Towards Cyber Incident Response on Naval Ships: The Cyber Incident Response Decision Model

(1)

Master Thesis

Towards Cyber Incident Response on Naval Ships: The Cyber Incident Response Decision Model

C. Visscher

23-2-2021

(2)

Towards Cyber Incident Response on Naval Ships:

The Cyber Incident Response Decision Model Master Thesis

23-02-2021 Author

Name: C. Visscher (Christiaan)

Program: MSc Business Information Technology

Institute: University of Twente

PO Box 217 7500 AE Enschede The Netherlands Email address:

Graduation Committee

Prof. Dr. M.E. Iacob (Maria)

Industrial Engineering and Business Information Systems (IEBIS) Behavioral, Management and Social Sciences (BMS)

University of Twente m.e.iacob@utwente.nl

Dr. Ir. M. van Sinderen (Marten) Services and Cybersecurity (SCS)

Electrical Engineering, Mathematics and Computer Science (EWI) University of Twente

m.j.vansinderen@utwente.nl Dr. Ir. R. van Buuren (René) Standard Solution Management Thales Nederland B.V.

rene.vanbuuren@nl.thalesgroup.com

Disclaimer

(3)

PREFACE

Dear Reader,

The thesis that is laying in front of you marks the completion of the Master Business Information Technology at the University of Twente (UT) by me. In 2013 I started on the UT with the Bachelor Business & IT. The choice for this bachelor I have never regretted, as it combines two of my favorite topics. As a result, I decided to enroll in the follow-up master’s degree. The bachelor and master also allowed me to carry out interesting projects in addition to the study itself. This has made me the person who I am today.

First, I want to thank Maria Iacob and Marten van Sinderen for their valuable insights and feedback, which was not always easy for them to give due to the confidentiality in this thesis.

Furthermore, they provided me with advice on literature to read, which led has to sharpening of the research.

Secondly, I would like to thank my supervisor of Thales, René van Buuren. The conversations we had regularly always gave new insights and new challenges, which kept the research always interesting. Also, his guidance improved the quality of this thesis and helped me to reflect on myself. Furthermore, I would like to thank the other colleges at Thales for their contributions and small talk.

Finally, I would like to express my gratitude to my family and friends that supported me during my study and throughout the writing of this thesis. If there were any issues, I could rely on them and they would support me, motivate me or were simply a listing ear.

I wish you a pleasant reading and I hope it gives you plenty of new insights,

Christiaan

(4)

MANAGEMENT SUMMARY

In the last decade, the cyber threat from state actors has been increasing. As a result, it has become necessary for armed forces to invest in cyber capabilities, such as cyber security.

This can be seen in the cyber security requirements that are imposed on projects for the replacement and purchase of naval ships.

The Thales Group, as a supplier of systems for naval ships, has to incorporate these requirements in their products. However, the Thales Naval Cyber Security vision, safeguarding your strength@sea, has a broader ambition than just delivering security by design. The ambition includes the goal to support navies in performing on-board cyber incident response in order to increase the mission sustainability. However, current incident response processes and models do not take into account the circumstances that originate in a navy, both military and maritime. Therefore, this research aims to provide a solution to the following problem statement:

Improve cyber incident handling on naval ships by designing a cyber incident response decision model that satisfies the military boundary conditions in order to support mission sustainability.

The structured literature review (SLR) shows that maritime cyber security is in its infancy.

Current literature covers problems with cyber security on maritime vessels as well as

(potential) cyber-attacks. However, response and recovery methods to counter cyber-attacks and are able to coop with the conditions on sea are rare. Furthermore, the literature review also explores current cyber incident response frameworks and literature. These frameworks are mature, though they do not include a distinction between response and recovery. This distinction is important in the military domain, because for full recovery, time and resources are not available during a mission. Instead, the main goal is simple during a mission; keep things running. Finally, the SLR explored the different systems aboard a naval ship, as the different systems might require a different approach in cyber incident response. The main difference that is found for the cyber incident response process are the cyber security goals, Confidentiality, Integrity and Availability. Depending on which goal has the highest priority in the system, the resulting impact on a military operation differs.

