Hostname: page-component-76fb5796d-r6qrq Total loading time: 0 Render date: 2024-04-26T06:33:42.575Z Has data issue: false hasContentIssue false
  • English
  • Français

Cybersecurity risk assessment of VDR

Published online by Cambridge University Press:  31 January 2023

Ömer Söner Open the ORCID record for Ömer Söner [Opens in a new window] ,
Gizem Kayisoglu ,
Pelin Bolat  and
Kimberly Tam
Ömer Söner*
Affiliation:
Department of Maritime Transportation Management Engineering in Maritime Faculty, Van Yuzuncu Yıl University, Van, Türkiye
Gizem Kayisoglu
Affiliation:
Department of Maritime Transportation Management Engineering in Maritime Faculty, Istanbul Technical University, Istanbul, Türkiye
Pelin Bolat
Affiliation:
Department of Basic Sciences in Maritime Faculty, Istanbul Technical University, Istanbul, Türkiye
Kimberly Tam
Affiliation:
School of Engineering, Computing and Mathematics, University of Plymouth, Plymouth, UK
*
*Corresponding author. E-mail: soneromer023@gmail.com
Get access Rights & Permissions [Opens in a new window]

Abstract

The voyage data recorder (VDR) is a data recording system that aims to provide all navigational, positional, communicational, sensor, control and command information for data-driven investigation of accidents onboard ships. Due to the increasing dependence on interconnected networks, cybersecurity threats are one of the most severe issues and critical problems when it comes to safeguarding sensitive information and assets. Cybersecurity issues are extremely important for the VDR, considering that modern VDRs may have internet connections for data transfer, network links to the ship's critical systems and the capacity to record potentially sensitive data. Thus, this research adopted failure modes and effects analysis (FMEA) to perform a cybersecurity risk assessment of a VDR in order to identify cyber vulnerabilities and specific cyberattacks that might be launched against the VDR. The findings of the study indicate certain cyberattacks (false information, command injection, viruses) as well as specific VDR components (data acquisition unit (DAU), remote access, playback software) that required special attention. Accordingly, preventative and control measures to improve VDR cybersecurity have been discussed in detail. This research makes a contribution significantly to the improvement of ship safety management systems, particularly in terms of cybersecurity.

Keywords

maritimecybersecurityrisk assessmentVDRFMEA
Type
Research Article
Information
The Journal of Navigation , Volume 76 , Issue 1 , January 2023 , pp. 20 - 37
Check for updates
Copyright
Copyright © The Author(s), 2023. Published by Cambridge University Press on behalf of The Royal Institute of Navigation

Access options

Get access to the full version of this content by using one of the access options below. (Log in options will check for institutional or personal access. Content may require purchase if you do not have access.)

