Maritime Cyber Security: Adopting a Checklist Based on IACS UR E26 Standard

Abstract

The efficient operation of ship systems that control navigation, communications, sensors, and power and machinery is dependent on the increasing digitization of the maritime sector and the intense use of information and operational technologies. The goal of issuing and enforcing global regulations and standards is to lessen the impact of potential dangers that could jeopardize on-board systems, network and data integrity, and operation, functionality and safety. At this point, "Cyber Resilience of Ships" (UR E26) is recently released by the International Association of Classification Societies (IACS) to address the need to improve ships' cyber resilience. This regulation will be applicable to new ships built on and after 1 July 2024. This study aims to create a check list for ship cyber security based on IACS UR E26 standard. A ship cyber security checklist was developed by first analyzing ship operational technologies, identifying potential cyber risks and vulnerabilities, and then creating a checklist in accordance with the IACS UR E26 standard to ensure cyber security on board. With a focus on clean seas and safe ships, the IACS provides technical assistance, verifies compliance, and conducts research and development to enhance maritime safety, security and regulation. This study provides practical tool to ships for ship cyber security management under the safety management system besides IACS standard benefits. Creating a checklist in accordance with the IACS UR E26 standard also allows ship owners and operators to comply with the standards and facilitate inspection processes. This reduces the effort spent to comply with international regulations. It helps to proactively manage cyber risks by providing a systematic approach to ship cyber security management.

Keywords

• Maritime cyber security
• Ship cyber security checklist
• Ship cyber resilience
• IACS UR E26

IACS UR E26 Standardına Dayalı Gemi Siber Güvenlik Kontrol Listesinin Benimsenmesi

Abstract

Seyir, iletişim, sensörler, güç ve makine kontrol sistemlerinden oluşan gemi sistemlerinin verimli bir şekilde çalışması, denizcilik sektörünün artan dijitalleşmesine ve bilgi ve operasyonel teknolojilerin yoğun kullanımına bağlıdır. Küresel düzenlemeler ve standartların amacı, gemideki sistemlere, ağ ve veri bütünlüğüne, operasyona, işlevselliğe ve güvenliğe zarar verebilecek potansiyel tehlikelerin etkisini azaltmaktır. Bu noktada, Uluslararası Klas Kuruluşları Birliği (IACS) tarafından gemilerin siber dayanıklılığını iyileştirme ihtiyacını ele almak için yakın zamanda "Gemilerin Siber Dayanıklılığı" (UR E26) yayınlandı. Bu düzenleme, 1 Temmuz 2024'ten itibaren inşa edilen yeni gemiler için geçerli olacaktır. Bu çalışma, IACS UR E26 standardına dayalı olarak gemi siber güvenliği için bir kontrol listesi oluşturmayı amaçlamaktadır. Gemi operasyonel teknolojilerinin analiz edilmesi, potansiyel siber risk ve güvenlik açıklarının belirlenmesi ve bu doğrultuda IACS UR E26 standardına uygun bir siber güvenlik kontrol listesi oluşturulması yoluyla bir gemi siber güvenlik kontrol listesi geliştirilmiştir.Temiz denizlere ve güvenli gemilere odaklanan IACS, teknik yardım sağlar, uyumluluğu doğrular ve deniz güvenliğini, emniyetini ve düzenlemesini geliştirmek için araştırma ve geliştirme yürütür. Bu çalışma, IACS standartının faydalarının yanı sıra emniyet yönetim sistemi kapsamında gemi siber güvenlik yönetimi için gemilere pratik bir araç sağlar. IACS UR E26 standardına uygun bir kontrol listesi oluşturmak, gemi sahiplerinin ve operatörlerinin standartlara uymasını ve denetim süreçlerini kolaylaştırmasını da sağlar. Bu, uluslararası düzenlemelere uymak için harcanan çabayı azaltır. Gemi siber güvenlik yönetimine sistematik bir yaklaşım sağlayarak siber riskleri proaktif bir şekilde yönetmeye yardımcı olur.

