This report presents an updated assessment of the cyberthreat landscape in the context of CySiMS-SE. It is based on the previous work from CySiMS “D1.1 Risk Model and Analysis” and the methodology from CySiMS-SE “D2.1 Expanded risk and CBA methodology”. The goal has been to show how we obtain required means and opportunities of attack vectors for the PKI and motivation factors for potential threat actors.978-82-14-06467-4publishedVersio

Bernsmed, Karin

Meland, Per Håkon

Nesheim, Dag Atle

Rødseth, Ørnulf Jan

Wille, Egil

English

This report presents an updated assessment of the cyberthreat landscape in the context of CySiMS-SE. It is based on the previous work from CySiMS “D1.1 Risk Model and Analysis” and the methodology from CySiMS-SE “D2.1 Expanded risk and CBA methodology”. The goal has been to show how we obtain required means and opportunities of attack vectors for the PKI and motivation factors for potential threat actors

NORA - Norwegian Open Research Archives

D2.2 Updated cyber risk assessment for the maritime industry

SINTEF Open

                 2021:00341- Unrestricted  CySiMS-SE D2.2 Updated cyber risk assessment for the maritime industry     Author(s)  Per Håkon Meland Karin Bernsmed Egil Wille Ørnulf Jan Rødseth Dag Atle Nesheim       1 of 22  SINTEF Digital SINTEF Digital Address:  NO-  NORWAY Switchboard: +47 40005100  info@sintef.no  Enterprise /VAT No: NO 919 303 808 MVA  CySiMS-SE  D2.2 Updated cyber risk assessment for the maritime industry   KEYWORDS:  Cyber security, maritime, cyber threat, risk assessment                                           VERSION 1.0 DATE 2021-03-25 AUTHOR(S) Per Håkon Meland Karin Bernsmed Egil Wille Ørnulf Jan Rødseth Dag Atle Nesheim   CLIENT(S) The Research Council of Norway CLIENT’S REF. CySiMS SE (295969) PROJECT NO. 102019295 NUMBER OF PAGES/APPENDICES: 22 ABSTRACT Abstract heading This report presents an updated assessment of the cyberthreat landscape in the context of CySiMS-SE. It is based on the previous work from CySiMS “D1.1 Risk Model and Analysis” and the methodology from CySiMS-SE “D2.1 Expanded risk and CBA methodology”. The goal has been to show how we obtain required means and opportunities of attack vectors for the PKI and motivation factors for potential threat actors.  PREPARED BY Per Håkon Meland SIGNATURE CHECKED BY Ravi Borgaonkar SIGNATURE APPROVED BY Maria Bartnes SIGNATURE REPORT NO. 2021:00341 ISBN 978-82-14-06467-4 CLASSIFICATION Unrestricted CLASSIFICATION THIS PAGE Unrestricted             Ravi Borgaonkar           Per Håkon Meland           Maria Bartnes PROJECT NO. 102019295 REPORT NO. 2021:00341   VERSION 1.0   2 of 22  Document history VERSION DATE VERSION DESCRIPTION 1.0 2021-03-25 First public version.      PROJECT NO. 102019295 REPORT NO. 2021:00341   VERSION 1.0   3 of 22   PROJECT NO. 102019295 REPORT NO. 2021:00341   VERSION 1.0   4 of 22  Table of contents  1 Introduction ............................................................................................................................. 5 2 The maritime cyberthreat landscape ......................................................................................... 5 3 Risk estimation ......................................................................................................................... 6 3.1 Unwanted event and threats ..................................................................................................... 7 4 Threat template ..................................................................................................................... 10 4.1 Threat summary ..................................................................................................................... 11 4.2 Threat actors .......................................................................................................................... 11 4.3 Opportunity ............................................................................................................................ 13 4.4 Means ..................................................................................................................................... 15 4.5 Motivation .............................................................................................................................. 18 5 Conclusion ............................................................................................................................. 19 6 References ............................................................................................................................. 20 A Appendix ............................................................................................................................... 21      PROJECT NO. 102019295 REPORT NO. 2021:00341   VERSION 1.0   5 of 22  1 Introduction The maritime sector and infrastructure are critical to Norway, EU and the world economy. Digital technology for ships is in continuous development, and cyber security is an important enabler to ensure safe and reliable operations. Cyber Security in Merchant Shipping (CySiMS) (2015-2018) was a Research Council of Norway funded project, which designed security solutions to protect digital communication in the maritime domain. The results have been met with much interest in the maritime community, but there is now an urgent need to develop the specifications from the CySiMS project into a complete system.    