Besides the SLR, armed forces and naval doctrine has been examined to determine what the conditions or factors of influence are during a military mission. The answer to this has been found in military decision-making processes, these factors are already analyzed to decide on the course of action for a military mission.

Based upon reviewed cyber security standards and naval doctrine, the Cyber Incident

Response Decision Model (CIRDM) has been proposed as solution to the problem statement.

Subsequently, CIRDM has been validated by two different methods. The first method that has

been used is a case study, with the case study the expressiveness of CIRDM has been

explored and the requirements have been verified. The second method, mapping CIRDM to

(5)

Finally, through this research various contributions have been made to science and practice:

• Recent literature on cyber security of maritime vessels has been categorized based upon the functions of the NIST Computer Security Incident Handling Guide.

• A clear difference between response and recovery in the cyber incident handling process has been proposed.

• It has been discovered that depending on the type of system and situation the priority of the security goals alternates

• The Designed CIRDM is a first step toward cyber incident response on naval ships.

• Two additions are proposed to the ArchiMate, the “Fulfilment” Relationship and the design CIRDM can be used a specialization.

• Finally, the work will support Thales Nederland in development of new products and

services for their customers.

(6)

PREFACE ... 3

MANAGEMENT SUMMARY ... 4

CONTENTS ... 6

LIST OF TABLES ... 9

LIST OF FIGURES ... 10

LIST OF ABBREVIATIONS ... 11

1. INTRODUCTION - OPEN ... 12

1.1. Thales Group and Thales Netherlands B.V. - OPEN ... 13

1.2. Structure of the Report – OPEN ... 13

2. RESEARCH DESIGN - OPEN ... 14

2.1. Design Problem and Research Questions - OPEN ... 15

2.2. Mission Assurance – OPEN ... 16

2.3. Research Domains - OPEN ... 18

3. PROBLEM INVESTIGATION - OPEN ... 19

3.1. Literature Review Methodology - OPEN ... 19

3.1.1. Systematic Literature Review - OPEN ... 19

3.1.2. Snowballing Literature Search - OPEN ... 21

3.1.3. Data Collection - OPEN ... 21

3.2. Cyber security on maritime Vessels - OPEN ... 27

3.2.1. Distribution of Literature - OPEN ... 30

3.2.2. Cyber-Attacks on Ships - OPEN ... 31

3.2.3. Findings - OPEN ... 33

3.3. Cyber Incident Response - OPEN ... 34

3.3.1. Cyber Security Standards - OPEN... 34

3.3.2. Literature Analysis - OPEN ... 38

3.3.3. Incident Management in other applications – OPEN ... 41

3.3.4. Findings - OPEN ... 42

3.4. Maritime Systems: IT & OT - OPEN... 45

3.4.1. Findings – THALES GROUP INTERNAL ... 47

4. THE NAVAL COMPONENT - OPEN ... 48

4.1. Main Tasks & Operations - OPEN ... 49

4.2. Command and Control - OPEN ... 50

4.3. Military Decision Making - OPEN ... 52

4.4. Military Operational Planning Process – OPEN ... 53

4.5. Internal Battle & External Battle – THALES GROUP INTERNAL ... 55

5. FIELD RESEARCH – OPEN ... 56

(7)