Keywords

• Denizel alanda siber güvenlik
• Gemi siber güvenlik kontrol listesi
• Gemi siber direnci
• IACS UR E26

References

1. Ashraf, I., Park, Y., Hur, S., Kim, S. W., Alroobaea, R., Zikria, Y. Bin, Nosheen, S. (2022). A Survey on Cyber Security Threats in IoT-Enabled Maritime Industry. IEEE Transactions on Intelligent Transportation Systems, 1–14. doi:10.1109/TITS.2022.3164678.
2. Bolbot, V., Kulkarni, K., Brunou, P., Banda, O.V., Musharraf, M. (2022). Developments and research directions in maritime cybersecurity: A systematic literature review and bibliometric analysis. International Journal of Critical Infrastructure Protection, 39: 100571. doi: 10.1016/j.ijcip.2022.100571
3. DNV-GL, (2016). Cyber security resilience management for ships and mobile offshore units in operation.
4. DNV-GL Corporate Report, DNVGL-RP-0 (September), 1–86.
5. DNV-GL, Cyber Secure Class Notation, (2022). Accessed Date: 03/07/2024, https://www.dnv.com/services/cyber-secure-class-notation-124600/ is retrieved.
6. Hyra, B. (2019). Analyzing the Attack Surface of Ships. DTU Compute Department of Applied Mathematics and Computer Science Technical University of Denmark. Accessed Date: 08/07/2024, https://backend.orbit.dtu.dk/ws/portalfiles/portal/218483747/190401_Analyzing_the_Attack_Surface_of_Ships.pdf is retrieved.
7. IACS, IACS UR E26 and E27 Press Release, (2024). Accessed Date: 05/08/2024, https://iacs.org.uk/news/iacs-ur-e26-and-e27-press-release is retrieved.
8. IACS UR E22, Computer-based Systems, (2023). Accessed Date: 05/08/2024 https://iacs.s3.af-south-1.amazonaws.com/wp-content/uploads/2023/08/10161629/ur-e22rev3.pdf is retrieved.

