Cyber security in shipping and navigation: a framework for ship design and compliance check

摘要

Physical security and safety of ships and their systems as the most valuable assets of the shipping industry has been on its focus for many years. Due to the distributed architecture of this business and a very high usage of stand-alone and disconnected systems, no major efforts have been made on considering cyber security. Nowadays systems on board of ships have a higher automation and connection level and exchange a significant number of sensor data and other information in a very short time. Many of these computers and systems are an integral part of the critical onboard infrastructure, which is one of the main reasons why shipping industry should reprioritize cyber security for the future of intelligent and resilient ships. This fact is actually well known and many actions and guidelines on the management of cyber risks are being developed and published by different actors and authorities. Most of them encompass a very wide range of measures for managing cyber risk and cyber security at all three main relevant levels: personnel, processes and technology. The deployment of security measures is of course a management decision, but in order to be effective these measures must go hand in hand with the technical ones.Cyber security has not been part of the design criteria for most of the ships that are actually in operation. This makes it very challenging for shipping companies to comply and implement guidelines in a very wide range.In this contribution, we provide an overview of well-known technical aspects of computer security and categorize them based on their relevance for shipping industry and its most important use case: the ship and its critical systems on board. We will focus on the technical aspects of cyber security as done in the information technology and derive their suitability and importance for ships and their main systems. The main scope is to develop a framework for classification and definition of requirements on secure onboard systems and give decision support in the challenging subject of cyber security on board. For the requirement's definition following security levels (layers) will be considered.1. Physical layer (e.g. processor, sensor)2. Physical interfaces and low level protocols (e.g. USB)3. Operating systems (e.g. Windows-based, Unix-based other operating systems)4. Internal network and topology 5. Internal communication protocols between connected systems (e.g. ftp, http) 6. Communication layer and protocol with external systems (e.g. GPS, Internet, AIS) 7. Application layer (e.g. stand-alone and/or shared software, database security) This classification framework should enable and support a stronger influence of cyber security aspects as design criteria for ship's systems and their architecture. Furthermore, it can be used for cyber security compliance checks for all black box systems and software, integrated onboard and will support decision makers with technical knowledge "to design by security".