Accessed 3rd of June 2022]
Bunge, M. (1998) Social Science Under Debate: A Philosophical Perspective.
Toronto, Ont: University of Toronto Press, Scholarly Publishing Division.
Available at: https://www.doi.org/10.3138/9781442680036 [Accessed 3rd of
June 2022]
Caprolu, M., Pietro, R., Raponi, S., Sciancalepore, S. and Tedeschi, P. (2020)
Vessels Cybersecurity: Issues, Challenges, and the Road Ahead. IEEE
Communications Magazine, 58(6), pp. 90–96. Available at:
https://www.doi.org/10.1109/MCOM.001.1900632 [Accessed 3rd of June
2022]
Carnegie Mellon University (CMU) (2016) What skills are needed when staffing
your CSIRT? Software Engineering Institute. Available at:
https://resources.sei.cmu.edu/asset_files/WhitePaper/2017_019_001_485684.pdf
[Accessed 3rd of June 2022]
Canepa, M., Ballini, F., Dalaklis, D. and Vakili, S. (2021) Assessing the
effectiveness of cybersecurity training and raising awareness within the
maritime domain. In Proceedings of INTED2021 Conference (Vol. 8, p. 9th).
Available at: https://www.doi.org/10.21125/inted.2021.0726 [Accessed 3rd of
June 2022]
Cartwright, E., Hernandez Castro, J. and Cartwright, A. (2019) To pay or not:
game theoretic models of ransomware. Journal of Cybersecurity, 5(1), tyz009.
Available at: https://www.doi.org/10.1093/cybsec/tyz009 [Accessed 3rd of
June 2022]
Casey, E. (2009) Handbook of digital forensics and investigation. Academic
Press. Available at: https://www.doi.org/10.1016/C2009-0-01683-3 [Accessed
3rd of June 2022]
Chordiya, A. R., Majumder, S. and Javaid,A. Y. (2018) Man-in-the-Middle
(MITM) Attack Based Hijacking of HTTP Traffic Using Open Source Tools. IEEE
International Conference on Electro/Information Technology (EIT), 2018, pp.
0438-0443, Available at: https://www.doi.org/10.1109/EIT.2018.8500144
[Accessed 3rd of June 2022]
Chudasama, D. (2021) Why choose cyber security as a career. Current Trends in
Information Technology, 11(1), 14-19. Available at:
https://www.doi.org/10.37591/CTIT [Accessed 3rd of June 2022]
Cooperative Research Network (CRN) (2011) Guide to Developing a Cyber
Security and Risk Mitigation Plan. Available at:
https://www.cooperative.com/programs-services/bts/documents/guide-
cybersecurity-mitigation-plan.pdf [Accessed 3rd of June 2022]
Creswell, J. W., & Poth, C. N. (2016) Qualitative inquiry and research design:
Choosing among five approaches. Sage publications. Available at:
https://www.doi.org/10.1177/1524839915580941 [Accessed 3rd of June 2022]
Custers, B., Oerlemans, J-J. and Pool, R. (2020) Laundering the Profits of
Ransomware: Money Laundering Methods for Vouchers and Cryptocurrencies,
European Journal of Crime, Criminal Law & Criminal Justice, 28(2), pp. 121–152.
Available at: https://www.doi.org/10.1163/15718174-02802002 [Accessed
3rd of June 2022]
Daş, R., Karabade, A., & Tuna, G. (2015, May) Common network attack types and
defense mechanisms. In 2015 23rd Signal Processing and Communications
applications conference (siu) (pp. 2658-2661). IEEE. Available at:
https://www.doi.org/10.1109/SIU.2015.7130435 [Accessed 3rd of June 2022]
Dawson Jr. M. E. (2021) Cyber warfare: threats and opportunities. [pdf] Porto:
Universidade Fernando Pessoa. Available at: http://hdl.handle.net/10284/9678
[Accessed 3rd of June 2022]
Dempsey, K. L., Johnson, L. A., Scholl, M. A., Stine, K. M., Jones, A. C.,
Orebaugh, A. and Johnston, R. (2011) Information security continuous
monitoring (ISCM) for federal information systems and organizations. Available
at: https://doi.org/10.6028/NIST.SP.800-137 [Accessed 3rd of June 2022]
Densham B., Duffy D., Cassi E. and Snape, J. (2020) Cyber Security for Ships -
Socio-technical Systems Challenge. Marine Engineering, 55(2), pp. 235-244.
Available at: https://www.doi.org/10.5988/jime.55.235 [Accessed 3rd of June
2022]
Directorate-General for Maritime Affairs and Fisheries (DG MARE) (2022) The
EU’s maritime security strategy. Available at: https://ec.europa.eu/oceans-and-
fisheries/ocean/blue-economy/other-sectors/maritime-security-strategy_en
[Accessed 3rd of June 2022]
Dowding, M. (2011) Privacy: Defending an Illusion. Lanham, MD: Scarecrow
Press. Available at: https://rowman.com/ISBN/9780810881020/Privacy-
Defending-an-Illusion [Accessed 3rd of June 2022]
Elkhannoubi, H., and Belaissaoui, M. (2015) A framework for an effective
cybersecurity strategy implementation: Fundamental pillars identification. In
2015 15th International Conference on Intelligent Systems Design and
Applications (ISDA) (pp. 1-6). IEEE. Available at:
https://www.doi.org/10.1109/ISDA.2015.7489156 [Accessed 3rd of June 2022]
European Network and Information Security Agency (ENISA) (2016a)
Recruitment of CSIRT Staff, Handbook, Document for Trainers. Available at:
https://www.enisa.europa.eu/topics/trainings-for-cybersecurity-
specialists/online-training-material/documents/2016-
resources/recruitment_of_csirt_staff-handbook [Accessed 3rd of June 2022]
European Network and Information Security Agency (ENISA) (2016b) NCSS
Good Practice Guide - Designing and Implementing National Cyber Security
Strategies. Available at: https://www.doi.org/10.2824/48036 [Accessed 3rd of
June 2022]
Glomsvoll, O., and Bonenberg, L. K. (2017) GNSS jamming resilience for close to
shore navigation in the Northern Sea. The Journal of Navigation, 70(1), 33-48.
