© Thales Nederland B.V. and/or its suppliers Subject to restrictive legend on title page
Master Thesis
Towards Cyber Incident Response on Naval Ships: The Cyber Incident Response Decision Model
C. Visscher
23-2-2021
© Thales Nederland B.V. and/or its suppliers Subject to restrictive legend on title page
Towards Cyber Incident Response on Naval Ships:
The Cyber Incident Response Decision Model Master Thesis
23-02-2021 Author
Name: C. Visscher (Christiaan)
Program: MSc Business Information Technology
Institute: University of Twente
PO Box 217 7500 AE Enschede The Netherlands Email address:
Graduation Committee
Prof. Dr. M.E. Iacob (Maria)
Industrial Engineering and Business Information Systems (IEBIS) Behavioral, Management and Social Sciences (BMS)
University of Twente m.e.iacob@utwente.nl
Dr. Ir. M. van Sinderen (Marten) Services and Cybersecurity (SCS)
Electrical Engineering, Mathematics and Computer Science (EWI) University of Twente
m.j.vansinderen@utwente.nl Dr. Ir. R. van Buuren (René) Standard Solution Management Thales Nederland B.V.
rene.vanbuuren@nl.thalesgroup.com
Disclaimer
© Thales Nederland B.V. and/or its suppliers Subject to restrictive legend on title page
PREFACE
Dear Reader,
The thesis that is laying in front of you marks the completion of the Master Business Information Technology at the University of Twente (UT) by me. In 2013 I started on the UT with the Bachelor Business & IT. The choice for this bachelor I have never regretted, as it combines two of my favorite topics. As a result, I decided to enroll in the follow-up master’s degree. The bachelor and master also allowed me to carry out interesting projects in addition to the study itself. This has made me the person who I am today.
First, I want to thank Maria Iacob and Marten van Sinderen for their valuable insights and feedback, which was not always easy for them to give due to the confidentiality in this thesis.
Furthermore, they provided me with advice on literature to read, which led has to sharpening of the research.
Secondly, I would like to thank my supervisor of Thales, René van Buuren. The conversations we had regularly always gave new insights and new challenges, which kept the research always interesting. Also, his guidance improved the quality of this thesis and helped me to reflect on myself. Furthermore, I would like to thank the other colleges at Thales for their contributions and small talk.
Finally, I would like to express my gratitude to my family and friends that supported me during my study and throughout the writing of this thesis. If there were any issues, I could rely on them and they would support me, motivate me or were simply a listing ear.
I wish you a pleasant reading and I hope it gives you plenty of new insights,
Christiaan
© Thales Nederland B.V. and/or its suppliers Subject to restrictive legend on title page
MANAGEMENT SUMMARY
In the last decade, the cyber threat from state actors has been increasing. As a result, it has become necessary for armed forces to invest in cyber capabilities, such as cyber security.
This can be seen in the cyber security requirements that are imposed on projects for the replacement and purchase of naval ships.
The Thales Group, as a supplier of systems for naval ships, has to incorporate these requirements in their products. However, the Thales Naval Cyber Security vision, safeguarding your strength@sea, has a broader ambition than just delivering security by design. The ambition includes the goal to support navies in performing on-board cyber incident response in order to increase the mission sustainability. However, current incident response processes and models do not take into account the circumstances that originate in a navy, both military and maritime. Therefore, this research aims to provide a solution to the following problem statement:
Improve cyber incident handling on naval ships by designing a cyber incident response decision model that satisfies the military boundary conditions in order to support mission sustainability.
The structured literature review (SLR) shows that maritime cyber security is in its infancy.
Current literature covers problems with cyber security on maritime vessels as well as
(potential) cyber-attacks. However, response and recovery methods to counter cyber-attacks and are able to coop with the conditions on sea are rare. Furthermore, the literature review also explores current cyber incident response frameworks and literature. These frameworks are mature, though they do not include a distinction between response and recovery. This distinction is important in the military domain, because for full recovery, time and resources are not available during a mission. Instead, the main goal is simple during a mission; keep things running. Finally, the SLR explored the different systems aboard a naval ship, as the different systems might require a different approach in cyber incident response. The main difference that is found for the cyber incident response process are the cyber security goals, Confidentiality, Integrity and Availability. Depending on which goal has the highest priority in the system, the resulting impact on a military operation differs.
Besides the SLR, armed forces and naval doctrine has been examined to determine what the conditions or factors of influence are during a military mission. The answer to this has been found in military decision-making processes, these factors are already analyzed to decide on the course of action for a military mission.
Based upon reviewed cyber security standards and naval doctrine, the Cyber Incident
Response Decision Model (CIRDM) has been proposed as solution to the problem statement.
