The Finnish Maritime Sector Inside the Cybersecurity Hurricane

For a long time, maritime safety and security regulations have remodeled the operations of the international maritime sector. In recent years, there has emerged a new kind of security matter called cybersecurity, which has globally remodeled even further the operations of the maritime sector. Cybersecurity and its related key factors, cyberthreat and cyberattack, have showed new kind of threats and vulnerabilities of the maritime sector. Despite the growing number of researches of related to this topic, the overall awareness of the maritime cybersecurity occurs inadequate within the international maritime sector. The research question “How does the Finnish maritime sector experience cybersecurity?” aims at understanding the perceptions and opinions of the Finnish maritime sector’s key operators, which are port authorities, port operators and shipping companies, concerning cybersecurity. This thesis was conducted as a qualitative research which was built upon a comprehensive literature review and enhanced with in-depth interviews with the key operators of the Finnish maritime sector. The results show that the awareness within the Finnish maritime sector has increased, but there still occurs some differences between different maritime operators in terms of understanding the cybersecurity factors. The Finnish maritime operators have taken steps towards better cybersecurity, but there is still a great need for industry wide standards and practical level coordination. The NIS Directive has the chance to improve the cybersecurity operations even further and to simplify the concepts and procedures in terms of better cybersecurity situation

CYBERSECURITY RISK ASSESSMENT IN THE MARITIME INDUSTRY

Cybersecurity risks are becoming an increasingly significant concern within the maritime industry, particularly in light of the rapid advancement of digitised technologies and the emergence of autonomous shipping. Concurrently, the apprehension surrounding the potential for cybersecurity incidents in maritime settings has also heightened. In fact, the number of reported cases of cyber-attacks in the maritime sector has seen a substantial increase since 2010. Consequently, academic interest in researching maritime cybersecurity has grown, underscoring its importance for a thorough exploration of the subject. Nevertheless, a scrutiny of existing literature reveals that current cybersecurity research predominantly underscores the necessity for improvement but lacks a specific focus on cyber threats and measures for risk mitigation. Notably, the maritime industry faces a scarcity of comprehensive investigations into cybersecurity risk assessment, and there is also a dearth of scholarly endeavours aimed at establishing a comprehensive framework for evaluating cybersecurity risks relevant to maritime operations. This thesis aims to create a new framework for assessing cybersecurity risks, contributing to safety improvements in the maritime sector. The objective is to provide a visualised solution that assists stakeholders in understanding and refining their approaches to cybersecurity risk management. Through this innovative framework, the thesis seeks to enhance safety measures and promote effective risk mitigation strategies within the dynamic landscape of the maritime industry. To attain the research aim, a literature review and bibliometric analysis were conducted to discern maritime cybersecurity guidelines from diverse maritime organisations. This purposed to assess the current state of academic research in the cybersecurity field specific to the maritime sector and address identified research gaps. Subsequently, a systematic literature review was employed to identify various maritime cybersecurity threats, and cybersecurity risks were assessed using a FMEA-Rule-based Bayesian Network (FMEA-RBN) model. The next step involved the identification of cybersecurity mitigation measures and criteria through another systematic literature review. These measures were then ranked using the Fuzzy TOPSIS model, enabling the research team to prioritise them effectively. Additionally, the research sought to demonstrate how a bowtie diagram could be integrated into the cybersecurity assessment framework, providing a visual representation of its components. The collective pursuit of these research objectives is anticipated to yield a comprehensive understanding of maritime cybersecurity, contributing to the development of a more efficacious cybersecurity assessment framework tailored for the maritime sector. Several significances of this research have been proposed. First and foremost, despite numerous studies addressing maritime risk, safety, and security, there remains a notable scarcity of research specifically dedicated to maritime cybersecurity. To bridge this gap, this research systematically identifies various cyber threats in the maritime sector and organises them into distinct groups. This categorisation serves to assist maritime managers in discerning the potential impact of different cyber threats on their cybersecurity management, enabling them to allocate limited budgets more effectively. Secondly, in addition to the identification and assessment of cyber threats, this research puts forth seven risk control measures and six hierarchical criteria for evaluating maritime cybersecurity. This framework aids maritime managers in comprehending the significance of these measures and adapting their cybersecurity strategies to varying circumstances. For example, some companies may prioritise the reliability of measures, while others may place greater emphasis on economic affordability. The research also suggests diverse policies for stakeholders to enhance maritime cybersecurity. Thirdly, this research not only presents a framework for maritime cybersecurity but also conducts risk assessments and evaluates risk control measures using empirical data gathered from industry experts, rather than relying solely on secondary data. This approach provides real-world insights and reflects the current state of maritime cybersecurity. Lastly, the research introduces a bowtie framework for maritime cybersecurity risk management, demonstrating its application through the assessment of risks related to malware. The visual representation of the bowtie framework assists managers in comprehending maritime cyber threats, potential consequences, and the corresponding risk control measures to mitigate both threats and their consequences. In conclusion, this thesis significantly contributes to maritime cybersecurity understanding and management, offering practical insights and recommendations for stakeholders to enhance their cybersecurity preparedness and safeguard their operations against cyber threats. The proposed framework and empirical approach ensure their relevance and applicability in the context of current maritime cybersecurity challenges