6.3.1. Aspects – OPEN ... 60

6.3.2. Phases - OPEN ... 60

6.3.3. Relation Types - OPEN ... 62

6.4. Prepare Phase - OPEN... 65

6.4.1. Military Aspect: Mission & Operating Environment Model - OPEN ... 65

6.4.2. Cyber Defense Aspect: Threat Model - OPEN ... 68

6.5. Detect & Analysis Phase - OPEN ... 72

6.5.1. Military Aspect: Course of Action Model - OPEN ... 72

6.5.2. Cyber Defense Aspect: Incident Model – THALES GROUP INTERNAL ... 76

6.6. Response Phase – THALES GROUP INTERNAL ... 76

6.6.1. Military Aspect: Current Situation Model – THALES GROUP INTERNAL .... 76

6.6.2. Cyber Defense Aspect: Response Model – THALES GROUP INTERNAL .. 76

6.7. Integrating the Models – THALES GROUP INTERNAL ... 76

6.7.1. Removing excess Military Concepts – THALES GROUP INTERNAL ... 76

6.7.2. Establishing the Inter-Model Relation Types – THALES GROUP INTERNAL ... 76

6.7.3. Shared Concept Interlayer – THALES GROUP INTERNAL ... 76

6.7.4. Removing excess Cyber Concepts – THALES GROUP INTERNAL ... 76

6.7.5. Curiosities – THALES GROUP INTERNAL ... 76

6.7.6. Fulfillment of a predicted Threat – THALES GROUP ... 76

6.8. Findings – THALES GROUP INTERNAL ... 76

7. TREATMENT VALIDATION – THALES GROUP INTERNAL ... 77

ABSTRACT – OPEN ... 77

7.1. Validation Method – THALES GROUP INTERNAL... 78

7.2. Case Study – THALES GROUP INTERNAL ... 78

7.2.1. Mission Solution – THALES GROUP INTERNAL ... 78

7.2.2. The Case – THALES GROUP INTERNAL ... 78

7.2.3. Case Variants – THALES GROUP INTERNAL ... 78

7.2.4. Modelling the Mission & Environment Model – THALES GROUP INTERNAL ... 78

7.2.5. Modelling the Threat Model – THALES GROUP INTERNAL ... 78

7.2.6. Modelling the Course of Action Model - THALES GROUP INTERNAL ... 78

7.2.7. Modelling the Incident Model -THALES GROUP INTERNAL ... 78

7.2.8. Modeling the Current Situation Model – THALES GROUP INTERNAL ... 78

7.2.9. Modeling the Response Model – THALES GROUP INTERNAL ... 78

7.2.10. Results – THALES GROUP INTERNAL ... 78

7.3. Specialization of ArchiMate – THALES GROUP INTERNAL ... 78

7.3.1. Results – THALES GROUP INTERNAL ... 78

7.4. Findings – THALES GROUP INTERNAL ... 78

8. CONCLUSION – OPEN ... 79

8.1. Research Questions – OPEN ... 79

8.2. Contribution – OPEN ... 82

(8)

Appendix B: Interview onboard a naval vessel - OPEN ... 93

Appendix C: ArchiMate - OPEN ... 94

Appendix D: MOEM Definition Table - OPEN... 95

Appendix E: Threat Model Definition Table - OPEN ... 97

Appendix F: CoA Model Definition Table - OPEN ... 99

Appendix G: Incident Model Definition Table – THALES GROUP INTERNAL ... 101

Appendix H: Current Situation Model Definition Table – THALES GROUP INTERNAL 102 Appendix I: Response Model Definition Table – THALES GROUP INTERNAL ... 103

Appendix J: Case Variant 1 Full Model – THALES GROUP INTERNAL ... 104

Appendix K: Case Variant 2 Full Model – THALES GROUP INTERNAL ... 105

Appendix L: Case Variant 3 Full Model – THALES GROUP INTERNAL ... 106

Appendix M: Categorizing Threat & Incident Actions – THALES GROUP INTERNAL .. 107

Appendix N: MITRE ATT&CK Tactics and Techniques – THALES GROUP INTERNAL

... 108

(9)

LIST OF TABLES

Table 1: Literature Sources ... 20

Table 2: Introductory Literature List ... 22

Table 3: Cyber Security in the maritime sector literature list ... 24

Table 4: Cyber Incident Response Literature List ... 26

Table 5: Distribution of Literature among NIST Cyber Security Framework Functions ... 31

Table 6: Cyber Attack Types in Selected Literature ... 32

Table 7: Proposed Respond and Recover Differences in a Critical Environment. ... 43

Table 8: Mapping of the Phases of Cyber Incident Handling & Command and Control... 61

Table 9: ArchiMate Relationship Types [78] ... 63

Table 10: Relationships in the MOEM Model... 67

Table 11: Relationships in the Threat Model ... 72

Table 12: Relationships in the COA Model ... 75

Table 13: IT and OT differences [67] ... 91

Table 14: MOEM Element Definitions ... 95

Table 15: Threat Model Concept Descriptions... 97

Table 16: COA Model element definitions ... 100

(10)

