17 October 2022
Review And Reflections On Maritime Transport
As maritime transport is one of the main facilitators of international trade, maritime infrastructures and services are considered part of the European critical infrastructures.
They contain various cyber and cyber-physical systems including, among others: Automatic Identification Systems (AIS), VHF Data Exchange Systems (VDES), Supervisory Control and Data Acquisition (SCADA) systems, Port Community Systems (PCS), Terminal Operating Systems (TOS), Vessel Traffic Services, Ship Information System (SIS) and Electronic Chart Display and Information System (ECDIS), to name just a few. The main assets utilised in maritime transport involve port infrastructures and ships/vessels. Vessels are the maritime transport means for conducting seaborne transport operations. Autonomous ships are able to transport their freight over navigable waters, with limited or even without human interaction. The digitization of maritime transport increases the complexity and the required collaboration of the underlying processes, and therefore the (inter)dependencies and the cyber-physical interactions between the involved assets.
As a side effect of this increased connectivity between maritime systems, their exposure to cyber and hybrid (cyber-physical) attacks has substantially increased. At the same time, they suffer from various vulnerabilities. For example, since the use of legacy systems is very common in maritime transport, updating and patching their security vulnerabilities is not always a trivial task. Even worse, the interconnectivity of potentially vulnerable and not properly isolated systems creates chains of vulnerability paths. Hackers may now be able to extend their attack vectors, turning locally exploitable vulnerabilities into remotely exploitable ones. For example, a vulnerability found in an internet-enabled non-critical service may be used by skilful adversaries as a remote entry point to move laterally inside the ship network and eventually take over a critical legacy system. Dealing with such attacks may require that various layers, such as the communication layer and the system layer, be properly secured. Setting up secure and trusted communications, properly hardening maritime systems at the software level and assuring the resilience of critical maritime systems, such as those utilized in autonomous ships, are some of the relevant open research problems.
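The chaining effect described above can be checked on an asset inventory with a simple reachability analysis. The following is an added example, not code from the CyberSecurity4Europe project or its services; the asset names, links and the `internet`/`vulnerable`/`critical` flags are constructed assumptions for illustration.

```python
from collections import deque

# Constructed ship network: asset names, flags and links are illustrative assumptions.
ASSETS = {
    "crew_wifi_portal": {"internet": True,  "vulnerable": True,  "critical": False},
    "office_pc":        {"internet": False, "vulnerable": True,  "critical": False},
    "ecdis":            {"internet": False, "vulnerable": True,  "critical": True},
    "scada_engine":     {"internet": False, "vulnerable": True,  "critical": True},
    "ais_transponder":  {"internet": False, "vulnerable": False, "critical": True},
}
LINKS = {("crew_wifi_portal", "office_pc"), ("office_pc", "ecdis"),
         ("ecdis", "scada_engine"), ("ecdis", "ais_transponder")}

def vulnerability_paths(assets, links):
    """Map each exposed critical asset to the shortest chain of vulnerable assets leading to it."""
    neighbours = {name: set() for name in assets}
    for a, b in links:  # network links are treated as bidirectional
        neighbours[a].add(b)
        neighbours[b].add(a)
    # Entry points: assets that are both internet-enabled and vulnerable.
    queue = deque([name] for name, a in sorted(assets.items())
                  if a["internet"] and a["vulnerable"])
    seen = {path[0] for path in queue}
    found = {}
    while queue:  # breadth-first search, so the first chain found is the shortest
        path = queue.popleft()
        node = path[-1]
        if assets[node]["critical"]:
            found.setdefault(node, path)
        for nxt in sorted(neighbours[node]):
            if nxt not in seen and assets[nxt]["vulnerable"]:
                seen.add(nxt)
                queue.append(path + [nxt])
    return found

def without_link(links, a, b):
    """Model isolation: the same network with the link between a and b removed."""
    return {link for link in links if set(link) != {a, b}}

def patched(assets, name):
    """Model patching: a copy of the inventory where one asset is no longer vulnerable."""
    return {n: ({**a, "vulnerable": False} if n == name else a)
            for n, a in assets.items()}

if __name__ == "__main__":
    for target, chain in vulnerability_paths(ASSETS, LINKS).items():
        print(target, "<-", " -> ".join(chain))
```

In this constructed network, isolating the office segment from the bridge systems (`without_link(LINKS, "office_pc", "ecdis")`) removes every chain without touching the legacy systems themselves, which matters when those systems cannot easily be patched.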
Within WP5 of the CyberSecurity4Europe project (and in tight collaboration with the tasks of WP3), we have integrated, properly extended and deployed various cybersecurity services targeted at the maritime sector. The main results of the integration of the underlying security services include: (i) We have extended the risk management service of MITIGATE to an adaptive, situation-based framework, by integrating it with DynSMAUG, a situation-driven security management system. (ii) We have extended our threat model by integrating system hardening security controls, developed by our hardening services, and also by integrating human-related threats via the HAMSTERS model. (iii) We have tested and validated secure communications of a VDES-enabled system, by integrating it with our maritime-specific PKI solution. Our validation results are based on various validation methods including technical test cases, stakeholder engagement and document analysis.