A critical analysis of security vulnerabilities and countermeasures in a smart ship system

It is timely to raise cyber security awareness while attacks on maritime infrastructure have not yet gained critical momentum. This paper analyses vulnerabilities in existing shipborne systems and a range of measures to protect them. It discusses Information Technology network flaws, describes issues with Industrial Control Systems, and lays out major weaknesses in the Automated Identification System, Electronic Chart Display Information System and Very Small Aperture Terminals. The countermeasures relate to the concept of “Defence-in-depth”, and describe procedural and technical solutions. The maritime sector is interconnected and exposed to cyber threats. Internet satellite connections are feasible and omnipresent on vessels, offshore platforms and even submarines. It enables services that are critical for safety and rescue operations, navigation and communication in a physically remote environment. Remote control of processes and machinery brings benefits for safety and efficiency and commercial pressure drives the development and adaptation of new technologies. These advancements include sensor fusion, augmented reality and artificial intelligence and will lead the way to the paradigm of “smart” shipping. Forecasts suggest unmanned, autonomous ships in international waters by 2035. This paper is the starting point for future research, to help mapping out the risks and protect the maritime community from cyber threats

New labour and new surveillance: Theoretical and political ramifications of CCTV implementation in the UK

This paper examines the implications of New Labour's approaches to crime and disorder on CCTV implementation. It concentrates on the usage of CCTV as one of the government's many initiatives, which are intended to address crime and disorder, including the fear of crime. In particular, the impact of the 1998 Crime and Disorder Act (CDA) - the cornerstone of this government's approach to crime reduction - on the generation of such strategies is examined. The paper revisits neo-Marxist and Foucauldian analyses of the so-called surveillance society through an appraisal of the complex relationship between structure and agency in the formulation and implementation of anti-crime and disorder strategies. Drawing on fieldwork data the paper considers the activities of practitioners at a local level by focusing on the influence of central government, local communities and 'common sense' thinking based on certain criminological theories. It is argued that a myriad of micro-level operations, obligations, processes, managerial concerns (particularly conflict resolution and resource issues), structures and agency - as well as the indirect influence of central government - shape CCTV policy. Ultimately, the creation of new local policy contexts under the CDA emphasise the need to consider incremental and malleable processes concerning the formulation of CCTV policy. In turn, this allows a re-examination of theoretical accounts of surveillance, and their attendant assumptions of sovereign or disciplinary power

Autonomy and capacity: a state-centred approach to post-communist transition in Central Europe

The paper examines state characteristics and their policy implications in five Central European post-communist countries. It argues that policies on macroeconomic stabilisation, privatisation and FDI had been shaped by state-society relations, which, in turn, had been affected by policy outcomes. Curiously, though, whereas structural and institutional developments exhibited a great deal of path-dependency in some countries, in others significant policy shifts took place. The conceptual tools of state capacity and autonomy are used to describe both dynamics, as well as to explain the spectacular variation in the role of FDI across the region

Assessing and augmenting SCADA cyber security: a survey of techniques

SCADA systems monitor and control critical infrastructures of national importance such as power generation and distribution, water supply, transportation networks, and manufacturing facilities. The pervasiveness, miniaturisations and declining costs of internet connectivity have transformed these systems from strictly isolated to highly interconnected networks. The connectivity provides immense benefits such as reliability, scalability and remote connectivity, but at the same time exposes an otherwise isolated and secure system, to global cyber security threats. This inevitable transformation to highly connected systems thus necessitates effective security safeguards to be in place as any compromise or downtime of SCADA systems can have severe economic, safety and security ramifications. One way to ensure vital asset protection is to adopt a viewpoint similar to an attacker to determine weaknesses and loopholes in defences. Such mind sets help to identify and fix potential breaches before their exploitation. This paper surveys tools and techniques to uncover SCADA system vulnerabilities. A comprehensive review of the selected approaches is provided along with their applicability

Compliance analysis for cyber security marine standards : Evaluation of compliance using application lifecycle management tools