LIST OF FIGURES

Figure 1: The Engineering Cycle [9] ... 14

Figure 2: Design Problem ... 15

Figure 3: Research Design ... 16

Figure 4: Subdivision of Mission Assurance ... 17

Figure 5: Research Domains & Initial Questions ... 18

Figure 6: Selection Process: RQ1 ... 23

Figure 7: Selection Process RQ2 ... 25

Figure 8: Metamodel of a (naval) system [29]... 29

Figure 9: Distribution of Literature per Year ... 30

Figure 10: NIST Incident Response Cycle [59] ... 35

Figure 11: ISO/IEC 27035 Information security incident management phases [60] ... 37

Figure 12:Intitial Interaction model between infrastructure and static situational awareness [52] ... 40

Figure 13: Mission Assurance & NIST Cyber Security Functions ... 42

Figure 14:Initial Incident Response Process... 44

Figure 15: IT & OT Taxonomy ... 45

Figure 16: Maritime Operation Types ... 49

Figure 17: Command and Control: Elements, Pillars and Principles [74] ... 50

Figure 18: The Cyclic Nature of Decision Making [74] ... 52

Figure 19: The Content Framework of the Cyber Incident Response Decision Model ... 59

Figure 20: Relationship Example ... 62

Figure 21: Shared Concepts Example ... 64

Figure 22: Bridging Concept Example ... 64

Figure 23: Example of a Grouping ... 64

Figure 24: Mission & Operational Environment Model (MOEM) ... 66

Figure 25: Threat Model ... 70

Figure 26: Course of Action (COA) Model ... 74

Figure 27: ArchiMate Full Framework [78] ... 94

(11)

LIST OF ABBREVIATIONS

ADF Air Defense Frigate

AFNLD Armed Forces of the Netherlands AI Artificial Intelligence

BDAR Battlefield Damage Assessment and Repair BPM Business Process Modeling

C2 Command and Control

CIA Confidentiality, Integrity, Availability CIC Combat Information Center

CIRDM Cyber Incident Response Decision Model CJA Crown Jewel Analysis

CMIA Cyber Mission Impact Assessment COA Course of Action

CPS Cyber Physical System CSA Cyber Security Awareness

CSOC Cyber Security Operations Center DoD Department of Defense

DoS Denial of Service

DSM Design Science Methodology EBIOS: RM EBIOS: Risk Manager ECOA Enemy Course of Action

GMO Grondslagen van het Maritieme Optreden ICS Industrial Control System

IEC International Electrotechnical Commission IMO International Maritime Organization

ISO International Organization for Standardization ISR Intelligence, Surveillance and Reconnaissance IT Information Technology

MaCRA Maritime Cyber Risk Assessment model MOC Multifunction Operator Console

MOEM Mission & Operating Environmental Model MQ Main research Question

MS500 Mission Solutions 500

NATO North Atlantic Treaty Organization

NCTV Nationaal Coördinator Terrorismebestrijding en Veiligheid NIST National Institute of Standards and Technology

NIST CSF NIST Cyber Security Framework

NLT Not Later Than

OT Operational Technology PLC Programmable Logic Controller RNLN Royal Netherlands Navy

RQ Research Question

SCADA Supervisory Control and Data Acquisition SLR Systematic Literature Review

SOC Security Operations Center

TPVE Tactisch Planningsproces voor Varende Eenheden

(12)

1. INTRODUCTION - OPEN

In recent years, the National Coordinator for Security and Counterterrorism (in Dutch:

Nationaal Coördinator Terrorismebestrijding en Veiligheid, NCTV) has reported an increase of cyber threats by state actors and professional criminal organizations every year. In 2019 the NCTV even stated that state actors are the greatest cyber threat to national security [1]. The cyber threats by states are far more dangerous than other actors, as states have almost unlimited capabilities to conduct more advanced cyber-attacks, such as Advanced Persistent Threats (ATP). This development is has also become visible in the news, because recent severe attacks that have been made public are often suggested to have been carried out by state actors. The Belgacom hack, the Stuxnet attack or the attempt on the Organisation for the Prohibition of Chemical Weapons [2] are recent examples.