The underlying idea of CySiMS-SE is to demonstrate and operationalize a secure communication solution for the maritime sector and integrating this with the onboard computer architecture. The solution will include a Public Key Infrastructure (PKI) and necessary hardware and software for secure information exchange across systems on the bridge, off-bridge and on shore. This will provide the world's first open, integrated, and cost-effective protection against cyber-attacks on critical safety and operational information, while contributing to preserving Norway's position as a leading seafarer nation leading the way in developing, adopting and selling technological innovations.    This report presents an updated assessment of the cyberthreat landscape in the context of CySiMS-SE. It is based on the previous work from CySiMS “D1.1 Risk Model and Analysis” [1] and the methodology from CySiMS-SE “D2.1 Expanded risk and CBA methodology” [2]. The goal has been to show how we obtain required means and opportunities of attack vectors for the PKI and motivation factors for potential threat actors.  2 The maritime cyberthreat landscape The scope of our analysis is the maritime PKI processes and technology stemming from CySiMS and CySiMS-SE. However, this is a new system yet to be fully realised, and it is therefore useful to look at work related to the wider maritime cyberthreat landscape.   During the autumn of 2020, a study on historical incidents and threats in the maritime sector was performed by SINTEF on commission by the Norwegian Coastal Administration. The report [3] from this work is publicly available (in Norwegian) and gives an overview of: • Ship systems, communication channels and related infrastructure onshore. • Previous work on assessing maritime threats and vulnerabilities. • An overview of 35 known cyber security events related to maritime from the last decade. • A prioritized list of the top-10 cyber threats based on previous incidents. • A brief discussion of contemporary and future threats.  Figure 1 shows the resulting top-10 cyber threats, which shows that there has been a wide variety of attacks. In general, there has not been a large number of incidents compared to other sectors, but the consequences of these events have been among the most severe in any sector [3]. Such attacks with low frequency and high impact represent risks that are hard to predict and defend against.   PROJECT NO. 102019295 REPORT NO. 2021:00341   VERSION 1.0   6 of 22   Figure 1. Top-10 cyber threats based on past incidents. In CySiMS-SE we expanded the maritime incident and threat study in [3] and created a scientific paper for international dissemination. The authors’ manuscript of this paper is included in Appendix A.  As an additional input to the Maritime Strategy for Digital Security [4] developed in collaboration by the Norwegian Maritime Authority and the Coastal Administration, DNV-GL [5] conducted an online survey among stakeholders in the maritime industry regarding vulnerabilities. From this study, 51 respondents indicated that the most vulnerable systems were: • Software-based control and automation systems onboard (62,7%) • Software-based navigation and communication systems onboard (52,9%) • Software-based information systems onboard (33,3%) • Other systems onboard (11,8%) The survey also showed that IT-systems onshore are standard commercial off-the-shelf (COTS) products and share the same risks as in other sectors.   The CySiMS-SE PKI is basically a distributed system that resides on-shore as a part of IT-systems, communication system and tied to OT/navigation and IT-system onboard. Hence, there are many different attack entry points that can have an impact on the operations and services relying on the PKI. 3 Risk estimation As already mentioned in the previous section, attacks with low frequency and high impact represent risks that are hard to predict and defend against. This is because past incidents cannot really give a good idea of the risks for new designs in an evolving threat landscape. We also saw in the previous section that attackers have been using a variety of attack entry points and methods.   Our extended risk methodology takes such concerns into account and look at various threats that can lead to unwanted events, and different consequences that could follow them.  The threat estimations are based on the availability of potential threat actors, their opportunities of performing attacks, the required means (resources) that are needed for the attack to succeed, and motivation factors. Such estimations are less  PROJECT NO. 102019295 REPORT NO. 2021:00341   VERSION 1.0   7 of 22  dependent on historical events data, and are therefore allow us to use a proactive approach for assessing the risk of new designs and prototypes.  