Available at: https://www.doi.org/10.1017/S0373463316000473 [Accessed 3rd
of June 2022]
Goel, N.J. and Mehtre B.M. (2015) Vulnerability Assessment & Penetration
Testing as a Cyber Defence Technology. Procedia Computer Science, Volume 57,
Pages 710-715. Available at: https://www.doi.org/10.1016/j.procs.2015.07.458
[Accessed 3rd of June 2022]
Grant, A., Williams, P., Ward, N. and Basker, S. (2009) GPS Jamming and the
Impact on Maritime Navigation. Journal of Navigation - J NAVIG. 62. Available
at: https://www.doi.org/10.1017/S0373463308005213 [Accessed 3rd of June
2022]
Grant, A., Williams, P., Shaw, G., De Voy, M., & Ward, N. (2011) Understanding
GNSS availability and how it impacts maritime safety. In Proceedings of the 2011
International Technical Meeting of the Institute of Navigation (pp. 687-695).
Available at: https://rntfnd.org/wp-content/uploads/GNSS-Maritime-GLA.pdf
[Accessed 3rd of June 2022]
Hareide, O. S., Jøsok, Ø., Lund, M. S., Ostnes R. and Helkala K. (2018)
Enhancing Navigator Competence by Demonstrating Maritime Cyber Security.
Available at: https://www.doi.org/10.1017/S0373463318000164 [Accessed 3rd
of June 2022]
Harshita, H. (2017) Detection and prevention of ICMP flood DDOS attack.
International Journal of New Technology and Research, 3(3), 263333. Available
at: https://www.ijntr.org/detection-and-prevention-of-icmp-flood-ddos-attack
[Accessed 3rd of June 2022]
Hasselquist, D., Rawat, A. and Gurtov, A. (2019) Trends and Detection
Avoidance of Internet-Connected Industrial Control Systems, IEEE Access, 7,
pp. 155504–155512. Available at:
https://www.doi.org/10.1109/ACCESS.2019.2948793 [Accessed 3rd of June
2022]
Heering, D., Maennel, O. M., and Venables, O. M. (2020) Shortcomings in
cybersecurity education for seafarers. In 5th International Conference on
Maritime Technology and Engineering, Lisbon, Portugal. Available at:
https://www.doi.org/10.1201/9781003216582-6 [Accessed 3rd of June 2022]
Hemminghaus, C., Bauer, J., & Padilla, E. (2021) BRAT: A BRidge Attack Tool
for cyber security assessments of maritime systems. TransNav: International
Journal on Marine Navigation and Safety of Sea Transportation, 15. Available at:
https://www.doi.org/10.12716/1001.15.01.02 [Accessed 3rd of June 2022]
Hemsley K., Fisher R. (2018) A History of Cyber Incidents and Threats Involving
Industrial Control Systems. 12th International Conference on Critical
Infrastructure Protection (ICCIP), Mar 2018, Arlington, VA, United States.