This development has not gone unnoticed by armies all over the world. As a result,

investments in cyber capabilities, both offensive and defensive, are increasing. For example, in the recently released Defense Vision 2035 of the Dutch Ministry of Defense the goal is set to invest into these capabilities to become one of the leading armed forces in the cyber domain [3]. However, until the results of investments into cyber capabilities are visible, armed forces will face challenges.

One of the challenges is incorporating cyber security measures into operations, organizational structure and maintenance processes of armed forces. As a result, defense organizations have become more transparent about the challenges they face. The report of the Goverment Accountability Office [4] describes that weapons systems are often not designed to be cyber secure and also acknowledges the challenge of making the systems cyber secure.

Furthermore, the Readiness Review [5] of the Navy mentions that in case of a cyber incident taking place there is no adequate knowledge on incident response.

This has also raised the awareness for cyber security of naval ships, which has never been a problem before. Because ships are often located in large water bodies, there are hardly possibilities to launch a cyber-attack via a network. However, today’s increasingly

sophisticated attacks do not always require networks. Furthermore, due to new technological developments and trends, such as Tactical Data Link to share information with friendly units, Bring Your Own Device and the extensive automation, naval ships have become increasingly vulnerable to cyber-attacks. Hence, implementation of cyber security measures is

unavoidable when a midlife upgrade for a naval ship takes place or a new naval ship is being build.

Currently, a lot of navies have plans to either replace obsolete ships or increase their fleet

size, due to destabilizing events in the world or ships reaching their end of life. This has led to

many shipbuilding projects for naval vessels, such as MKS180 [6], Type 31 [7] and the

upcoming M-Frigates [8]. In each of these projects requirements for cyber security measures

are present.

(13)

In the current situation cyber incident response on naval ships is often not considered, because of the lack of awareness, as mention earlier. As a baseline for implementing cyber incident response already existing cyber security frameworks or standards can be used.

However, these frameworks do not consider the unique characteristics of the operating conditions of a naval ship. For example, a navy ship has limited space to carry extra

knowledgeable personnel and equipment. As a result, personnel with cyber security expertise might not be available. Furthermore, external resources or personnel might also not be available due to the geographical location or communication restrictions. In addition, mission comes first, mission requirements, data classification or the combat situation could hamper the execution of cyber incident response.

In this research the aim is to design an incident response decision model for naval ships that takes into account the operating conditions of the navy. By providing a decision model the first step towards cyber incident response is set, because it allows personnel on a naval vessel to analyze their potential responses.

1.1. Thales Group and Thales Netherlands B.V. - OPEN

The Thales Group is a large multinational operating in 68 countries with 80000 employees.

The company, with its current name, was founded on 6 December 2000. However, through its predecessor the origin can be traced back till 1893. Thales Group is an electronics company that is active in the Aerospace, Space, Defense, Transport and Security markets.

This research is conducted at one of the subsidiaries, Thales Nederland B.V. Thales Nederland B.V was acquired in 1989, as Hollandse Signaalapparaten, with the purchase of the defense electronics businesses from Philips. The primary business of Thales Nederland is naval defense systems, but Thales Nederland has also ventured into security and

transportation systems.

1.2. Structure of the Report – OPEN

The structure of the report is as followed:

• Chapter 2 presents the design of the research, the design problem and the research questions that will be addressed.

• Chapter 3 presents and discussed the results of the problem investigation.

• Chapter 4 covers important facts of the naval domain.

• Chapter 5 shows the results of a Field Research onboard a naval ship.

• Chapter 6 presents the design of the Cyber Incident Response Decision Model

(14)

2. RESEARCH DESIGN - OPEN

The goal of this research is ideal to be conducted as a design science. In design science an artifact is developed to improve a problem context. In this research the artifact that will be developed is a Cyber Incident Response Decision Model (CIRDM). To develop this artifact a scientific methodology is needed, as a methodology gives guidance to the research process and ensures that the characteristics of scientific research are met.

The methodology that will be used during this research is Design Science Methodology (DSM) by Wieringa [9]. For a design science project, DSM acknowledges five tasks, which together are called the engineering cycle. The engineering cycle can be seen in Figure 1.