Figure 2 shows the steps we have been using for expanding our methodology for risk estimation. We initially developed the risk methodology itself for our purpose. It is based on existing approaches, such as bow-tie modelling closely linked to formal safety assessment (FSA), capability-based modelling in the form of resource cost trees and determining attack paths using the cyber kill chain. These techniques are explained in detail in D2.1 [2]. The methodology was validated using system owners for parts of business case 1, specifically the ECDIS connected to a NavStation and the bridge communication system. The validation study allowed us to create generic threat modelling templates as we saw the resource costs trees shared so many common elements. This allowed us to more efficiently model unwanted events for other situations in the business use cases. The combined results are used to evaluate and compare the risk values of the various unwanted events, and ultimately support decisions on security investments.  Figure 2. Steps for the updated risk estimation. Central to the methodology is the identification of unwanted events, threats that can lead to such events, and potential consequences. The section below contains an explanation how we have identified these based on the methodology in D2.1 [2]. 3.1 Unwanted event and threats Our analysis of the cyberthreat landscape in Appendix A showed that malware infection is the prevalent way of compromising systems, and we have therefore focused the scope of our analysis towards these types of threats. The unwanted event is related to malware compromise towards different systems or components used in the context of the PKI and the operational pilot as described in “D1.2 Evaluation of the operational pilot” [6]. Figure 3 shows three of the threats linked to attack points for shore-based systems and Figure 4 the same for onboard systems.    Develop risk methodologyValidate methodology on sample sub-systemsCreate threat modelling templates from validation resultsApply templates to business usecasesEvaluate results PROJECT NO. 102019295 REPORT NO. 2021:00341   VERSION 1.0   8 of 22   Figure 3. Threats targeting shore-based systems related to the PKI. The PKI service is responsible for receiving certificate signing requests, issuing certificates and revoking certificates. The software is supplied by SINTEF Digital based on the OpenXPKI project and operated by the Norwegian Maritime Authority (SDIR). The Maritime Single Windows (MSW) is supplied and operated by the Norwegian Coastal Administration (KYV), and relies on a local PKI-unit, supplied by Kongsberg Defence and Aerospace (KDA), for verifying and signing messages from ships.     Figure 4. Threats targeting onboard systems related to the PKI. Onboard the ship there are a number of reference systems/components that are relevant for the business cases. The VDES-unit, supplied by Kongsberg Seatex (KSX), is used to communicate to other surrounding ships and the MSW. The PKI-unit is equal to the one onshore, but operates in a different environment and has a different threat picture. The NavStation is an integrated voyage planning and electronic chart management station supplied by NAVTOR that uses the PKI-unit for securing messages. The Bridge communication system provides the communication infrastructure between the systems/components. The Single Board Computer (SBC), provided by SINTEF Ocean, is only used for test purposes in the operational pilot, and hence not part of the risk assessment scope. The Global Navigation Satellite System (GNSS) is also outside the scope of the risk assessment, though it provides data that is central to the NavStation.   PROJECT NO. 102019295 REPORT NO. 2021:00341   VERSION 1.0   9 of 22  The figures above contain the following threats where malware is the reason for compromise: • T1: PKI service compromised at operator (SDIR/SINTEF Digital) • T2: PKI-unit used by MSW compromised (KDA/KYV) • T3: MSW system compromised (KYV) • T4: VDES-unit onboard ship compromised (KSX) • T5: PKI-unit onboard ship compromised (KDA) • T6: NavStation onboard ship compromised (NAVTOR) • T7: Bridge communication system compromised (SINTEF Ocean)   The stakeholders in parentheses of T1-T7 are the ones best suited for making threat estimations due to knowledge of the system/component.  Figure 5 shows a high-level bow-tie diagram for the unwanted event “Business case compromised”. The indicator values for both threats and consequences are intentionally left blank, as the detailed values from the risk assessment are kept internal to the project partners.     Figure 5. A bow-tie diagram for the unwanted event “Business case compromised”.    PROJECT NO. 102019295 REPORT NO. 2021:00341   VERSION 1.0   10 of 22  4 Threat template We have created a threat template in the form of Excel spreadsheets to estimate values more efficiently for each threat in the bow-tie diagram. The contents are based on the methodology described in D2.1 [2].We have to assume that all threats are possible, but we want to make sure that they are relatively difficult and expensive to realize that we can tolerate the risk.  Using the threat template is an iterative approach, where threat actors, opportunity, means, and motivations are identified and given weighted values. This weighted value and the associated threat agent can then be put back into the bow-tie diagram in Figure 5.   Figure 6. The components of the threat template.  Figure 6 gives an overview of the components of the threat template. The treat summary is explained in Section 4.1, threat actors in Section 4.2, opportunities in Section 4.3, means in Section 4.4 and motivation in Section 4.5.    