References

ABS (American Bureau of Shipping). (2016). The Application of Cybersecurity Principles To Marine and Offshore Operations. ABS Cybersafety Volume 1. Spring, TX 77389 USA.Google Scholar
Akula, S. K. and Salehfar, H. (2021). Risk-based Classical Failure Mode and Effect Analysis (FMEA) of Microgrid Cyber-Physical Energy Systems. In 2021 North American Power Symposium (NAPS). IEEE 16.CrossRefGoogle Scholar
Amro, A. (2021). Cyber-Physical tracking of IoT Devices: A Maritime Use Case. In Norsk IKT-Konferanse for Forskning Og Utdanning, Vol. 3.Google Scholar
Babineau, G. L., Jones, R. A. and Horowitz, B. (2012). A System-Aware Cybersecurity Method for Shipboard Control Systems with A Method Described to Evaluate Cybersecurity Solutions. In 2012 IEEE Conference on Technologies for Homeland Security (HST). IEEE, 99104.CrossRefGoogle Scholar
Barkow, I., Leopold, T., Raab, M., Schiller, D., Wenzig, K., Blossfeld, H. P. and Rittberger, M. (2011). 20 RemoteNEPS: data dissemination in a collaborative workspace. Zeitschrift für Erziehungswissenschaft, 14(2), 315325.10.1007/s11618-011-0192-5CrossRefGoogle Scholar
Bhatia, S., Kush, N., Djamaludin, C., Akande, J. and Foo, E. (2014). Practical Modbus flooding attack and detection. Conferences in Research and Practice in Information Technology Series, 149, 5765.Google Scholar
BIMCO. (2020). The Guidelines on Cyber Security onboard Ships - Version 4. BIMCO: Copenhagen, Denmark.Google Scholar
Bolbot, V., Theotokatos, G., Boulougouris, E. and Vassalos, D. (2020). A novel cyber-risk assessment method for ship systems. Safety Science, 131, 104908.CrossRefGoogle Scholar
Cicek, K. and Celik, M. (2013). Application of failure modes and effects analysis to main engine crankcase explosion failure on-board ship. Safety Science, 51(1), 610.CrossRefGoogle Scholar
Danelec. (2021). DM100 VDR, Voyage Data Recorder. VDR Manufacturer Brochure. https://denmark.xcontain.com/company/danelec-electronics-a-s/Google Scholar
Danelec Systems. (2016). White Paper on Vdr Cybersecurity.Google Scholar
Gallagher, S. (2015). Hacked at sea: Researchers find ships’ data recorders vulnerable to attack. ArsTECHNICA. https://arstechnica.com/information-technology/2015/12/hacked-at-sea-researchers-find-ships-data-recorders-vulnerable-to-attack/Google Scholar
Glomsrud, J. A. and Xie, J. (2019). A Structured STPA Safety and Security Co-Analysis Framework for Autonomous Ships. In European Safety and Reliability Conference, Germany, Hannover.CrossRefGoogle Scholar
Gunes, B., Kayisoglu, G. and Bolat, P. (2021). Cybersecurity risk assessment for seaports: A case study of a container port. Computers & Security, 103, 102196.CrossRefGoogle Scholar
Guzman, N. C., Kufoalor, D. K. M., Kozine, I. and Lundteigen, M. A. (2019). Combined Safety and Security Risk Analysis Using the UFoI-E Method: A Case Study of an Autonomous Surface Vessel. In Proceedings of the 29th European Safety and Reliability Conference, Lower Saxony, Germany, 2226.Google Scholar
Haseeb, J., Mansoori, M. and Welch, I. (2021). Failure Modes and Effects Analysis (FMEA) of Honeypot-Based Cybersecurity Experiment for IoT. In 2021 IEEE 46th Conference on Local Computer Networks (LCN). IEEE, 645648.CrossRefGoogle Scholar
Heering, D., Maennel, O. M. and Venables, A. N. (2021). Shortcomings in Cybersecurity Education for Seafarers. In Developments in Maritime Technology and Engineering, 4961. CRC Press.CrossRefGoogle Scholar
Hemminghaus, C., Bauer, J. and Padilla, E. (2021a). BRAT: A BRidge attack tool for cybersecurity assessments of maritime systems. TransNav, the International Journal on Marine Navigation and Safety of Sea Transportation, 15(1), 3544. doi:10.12716/1001.15.01.02CrossRefGoogle Scholar
Hemminghaus, C., Bauer, J. and Wolsing, K. (2021b). SIGMAR: Ensuring Integrity and Authenticity of Maritime Systems Using Digital Signatures. 2021 International Symposium on Networks, Computers and Communications (ISNCC), 16. doi:10.1109/ISNCC52172.2021.9615738CrossRefGoogle Scholar
Huitsing, P., Chandia, R., Papa, M. and Shenoi, S. (2008). Attack taxonomies for the modbus protocols. International Journal of Critical Infrastructure Protection, 1(C), 3744. doi:10.1016/j.ijcip.2008.08.003CrossRefGoogle Scholar
