Operational analysis of sequence diagram specifications

This thesis is concerned with operational analysis of UML 2.x sequence diagram specifications. By operational analysis we mean analysis based on a characterization of the executions of sequence diagrams, or in other words an operational semantics for sequence diagrams. We define two methods for analysis of sequence diagram specifications – refinement verification and refinement testing – and both are implemented in an analysis tool we have named ‘Escalator’. Further, we make the first steps in the direction of extending our approach with support for availability analysis. In order to facilitate operational analysis, we define an operational semantics for UML 2.x sequence diagrams. The operational semantics is loyal to the intended semantics of UML, and is proven to be sound and complete with respect to the denotational semantics for sequence diagrams defined in STAIRS – a framework for stepwise development based on refinement of sequence diagram specifications. The operational semantics has a formalized meta-level, on which we define execution strategies. This meta-level allows us to make distinctions between positive and negative behavior, between potential and universal behavior, and between potential and mandatory choice, all of which are inherently difficult in an operational semantics. Based on the operational semantics and its formalized meta-level, we define trace generation, test generation and test execution. Further, based on a formalization of refinement in STAIRS, the trace generation is used to devise a method for refinement verification, and the test generation and the test execution are used to define a method for refinement testing. Both are methods for investigating whether or not a sequence diagram specification is a correct refinement of another sequence diagram specification. The operational semantics, the refinement verification and the refinement testing are implemented with the term rewriting language Maude, and these implementations are integrated in the Escalator tool. In addition, Escalator provides a graphical user interface for working with sequence diagram specifications and for running the analyses. In order to facilitate availability analysis, we define a conceptual model for service availability where the basic properties of availability are identified. Further, we extend the operational semantics with support for one class of these basic properties, namely real-time properties, and outline how the operation semantics extended with time can be applied to make methods for timed analysis of sequence diagram specifications

Øving på cybersikkerheit: Ein casestudie av ei cybersikkerheitsøving

Denne artikkelen presenterer ein casestudie av ei cybersikkerheitsøving i militær utdanning, og nyttar denne casestudien til å drøfte nokre utfordringar med cybersikkerheitsøvingar til utdanningsføremål. Casestudien gjer greie for sentrale avgjerder i designet av øvinga, evaluering av øvinga og utfordringar i øvingskonseptet. Gjennom ein litteraturgjennomgang samanliknar vi øvinga med liknande øvingar, og ser på korleis desse øvingane har blitt evaluert. Avslutningsvis nyttar vi casestudien og litteraturgjennomgangen til å gjere betraktningar om vidare undersøkingar av cybersikkerheitsøvingar.Øving på cybersikkerheit: Ein casestudie av ei cybersikkerheitsøvingpublishedVersio

Kommunikasjonssystemer for beredskap og krisehåndtering – teknologi og utfordringer

acceptedVersio

Cyber Risk Perception in the Maritime Domain: A Systematic Literature Review

This paper aims to present an approach to investigate cyber risk perception with use of recognized psychological models, and to give an overview of state-of-the-art research within the field of cyber risk perception in general and in the context of the maritime domain. The focus will be on determinative dimensions within the psychometric paradigm and cognitive biases, and to give recommendations on further research within these fields. Okoli and Schabram’s eight-step guide to plan, select, extract, and execute a systematic literature review is used as guidance. The search process resulted in 25 relevant articles which describes 24 dimensions of cyber risk perception in different online environments. Research within the area of maritime cyber security is increasing, however, no studies relevant for our literature review were found within the maritime domain. The nine dimensions in the psychometric model, perceived benefit and the optimistic bias is presented and discussed in a maritime context. Cyber risk perception is a complex research-area where both determinative factors and other cognitive processes can be influenced by each other. This can indicate that the dimensions differ across populations and professions, creating grounds for why context-specific studies are important. Further research may benefit from more multidisciplinary, descriptive, and inductive approaches, and contextual studies within maritime cyber risk perception can contribute to develop targeted tools for risk mitigation to enhance safety at sea.publishedVersio

An Operational Approach to Maritime Cyber Resilience

acceptedVersio

Navigating through Cyber Threats, A Maritime Navigator’s Experience

Cyber threats are emerging as a risk in the maritime industry. If the navigational systems on board a ship somehow fail to function because of a cyber incident, the navigator is an important asset who is expected to handle the problem and provide a solution to maintain the safety of the crew, the vessel, and the environment. The International Maritime Organization (IMO) urges the shipping industry to be resilient towards cyber threats. To facilitate for enhanced operational maritime cyber resilience, there is a need to understand how navigators interpret cyber threats, which can be essential to safely conduct nautical operations. This paper presents a qualitative study of navigators’ understanding of cyber threats based on interviews with ten navigators, and further provides recommendations for how use of this knowledge can contribute to enhanced maritime cyber resilience.Navigating through Cyber Threats, A Maritime Navigator’s ExperiencepublishedVersio