pp.215-242. Available at: https://www.doi.org/10.1007/978-3-030-04537-1_12
[Accessed 3rd of June 2022]
Hill, S. (2016) Assessing (for) impact: Future assessment of the societal impact
of research. Palgrave Communications, 2(1), 1-7. Available at:
https://www.doi.org/10.1057/palcomms.2016.73 [Accessed 3rd of June 2022]
Hopcraft, R. (2021) Developing Maritime Digital Competencies. IEEE
Communications Standards Magazine, 5(3), 12-18. Available at:
https://www.doi.org/10.1109/mcomstd.101.2000073 [Accessed 3rd of June
2022]
Hu, Y., Yang, A., Li, H., Sun, Y. and Sun, L. (2018) A survey of intrusion detection
on industrial control systems. International Journal of Distributed Sensor
Networks, 14(8), 1550147718794615. Available at:
https://www.doi.org/10.1177/1550147718794615 [Accessed 3rd of June 2022]
Ilcev, M. (2020) New Aspects for Modernization Global Maritime Distress and
Safety System (GMDSS). TransNav, the International Journal on Marine
Navigation and Safety of Sea Transportation, 14(4). Available at:
https://www.doi.org/10.12716/1001.14.04.26 [Accessed 3rd of June 2022]
International Maritime Organization (IMO) (2017) Guidelines On Maritime
Cyber Risk Management. Available at:
https://www.imo.org/en/OurWork/Security/Pages/Cyber-security.aspx
[Accessed 3rd of June 2022]
International Organisation for Standardization/International Electrotechnical
Commission standard (ISO/IEC) (2018) ISO/IEC 27000:2018 Information
technology – Security techniques – Information security management systems –
Overview and vocabulary. Geneva: International Organisation for
Standardization. Available at: https://www.iso.org/standard/73906.html
[Accessed 3rd of June 2022]
International Organisation for Standardization/International Electrotechnical
Commission standard (ISO/IEC) (2012) ISO/IEC 27032:2012 Information
technology – Security techniques – Guidelines for cybersecurity. Geneva:
International Organisation for Standardization. Available at:
https://www.iso.org/standard/44375.html [Accessed 3rd of June 2022]
International Organisation for Standardization/International Electrotechnical
Commission standard (ISO/IEC) (2016) ISO/IEC 27035-1:2016 Information
technology – Security techniques – Information security incident management –
Part 1: Principles of incident management. Geneva: International
Organisation for Standardization. Available at:
https://www.iso.org/standard/60803.html [Accessed 3rd of June 2022]
Jakovlev, S, Daranda, A, Voznak, M, Lektauers, A, Eglynas, T & Jusis, M (2020)
Analysis of the Possibility to Detect Fake Vessels in the Automatic Identification
System, 2020 61st International Scientific Conference on Information
Technology and Management Science of Riga Technical University (ITMS),
pp. 1–5. Available at:
https://www.doi.org/10.1109/ITMS51158.2020.9259293 [Accessed 3rd of June
2022]
Jazdi, N. (2014, May) Cyber physical systems in the context of Industry 4.0. In
2014 IEEE international conference on automation, quality and testing, robotics
(pp. 1-4). IEEE. Available at:
https://www.doi.org/10.1109/AQTR.2014.6857843 [Accessed 3rd of June
2022]
Jensen, L. (2015) Challenges in Maritime Cyber-Resilience. Technology
Innovation Management Review, 5(4), pp. 35-39. Available at:
https://www.doi.org/10.22215/timreview889 [Accessed 3rd of June 2022]
Kala, N. and Balakrishnan, M. (2019) Cyber Preparedness in Maritime Industry.
Int. J. Sci. Technol. Adv, 5, 19-28. Available at:
http://ijsta.com/papers/IJSTAV5N2Y19/IJSTAV5N2R1Y19.pdf [Accessed 3rd
of June 2022]
Karahalios, H. (2020) Appraisal of a Ship’s Cybersecurity efficiency: the case of
piracy. Journal of Transportation Security, 13(3-4), p. 179. Available at:
https://www.doi.org/10.1007/s12198-020-00223-1 [Accessed 3rd of June
2022]
Kavallieratos, G, Diamantopoulou, V and Katsikas, SK (2020) Shipping 4.0:
Security Requirements for the Cyber-Enabled Ship. IEEE Transactions on
Industrial Informatics, 16(10), pp. 6617-6625. Available at:
https://www.doi.org/10.1109/TII.2020.2976840 [Accessed 3rd of June 2022]
Kshetri, N. and Voas, J. (2017) Do Crypto-Currencies Fuel Ransomware? IT
Professional, 19(5), pp. 11-15. Available at:
https://www.doi.org/10.1109/MITP.2017.3680961 [Accessed 3rd of June 2022]
Kechagias, E. P., Chatzistelios, G., Papadopoulos, G. A., & Apostolou, P. (2022)
Digital transformation of the maritime industry: A cybersecurity systemic
approach. International Journal of Critical Infrastructure Protection, 37.
Available at: https://www.doi.org/10.1016/j.ijcip.2022.100526 [Accessed 3rd of
June 2022]
Kessler, G. C., Craiger, J. P. and Haass, J. C. (2018) A taxonomy framework for
maritime cybersecurity: A demonstration using the automatic identification
system. TransNav: International Journal on Marine Navigation and Safety of Sea
Transportation, 12(3), 429. Available at:
https://www.doi.org/10.12716/1001.12.03.01 [Accessed 3rd of June 2022]
Kessler, G. C. (2019). Cybersecurity in the Maritime Domain. USCG Proceedings
of the Marine Safety & Security Council, 76(1). Available at:
https://commons.erau.edu/publication/1318 [Accessed 3rd of June 2022]
Kessler, Gary C. (2020) Protected AIS: A Demonstration of Capability Scheme to
Provide Authentication and Message Integrity. TransNav: International Journal
on Marine Navigation and Safety of Sea Transportation, 14(2), pp. 279-286.
Available at: https://www.doi.org/10.12716/1001.14.02.02 [Accessed 3rd of
June 2022]
Kettani, H. and Wainwright, P. (2019) On the Top Threats to Cyber Systems.
Available at: https://www.doi.org/10.1109/INFOCT.2019.8711324 [Accessed 29
March 2022]
Khalid, A., Kirisci, P., Khan, Z. H., Ghrairi, Z., Thoben, K. D., & Pannek, J. (2018)
Security framework for industrial collaborative robotic cyber-physical systems.