Subsequently, CIRDM has been validated by two different methods. The first method that has
been used is a case study, with the case study the expressiveness of CIRDM has been
explored and the requirements have been verified. The second method, mapping CIRDM to
© Thales Nederland B.V. and/or its suppliers Subject to restrictive legend on title page
Finally, through this research various contributions have been made to science and practice:
• Recent literature on cyber security of maritime vessels has been categorized based upon the functions of the NIST Computer Security Incident Handling Guide.
• A clear difference between response and recovery in the cyber incident handling process has been proposed.
• It has been discovered that depending on the type of system and situation the priority of the security goals alternates
• The Designed CIRDM is a first step toward cyber incident response on naval ships.
• Two additions are proposed to the ArchiMate, the “Fulfilment” Relationship and the design CIRDM can be used a specialization.
• Finally, the work will support Thales Nederland in development of new products and
services for their customers.
© Thales Nederland B.V. and/or its suppliers Subject to restrictive legend on title page
CONTENTS
PREFACE ... 3
MANAGEMENT SUMMARY ... 4
CONTENTS ... 6
LIST OF TABLES ... 9
LIST OF FIGURES ... 10
LIST OF ABBREVIATIONS ... 11
1. INTRODUCTION - OPEN ... 12
1.1. Thales Group and Thales Netherlands B.V. - OPEN ... 13
1.2. Structure of the Report – OPEN ... 13
2. RESEARCH DESIGN - OPEN ... 14
2.1. Design Problem and Research Questions - OPEN ... 15
2.2. Mission Assurance – OPEN ... 16
2.3. Research Domains - OPEN ... 18
3. PROBLEM INVESTIGATION - OPEN ... 19
3.1. Literature Review Methodology - OPEN ... 19
3.1.1. Systematic Literature Review - OPEN ... 19
3.1.2. Snowballing Literature Search - OPEN ... 21
3.1.3. Data Collection - OPEN ... 21
3.2. Cyber security on maritime Vessels - OPEN ... 27
3.2.1. Distribution of Literature - OPEN ... 30
3.2.2. Cyber-Attacks on Ships - OPEN ... 31
3.2.3. Findings - OPEN ... 33
3.3. Cyber Incident Response - OPEN ... 34
3.3.1. Cyber Security Standards - OPEN... 34
3.3.2. Literature Analysis - OPEN ... 38
3.3.3. Incident Management in other applications – OPEN ... 41
3.3.4. Findings - OPEN ... 42
3.4. Maritime Systems: IT & OT - OPEN... 45
3.4.1. Findings – THALES GROUP INTERNAL ... 47
4. THE NAVAL COMPONENT - OPEN ... 48
4.1. Main Tasks & Operations - OPEN ... 49
4.2. Command and Control - OPEN ... 50
4.3. Military Decision Making - OPEN ... 52
4.4. Military Operational Planning Process – OPEN ... 53
4.5. Internal Battle & External Battle – THALES GROUP INTERNAL ... 55
5. FIELD RESEARCH – OPEN ... 56
© Thales Nederland B.V. and/or its suppliers Subject to restrictive legend on title page
6.3.1. Aspects – OPEN ... 60
6.3.2. Phases - OPEN ... 60
6.3.3. Relation Types - OPEN ... 62
6.4. Prepare Phase - OPEN... 65
6.4.1. Military Aspect: Mission & Operating Environment Model - OPEN ... 65
6.4.2. Cyber Defense Aspect: Threat Model - OPEN ... 68
6.5. Detect & Analysis Phase - OPEN ... 72
6.5.1. Military Aspect: Course of Action Model - OPEN ... 72
6.5.2. Cyber Defense Aspect: Incident Model – THALES GROUP INTERNAL ... 76
6.6. Response Phase – THALES GROUP INTERNAL ... 76
6.6.1. Military Aspect: Current Situation Model – THALES GROUP INTERNAL .... 76
6.6.2. Cyber Defense Aspect: Response Model – THALES GROUP INTERNAL .. 76
6.7. Integrating the Models – THALES GROUP INTERNAL ... 76
6.7.1. Removing excess Military Concepts – THALES GROUP INTERNAL ... 76
6.7.2. Establishing the Inter-Model Relation Types – THALES GROUP INTERNAL ... 76
6.7.3. Shared Concept Interlayer – THALES GROUP INTERNAL ... 76
6.7.4. Removing excess Cyber Concepts – THALES GROUP INTERNAL ... 76
6.7.5. Curiosities – THALES GROUP INTERNAL ... 76
6.7.6. Fulfillment of a predicted Threat – THALES GROUP ... 76
6.8. Findings – THALES GROUP INTERNAL ... 76
7. TREATMENT VALIDATION – THALES GROUP INTERNAL ... 77
ABSTRACT – OPEN ... 77
7.1. Validation Method – THALES GROUP INTERNAL... 78
7.2. Case Study – THALES GROUP INTERNAL ... 78
7.2.1. Mission Solution – THALES GROUP INTERNAL ... 78
7.2.2. The Case – THALES GROUP INTERNAL ... 78
7.2.3. Case Variants – THALES GROUP INTERNAL ... 78
7.2.4. Modelling the Mission & Environment Model – THALES GROUP INTERNAL ... 78
7.2.5. Modelling the Threat Model – THALES GROUP INTERNAL ... 78
7.2.6. Modelling the Course of Action Model - THALES GROUP INTERNAL ... 78
7.2.7. Modelling the Incident Model -THALES GROUP INTERNAL ... 78