Threat summaryThreat actorsOpportunititesMotivationMeans PROJECT NO. 102019295 REPORT NO. 2021:00341   VERSION 1.0   11 of 22  4.1 Threat summary  The threat value summary sheet is shown in Figure 6 and is used to calculate the weights. It takes input from four other sheets, namely threat actors, opportunity, means and motivation.    Figure 7. Threat value summary sheet. 4.2 Threat actors Figure 7 shows an excerpt from the treat actor sheet.  PROJECT NO. 102019295 REPORT NO. 2021:00341   VERSION 1.0   12 of 22   Figure 8. Threat actor suggestions.      PROJECT NO. 102019295 REPORT NO. 2021:00341   VERSION 1.0   13 of 22  4.3 Opportunity Figure 8 shows the template sheet for determining opportunities tied to the phases of the cyber kill chain. Input to the columns when, where and vulnerability can be based on Figure 9, Figure 10 and Figure 11.    Figure 9. Table for describing opportunities.    Figure 10. Spatial dimension.   PROJECT NO. 102019295 REPORT NO. 2021:00341   VERSION 1.0   14 of 22   Figure 11. Temporal dimension.    Figure 12. Vulnerability opportunities.  PROJECT NO. 102019295 REPORT NO. 2021:00341   VERSION 1.0   15 of 22  4.4 Means The means template sheet is an alternative to the Interactive Resource Cost Model (IRCM) tool described in D2.1 [2] and Haga et al. [7]. Instead of having to model the resource trees from scratch, a generic setup is pre-made and only needs cost values and optionally confidence. The values are calculated for each resource, for each phase and for the total attack. When resource alternatives or phases are irrelevant, the cost cells can be left blank. Templates for each phase of the cyber kill chain are shown in Figure 12, Figure 13, Figure 14, Figure 15, Figure 16, Figure 17 and Figure 18.   Figure 13. Template for reconnaissance.   Figure 14. Template for weaponization.   PROJECT NO. 102019295 REPORT NO. 2021:00341   VERSION 1.0   16 of 22   Figure 15. Template for delivery.   Figure 16. Template for exploitation.   PROJECT NO. 102019295 REPORT NO. 2021:00341   VERSION 1.0   17 of 22   Figure 17. Template for installation.   Figure 18. Template for Command and Control.   Figure 19. Template for Act on Objective.     PROJECT NO. 102019295 REPORT NO. 2021:00341   VERSION 1.0   18 of 22  4.5 Motivation The motivation sheet contains motivation elements and intents that can be used as input to the threat summary. Figure 19 and Figure 20 show such suggestions.   Figure 20. Motivation elements.   PROJECT NO. 102019295 REPORT NO. 2021:00341   VERSION 1.0   19 of 22   Figure 21. Motivation based on intent.   5 Conclusion  This report provides our assessment of the maritime cyber threat landscape based on past incidents, and shows how to estimate risk for a new design such as the technology related to the CySiMS PKI. The detailed results of the specific analysis are kept internal to the project participants, while we provide the generic templates that have been developed and used for this purpose. These can be further developed, for instance with inclusion of reference values for cost estimates, and applied to other systems with similar context characterisations.   PROJECT NO. 102019295 REPORT NO. 2021:00341   VERSION 1.0   20 of 22  6 References  [1] D. A. Nesheim, Ø. Rødseth, K. Bernsmed, C. Frøystad, and P. H. Meland, "D1.1 Risk Model and Analysis," SINTEF, http://cysims.no/, 2017.  [2] P. H. Meland and K. Bernsmed, "D2.1 Expanded risk and CBA methodology," SINTEF, CYSiMS-SE, 2020.  [3] P. H. Meland, K. Bernsmed, Ø. J. Rødseth, and D. A. Nesheim, "Trusselvurdering i forbindelse med strategi for maritim digital sikkerhet," SINTEF, Jan 15 2020. [Online]. Available: https://www.sdir.no/contentassets/174739a55adb44098b05bcb8ef3b2f65/trusselvurdering-i-forbindelse-med-strategi-for-maritim-digital-sikkerhet-v1_2.pdf?t=1615969701283 [4] N. H. Bua et al., "Overordnet strategi for maritim digital sikkerhet," Sjøfartsdirektoratet, 2020. [Online]. Available: https://www.sdir.no/contentassets/174739a55adb44098b05bcb8ef3b2f65/2020-12-18---rapport-overordnet-strategi-for-maritim-digital-sikkerhet---v3-klar-til-levering-nfd-og-sd.pdf?t=1615969701283 [5] J. C. Blomhoff, "Sårbarhetsanalyse forbindelse med strategi for maritim digital sikkerhet," DNV-GL, 2020-0927, 2020. [Online]. Available: https://www.sdir.no/contentassets/174739a55adb44098b05bcb8ef3b2f65/dnv-gl---2020-09-15-ros-analyse-for-maritim-digital-sikkerhet-v1---report.pdf?t=1615969701283 [6] Ø. J. Rødseth, K. Bernsmed, P. H. Meland, G. Bour, and D. A. Nesheim, "D1.2 Evaluation of the operational pilot," SINTEF, CySiMS-SE, 2021.  [7]  K. Haga, P. H. Meland, and G. Sindre, "Breaking the cyber kill chain by modelling resource costs," in International Workshop on Graphical Models for Security, 2020: Springer, pp. 111-126.      PROJECT NO. 102019295 REPORT NO. 2021:00341   VERSION 1.0   21 of 22  A Appendix       The manuscript will be included in this report once it has been accepted for publication. 

https://sintef.brage.unit.no/sintef-xmlui/bitstream/11250/3018487/2/D2.2%2bUpdated%2bcyber%2brisk%2bassessment%2bfor%2bthe%2bmaritime%2bindustry_FINAL-signed.pdf

D2.2 Updated cyber risk assessment for the maritime industry

Abstract

Similar works

Full text

Available Versions

NORA - Norwegian Open Research Archives

SINTEF Open