Computers in Industry, 97, 132-145. Available at:
https://www.doi.org/10.1016/j.compind.2018.02.009 [Accessed 3rd of June
2022]
Killcrece, G., Kossakowski, K. P., Ruefle, R., & Zajicek, M. (2003) Organizational
models for computer security incident response teams (CSIRTs). Carnegie
Mellon University, Pittsburgh, PA: Software Engineering Institute. Available at:
https://www.doi.org/10.1184/R1/6575921.v1 [Accessed 3rd of June 2022]
Knopf, J. W. (2006) Doing a literature review. PS: Political Science & Politics,
39(1), 127-132. Available at: http://hdl.handle.net/10945/50674 [Accessed 3rd
of June 2022]
Kowalski, S. (1994) IT Insecurity: A Multi-disciplinary Inquiry. Available at:
https://www.researchgate.net/publication/262363153_Computer_ethics_and
_computer_abuse_A_study_of_Swedish_and_Canadian_university_data_pr
ocessing_students [Accessed 3rd of June 2022]
Kävrestad, J. (2020). Fundamentals of Digital Forensics. Springer International
Publishing. Available at: https://www.doi.org/10.1007/978-3-030-38954-3
[Accessed 3rd of June 2022]
Lagouvardou, S. (2018) Maritime Cyber Security: concepts, problems and
models. Kongens Lyngby, Copenhagen. Available at:
https://backend.orbit.dtu.dk/ws/portalfiles/portal/156025857/Lagouvardou_
MScThesis_FINAL.pdf [Accessed 3rd of June 2022]
Larsen, Marie Haugli and Lund, Mass Soldal (2021) Cyber Risk Perception in the
Maritime Domain: A Systematic Literature Review. IEEE Access, 9, pp. 144895-
144905. Available at: https://www.doi.org/10.1109/ACCESS.2021.3122433
[Accessed 3rd of June 2022]
Larkin, P. and Gould, E. (1999) The definition of work roles within organisations.
In Proceedings of the Twenty Second IRIS Conference (Information Systems
Research Seminar in Scandinavia), Keuruu, Finland. Available at:
http://iris22.jyu.fi/iris22/pub/Gould_IRIS22_work-roles3.pdf [Accessed 3rd
of June 2022]
Latané, B. (1996) Dynamic social impact: The creation of culture by
communication. Journal of communication, 46(4), 13-25. Available at:
https://www.doi.org/10.1111/J.1460-2466.1996.TB01501.X [Accessed 3rd of
June 2022]
Leite Jr. W. C., Coreixas de Moraes C., de Albuquerque C. E. P., Machado R. C.
S. and Oliveira de A. (2021) A Triggering Mechanism for Cyber-Attacks in
Naval Sensors and Systems. Sensors, 21(3195), p. 3195. Available at:
https://www.doi.org/10.3390/s21093195 [Accessed 3rd of June 2022]
Lind, T. (2014) Change and resistance to change in health care: Inertia in
sociotechnical systems Available at: https://www.diva-
portal.org/smash/record.jsf?pid=diva2%3A718762&dswid=9574 [Accessed 3rd
of June 2022]
Macit, G., Güngör, O. and Bilal, M. H. (2018) A Research on Social Media
Addiction and Dopamine Driven Feedback, Mehmet Akif Ersoy Üniversitesi
İktisadi ve İdari Bilimler Fakültesi Dergisi, 5(3), pp. 882–897. Available at:
https://www.doi.org/10.30798/makuiibf.435845 [Accessed 3rd of June 2022]
McGillivary, Phil (2018) Why Maritime Cybersecurity Is an Ocean Policy Priority
and How It Can Be Addressed. Marine Technology Society Journal, 52(5), pp.
44-57. Available at: https://www.doi.org/10.4031/MTSJ.52.5.11 [Accessed 3rd
of June 2022]
Mitre Corporation (MITRE) (2021) Corporate Overview - Our History. Available
at: https://www.mitre.org/about/our-history [Accessed 3rd of June 2022]
Morelli, U., Nicolodi, L. and Ranise, S. (2020) An Open and Flexible
CyberSecurity Training Laboratory in IT/OT Infrastructures. Cham: Springer
International Publishing (Lecture Notes in Computer Science. 11981). Available
at: https://www.doi.org/10.1007/978-3-030-42051-2 [Accessed 3rd of June
2022]
Muniz, J., McIntyre, G. and AlFardan, N., (2015) Security operations center:
Building, operating, and maintaining your SOC. Cisco Press. Available at:
https://www.ciscopress.com/articles/article.asp?p=2455014&seqNum=2
[Accessed 3rd of June 2022]
National Institute of Standards and Technology (NIST) (2006) Guide to
Integrating Forensic Techniques into Incident Response. Natl. Inst. Stand.
Technol. Spec. Publ. 800-86, 121 pages (August 2006). Available at:
https://doi.org/10.6028/NIST.SP.800-86 [Accessed 3rd of June 2022]
National Institute of Standards and Technology (NIST) (2022) NIST
Cybersecurity Framework. Available at: https://www.nist.gov/cyberframework
[Accessed 3rd of June 2022]
Nazir, S., Patel, S. and Patel, D. (2017) Assessing and augmenting SCADA
cybersecurity: A survey of techniques, Computers & Security, 70, pp. 436–454.
Available at: https://www.doi.org/10.1016/j.cose.2017.06.010 [Accessed 3rd of
June 2022]
Norris, A. (2011) Integrated Bridge Systems Vol.2 ECDIS and Positioning.