7.2.8. Modeling the Current Situation Model – THALES GROUP INTERNAL ... 78
7.2.9. Modeling the Response Model – THALES GROUP INTERNAL ... 78
7.2.10. Results – THALES GROUP INTERNAL ... 78
7.3. Specialization of ArchiMate – THALES GROUP INTERNAL ... 78
7.3.1. Results – THALES GROUP INTERNAL ... 78
7.4. Findings – THALES GROUP INTERNAL ... 78
8. CONCLUSION – OPEN ... 79
8.1. Research Questions – OPEN ... 79
8.2. Contribution – OPEN ... 82
© Thales Nederland B.V. and/or its suppliers Subject to restrictive legend on title page
Appendix B: Interview onboard a naval vessel - OPEN ... 93
Appendix C: ArchiMate - OPEN ... 94
Appendix D: MOEM Definition Table - OPEN... 95
Appendix E: Threat Model Definition Table - OPEN ... 97
Appendix F: CoA Model Definition Table - OPEN ... 99
Appendix G: Incident Model Definition Table – THALES GROUP INTERNAL ... 101
Appendix H: Current Situation Model Definition Table – THALES GROUP INTERNAL 102 Appendix I: Response Model Definition Table – THALES GROUP INTERNAL ... 103
Appendix J: Case Variant 1 Full Model – THALES GROUP INTERNAL ... 104
Appendix K: Case Variant 2 Full Model – THALES GROUP INTERNAL ... 105
Appendix L: Case Variant 3 Full Model – THALES GROUP INTERNAL ... 106
Appendix M: Categorizing Threat & Incident Actions – THALES GROUP INTERNAL .. 107
Appendix N: MITRE ATT&CK Tactics and Techniques – THALES GROUP INTERNAL
... 108
© Thales Nederland B.V. and/or its suppliers Subject to restrictive legend on title page
LIST OF TABLES
Table 1: Literature Sources ... 20
Table 2: Introductory Literature List ... 22
Table 3: Cyber Security in the maritime sector literature list ... 24
Table 4: Cyber Incident Response Literature List ... 26
Table 5: Distribution of Literature among NIST Cyber Security Framework Functions ... 31
Table 6: Cyber Attack Types in Selected Literature ... 32
Table 7: Proposed Respond and Recover Differences in a Critical Environment. ... 43
Table 8: Mapping of the Phases of Cyber Incident Handling & Command and Control... 61
Table 9: ArchiMate Relationship Types [78] ... 63
Table 10: Relationships in the MOEM Model... 67
Table 11: Relationships in the Threat Model ... 72
Table 12: Relationships in the COA Model ... 75
Table 13: IT and OT differences [67] ... 91
Table 14: MOEM Element Definitions ... 95
Table 15: Threat Model Concept Descriptions... 97
Table 16: COA Model element definitions ... 100
© Thales Nederland B.V. and/or its suppliers Subject to restrictive legend on title page
LIST OF FIGURES
Figure 1: The Engineering Cycle [9] ... 14
Figure 2: Design Problem ... 15
Figure 3: Research Design ... 16
Figure 4: Subdivision of Mission Assurance ... 17
Figure 5: Research Domains & Initial Questions ... 18
Figure 6: Selection Process: RQ1 ... 23
Figure 7: Selection Process RQ2 ... 25
Figure 8: Metamodel of a (naval) system [29]... 29
Figure 9: Distribution of Literature per Year ... 30
Figure 10: NIST Incident Response Cycle [59] ... 35
Figure 11: ISO/IEC 27035 Information security incident management phases [60] ... 37
Figure 12:Intitial Interaction model between infrastructure and static situational awareness [52] ... 40
Figure 13: Mission Assurance & NIST Cyber Security Functions ... 42
Figure 14:Initial Incident Response Process... 44
Figure 15: IT & OT Taxonomy ... 45
Figure 16: Maritime Operation Types ... 49
Figure 17: Command and Control: Elements, Pillars and Principles [74] ... 50
Figure 18: The Cyclic Nature of Decision Making [74] ... 52
Figure 19: The Content Framework of the Cyber Incident Response Decision Model ... 59
Figure 20: Relationship Example ... 62
Figure 21: Shared Concepts Example ... 64
Figure 22: Bridging Concept Example ... 64
Figure 23: Example of a Grouping ... 64
Figure 24: Mission & Operational Environment Model (MOEM) ... 66
Figure 25: Threat Model ... 70
Figure 26: Course of Action (COA) Model ... 74
Figure 27: ArchiMate Full Framework [78] ... 94
© Thales Nederland B.V. and/or its suppliers Subject to restrictive legend on title page
LIST OF ABBREVIATIONS
ADF Air Defense Frigate
AFNLD Armed Forces of the Netherlands AI Artificial Intelligence
BDAR Battlefield Damage Assessment and Repair BPM Business Process Modeling
C2 Command and Control
CIA Confidentiality, Integrity, Availability CIC Combat Information Center
CIRDM Cyber Incident Response Decision Model CJA Crown Jewel Analysis
CMIA Cyber Mission Impact Assessment COA Course of Action
CPS Cyber Physical System CSA Cyber Security Awareness
CSOC Cyber Security Operations Center DoD Department of Defense
DoS Denial of Service