9. IACS UR E26, Cyber Resilience of Ships, (2022). Accessed Date: 05/08/2024, https://www.classnk.or.jp/hp/pdf/info_service/iacs_ur_and_ui/ur_e26_rev.1_nov_2023_cr.pdf is retrieved.
10. IMO, Guidelines on Maritime Cyber Risk Management, (2022). Accessed Date: 16/06/2024, https://wwwcdn.imo.org/localresources/en/OurWork/Security/Documents/MSC-FAL.1-Circ.3-Rev.2%20-%20Guidelines%20On%20Maritime%20Cyber%20Risk%20Management%20(Secretariat)%20(1).pdf is retireved.
11. iTrust, Guidelines for Cyber Risk Manegement in Shipboard Operational Technology Systems, (2022). Accessed Date: 16/06/2024, https://itrust.sutd.edu.sg/research/projects/maritime-cyber/ is retrieved.
12. Jo, Y., Choi, O., You, J., Cha, Y., Lee, D.H. (2022). Cyberattack Models for Ship Equipment Based on the MITRE ATT&CK Framework. Sensors, 22(5): 1860. doi: 10.3390/s22051860.
13. Kanwal, K., Shi, W., Kontovas, C., Yang, Z., Chang, C.H. (2024). Maritime cybersecurity: are onboard systems ready? Maritime Policy and Management, 51(3): 484–502. doi: 10.1080/03088839.2022.2124464.
14. Kavallieratos, G., Katsikas, S., Gkioulos, V. (2019). Cyber-Attacks Against the Autonomous Ship. In S. K. Katsikas, F. Cuppens, N. Cuppens, C. Lambrinoudakis, A. Antón, S. Gritzalis, J. Mylopoulos, & C. Kalloniatis (Eds.), Computer Security, Springer International Publishing, 11387, pp. 20–36. doi: 10.1007/978-3-030-12786-2.
15. Kayisoglu, G., Bolat, P., Tam, K. (2022). Evaluating SLIM-based human error probability for ECDIS cybersecurity in maritime. The Journal of Navigation 75: 364–1388. doi: 10.1017/S0373463322000534.
16. Kayisoglu, G., Bolat, P., Tam, K., (2023). A novel application of the CORAS framework for ensuring cyber hygiene on shipboard RADAR. Journal of Marine Engineering & Technology, 1–15. doi: 10.1080/20464177.2023.2292782.
17. Kesseler, G.C. (2019). Cybersecurity in the Maritime Domain. USCG Proceedings of the Marine Safety & Security Council, 76(1): 11–13.
18. Martínez, F., Sànchez, L.E., Santos-Olmo, A., Rosado, D.G., Fernàndez-Medina, E. (2024). Maritime cybersecurity: protecting digital seas. International Journal of Information Security, 23(2): 1429–1457. doi: 10.1007/s10207-023-00800-0.
19. Palbar Misas, J. D., Hopcraft, R., Tam, K., Jones, K. (2024). Future of maritime autonomy: cybersecurity, trust and mariner’s situational awareness. Journal of Marine Engineering and Technology, 23(3): 224–235. doi: 10.1080/20464177.2024.2330176.
20. Rajaram, P., Goh, M., Zhou, J. (2022). Guidelines for cyber risk management in shipboard operational technology systems. Journal of Physics: Conference Series, 2311(1): 012002. doi: 10.1088/1742-6596/2311/1/012002.
21. Rana, A. (2019). Commercial Maritime and Cyber Risk Management. Safety & Defense, 5(1): 46–48. doi: 10.37105/sd.42.
22. Reilly, G., Jorgensen, J. (2016). Classification considerations for cyber safety and security in the smart ship era. RINA, Royal Institution of Naval Architects - Smart Ship Technology 2016, Papers, January, pp. 33–39.
23. Santamarta, R. (2014). SATCOM Terminals: Hacking by Air, Sea, and Land. IOActive. Accessed Date: 23/05/2024, https://www.ioactive.com is retrieved.
24. Silverajan, B., Vistiaho, P. (2019). Enabling Cybersecurity Incident Reporting and Coordinated Handling for Maritime Sector. 2019 14th Asia Joint Conference on Information Security (AsiaJCIS), 88–95. doi: 10.1109/AsiaJCIS.2019.000-1.
25. Soner, O., Kayisoglu, G., Bolat, P., Tam, K. (2023a). Cybersecurity risk assessment of VDR. The Journal of Navigation, 76(1): 20–37. doi: 10.1017/S0373463322000595.
26. Soner, O., Kayisoglu, G., Bolat, P., Tam, K. (2023b). Risk sensitivity analysis of AIS cyber security through maritime cyber regulatory frameworks. Applied Ocean Research, 142: 103855. doi: 10.1016/j.apor.2023.103855.
27. Svilicic, B., Rudan, I., Jugović, A., Zec, D. (2019). A Study on Cyber Security Threats in a Shipboard Integrated Navigational System. Journal of Marine Science and Engineering, 7(10): 364. doi: 10.3390/jmse7100364.
28. Tam, K., Jones, K. (2019). MaCRA: a model-based framework for maritime cyber-risk assessment. WMU Journal of Maritime Affairs, 18(1): 129–163. doi: 10.1007/s13437-019-00162-2.
29. Tran, K., Keene, S., Fretheim, E., Tsikerdekis, M. (2021). Marine Network Protocols and Security Risks. Journal of Cybersecurity and Privacy Communication, 239–251. doi: 10.3390/jcp1020013.
30. Tucci, A.E. (2017). Cyber Risks in the Marine Transportation System. In: Cyber-Physical Security Protecting Critical Infrastructure at the State and Local Level, R. M. Clark & S. Hakim (Eds.), Springer International Publishing, Switzerland, pp. 113–131. doi: 10.1007/978-3-319-32824-9_6.
31. Witherby, BIMCO, ICS, (2023). Cyber Security Workbook for On Board Ship Use.
32. Zăgan, R., Raicu, G., Hanzu-Pazara, R., Enache, S. (2018). Realities in Maritime Domain Regarding Cyber Security Concept. Advanced Engineering Forum, 27: 221–228. doi: 10.4028/www.scientific.net/AEF.27.221.