The aim of this thesis is to analyse cyber security requirements and notations from marine classification societies and other entities to understand how to meet compliance in current cyber security requirements from maritime class societies and other maritime organizations. The methods used in this research involved a desk review of cyber security requirements from IACS members, IACS UR E 27 and IEC 62443, a survey questionnaire of relevant cyber security standards pertinent to maritime product development, and Polarion, an application lifecycle management solution used to synthesize the cyber security requirements from the maritime class societies and determine their correlations to IEC 62443 as a baseline. Results indicate that IEC 62443 correlates to the standards from DNV and IACS (UR E 27) and majority of the requirements were deemed compliant in compliance gap assessments of a maritime product. The conclusion is that IEC 62443 can be utilised as a baseline cyber requirement with a requirements management tool like Polarion to analyse and satisfy compliance requirements from maritime class societies and maritime organizations that base their cyber security requirements according to IACS UR E27 and IEC 62443-3-3 and should be adopted in addressing future compliance analysis of cyber requirements focusing on autonomous shipping

APPLICATION OF GAME THEORY FOR ACTIVE CYBER DEFENSE AGAINST ADVANCED PERSISTENT THREATS

Advanced persistent threats (APTs) are determined, adaptive, and stealthy threat actors in cyber space. They are often hosted in, or sponsored by, adversary nation-states. As such, they are challenging opponents for both the U.S. military and the cyber-defense industry. Current defenses against APTs are largely reactive. This thesis used machine learning and game theory to test simulations of proactive defenses against APTs. We first applied machine learning to two benchmark APT datasets to classify APT network traffic by attack phase. This data was then used in a game model with reinforcement learning to learn the best tactics for both the APT attacker and the defender. The game model included security and resource levels, necessary conditions on actions, results of actions, success probabilities, and realistic costs and benefits for actions. The game model was run thousands of times with semi-random choices with reinforcement learning through a program created by NPS Professor Neil Rowe. Results showed that our methods could model active cyber defense strategies for defenders against both historical and hypothetical APT campaigns. Our game model is an extensible planning tool to recommend actions for defenders for active cyber defense planning against APTs.Approved for public release. Distribution is unlimited.Captain, United States Marine CorpsCaptain, United States Marine CorpsDISA, Arlington, VA, 2220

SROS2: Usable Cyber Security Tools for ROS 2

ROS 2 is rapidly becoming a standard in the robotics industry. Built upon DDS as its default communication middleware and used in safety-critical scenarios, adding security to robots and ROS computational graphs is increasingly becoming a concern. The present work introduces SROS2, a series of developer tools and libraries that facilitate adding security to ROS 2 graphs. Focusing on a usability-centric approach in SROS2, we present a methodology for securing graphs systematically while following the DevSecOps model. We also demonstrate the use of our security tools by presenting an application case study that considers securing a graph using the popular Navigation2 and SLAM Toolbox stacks applied in a TurtleBot3 robot. We analyse the current capabilities of SROS2 and discuss the shortcomings, which provides insights for future contributions and extensions. Ultimately, we present SROS2 as usable security tools for ROS 2 and argue that without usability, security in robotics will be greatly impaired

SROS2: Usable Cyber Security Tools for ROS 2

ROS 2 is rapidly becoming a standard in the robotics industry. Built upon DDS as its default communication middleware and used in safety-critical scenarios, adding security to robots and ROS computational graphs is increasingly becoming a concern. The present work introduces SROS2, a series of developer tools and libraries that facilitate adding security to ROS 2 graphs. Focusing on a usability-centric approach in SROS2, we present a methodology for securing graphs systematically while following the DevSecOps model. We also demonstrate the use of our security tools by presenting an application case study that considers securing a graph using the popular Navigation2 and SLAM Toolbox stacks applied in a TurtleBot3 robot. We analyse the current capabilities of SROS2 and discuss the shortcomings, which provides insights for future contributions and extensions. Ultimately, we present SROS2 as usable security tools for ROS 2 and argue that without usability, security in robotics will be greatly impaired.Comment: Accepted, IROS 2022, 7 pages, 2 figures, 5 code listings, 5 sections plus reference