DSM Design Science Methodology EBIOS: RM EBIOS: Risk Manager ECOA Enemy Course of Action
GMO Grondslagen van het Maritieme Optreden ICS Industrial Control System
IEC International Electrotechnical Commission IMO International Maritime Organization
ISO International Organization for Standardization ISR Intelligence, Surveillance and Reconnaissance IT Information Technology
MaCRA Maritime Cyber Risk Assessment model MOC Multifunction Operator Console
MOEM Mission & Operating Environmental Model MQ Main research Question
MS500 Mission Solutions 500
NATO North Atlantic Treaty Organization
NCTV Nationaal Coördinator Terrorismebestrijding en Veiligheid NIST National Institute of Standards and Technology
NIST CSF NIST Cyber Security Framework
NLT Not Later Than
OT Operational Technology PLC Programmable Logic Controller RNLN Royal Netherlands Navy
RQ Research Question
SCADA Supervisory Control and Data Acquisition SLR Systematic Literature Review
SOC Security Operations Center
TPVE Tactisch Planningsproces voor Varende Eenheden
© Thales Nederland B.V. and/or its suppliers Subject to restrictive legend on title page
1. INTRODUCTION - OPEN
In recent years, the National Coordinator for Security and Counterterrorism (in Dutch:
Nationaal Coördinator Terrorismebestrijding en Veiligheid, NCTV) has reported an increase of cyber threats by state actors and professional criminal organizations every year. In 2019 the NCTV even stated that state actors are the greatest cyber threat to national security [1]. The cyber threats by states are far more dangerous than other actors, as states have almost unlimited capabilities to conduct more advanced cyber-attacks, such as Advanced Persistent Threats (ATP). This development is has also become visible in the news, because recent severe attacks that have been made public are often suggested to have been carried out by state actors. The Belgacom hack, the Stuxnet attack or the attempt on the Organisation for the Prohibition of Chemical Weapons [2] are recent examples.
This development has not gone unnoticed by armies all over the world. As a result,
investments in cyber capabilities, both offensive and defensive, are increasing. For example, in the recently released Defense Vision 2035 of the Dutch Ministry of Defense the goal is set to invest into these capabilities to become one of the leading armed forces in the cyber domain [3]. However, until the results of investments into cyber capabilities are visible, armed forces will face challenges.
One of the challenges is incorporating cyber security measures into operations, organizational structure and maintenance processes of armed forces. As a result, defense organizations have become more transparent about the challenges they face. The report of the Goverment Accountability Office [4] describes that weapons systems are often not designed to be cyber secure and also acknowledges the challenge of making the systems cyber secure.
Furthermore, the Readiness Review [5] of the Navy mentions that in case of a cyber incident taking place there is no adequate knowledge on incident response.
This has also raised the awareness for cyber security of naval ships, which has never been a problem before. Because ships are often located in large water bodies, there are hardly possibilities to launch a cyber-attack via a network. However, today’s increasingly
sophisticated attacks do not always require networks. Furthermore, due to new technological developments and trends, such as Tactical Data Link to share information with friendly units, Bring Your Own Device and the extensive automation, naval ships have become increasingly vulnerable to cyber-attacks. Hence, implementation of cyber security measures is
unavoidable when a midlife upgrade for a naval ship takes place or a new naval ship is being build.
Currently, a lot of navies have plans to either replace obsolete ships or increase their fleet
size, due to destabilizing events in the world or ships reaching their end of life. This has led to
many shipbuilding projects for naval vessels, such as MKS180 [6], Type 31 [7] and the
upcoming M-Frigates [8]. In each of these projects requirements for cyber security measures
are present.
© Thales Nederland B.V. and/or its suppliers Subject to restrictive legend on title page
In the current situation cyber incident response on naval ships is often not considered, because of the lack of awareness, as mention earlier. As a baseline for implementing cyber incident response already existing cyber security frameworks or standards can be used.