However, according to Wieringa in practice a research often only covers the first three tasks.

These three tasks, problem investigation, treatment design and treatment validation are called the design cycle by Wieringa.

Figure 1: The Engineering Cycle [9]

During problem investigation phase the goals is to develop an understanding of the

problematic situation, which should be improved. Task related to problem investigation are

identifying the problem and describing the problem context. This is phase is followed by

treatment design, in which an artifact is designed. Finally, during treatment validation the

artifact will be tested to see if it contributes to the goal of this research.

(15)

2.1. Design Problem and Research Questions - OPEN

According to Wieringa [9] a design science research contains a design problem. In the DSM a template for formulating a design problem is suggested with the following format: Improve < a problem context > by <(re)designing an artifact > that satisfies <some requirements> in order to <help> stakeholders achieve some goals. In Figure 2 the design problem formulated for this research is presented.

Improve cyber incident handling on naval ships

by designing a cyber incident response decision model That satisfies the military boundary conditions

In order to support mission sustainability Figure 2: Design Problem

This research will attempt to solve this design problem. However, most research is often expressed in a research question (RQ). Wieringa provides a guideline for transforming the design problem into a technical research problem, which essentially is a research question.

Transforming the design science problem to a main research question (MQ) results in the following:

How to design an incident response decision model that satisfies the military boundary conditions so that mission sustainability is supported by enabling cyber incident handling on naval ships?

To achieve a better understanding of the design problem and find a solution to the problem the following research questions were formulated:

RQ1. What is the current state of cyber security on maritime vessels?

The goal of this question is to explore what the current situation is of cyber security aboard vessels and what kind of research is conducted to improve cyber security onboard.

RQ2. What are the response and recovery models in existing cyber security standards?

To develop the cyber incident response decision model, first the process of cyber incident response has to be understood. This question provides insight into how these processes should be organized according to cybersecurity standards and what is important data in

RQ3. What are the differences between the main types of maritime ship systems?

On a ship there a several types of systems in use. Some of these systems

are information systems, such as the Automatic Identification System. Other

systems are to keep the ship operational, such as the propulsion. By

answering this question, the different types of systems on a ship are

explored, with a focus on the differences in cyber security.

(16)

Figure 3 presents these research question in relation to the different phases of research Design. It also shows what will be addressed in each stage of the report. The first phase, problem investigation, will focus on the first three research questions. The second phase, Treatment Design, focuses on the naval domain and will contain the design of the artifact. In the final phase, treatment validation, the artifact is tested by a Case Study and by relating the artifact to an existing modelling language.

Figure 3: Research Design

2.2. Mission Assurance – OPEN

The goal of this study is to contribute to mission sustainability. However, mission sustainability is part of mission assurance. In this section, mission assurance and its building blocks, mission readiness and mission sustainability are explored.

According to Bigelow [10], the North Atlantic Treaty Organization (NATO) has no formal definition of mission assurance. However, the Department of Defense (DoD) of the United States has made a formal definition of Mission assurance. The DoD has defined mission assurance as [11]:

“A process to protect or ensure the continued function and resilience of capabilities and assets – including personnel, equipment, facilities, networks, information and information systems, infrastructure, and supply chains – critical to the performance of DoD Mission-Essential Functions.”

Another viewpoint pointed out by Bigelow that has to be mentioned is the one of Peake, Underbrink and Potter [12]:

“Mission Critical Assets do not have to be perfectly secure; they just have to be

secure enough to reliably accomplish their missions”

(17)

In this research both viewpoints are recognized. During a mission it is essential that the capabilities of a naval vessel are kept available. However, this does not mean that all capabilities have to be fully available, they can be considered “good” enough. In fact, some might not be available as they are not needed for the mission or some can be substituted by other systems. Combining the above viewpoints this research defines mission assurance as follows:

Mission Assurance is to ensure that a Naval vessel can function or has the capabilities to at least accomplish the desired end state of a mission.

Furthermore, mission assurance can be divided into two branches, see Figure 4. The branches are a distinction based on a military context, namely being inside the preparations phase for a mission or being inside the mission itself.