IMO. (2012).Adoption of Revised Performance Standards for Shipborne Voyage Data Recorders (VDRs). IMO Resolution MSC 333(90).Google Scholar
IMO (International Maritime Organization). (2016). Guidelines On Maritime Cyber Risk Management. IMO MSC-FAL.1/Circ.3.Google Scholar
Jo, Y., Choi, O., You, J., Cha, Y. and Lee, D. H. (2022). Cyberattack models for ship equipment based on the MITRE ATT&CK framework. Sensors, 22(5), 1860. doi:10.3390/s22051860CrossRefGoogle ScholarPubMed
Kaleem Awan, M. S. and Ghamdi, M. A. A. (2019). Understanding the vulnerabilities in digital components of an integrated bridge system (IBS). Journal of Marine Science and Engineering, 7(10), doi:10.3390/jmse7100350Google Scholar
Katsikas, S. K. (2017). Cybersecurity of the Autonomous Ship. In Proceedings of the 3rd ACM Workshop on Cyber-Physical System Security, pp. 5556.CrossRefGoogle Scholar
Kavallieratos, G. and Katsikas, S. (2020). Managing cybersecurity risks of the cyber-enabled ship. Journal of Marine Science and Engineering, 8(10), 768.CrossRefGoogle Scholar
Kavallieratos, G., Katsikas, S. and Gkioulos, V. (2018). Cyberattacks against the autonomous ship. In International Workshop on Security and Privacy Requirements Engineering, International Workshop on the Security of Industrial Control Systems and Cyber-Physical Systems, Cham: Springer, 2036.Google Scholar
Kessler, G. C. (2021). The can bus in the maritime environment – technical overview and cybersecurity vulnerabilities. TransNav, 15(3), 531540. doi:10.12716/1001.15.03.05CrossRefGoogle Scholar
Kim, M., Joung, T. H., Jeong, B. and Park, H. S. (2020). Autonomous shipping and its impact on regulations, technologies, and industries. Journal of International Maritime Safety, Environmental Affairs, and Shipping, 4(2), 1725.CrossRefGoogle Scholar
King, J. (2005). The security of merchant shipping. Marine Policy, 29(3), 235245.CrossRefGoogle Scholar
Kovacs, E. (2015). Ship Data Recorders Vulnerable to Hacker Attacks. SecurityWeek. https://www.securityweek.com/ship-data-recorders-vulnerable-hacker-attacksGoogle Scholar
Liu, H. C. (2016). FMEA using uncertainty theories and MCDM methods. In FMEA Using Uncertainty Theories and MCDM Methods. Singapore: Springer, 13–27, doi:10.1007/978-981-10-1466-6.Google Scholar
Liu, H. C., You, J. X., Ding, X. F. and Su, Q. (2015). Improving risk evaluation in FMEA with a hybrid multiple criteria decision-making method. International Journal of Quality & Reliability Management, 32(7), 763782. doi:10.1108/IJQRM-10-2013-0169CrossRefGoogle Scholar
Malviya, N. (2020). RS-232 and RS-485. Infosec. https://resources.infosecinstitute.com/topic/rs-232-and-rs-485/Google Scholar
MD (Marine Digital). (2022). Cybersecurity in shipping and port technologies: examples of cyber-attacks in maritime. Retrieved: 15.03.2022. From: https://marine-digital.com/cybersecurity_in_shipping_and_portsGoogle Scholar
Meland, P. H., Bernsmed, K., Wille, E., Rødseth, ØJ and Nesheim, D. A. (2021). A retrospective analysis of maritime cybersecurity incidents. TransNav: International Journal on Marine Navigation and Safety of Sea Transportation, 15(3), 519530.CrossRefGoogle Scholar
NMEA. (2021). NMEA Standards. National Marine Electronics Association. https://www.nmea.org/content/STANDARDS/NMEA_0183_StandardGoogle Scholar
OCIMF (Oil Companies International Marine Forum). (2020). Recommendations on the Proactive Use of Voyage Data Recorder Information. (Revised edition 2020). London, UK.Google Scholar
Omitola, T., Downes, J., Wills, G., Zwolinski, M. and Butler, M. (2018). Securing Navigation of Unmanned Maritime Systems. Proceedings of the International Robotic Sailing Conference 2018, Southampton, United Kingdom, 31-08-2018.Google Scholar
Papastergiou, S., Polemi, N. and Karantjias, A. (2015). CYSM: AN Innovative Physical/Cybersecurity Management System for Ports. In International Conference on Human Aspects of Information Security, Privacy, and Trust. Springer, Cham, pp. 219230.Google Scholar
Parian, C., Guldimann, T. and Bhatia, S. (2020). Fooling the master: Exploiting weaknesses in the modbus protocol. Procedia Computer Science, 171(2019), 24532458. doi:10.1016/j.procs.2020.04.265CrossRefGoogle Scholar