However, these frameworks do not consider the unique characteristics of the operating conditions of a naval ship. For example, a navy ship has limited space to carry extra
knowledgeable personnel and equipment. As a result, personnel with cyber security expertise might not be available. Furthermore, external resources or personnel might also not be available due to the geographical location or communication restrictions. In addition, mission comes first, mission requirements, data classification or the combat situation could hamper the execution of cyber incident response.
In this research the aim is to design an incident response decision model for naval ships that takes into account the operating conditions of the navy. By providing a decision model the first step towards cyber incident response is set, because it allows personnel on a naval vessel to analyze their potential responses.
1.1. Thales Group and Thales Netherlands B.V. - OPEN
The Thales Group is a large multinational operating in 68 countries with 80000 employees.
The company, with its current name, was founded on 6 December 2000. However, through its predecessor the origin can be traced back till 1893. Thales Group is an electronics company that is active in the Aerospace, Space, Defense, Transport and Security markets.
This research is conducted at one of the subsidiaries, Thales Nederland B.V. Thales Nederland B.V was acquired in 1989, as Hollandse Signaalapparaten, with the purchase of the defense electronics businesses from Philips. The primary business of Thales Nederland is naval defense systems, but Thales Nederland has also ventured into security and
transportation systems.
1.2. Structure of the Report – OPEN
The structure of the report is as followed:
• Chapter 2 presents the design of the research, the design problem and the research questions that will be addressed.
• Chapter 3 presents and discussed the results of the problem investigation.
• Chapter 4 covers important facts of the naval domain.
• Chapter 5 shows the results of a Field Research onboard a naval ship.
• Chapter 6 presents the design of the Cyber Incident Response Decision Model
© Thales Nederland B.V. and/or its suppliers Subject to restrictive legend on title page
2. RESEARCH DESIGN - OPEN
The goal of this research is ideal to be conducted as a design science. In design science an artifact is developed to improve a problem context. In this research the artifact that will be developed is a Cyber Incident Response Decision Model (CIRDM). To develop this artifact a scientific methodology is needed, as a methodology gives guidance to the research process and ensures that the characteristics of scientific research are met.
The methodology that will be used during this research is Design Science Methodology (DSM) by Wieringa [9]. For a design science project, DSM acknowledges five tasks, which together are called the engineering cycle. The engineering cycle can be seen in Figure 1.
However, according to Wieringa in practice a research often only covers the first three tasks.
These three tasks, problem investigation, treatment design and treatment validation are called the design cycle by Wieringa.
Figure 1: The Engineering Cycle [9]
During problem investigation phase the goals is to develop an understanding of the
problematic situation, which should be improved. Task related to problem investigation are
identifying the problem and describing the problem context. This is phase is followed by
treatment design, in which an artifact is designed. Finally, during treatment validation the
artifact will be tested to see if it contributes to the goal of this research.
© Thales Nederland B.V. and/or its suppliers Subject to restrictive legend on title page
2.1. Design Problem and Research Questions - OPEN
According to Wieringa [9] a design science research contains a design problem. In the DSM a template for formulating a design problem is suggested with the following format: Improve < a problem context > by <(re)designing an artifact > that satisfies <some requirements> in order to <help> stakeholders achieve some goals. In Figure 2 the design problem formulated for this research is presented.
Improve cyber incident handling on naval ships
by designing a cyber incident response decision model That satisfies the military boundary conditions
In order to support mission sustainability Figure 2: Design Problem
This research will attempt to solve this design problem. However, most research is often expressed in a research question (RQ). Wieringa provides a guideline for transforming the design problem into a technical research problem, which essentially is a research question.
Transforming the design science problem to a main research question (MQ) results in the following:
How to design an incident response decision model that satisfies the military boundary conditions so that mission sustainability is supported by enabling cyber incident handling on naval ships?
To achieve a better understanding of the design problem and find a solution to the problem the following research questions were formulated:
RQ1. What is the current state of cyber security on maritime vessels?
The goal of this question is to explore what the current situation is of cyber security aboard vessels and what kind of research is conducted to improve cyber security onboard.
RQ2. What are the response and recovery models in existing cyber security standards?
To develop the cyber incident response decision model, first the process of cyber incident response has to be understood. This question provides insight into how these processes should be organized according to cybersecurity standards and what is important data in
RQ3. What are the differences between the main types of maritime ship systems?
On a ship there a several types of systems in use. Some of these systems
are information systems, such as the Automatic Identification System. Other
systems are to keep the ship operational, such as the propulsion. By
answering this question, the different types of systems on a ship are
explored, with a focus on the differences in cyber security.
© Thales Nederland B.V. and/or its suppliers Subject to restrictive legend on title page
Figure 3 presents these research question in relation to the different phases of research Design. It also shows what will be addressed in each stage of the report. The first phase, problem investigation, will focus on the first three research questions. The second phase, Treatment Design, focuses on the naval domain and will contain the design of the artifact. In the final phase, treatment validation, the artifact is tested by a Case Study and by relating the artifact to an existing modelling language.