The first branch is mission readiness. Mission readiness is to ensure that a naval vessel has the capabilities to conduct a mission in the future. To achieve mission readiness there are two important concepts. From a military viewpoint, the first concept is to accept only military platforms that pass accreditation and the second to keep the platform at a sufficient level to being able to perform military operations. In the civil market the first concept can be seen as the delivery of a platform that contains “security by design” measures, whereas the second concept is known as life-cycle assurance. The goal of life-cycle assurance is to maintain the security level of a platform. The second branch is mission sustainability. Mission sustainability is to ensure that a naval vessel has the capabilities to continue operating during a mission. In the civil markets mission sustainability is comparable with business continuity.

Figure 4: Subdivision of Mission Assurance

Mission Assurance

Mission Readiness

Mission

Sustainability

(18)

2.3. Research Domains - OPEN

The research area in which the research goal is situated is composed of multiple focus areas.

The first focus area is incident management, because the to-be designed artifact will support the handling of incidents. These incidents originate from the cyber threats, hence cyber security is the second focus area in which this research takes place. The third and final focus area is Naval. Naval itself is consisting of two subdomains, maritime and military. The choice to not list military and maritime individually was made based upon the scope of this research, naval ships. However, maritime and military need to be mentioned as subdomains, because they could be used as information source, as research on naval might be very limited.

Recognizing these focus areas supports the scoping of this research. It is expected that in the overlap between the domains useful information, which can be built upon. Hence, the focus of this research will be on the overlaps between the domains. In Figure 5 a Venn diagram of the research areas is presented. In the figure also the defined research questions are mapped, to show how these are related to the research areas.

Figure 5: Research Domains & Initial Questions

(19)

3. PROBLEM INVESTIGATION - OPEN

In this Chapter the Problem Investigation is performed. According to the Design Science Method from Wieringa problem investigation is gain an insight into the problem that needs to be treated and to learn about the stakeholder goal [9]. To understand the problem of Thales, three research questions were defined that will be investigated in this Chapter.

The Chapter will first introduce the methodology, that is used to investigate, in section 3.1.

This is followed by answering the research questions:

Section 3.2 RQ1: What is the current state of cyber security on maritime vessels?

Section 3.3 RQ2: What are the response and recovery models in existing cyber security standards?

Section 3.4 RQ3: What are the differences between the main types of maritime ship systems?

3.1. Literature Review Methodology - OPEN

In this section the methodologies for the literature review that is conducted will be discussed.

First, the systematic literature review will be discussed, followed by the snowballing literature review. Finally, the data collection will be shown.

3.1.1. Systematic Literature Review - OPEN

In order to perform a Systematic Literature Review (SLR) a method is needed. For this research the procedures specified by Kitchenham will be followed [13]. Kitchenham divides the literature review respectively into phases and stages:

• Planning

o Identification of need

o Development of the review protocol

• Conducting

o Identification of research o Selection of primary studies o Study quality assessment o Data extraction & monitoring o Data synthesis

• Reporting

In the paper “Systematic literature reviews in software engineering–a systematic literature

review” by Kitchenham et al these procedures are used to perform a SLR and can be seen as

an example on how to put the procedures in practice [14]. From the paper can be derived that

the planning phase consists of defining research questions, a search process, inclusion and

(20)

3.1.1.1. Literature Sources - OPEN

For the search process sources of literature have to be determined. In this research Scopus will be used as a primary search engine. Scopus is specifically designed to aid in literature research. It allows for the definition of queries, in which also the inclusion or exclusion criteria can be specified.

Besides Scopus as primary source, several potential secondary sources will be used to find interesting literature. The list of sources for literature can be seen in Table 1.

Table 1: Literature Sources

Source URL

Scopus https://www.scopus.com/ Primary

Google Scholar https://scholar.google.com/ Secondary

NATO Cooperative Cyber Defence Centre of Excellence Library

https://www.ccdcoe.org/library/publications/ Secondary

NATO Science and Technology Organization publications

https://www.sto.nato.int/publications/Pages/

default.aspx

Secondary

3.1.1.2. Exclusion Criteria - OPEN

In order to filter out irrelevant research the following predefined exclusion criteria will be used:

• Literature older than 2011

To avoid the use of obsolete paradigms in the fast-changing environment of cyber security, literature older than 2011 will not be included in the SLR. Other review methods might include older literature.