Published by The Nautical Institute, London, 2010. The International
Hydrographic Review, (5). Available at:
https://journals.lib.unb.ca/index.php/ihr/article/view/20882 [Accessed 3rd of
June 2022]
National Security Agency (NSA) (2018) NSA’S Top Ten Cybersecurity Mitigation
Strategies. Available at: https://www.nsa.gov/portals/75/documents/what-we-
do/cybersecurity/professional-resources/csi-nsas-top10-cybersecurity-
mitigation-strategies.pdf [Accessed 3rd of June 2022]
Oldenburg, M. and Jensen, H. J. (2019) Needs and possibilities for ship's crews
at high seas to communicate with their home. International Journal of
Occupational Medicine and Environmental Health, 32(6), 805-815. Available at:
https://doi.org/10.13075/ijomeh.1896.01436 [Accessed 3rd of June 2022]
Onn, Y. Druckman, Y. Timor, R. Maroun, A., Nachmani Y., Sicklai, S., Fishman,
M., Pery, L., Geva, M., Zyssman, A., Lev, I., Maron, T., Simsolo, Y., Fuches, A.
and Packer, S. (2005) Privacy in the Digital Environment, Haifa Center of Law &
Technology. Available at: https://books.google.se/books?id=yeVRrrJw-
zAC&lpg=PR1&hl=sv&pg=PR3#v=onepage&q&f=false [Accessed 3rd of June
2022]
O'Neill, A., Ahmad, A., & Maynard, S. (2021) Cybersecurity Incident Response in
Organisations: A Meta-level Framework for Scenario-based Training. arXiv
preprint arXiv:2108.04996. Available at:
https://www.doi.org/10.48550/arXiv.2108.04996 [Accessed 3rd of June 2022]
Oxford University Press (Oxford) (2022a) Oxford Learners Dictionaries -
maritime. Available at:
https://www.oxfordlearnersdictionaries.com/definition/english/maritime?q=
maritime [Accessed 16 January 2022]
Oxford University Press (Oxford) (2022b) Oxford Learners Dictionaries -
marine. Available at:
https://www.oxfordlearnersdictionaries.com/definition/english/marine_1?q=
marine [Accessed 16 January 2022]
Oxford University Press (Oxford) (2022c) Oxford Learners Dictionaries - naval.
Available at:
https://www.oxfordlearnersdictionaries.com/definition/english/naval?q=nava
l [Accessed 16 January 2022]
Pajunen, N. (2017) Overview of maritime cybersecurity. Available at:
https://urn.fi/URN:NBN:fi:amk-201702252701 [Accessed 9 May 2022]
Pandey, A., & Saini, J. R. (2014) A Simplified Defense Mechanism Against Man
in the Middle Attack. International journal of engineering innovation and
research. Available at:
https://www.academia.edu/6743286/A_Simplified_Defense_Mechanism_Aga
inst_Man_In_The_Middle_Attacks [Accessed 3rd of June 2022]
Pandey, S., Singh, R. K., Gunasekaran, A., & Kaushik, A. (2020) Cyber security
risks in globalized supply chains: conceptual framework. Journal of Global
Operations and Strategic Sourcing. Available at:
https://www.doi.org/10.1108/JGOSS-05-2019-0042 [Accessed 3rd of June
2022]
Park, S., Chang, Y., and Park, Y. (2021) Importance-Performance Analysis (IPA)
of Cyber Security Management: Focused on ECDIS User Experience. Journal of
the Korean Society of Marine Environment & Safety, 27(3), 429-438. Available
at: https://www.doi.org/10.7837/kosomes.2021.27.3.429 [Accessed 3rd of June
2022]
Pasmore W., Winby S., Mohrman Albers S. & Vanasse R. (2019) Reflections:
Sociotechnical Systems Design and Organization Change, Journal of Change
Management, 19:2, 67-85, Available at:
http://www.doi.org/10.1080/14697017.2018.1553761 [Accessed 3rd of June
2022]
Pasztor, J. (2015) What Is Ethics, Anyway?, Journal of Financial Service
Professionals, 69(6), pp. 30–32. Available at:
http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=110556945
&lang=sv&site=eds-live [Accessed 3rd of June 2022]
Piccinelli, M. and Gubian, P. (2013) Modern ships Voyage Data Recorders: A
forensics perspective on the Costa Concordia shipwreck, Digital Investigation,
10(Supplement), pp. S41–S49. Available at:
http://www.doi.org/10.1016/j.diin.2013.06.005 [Accessed 3rd of June 2022]
Podzins, O. and Romanovs, A. (2019) Why SIEM is Irreplaceable in
a Secure IT Environment? pp. 1-5. Available at:
https://www.doi.org/10.1109/eStream.2019.8732173 [Accessed 3rd of June
2022]
Poulsen R.T. and Sornn-Friese H. (2015) Achieving energy efficient ship
operations under third party management: how do ship management models
influence energy efficiency? Research in Transportation Business & Management, 17, pp. 41–52. Available at:
https://www.doi.org/10.1016/j.rtbm.2015.10.001 [Accessed 3rd of June 2022]
Pseftelis, T., and Chondrokoukis, G. (2021) A Study about the Role of the Human
Factor in Maritime Cybersecurity. SPOUDAI-Journal of Economics and
Business, 71(1-2), 55-72. Available at:
https://spoudai.unipi.gr/index.php/spoudai/article/view/2887 [Accessed 3rd
of June 2022]
Redhat (2010-2021), SECURITY: What is a CVE? Available at:
https://www.redhat.com/en/topics/security/what-is-cve [Accessed 3rd of June
2022]
Renaud, K., Searle, R., and Dupuis, M. (2021) Shame in Cyber Security: Effective
Behavior Modification Tool or Counterproductive Foil? In New Security
Paradigms Workshop (NSPW '21). Association for Computing Machinery, New
York, NY, USA, pp. 70–87. Available at:
https://www.doi.org/10.1145/3498891.3498896 [Accessed 3rd of June 2022]
Reva, D. (2020) Maritime cyber security Getting Africa ready. ISS Africa Report,
2020(29), 1-16. Available at: https://hdl.handle.net/10520/ejc-isafrica-v2020-
n29-a1 [Accessed 3rd of June 2022]
Rho, E., Ha, R., Kobsa, A. and Nguyen, C. (2018) Differences in online privacy and
security attitudes based on economic living standards: A global study of 24
countries. Twenty-Sixth European Conference on Information Systems
(ECIS2018), Portsmouth, UK, 2018. Available at:
https://aisel.aisnet.org/ecis2018_rp/95 [Accessed 3rd of June 2022]
Rowley, J., & Slack, F. (2004). Conducting a literature review. Management
research news. Available at: https://www.doi.org/10.1108/01409170410784185
[Accessed 3rd of June 2022]
Rubio J., Alcaraz C., Roman R. and Lopez J. (2019) Current cyber-defence trends
in industrial control systems, Computers & Security, 87. Available at:
https://www.doi.org/10.1016/j.cose.2019.06.015 [Accessed 3rd of June 2022]
Schulhofer, S. J. (2016) An international right to privacy? Be careful what you
wish for. International Journal of Constitutional Law, 14(1), p. 238. Available at:
https://www.doi.org/10.1093/icon/mow013 [Accessed 3rd of June 2022]
Senčila, V., and Kalvaitienė, G. (2019). Industry 4.0: Autonomous shipping and
new challenges for maritime education and training. In Transport Means-
Proceedings of 23rd International Scientific Conference. Available at:
https://www.researchgate.net/publication/340965814 [Accessed 3rd of June
2022]
Shutock, M. and Dietrich, G. (2022) Security Operations Centers: A Holistic
View on Problems and Solutions. In Proceedings of the 55th Hawaii
International Conference on System Sciences. Available at:
http://hdl.handle.net/10125/80249 [Accessed 3rd of June 2022]
Singh, K. (2020). Application of SIEM/UEBA/SOAR/SOC (Cyber SUSS)
Concepts on MSCS 6560 Computer Lab. Available at:
https://epublications.marquette.edu/theses_open/602 [Accessed 3rd of June
2022]
Sistla, V. P. K., Kolli, V. K. K., Voggu, L. K., Bhavanam, R., & Vallabhasoyula, S.
(2020) Predictive Model for Network Intrusion Detection System Using Deep
Learning. Rev. d'Intelligence Artif., 34(3), 323-330. Available at:
https://www.doi.org/10.18280/ria.340310 [Accessed 3rd of June 2022]
Snyder, H. (2019) Literature review as a research methodology: An overview and
guidelines. Journal of Business Research, 104, pp. 333-339. Available at:
https://www.doi.org/10.1016/j.jbusres.2019.07.039 [Accessed 3rd of June
2022]
Stallings, W. (1996) IPv6: the new Internet protocol. IEEE Communications
Magazine, 34(7), 96-108. Available at: https://www.doi.org/10.1109/35.526895
[Accessed 3rd of June 2022]
Svilicic, B., Brčić, D., Žuškin, S., & Kalebić, D. (2019a) Raising awareness on
cyber security of ECDIS. TransNav: International Journal on Marine Navigation
and Safety of Sea Transportation, 13(1). Available at:
https://www.doi.org/10.12716/1001.13.01.24 [Accessed 3rd of June 2022]
Svilicic, B, Rudan, I, Frančić, V & Doričić, M (2019b) Shipboard ECDIS Cyber
Security: Third-Party Component Threats. Scientific Journal of Maritime
Research, 33(2), pp. 176–180. Available at:
https://www.doi.org/10.31217/p.33.2.7 [Accessed 3rd of June 2022]
Svilicic, B., Kristić, M., Žuškin, S., Brčić, D. (2020) Paperless ship navigation:
cyber security weaknesses. Journal of Transportation Security, 13(3-4), p. 203.
Available at: https://www.doi.org/10.1007/s12198-020-00222-2 [Accessed 3rd
of June 2022]
Svoboda, J., Ghafir, I., & Prenosil, V. (2015) Network monitoring approaches: An
overview. Int J Adv Comput Netw Secur, 5(2), 88-93. Available at:
https://www.researchgate.net/publication/305957483 [Accessed 3rd of June
2022]
Solove, Daniel J. (2006) A Taxonomy of Privacy, University of Pennsylvania Law
Review. 154(3), p. 477. Available at: https://www.doi.org/10.2307/40041279
[Accessed 3rd of June 2022]
Tam, K., and Jones, K. (2019) MaCRA: a model-based framework for maritime
cyber-risk assessment. WMU Journal of Maritime Affairs, 18(1), 129-163.