Figure 3: Research Design
2.2. Mission Assurance – OPEN
The goal of this study is to contribute to mission sustainability. However, mission sustainability is part of mission assurance. In this section, mission assurance and its building blocks, mission readiness and mission sustainability are explored.
According to Bigelow [10], the North Atlantic Treaty Organization (NATO) has no formal definition of mission assurance. However, the Department of Defense (DoD) of the United States has made a formal definition of Mission assurance. The DoD has defined mission assurance as [11]:
“A process to protect or ensure the continued function and resilience of capabilities and assets – including personnel, equipment, facilities, networks, information and information systems, infrastructure, and supply chains – critical to the performance of DoD Mission-Essential Functions.”
Another viewpoint pointed out by Bigelow that has to be mentioned is the one of Peake, Underbrink and Potter [12]:
“Mission Critical Assets do not have to be perfectly secure; they just have to be
secure enough to reliably accomplish their missions”
© Thales Nederland B.V. and/or its suppliers Subject to restrictive legend on title page
In this research both viewpoints are recognized. During a mission it is essential that the capabilities of a naval vessel are kept available. However, this does not mean that all capabilities have to be fully available, they can be considered “good” enough. In fact, some might not be available as they are not needed for the mission or some can be substituted by other systems. Combining the above viewpoints this research defines mission assurance as follows:
Mission Assurance is to ensure that a Naval vessel can function or has the capabilities to at least accomplish the desired end state of a mission.
Furthermore, mission assurance can be divided into two branches, see Figure 4. The branches are a distinction based on a military context, namely being inside the preparations phase for a mission or being inside the mission itself.
The first branch is mission readiness. Mission readiness is to ensure that a naval vessel has the capabilities to conduct a mission in the future. To achieve mission readiness there are two important concepts. From a military viewpoint, the first concept is to accept only military platforms that pass accreditation and the second to keep the platform at a sufficient level to being able to perform military operations. In the civil market the first concept can be seen as the delivery of a platform that contains “security by design” measures, whereas the second concept is known as life-cycle assurance. The goal of life-cycle assurance is to maintain the security level of a platform. The second branch is mission sustainability. Mission sustainability is to ensure that a naval vessel has the capabilities to continue operating during a mission. In the civil markets mission sustainability is comparable with business continuity.
Figure 4: Subdivision of Mission Assurance
Mission Assurance
Mission Readiness
Mission
Sustainability
© Thales Nederland B.V. and/or its suppliers Subject to restrictive legend on title page
2.3. Research Domains - OPEN
The research area in which the research goal is situated is composed of multiple focus areas.
The first focus area is incident management, because the to-be designed artifact will support the handling of incidents. These incidents originate from the cyber threats, hence cyber security is the second focus area in which this research takes place. The third and final focus area is Naval. Naval itself is consisting of two subdomains, maritime and military. The choice to not list military and maritime individually was made based upon the scope of this research, naval ships. However, maritime and military need to be mentioned as subdomains, because they could be used as information source, as research on naval might be very limited.
Recognizing these focus areas supports the scoping of this research. It is expected that in the overlap between the domains useful information, which can be built upon. Hence, the focus of this research will be on the overlaps between the domains. In Figure 5 a Venn diagram of the research areas is presented. In the figure also the defined research questions are mapped, to show how these are related to the research areas.
Figure 5: Research Domains & Initial Questions
© Thales Nederland B.V. and/or its suppliers Subject to restrictive legend on title page
3. PROBLEM INVESTIGATION - OPEN
In this Chapter the Problem Investigation is performed. According to the Design Science Method from Wieringa problem investigation is gain an insight into the problem that needs to be treated and to learn about the stakeholder goal [9]. To understand the problem of Thales, three research questions were defined that will be investigated in this Chapter.
The Chapter will first introduce the methodology, that is used to investigate, in section 3.1.
This is followed by answering the research questions:
Section 3.2 RQ1: What is the current state of cyber security on maritime vessels?
Section 3.3 RQ2: What are the response and recovery models in existing cyber security standards?
Section 3.4 RQ3: What are the differences between the main types of maritime ship systems?
3.1. Literature Review Methodology - OPEN
In this section the methodologies for the literature review that is conducted will be discussed.
First, the systematic literature review will be discussed, followed by the snowballing literature review. Finally, the data collection will be shown.
3.1.1. Systematic Literature Review - OPEN
In order to perform a Systematic Literature Review (SLR) a method is needed. For this research the procedures specified by Kitchenham will be followed [13]. Kitchenham divides the literature review respectively into phases and stages:
• Planning
o Identification of need
o Development of the review protocol
• Conducting
o Identification of research o Selection of primary studies o Study quality assessment o Data extraction & monitoring o Data synthesis
• Reporting
In the paper “Systematic literature reviews in software engineering–a systematic literature
review” by Kitchenham et al these procedures are used to perform a SLR and can be seen as
an example on how to put the procedures in practice [14]. From the paper can be derived that
the planning phase consists of defining research questions, a search process, inclusion and
© Thales Nederland B.V. and/or its suppliers Subject to restrictive legend on title page
3.1.1.1. Literature Sources - OPEN
For the search process sources of literature have to be determined. In this research Scopus will be used as a primary search engine. Scopus is specifically designed to aid in literature research. It allows for the definition of queries, in which also the inclusion or exclusion criteria can be specified.