An Attack on an Integrated Navigation System

Maritime cyber security is emerging as a field as reports of cyber attacks against computerized maritime systems have started arriving. Modern vessels are equipped with computerized systems for navigation employing the Global Positioning System (GPS), known as Integrated Navigation Systems (INS) and Electronic Chart Display and Information Systems (ECDIS). This paper describes a proof-of-concept attack on an INS and its integrated ECDIS, and reports on a demonstration of the attack on a vessel. The attack includes malware that acts as a man-in-the-middle intercepting and manipulating GPS coordinates. Furthermore, the paper discusses the feasibility of the attack, as well as countermeasures

A model of factors influencing deck officers' cyber risk perception in offshore operations

Offshore operations onboard vessels are increasingly reliant on digitalization, integration, automation, and networked-based systems, which creates new dimensions of cyber risks. The causes of cyber incidents often include complex relationships between humans and technology, and in offshore operations, the onboard crew can be both a cyber security risk and a vital resource in strengthening the cyber security. This makes the behaviour of the decisionmakers onboard important in both preventing and handling cyber risks at sea. By use of in-depth interviews and the constant comparative analysis (CCA), this paper investigates factors influencing deck officers’ cyber risk perception in offshore operations and presents a contextual model of these factors. The model indicates that deck officers’ cyber risk perception can be affected by a feeling of distance towards cyber risks, being more restricted in their working environment because of digitalization, and trust in their reliable cyber-physical systems and suppliers. Further, targeted cyber risk mitigation measures should be implemented on multiple levels in shipping companies. The measures may benefit from focusing on increased risk communication, operational training, awareness campaigns, vessel-specific procedures, and policies, in addition to increased communication from management regarding the demand for digitalization. With this approach, the contextual model can contribute to the ongoing work of developing targeted measures for cyber risk mitigation in the maritime domain and can be used as a point of departure for further studies to discover additional nuances and factors within cyber risk perception in this domain.publishedVersio

Maritime Cyber Simulator Scenario Workshop report

The 7th of December 2021, the Maritime Cyber Resilience (MarCy) project held a Cyber Simulator Scenario workshop aiming to create a fundament for training to enhance operational maritime cyber resilience. MarCy is a research project collaboration, between the academic partners Norwegian University for Science and Technology (NTNU), Norwegian Defence University College (NDUC), and the industry partners DNV, Norwegian Hull Club (NHC) and Kongsberg Defence & Aerospace (KDA). The scope of the workshop was to invite maritime stakeholders and people in the maritime industry to discuss how and if simulator training should be part of cyber awareness training, and what simulator scenarios can be beneficial to implement in such training. The aim was to develop both operational level scenarios for the crew handling ships, and management level scenarios for the shipowners and maritime stakeholders. In addition to this, the workshop led to fruitful discussion how the maritime industry is dealing and coping with cyber threats, and what could be considered as beneficial for cyber training. Real life incidents and experiences was also shared among the participants. The MarCy project partners and the authors of the report want to express their greatest gratitude for all the participants attending the workshop. The workshop could not have been completed without you. Due to the protection of the privacy for the attendants, no individual level information is given. See more in Section 2. List of the organizations attending the workshop: DNV Island Offshore Kongsberg Aerospace & Defence Norwegian Defence University College Norwegian Hull Club NTNU – COAST project NTNU in Ålesund NTNU in Gjøvik NTNU – SFI-Move project Royal Norwegian Naval Academy The Norwegian Armed Forces Cyber Defence The Norwegian Armed Forces The Norwegian Coast Guard The Norwegian Coastal Administration The Norwegian Society for Sea RescuepublishedVersio

Maritime Cyber Simulator Scenario Workshop report

The 7th of December 2021, the Maritime Cyber Resilience (MarCy) project held a Cyber Simulator Scenario workshop aiming to create a fundament for training to enhance operational maritime cyber resilience. MarCy is a research project collaboration, between the academic partners Norwegian University for Science and Technology (NTNU), Norwegian Defence University College (NDUC), and the industry partners DNV, Norwegian Hull Club (NHC) and Kongsberg Defence & Aerospace (KDA). The scope of the workshop was to invite maritime stakeholders and people in the maritime industry to discuss how and if simulator training should be part of cyber awareness training, and what simulator scenarios can be beneficial to implement in such training. The aim was to develop both operational level scenarios for the crew handling ships, and management level scenarios for the shipowners and maritime stakeholders. In addition to this, the workshop led to fruitful discussion how the maritime industry is dealing and coping with cyber threats, and what could be considered as beneficial for cyber training. Real life incidents and experiences was also shared among the participants. The MarCy project partners and the authors of the report want to express their greatest gratitude for all the participants attending the workshop. The workshop could not have been completed without you. Due to the protection of the privacy for the attendants, no individual level information is given. See more in Section 2. List of the organizations attending the workshop: DNV Island Offshore Kongsberg Aerospace & Defence Norwegian Defence University College Norwegian Hull Club NTNU – COAST project NTNU in Ålesund NTNU in Gjøvik NTNU – SFI-Move project Royal Norwegian Naval Academy The Norwegian Armed Forces Cyber Defence The Norwegian Armed Forces The Norwegian Coast Guard The Norwegian Coastal Administration The Norwegian Society for Sea Rescu