As the maritime sector embraces more technology to increase
efficiency, lower carbon emissions, and adapt to meet modern challenges, cyber
and cyber-physical safety become a more significant issue. Unfortunately,
much past research views cyber-security issues in
transportation as primarily information technology problems. This paper designs
and uses a case study to illustrate how cyber-security and physical safety
should be viewed together (i.e. as cyber-physical) when considering
ship-to-ship and ship-to-shore interactions. While some elements of the scenario are designed,
this case study is built with real port data and ship systems to demonstrate a
real-world cyber-attack on a ship. It shows plausible physical effects that
affect the safety of those involved. This case study is also made realistic
with a novel hybrid cyber range and hardware testbed environment, designed to
examine the different effects a ship-based cyber-attack could potentially have
on a port. This informs several solutions, technical and social, that could
enhance cyber-physical safety in marine transportation.