Besides Scopus as primary source, several potential secondary sources will be used to find interesting literature. The list of sources for literature can be seen in Table 1.
Table 1: Literature Sources
Source URL
Scopus https://www.scopus.com/ Primary
Google Scholar https://scholar.google.com/ Secondary
NATO Cooperative Cyber Defence Centre of Excellence Library
https://www.ccdcoe.org/library/publications/ Secondary
NATO Science and Technology Organization publications
https://www.sto.nato.int/publications/Pages/
default.aspx
Secondary
3.1.1.2. Exclusion Criteria - OPEN
In order to filter out irrelevant research the following predefined exclusion criteria will be used:
• Literature older than 2011
To avoid the use of obsolete paradigms in the fast-changing environment of cyber security, literature older than 2011 will not be included in the SLR. Other review methods might include older literature.
• Unavailable (including behind a paywall) literature
Some literature is not accessible from Scopus, for example due to the fact that there is no known location, where the literature is stored. Other literature in Scopus is not available within the University of Twente library.
• Literature that is not a conference paper or article
Scopus supports different types of literature, however not all types are useful. For
example, Scopus also includes reviews in its library. Another example books and
book chapters, that are also included into Scopus, however these are often not
available.
© Thales Nederland B.V. and/or its suppliers Subject to restrictive legend on title page
3.1.1.3. Quality Assessment - OPEN
The literature that is returned after applying the exclusion criteria will be reviewed on quality.
A manual quality review will be conducted based upon on the title and the abstract. Finally, the literature that is left will be assessed based upon its content. As results are very limited generally, no other quality criteria were applied.
3.1.2. Snowballing Literature Search - OPEN
Another approach to conducting a SLR is snowballing, which is described in the paper of Wohlin [15]. The procedure of snowballing starts by acquiring a start set of literature. Wohlin states that there is no clear path to identifying a good start set. In this research the start set will be determined by a “normal” SLR search process, as described in the previous section.
When the start set is determined there are two approaches in snowballing, namely backwards and forwards snowballing. In case of a backwards snowballing search the reference lists of the articles in the start set are used to identify and include new papers. Forwards snowballing is the opposite, citations to papers in the start set are used to identify and include new papers.
The two approaches can be iterative, which means that the newly identified literature is added to the start set and another snowball procedure is completed again.
3.1.3. Data Collection - OPEN
This section will describe per Research Question how data was collected. The first subsection will be an exception as this literature was provided. The rest of subsection will contain
information about, which method was used, the query that was used and in present, which
literature is selected.
© Thales Nederland B.V. and/or its suppliers Subject to restrictive legend on title page
3.1.3.1. Introductory Literature - OPEN
To get an introduction into the problem that Thales foresees, a list of literature was provided by Thales. The list of provided documents by Thales can be seen in Table 2. These
documents were used to get an initial overview of the problem and to specify the literature research questions. On top of that the literature was used to initialize a mind map, to keep track of ideas during conducted research activities and the writing of this report.
Table 2: Introductory Literature List
Author(s) Title Year
[16] Be Cyber Aware at Sea Phish and Ships: Issue #28 2019
[17] F.F. Brussel Design of a cybersecurity management interface for maritime vessels
2016 [4] Government Accountability
Office
Weapon Systems Cybersecurity: DoD just beginning to grapple with scale of vulnerabilities
2018 [18] International
Telecommunciation Union
Global Cybersecurity Index 2017 2017 [5] M. J. Bayer, J. M.
O'Connor, R. S. Moultrie and W. H. Swanson
Cybersecurity Readiness Review 2019
[19] Ministerie van Defensie De Grondslagen van het Maritieme Optreden 2014 [1] Nationaal Coördinator
Terrorismebestrijding en veiligheid
Cyber Security Beeld Nederland 2019 2019
[20] National Cybersecurity Agency of France
EBIOS Risk Manager – The Method 2019 [21] Thales Group Holistic Cybersecurity Operations in the coming
age
2017
[22] NATO C3 Taxonomy Baseline 3.1 2019
© Thales Nederland B.V. and/or its suppliers Subject to restrictive legend on title page
3.1.3.2. RQ1: Cyber Security in the Maritime Sector - OPEN
For the first research question two times a SLR was performed to get an overview of what the current state is of cyber security in the maritime sector. For both SLRs the same search query was used:
TITLE-ABS-KEY ((maritime OR naval) AND ( ( cyber AND security ) OR ( cybersecurity ) OR ( cyber-security ) ) )
After executing the query, the general exclusion criteria were applied, but also inclusion criteria specific to RQ1. This is also were both SLRs differ. For the first SLR the two specific inclusions were used:
1. The literature that will be selected has a focus on cyber security aboard ships 2. The literature that will be selected will not go in-dept on specific systems and or
attacks
This research delivered only a small amount of literature (n = 6), Hence, to broaden the scope OR (“information security”) was added to the query, however this did not result in an additional literature. Thus, a snowballing search, in both directions, was also conducted.