Perera, L. P. and Mo, B. (2020). Ship performance and navigation information under high-dimensional digital models. Journal of Marine Science and Technology, 25(1), 8192.CrossRefGoogle Scholar
Piccinelli, M. and Gubian, P. (2013). Modern ships Voyage Data Recorders: A forensics perspective on the Costa Concordia shipwreck. Digital investigation, 10, S41S49.CrossRefGoogle Scholar
Pillay, A. and Wang, J. (2003). Modified failure mode and effects analysis using approximate reasoning. Reliability Engineering & System Safety, 79(1), 6985.CrossRefGoogle Scholar
Queiroz, C., Mahmood, A., Hu, J., Tari, Z. and Yu, X. (2009). Building A SCADA Security Testbed. NSS 2009 - Network and System Security, 357364. doi:10.1109/NSS.2009.82CrossRefGoogle Scholar
Ralston, P. A., Graham, J. H. and Hieb, J. L. (2007). Cybersecurity risk assessment for SCADA and DCS networks. ISA Transactions, 46(4), 583594.CrossRefGoogle Scholar
Santamarta, R. (2015). Maritime security: Hacking into a voyage data recorder (VDR). IOActive.Google Scholar
Shang, W., Gong, T., Chen, C., Hou, J. and Zeng, P. (2019). Information security risk assessment method for ship control system based on fuzzy sets and attack trees. Security and Communication Networks, 2019, Article ID 3574675, 11 pages. https://doi.org/10.1155/2019/3574675CrossRefGoogle Scholar
Silverajan, B., Ocak, M. and Nagel, B. (2018). Cybersecurity Attacks and Defences for Unmanned Smart Ships. Proceedings - IEEE 2018 International Congress on Cybermatics: 2018 IEEE Conferences on Internet of Things, Green Computing and Communications, Cyber, Physical and Social Computing, Smart Data, Blockchain, Computer and Information Technology, IThings/Gree, 1520. doi:10.1109/Cybermatics_2018.2018.00037CrossRefGoogle Scholar
Stamatis, D. H. (2003). Failure Mode and Effect Analysis: FMEA From Theory to Execution. Milwaukee, Wisconsin: Quality Press.Google Scholar
Svilicic, B., Kamahara, J., Celic, J. and Bolmsten, J. (2019a). Assessing ship cyber risks: A framework and case study of ECDIS security. WMU Journal of Maritime Affairs, 18(3), 509520.CrossRefGoogle Scholar
Svilicic, B., Rudan, I., Frančić, V. and Doričić, M. (2019b). Shipboard ECDIS cybersecurity: Third-party component threats. Pomorstvo, 33(2), 176180. doi:10.31217/p.33.2.7CrossRefGoogle Scholar
Svilicic, B., Kamahara, J., Rooks, M. and Yano, Y. (2019c). Maritime cyber risk management: An experimental ship assessment. The Journal of Navigation, 72(5), 11081120.CrossRefGoogle Scholar
Tam, K. and Jones, K. (2018). Cyber-risk Assessment for Autonomous Ships. In 2018 International Conference on Cybersecurity and Protection of Digital Services (Cybersecurity). IEEE, pp. 18.CrossRefGoogle Scholar
Tam, K. and Jones, K. (2019). MaCRA: A model-based framework for maritime cyber-risk assessment. WMU Journal of Maritime Affairs, 18(1), 129163. doi:10.1007/s13437-019-00162-2CrossRefGoogle Scholar
Tam, K., Moara-Nkwe, K. and Jones, K. (2021). A Conceptual Cyber-Risk Assessment of Port Infastructure. 2021 World of Shipping Portugal. An International Research Conference on Maritime Affairs. 28-29 January 2021, Virtual Conference, Parede, Portugal.Google Scholar
Tam, K., Hopcraft, R., Moara-Nkwe, K., Misas, J. P., Andrews, W., Harish, A. V., Giménez, P., Crichton, T. and Jones, K. (2022). Case study of a cyber-physical attack affecting port and ship operational safety. Journal of Transportation Technologies, 12(01), 127. doi:10.4236/jtts.2022.121001CrossRefGoogle Scholar
Tran, K., Keene, S., Fretheim, E. and Tsikerdekis, M. (2021). Marine network protocols and security risks. Journal of Cybersecurity and Privacy, 1(2), 239251. doi:10.3390/jcp1020013CrossRefGoogle Scholar
Zhou, X. Y., Liu, Z. J., Wang, F. W., Wu, Z. L. and Cui, R. D. (2020). Towards applicability evaluation of hazard analysis methods for autonomous ships. Ocean Engineering, 214, 107773.CrossRefGoogle Scholar
Zhou, X. Y., Liu, Z. J., Wang, F. W. and Wu, Z. L. (2021). A system-theoretic approach to safety and security co-analysis of autonomous ships. Ocean Engineering, 222, 108569.CrossRefGoogle Scholar