Maritime transport
Panayiotis Kotzanikolaou
University of Piraeus — 15 May 2020
From ship to shore: securing maritime transport
This application demonstrator covers the maritime transport use case. The goal of each demonstrator is to ‘put the correct pieces together’, with those pieces first described through concrete use cases.
The use cases
Although the security requirements of maritime transport are vast and cover multiple areas of cybersecurity controls, we have identified four concrete security services – use cases – that will be integrated and later demonstrated. These are based on the requirements analysis and the maritime transport research and development roadmap developed in earlier stages of the project.
1. Threat modelling and risk analysis for maritime transport services
We identified targeted threats and risks for maritime transport that include various other use cases, which describe all the distinctive phases, such as:
→ critical maritime assets and services identification;
→ vulnerability management;
→ threat modelling and scenarios specification;
→ maritime transport risk analysis;
→ attack paths representation; and
→ maritime transport risk management.
2. Maritime system software hardening
Applications used in the maritime domain, such as software running on a moving vessel, usually utilise legacy code which is hard to update and sometimes even harder to replace. An attractive option is software hardening, whereby a program is re-written in order to avoid memory-related vulnerabilities. Re-writing the code can be done either by re-compiling the source (where possible) or by reconstructing the binary. Note that this re-writing is focused on the security properties of software and not on its base functionality.
Hardening can be applied much more easily than a total replacement of the code.
3. Secure maritime communications
We examined the secure exchange of various types of information, including maritime-specific systems such as:
→ VHF data exchange system (VDES) frequencies;
→ automatic identification system (AIS) information;
→ maritime mobile service identity (MMSI), time, ship position, speed, course etc;
→ vessel voyage information (such as route plans and mandatory ship reports);
→ maritime single window reporting information (such as ship certificates, log books, passenger lists and crew lists); and
→ port to vessel information, such as weather reports, passenger lists or cargo manifests.
4. Trust infrastructure for secure maritime communication
As various types of information are exchanged and transmitted between different maritime stakeholders and actors at sea and on shore, designing a specially crafted trust infrastructure is vital. However, it is not straightforward to set up and operate a typical public key infrastructure (PKI) solution, since there are constraints associated with the maritime transport domain. The communication bandwidth of ship networks has to be taken into account. For example, the SATCOM component of VDES is expected to become a bottleneck in ship communication, due to its low capacity. In addition, it is not uncommon for ships to sail for long periods of time without any Internet connectivity at all; and, as shipping is a low cost business, this imposes strict limitations on what solutions will be acceptable to the industry.
Here we will research those constraints and design and demonstrate a PKI service specifically adapted to fit the needs of the maritime domain.
The demonstrator set-up
Here is what the three demonstrators will illustrate:
(A) Threat modelling and risk analysis for maritime transport services using a web application utilising multiple modules to give a complete risk assessment process. The sequence of information insertion will ultimately lead to a complete asset map and informative output forms based on multiple risk assessment results.
(B) Maritime system software hardening firstly by enhancing the risk analysis framework realised in (A), and then hardening unsafe components used in (C).
(C) Secure maritime communications and trust infrastructure for secure maritime communication, initially by implementing the PKI service described in (A); in the next phase, this will be extended to demonstrate the secure maritime communications.
For more information on this phase of all the demonstrators, detailed descriptions can be found in our report Specification and Set-up Demonstration case Phase 1 (D5.2).
Panayiotis Kotzanikolaou and Eleni-Maria Kalograki
University of Piraeus — 27 March 2021
The case for investing in resilient maritime transport infrastructures
Maritime transport is a dynamic sector which includes various interactions between physical and cyber systems operated by different stakeholders and users. It involves various processes and services such as docking of the ship, loading and unloading, ship navigation, ship-to-ship and ship-to-shore communications, pre-arrival notifications, to name just a few.
Such complex structures provide a vast attack surface, where many attack paths may occur due to various causes, ranging from software vulnerabilities to deliberate attacks or human errors. The incremental evolution of technology, together with the spread of automation and digitalisation in maritime transport operations, has raised the need to look for strategies, methods and tools that can adequately secure the dynamic environment of maritime transport. This includes the involved operators, the critical information infrastructures (of ports and vessels) in operation and their corresponding communications.
The identification of the current and near-term future cybersecurity challenges for the maritime transport sector is within the scope of the research roadmapping activities of CyberSec4Europe, along with the identification of the existing methods and tools that may assist researchers in meeting these challenges.
Challenges and opportunities
The complicated dual cyber and physical nature of the maritime environment raises a set of open issues concerning the effective and efficient handling of their security and safety issues. In this context, we have identified a set of research challenges and issues, regarding the distributed and interconnected nature of complex, inter-related maritime components, network and operating environments that need to be investigated:
Developing risk assessment and threat modeling techniques targeted at the maritime transport threat landscape
Existing maritime transport risk assessment methodologies could be enhanced with targeted threat models that capture the adversarial environment of maritime infrastructures such as ship and port facilities. Novel cyber-physical attacks and cascading attack paths against autonomous ships and port automation SCADA systems are typical examples of new cascading threats that should be identified early.
Security hardening for critical maritime systems
System security hardening is a challenging task in domains where it is hard to analyse and correct software errors. Maritime systems fall into this category, as they are based on non-standard devices, embedded systems, legacy applications, and so on. Therefore, developing efficient hardening techniques for maritime systems is an important research challenge.
Maritime communications involve data exchange between ships, ports, remote control centres, vessel traffic services, search and rescue and so on, each of which has different technical and environmental constraints. For example, ships cannot depend on landline communications, while search and rescue communication services require the prioritisation of communication channels in case of emergencies. Setting up and operating efficient trust infrastructures for such an environment is also an open challenge, since typical public key infrastructures require high bandwidth and real time communications for certificate verification, which may not be efficient for the ship environment.
Securing autonomous ships
Autonomous ships are characterised by the increasing deployment of interconnected cyber-physical systems. To this end, a comprehensive requirements elicitation process requires a security assessment to incorporate safety aspects.
Since resilience suggests properties like infrastructure redundancy and robustness, it is implicit that building resilient infrastructures comes with an increase in cost. An interesting problem is balancing infrastructure resilience and cost optimisation. As the recent pandemic has reminded us, the maritime transport sector is a critical sector for many vital activities such as the delivery of medicine and supply chain operations.
A major challenge is ensuring the resilience of critical maritime systems which should continue to provide a minimum service level during or after a cyber/physical threat, and should also quickly adapt and recover from such unwanted events.
As the EU is one of the key global players in maritime transport, the development of resilient and cost-effective maritime infrastructures is a clear opportunity for Europe.
More information on the research and development roadmap for the maritime transport sector but also for the other verticals examined within CyberSec4Europe can be found in the report Research and Development Roadmap 1 (D4.3).