This resulted into the inclusion of two additional papers.
However, after reviewing the literature it was decided that including research on specific systems will still be useful in giving an overview of conducted research regarding cyber security in the maritime sector. Also papers on autonomous ships were included this time.
Hence, a second SLR was conducted with only the first inclusion criteria:
1. The literature that will be selected has a focus on cyber security aboard ships Figure 6 illustrates the literature selection process of the second SLR. The collected literature is presented in Table 3. These are a combination from the second SLR and the snowballing after the first SLR. Duplications were removed. The results of this data collection for RQ1 are discussed in Chapter 3.1.
Figure 6: Selection Process: RQ1
© Thales Nederland B.V. and/or its suppliers Subject to restrictive legend on title page
Table 3: Cyber Security in the maritime sector literature list
Author(s) Title Year
[23] O. Jacq, X. Boudvin, D. Brosset, Y.
Kermarrec and J. Simonin
Detecting and Hunting Cyber threats in a Maritime Environment:
Specification and Experimentation of a Maritime Cybersecurity Operations Centre
2018
[24] I. Mraković and R. Vojinović Maritime Cyber Security Analysis--How to Reduce Threats? 2019 [25] J. DiRenzo, D. A. Goward and F. S.
Roberts
The little-known challenge of maritime cyber security 2015
[26] O. S. Hareide, Ø. Jøsok, M. S. Lund, R.
Ostnes and K. Helkala
Enhancing Navigator Competence by Demonstrating Maritime Cyber Security
2018
[27] K. Tam and K. Jones MaCRA: a model-based framework for maritime cyber-risk assessment
2019
[28] O. Jaqc, D. Brosset, Y. Kemarrec and J. Simonin
Cyber attacks real time detection: towards a Cyber Situational Awareness for naval systems
2019
[29] B. Sultan, F. Dagnat and C. Fontaine A Methodology to Assess Vulnerabilities and Countermeasures Impact on the Missions of a Naval System
2018
[30] M. Kardakova, I. Shipunov, A. Nyrkov and T. Knysh
Cyber Security on Sea Transport 2018
[31] B. Silverajan, M. Ocak and B. Nagel Cybersecurity Attacks and Defences for unmanned Smart Ships 2018 [32] B. Silverajan and P. Vistiaho Enabling Cybersecurity Incident Reporting and
Coordinated Handling for Maritime Sector
2019
[33] T. Omitola, A. Rezazadeh and M. Butler Making (Implicit) Security Requirements Explicit for Cyber-Physical Systems A Maritime use Case Security Analysis
2019
[34] B. Svilicic, J. Kamahara, M. Rooks and Y. Yano
Maritime Cyber Risk Management: An Experimental Ship Assessment
2019
[35] S. Ahvenjärvi, I. Czarnowski, J. Kåla, A.
Kyster, I. Meyer, J. Mogensen and P.
Szyman
Safe Information Exchange on Board of the Ship 2019
Literature on specific systems or attacks
[36] D. Billard Investigation of an alleged PLC hacking on sea vessels 2019
[37] I. Botunac and M. Gržan Analysis of Software Threats To The Automatic Identification System 2017 [38] M. Balduzzi, A. Pasta and K. Wilhoit A Security Evaluation of AIS Automated Identification System 2014 [39] B. Svilicic, I. Rudan and D. Zec A Study on Cyber Security Threats in a shipboard Integrated
Navigational System
2019
[40] B. Svilicic, J. Kamahara Assessing ship cyber risks: a framework and case study of ECDIS security
2019
[41] M. S. Lund, J. E. Gulland, O. S.
Hareide, Ø. Jøsok and K. O. Carlsson Weum
Integrity of Integrated Navigation Systems 2018
[42] B. Svilicic, D. Brčić, S. Žuškin and D.
Kalebić
Raising Awareness on Cyber Security of ECDIS 2019
[43] B. Svilicic, I. Rudan, F. Vlado and M.
Doričić
Shipboard ECDIS Cyber Security: Third-Party Component Threats 2019
[44] L. R. Shapiro, M.-H. Maras, L. Velotti, S. Pickman, H.-L. Wei and R. Till
Trojan horse risks in the maritime transportation systems sector
2018
© Thales Nederland B.V. and/or its suppliers Subject to restrictive legend on title page