The digital development brings new methods and technologies such as object detection, artificial intelligence, machine learning and sensor fusion into the maritime industry in the form of unmanned and autonomous vessels. The level of automation has grown significantly in maritime operations during the past years and this introduces new risks to safety at sea, forcing revisioning of the regulatory framework. As technology used in vessels has become more efficient and intelligent, information technology (IT) and operational technology (OT) are networked together. The technology is also more frequently connected to internet. This introduces a demand for protecting the assets from vulnerabilities and cybersecurity attacks. The criticality of these systems requires well-established, preferably standardized, methods to find weaknesses in systems that could be exploited by an attacker. Poor security may lead to financial loss or even penalties, business disruption, reputational damage, loss of customer and industry confidence, loss or damage to cargo, environmental damage or even loss of lives. Cybersecurity is not only preventing adversaries or hackers gaining access to ship systems, but it also helps to maintain business continuity, ensures availability of ship systems and safe operations. Cybersecurity comprises, inter alia policies, procedures, safeguards, actions, practices and tools - all that can be used to protect a system and its users, networks, and assets
Background and objective:
The objective for this article is to evaluate and enhance vessels’ cybersecurity posture by creating a model of a cybersecurity validation and verification framework, composed of a set of chosen cybersecurity standards conforming to maritime guidelines and regulations. This framework, referred to as the V&V Framework from now on, will be used in the near future to conduct cybersecurity end testing and for determining vessels’ current cybersecurity posture. Cybersecurity testing is about discovering vulnerabilities that may reside in a system, and about testing that security controls exist and are functioning as planned. End testing in this context refers to a state where hardware and software components constituting the vessel intelligence have been deployed to the vessel and are operational, but have not yet been taken into use. During the end testing the vessel is not operating nor does it have any cybersecurity monitoring on. Testing itself includes for example network-based scans, host-based scans and validating that different networks are segregated. The V&V Framework is provided as a spreadsheet where chosen standards and their security controls with enhancements are listed along with examples of tools and methods that can be used to test that control is implemented and whether a system’s cybersecurity posture is aligned with the state defined by the V&V Framework. Found vulnerabilities will be reported to system owners and based on the report, future mitigation plans can be made.
Scope:
The scope for this article needs to be defined in terms of coverage of the validation and verification and what is included in the vessel system to be tested, since the concept of automated vessel is not exact. These two dimensions set the overall scope for the V&V Framework. This thesis does not designate the vessel type nor the level of intelligence but it is expected that the vessel has an information system and a remote connection to it. The remote connection can be used for monitoring, information system maintenance and/or controlling the vessel from a remote operation centre. The remote operation centre itself is excluded from this thesis. The V&V Framework is technology agnostic and can be applied to any environment if proper controls and testing methods can be established. However, in this model it is assumed that the vessel IT system is based on the Linux operating system and therefore examples of testing methods are for a Linux environment where open-source technologies and tools are utilized. The V&V Framework can be applied across different systems but the scope introduced in this model focuses on vessel IT systems constituted by situational awareness, connectivity and processing units. Figure 1 below illustrates the components included in this model. Blue colour indicates that the component is included in the V&V Framework and orange components are left out.
Cybersecurity standards and guidelines for V&V:
Cybersecurity standards are published, agreed specifications designed to protect the system, its users and services. The purpose of cybersecurity standard is to provide a common ruleset defining requirements. Commonly these standards are produced by experts in cybersecurity, collaborating with international and both governmental and non-governmental organizations. Standards undertake continuous reviews and are being updated with new versions. There are many cybersecurity standards having focus on different areas. Standards must do what they are designed for but also consider cost and technological limitations. Standard requirements must be defined so that they can be tested, verified and assessed.
Challenges:
The most challenging part was constructing the V&V framework spreadsheet as each security control had to be studied, understand the control, its objective and context and go through all enhancements for each control. Additionally, each standard had unique ways to describe the controls and their enhancements. It was difficult to select security controls that fit into the validation and verification end testing scope as they all seem so important. I had to constantly remind myself of the scope and try not to include controls that were not within validation and verification testing. Also, the depth and coverage needed to be aligned with overall baseline determined for the vessel system. After selecting the security controls and their enhancements, I needed to set actions for testing of the control’s existence and functionality without dictating technologies.
Validation and Verification Framework:
This article describes how the V&V Framework is created.
First, the Framework layout is explained. Then methods behind selecting and
tailoring security controls are introduced. General testing techniques to
evaluate security control existence and effectiveness are described. Since it
is not feasible to introduce all subcategories nor security controls from the
V&V Framework here, a few sample subcategories are chosen that will be
described in this chapter in terms how security controls are selected and
tailored and requirements with examples of test methods are derived. It would
have been ideal to include samples from each Core Function in the CSF
(Identify, Protect, Detect, Respond and Recover) but the verification and
validation scope has limited subcategories to Identify, Protect and Detect.
Appendix 1 shows Functions and Categories including their unique identifiers to
clarify Subcategory identifiers with samples presented later on.