Available at: https://www.doi.org/10.1007/s13437-019-00162-2 [Accessed 3rd
of June 2022]
Tappin, B. M. and McKay, R. T. (2017) The Illusion of Moral Superiority. Social
Psychological and Personality Science, 8(6), pp. 623–631. Available at:
https://www.doi.org/10.1177/1948550616673878 [Accessed 3rd of June 2022]
Taxén, L. (2020) Reviving the Individual in Sociotechnical Systems
Thinking, Complex Systems Informatics and Modeling Quarterly, CSIMQ, (128),
pp. 39–48. Available at: http://www.doi.org/10.7250/csimq.2020-22.03
[Accessed 3rd of June 2022]
Taylor, C. S. (2013) Validity and Validation, Series in Understanding Statistics.
Oxford: Oxford University Press. Available at:
https://www.doi.org/10.1093/acprof:osobl/9780199791040.001.0001
[Accessed 3rd of June 2022]
Tran, K., Keene, S., Fretheim, E. and Tsikerdekis, M. (2021) Marine Network
Protocols and Security Risks. Journal of Cybersecurity and Privacy, 1(2), pp.239-
251. Available at: http://www.doi.org/10.3390/jcp1020013 [Accessed 3rd of
June 2022]
Tuan, T. A., Long, H. V., Son, L. H., Kumar, R., Priyadarshini, I. and Son, N. T.
K. (2020). Performance evaluation of Botnet DDoS attack detection using
machine learning. Evolutionary Intelligence, 13(2), 283-294. Available at:
https://doi.org/10.1007/s12065-019-00310-w
Tye, C. S. and Fairhurst, G. (2003) A review of IP packet compression
techniques. Proc. PGNet, 13. Available at:
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.111.6448&rep=rep1
&type=pdf [Accessed 3rd of June 2022]
Tzannatos, E. (2002) GMDSS operability: the operator-equipment interface. The
Journal of Navigation, 55(1), 75-82. Available at:
https://www.doi.org/10.1017/S037346330100162X [Accessed 3rd of June
2022]
Uğurlu, Ö., Yıldız, S., Loughney, S. and Wang J. (2018) Modified human factor
analysis and classification system for passenger vessel accidents (HFACS-PV).
Ocean Engineering, 161, pp. 47-61. Available at:
https://www.doi.org/10.1016/j.oceaneng.2018.04.086 [Accessed 3rd of June
2022]
Uma, M. and Padmavathi, G. (2013). A Survey on Various Cyber Attacks and
their Classification. Int. J. Netw. Secur., 15(5), 390-396. Available at:
https://www.doi.org/10.6633/IJNS.201309.15(5).09 [Accessed 3rd of June
2022]
Umer, M. A., Junejo, K. N., Jilani, M. T., & Mathur, A. P. (2022) Machine
learning for intrusion detection in industrial control systems: Applications,
challenges, and recommendations. International Journal of Critical
Infrastructure Protection. Available at:
https://www.doi.org/10.1016/j.ijcip.2022.100516 [Accessed 3rd of June 2022]
Valčić, S., Škrobonja, A., Maglić, L., & Sviličić, B. (2021). GMDSS Equipment
Usage: Seafarers’ Experience. Journal of Marine Science and Engineering, 9(5),
476. Available at: https://www.doi.org/10.3390/jmse9050476 [Accessed 3rd of
June 2022]
Vielberth, M. (2021). Security Operations Center (SOC). Available at:
https://www.doi.org/10.1007/978-3-642-27739-9_1680-1 [Accessed 3rd of
June 2022]
Vishnu, S., Ramson, S. R. J. and Jegan, R. (2020) Internet of Medical Things
(IoMT) - An overview, 2020 5th International Conference on Devices, Circuits
and Systems (ICDCS), pp. 101–104. Available at:
https://www.doi.org/10.1109/ICDCS48716.2020.243558 [Accessed 3rd of June
2022]
Von Solms, R. and Van Niekerk, J. (2013) From information security to cyber
security, School of ICT, Nelson Mandela Metropolitan University, Port Elizabeth
6031, South Africa, Elsevier Ltd., Available at:
https://www.doi.org/10.1016/j.cose.2013.04.004 [Accessed 3rd of June 2022]
Wallischeck, Eric York (2013) DOT-VNTSC-MARAD-13-01; Department of
Transportation-John A. Volpe National Transportation Systems Center-
Maritime Administration-12-01. Available at:
https://www.doi.org/10.13140/RG.2.1.2140.2963 [Accessed 3rd of June 2022]
Warren, S.D. and Brandeis, L.D. (1890) The right to privacy. Harvard Law
Review, Available at: https://www.doi.org/10.2307/1321160 [Accessed 3rd of
June 2022]
Werlinger, R., Botta, D. and Beznosov, K. (2007) Detecting, analyzing and
responding to security incidents: A qualitative analysis. ACM International
Conference Proceeding Series. Available at:
https://doi.org/10.1145/1280680.1280702 [Accessed 3rd of June 2022]
Willems, J. (2021) Software-Defined Networking (SDN) and cyber security: The
Current Scenario, Opportunities, and Challenges. Communication Systems XIV,
145. Available at:
https://files.ifi.uzh.ch/CSG/teaching/FS21/IFI_2021_02.pdf#page=145
[Accessed 3rd of June 2022]
Xu, L. D., Xu, E. L., & Li, L. (2018) Industry 4.0: state of the art and future trends.
