2 research outputs found

    CYBERSECURITY RISK ASSESSMENT IN THE MARITIME INDUSTRY

    Cybersecurity risks are becoming an increasingly significant concern within the maritime industry, particularly in light of the rapid advancement of digitised technologies and the emergence of autonomous shipping. Concurrently, the apprehension surrounding the potential for cybersecurity incidents in maritime settings has also heightened. In fact, the number of reported cases of cyber-attacks in the maritime sector has seen a substantial increase since 2010. Consequently, academic interest in researching maritime cybersecurity has grown, underscoring its importance for a thorough exploration of the subject. Nevertheless, a scrutiny of existing literature reveals that current cybersecurity research predominantly underscores the necessity for improvement but lacks a specific focus on cyber threats and measures for risk mitigation. Notably, the maritime industry faces a scarcity of comprehensive investigations into cybersecurity risk assessment, and there is also a dearth of scholarly endeavours aimed at establishing a comprehensive framework for evaluating cybersecurity risks relevant to maritime operations.

    This thesis aims to create a new framework for assessing cybersecurity risks, contributing to safety improvements in the maritime sector. The objective is to provide a visualised solution that assists stakeholders in understanding and refining their approaches to cybersecurity risk management. Through this innovative framework, the thesis seeks to enhance safety measures and promote effective risk mitigation strategies within the dynamic landscape of the maritime industry.

    To attain the research aim, a literature review and bibliometric analysis were conducted to discern maritime cybersecurity guidelines from diverse maritime organisations. The purpose was to assess the current state of academic research in the cybersecurity field specific to the maritime sector and address identified research gaps. Subsequently, a systematic literature review was employed to identify various maritime cybersecurity threats, and cybersecurity risks were assessed using a FMEA-Rule-based Bayesian Network (FMEA-RBN) model. The next step involved the identification of cybersecurity mitigation measures and criteria through another systematic literature review. These measures were then ranked using the Fuzzy TOPSIS model, enabling the research team to prioritise them effectively. Additionally, the research sought to demonstrate how a bowtie diagram could be integrated into the cybersecurity assessment framework, providing a visual representation of its components. The collective pursuit of these research objectives is anticipated to yield a comprehensive understanding of maritime cybersecurity, contributing to the development of a more efficacious cybersecurity assessment framework tailored for the maritime sector.

    This research is significant in several respects. First and foremost, despite numerous studies addressing maritime risk, safety, and security, there remains a notable scarcity of research specifically dedicated to maritime cybersecurity. To bridge this gap, this research systematically identifies various cyber threats in the maritime sector and organises them into distinct groups. This categorisation serves to assist maritime managers in discerning the potential impact of different cyber threats on their cybersecurity management, enabling them to allocate limited budgets more effectively. Secondly, in addition to the identification and assessment of cyber threats, this research puts forth seven risk control measures and six hierarchical criteria for evaluating maritime cybersecurity. This framework aids maritime managers in comprehending the significance of these measures and adapting their cybersecurity strategies to varying circumstances. For example, some companies may prioritise the reliability of measures, while others may place greater emphasis on economic affordability. The research also suggests diverse policies for stakeholders to enhance maritime cybersecurity. Thirdly, this research not only presents a framework for maritime cybersecurity but also conducts risk assessments and evaluates risk control measures using empirical data gathered from industry experts, rather than relying solely on secondary data. This approach provides real-world insights and reflects the current state of maritime cybersecurity. Lastly, the research introduces a bowtie framework for maritime cybersecurity risk management, demonstrating its application through the assessment of risks related to malware. The visual representation of the bowtie framework assists managers in comprehending maritime cyber threats, potential consequences, and the corresponding risk control measures to mitigate both threats and their consequences.

    In conclusion, this thesis significantly contributes to maritime cybersecurity understanding and management, offering practical insights and recommendations for stakeholders to enhance their cybersecurity preparedness and safeguard their operations against cyber threats. The proposed framework and empirical approach ensure their relevance and applicability in the context of current maritime cybersecurity challenges.

    An experimental evaluation of bow-tie analysis for security

    Purpose: Within critical-infrastructure industries, bow-tie analysis is an established way of eliciting requirements for safety and reliability concerns. Because of the ever-increasing digitalisation and coupling between the cyber and physical world, security has become an additional concern in these industries. The purpose of this paper is to evaluate how well bow-tie analysis performs in the context of security, and the study’s hypothesis is that the bow-tie notation has a suitable expressiveness for security and safety.

    Design/methodology/approach: This study uses a formal, controlled quasi-experiment on two sample populations – security experts and security graduate students – working on the same case. As a basis for comparison, the authors used a similar experiment with misuse case analysis, a well-known technique for graphical security modelling.

    Findings: The results show that the collective group of graduate students, inexperienced in security modelling, performs similarly to security experts in a well-defined scope and familiar target system/situation. The students showed great creativity, covering most of the same threats and consequences as the experts identified and discovering additional ones. One notable difference was that these naïve professionals tend to focus on preventive barriers, leading to requirements for risk mitigation or avoidance, while experienced professionals seem to balance this more with reactive barriers and requirements for incident management.

    Originality/value: Our results are useful in areas where we need to evaluate safety and security concerns together, especially for domains that have experience in health, safety and environmental hazards, but now need to expand this with cybersecurity as well.