A Study on the Threat Analysis and Risk Assessment of Ship Ballast Water System

  • Hyoseok Lim (CYTUR Inc.)
  • Yonghyun Jo (CYTUR Inc.)
  • Wonsuk Choi (Korea University)
  • Received : 2024.07.08
  • Accepted : 2024.08.28
  • Published : 2024.10.31

Abstract

As IT and OT systems become integrated into ship operations, the security of propulsion, control, communication, and navigation systems has become increasingly critical. In response, the International Association of Classification Societies (IACS) will enforce cybersecurity requirements starting from July 2024. IACS No. 171 (Recommendations on Incorporating Cyber Risk Management into Safety Management Systems) presents quantitative assessment methods; however, there is room for improvement. This study aims to address these issues by applying the TARA framework, outlined in ISO/SAE 21434 for connected vehicles, to identify attack surfaces and conduct risk assessments of the Ballast Water Treatment System (BWTS), which is crucial for navigational safety. The study also compares the quantitative risk assessments of IACS No. 171 and the TARA framework, and proposes the need for, and the factors to consider in, a new risk assessment framework tailored specifically to ships, VeTARA. This research is expected to contribute to the enhancement of cyber risk management in maritime operations.

Acknowledgement

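This research was supported by the 2024 Defense Venture Support Program of the Korea Research Institute for Defense Technology Planning and Advancement (KRIT) [V230001].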