International journal of production research, 56(8), 2941-2962. Available at:
https://www.doi.org/10.1080/00207543.2018.1444806 [Accessed 3rd of June
2022]
Yara International ASA (2022) News and media Yara Birkeland. Available at:
https://www.yara.com/news-and-media/press-kits/yara-birkeland-press-kit/.
[Accessed 3rd of June 2022]
Yılmaz, E.N. and Gönen, S. (2018) Attack detection/prevention system against
cyber-attack in industrial control systems, Computers & Security, 77, pp. 94–105.
Available at: https://www.doi.org/10.1016/j.cose.2018.04.004 [Accessed
3rd of June 2022]
Zarzuelo Pena de la, I. (2021) Cybersecurity in ports and maritime industry:
Reasons for raising awareness on this issue, Transport Policy, 100, pp. 1–4.
Available at: https://www.doi.org/10.1016/j.tranpol.2020.10.001 [Accessed 3rd
of June 2022]
Zhang, D., Wang Q., Feng G., Shie Y. and Vasilakos A. (2021) A survey on attack
detection, estimation, and control of industrial cyber-physical systems, ISA
Transactions. Available at: https://www.doi.org/10.1016/j.isatra.2021.01.036
[Accessed 3rd of June 2022]
Zheng, S., Apthorpe, N., Chetty, M., Feamster, N. (2018) User Perceptions of
Smart Home IoT Privacy. Proc. ACM Hum.-Comput. Interact., 2(200),
Computer Supported Cooperative Work (CSCW). Available at:
https://www.doi.org/10.1145/3274469 [Accessed 3rd of June 2022]
Zimmerman, C. (2014) Cybersecurity operations center. The MITRE
Corporation. Available at: https://www.mitre.org/publications/all/ten-
strategies-of-a-world-class-cybersecurity-operations-center [Accessed 3rd of
June 2022]
Zdrnja, B. (2006). Security Monitoring of DNS traffic. University of Auckland.
Available at:
https://www.researchgate.net/publication/228539325_Security_Monitoring_
of_DNS_traffic [Accessed 3rd of June 2022]
Article
The role of computers and the Internet in modern society is well recognized. Recent developments in the fields of networking and cyberspace have greatly benefited mankind, but the rapid growth of cyberspace has also contributed to unethical practices by individuals who are bent on using the technology to exploit others. Such exploitation of cyberspace for the purpose of accessing unauthorized or secure information, spying, disabling of networks and stealing both data and money is termed as cyber attack. Such attacks have been increasing in number and complexity over the past few years. There has been a dearth of knowledge about these attacks which has rendered many individuals/agencies/organizations vulnerable to these attacks.[7] Hence there is a need to have comprehensive understanding of cyber attacks and its classification. The purpose of this survey is to do a comprehensive study of these attacks in order to create awareness about the various types of attacks and their mode of action so that appropriate defense measures can be initiated against such attacks.
Article
Information system solutions are increasingly being applied to the maritime industry, and eventually, all aspects of maritime operations will be aided by the digital transformation of the industry. The maritime industry is a sector driven by compliance and historically deals with security and safety matters at an international level. It has been recognized that safety and security in maritime heavily depend on cyber systems and cybersecurity implementation requirements have started to get integrated into maritime's regulatory context. This paper focuses on cybersecurity in the maritime industry, presenting an inside view of maritime cybersecurity aspects and offering a detailed case study analysis based on a real-world company's approach. The main objective of the paper is, therefore, to connect research with practice, presenting a maritime company's cybersecurity systemic approach with references to procedures and policies. The findings of the case study and the cyber security vessel audit survey that is performed show that the company was able to assess its current status, collect evidence and objectively determine security gaps, and achieve cyber risks mitigation. The gained knowledge will be used in the future to continuously improve the company's systems and move to a more predictive and proactive maturity level.
Article
Methods from machine learning are used in the design of secure Industrial Control Systems. Such methods focus on two major areas: detection of intrusions at the network level using the information acquired through network packets, and detection of anomalies at the physical process level using data that represents the physical behavior of the system. This survey focuses on four types of methods from machine learning for intrusion and anomaly detection, namely, supervised, semi-supervised, unsupervised, and reinforcement learning. The literature available in the public domain was carefully selected, analyzed, and placed along a 10-dimensional space for ease of comparison. This multi-dimensional approach is found valuable in the comparison of the methods considered and enables a scientific discussion on their utility in specific environments. The challenges associated in using machine learning, and gaps in research, are identified and recommendations made.
Article
In recent years, there has been a relentless drive by all industries to digitalize many everyday operations. The maritime industry is no exception, with the increase in digital tools that assist the everyday operations of the seafarer. What is more, much of this technology is now networked together, or to the Internet, which opens the seafarer up to a wave of new cyber risks. Maritime communication systems have often been demonstrated as insecure in the recent past. Thus, without appropriate training, seafarers are ill-prepared to protect themselves, and the systems for which they are responsible, from the impacts of cyber incidents. This article argues that there is a clear link between seafarer training and maritime safety. As such, there is a need to develop standardized digital competencies for all seafarers. The creation of these competencies needs to be considerate of company-specific and operation-spe-cific risk management practices. This article presents one possible solution for the development of maritime digital competencies utilizing the well-estab-lished NIST Cybersecurity Framework.