• Unavailable (including behind a paywall) literature

Some literature is not accessible from Scopus, for example due to the fact that there is no known location, where the literature is stored. Other literature in Scopus is not available within the University of Twente library.

• Literature that is not a conference paper or article

Scopus supports different types of literature, however not all types are useful. For

example, Scopus also includes reviews in its library. Another example books and

book chapters, that are also included into Scopus, however these are often not

available.

(21)

3.1.1.3. Quality Assessment - OPEN

The literature that is returned after applying the exclusion criteria will be reviewed on quality.

A manual quality review will be conducted based upon on the title and the abstract. Finally, the literature that is left will be assessed based upon its content. As results are very limited generally, no other quality criteria were applied.

3.1.2. Snowballing Literature Search - OPEN

Another approach to conducting a SLR is snowballing, which is described in the paper of Wohlin [15]. The procedure of snowballing starts by acquiring a start set of literature. Wohlin states that there is no clear path to identifying a good start set. In this research the start set will be determined by a “normal” SLR search process, as described in the previous section.

When the start set is determined there are two approaches in snowballing, namely backwards and forwards snowballing. In case of a backwards snowballing search the reference lists of the articles in the start set are used to identify and include new papers. Forwards snowballing is the opposite, citations to papers in the start set are used to identify and include new papers.

The two approaches can be iterative, which means that the newly identified literature is added to the start set and another snowball procedure is completed again.

3.1.3. Data Collection - OPEN

This section will describe per Research Question how data was collected. The first subsection will be an exception as this literature was provided. The rest of subsection will contain

information about, which method was used, the query that was used and in present, which

literature is selected.

(22)

3.1.3.1. Introductory Literature - OPEN

To get an introduction into the problem that Thales foresees, a list of literature was provided by Thales. The list of provided documents by Thales can be seen in Table 2. These

documents were used to get an initial overview of the problem and to specify the literature research questions. On top of that the literature was used to initialize a mind map, to keep track of ideas during conducted research activities and the writing of this report.

Table 2: Introductory Literature List

Author(s) Title Year

[16] Be Cyber Aware at Sea Phish and Ships: Issue #28 2019

[17] F.F. Brussel Design of a cybersecurity management interface for maritime vessels

2016 [4] Government Accountability

Office

Weapon Systems Cybersecurity: DoD just beginning to grapple with scale of vulnerabilities

2018 [18] International

Telecommunciation Union

Global Cybersecurity Index 2017 2017 [5] M. J. Bayer, J. M.

O'Connor, R. S. Moultrie and W. H. Swanson

Cybersecurity Readiness Review 2019

[19] Ministerie van Defensie De Grondslagen van het Maritieme Optreden 2014 [1] Nationaal Coördinator

Terrorismebestrijding en veiligheid

Cyber Security Beeld Nederland 2019 2019

[20] National Cybersecurity Agency of France

EBIOS Risk Manager – The Method 2019 [21] Thales Group Holistic Cybersecurity Operations in the coming

age

2017

[22] NATO C3 Taxonomy Baseline 3.1 2019

(23)

3.1.3.2. RQ1: Cyber Security in the Maritime Sector - OPEN

For the first research question two times a SLR was performed to get an overview of what the current state is of cyber security in the maritime sector. For both SLRs the same search query was used:

TITLE-ABS-KEY ((maritime OR naval) AND ( ( cyber AND security ) OR ( cybersecurity ) OR ( cyber-security ) ) )

After executing the query, the general exclusion criteria were applied, but also inclusion criteria specific to RQ1. This is also were both SLRs differ. For the first SLR the two specific inclusions were used:

1. The literature that will be selected has a focus on cyber security aboard ships 2. The literature that will be selected will not go in-dept on specific systems and or

attacks

This research delivered only a small amount of literature (n = 6), Hence, to broaden the scope OR (“information security”) was added to the query, however this did not result in an additional literature. Thus, a snowballing search, in both directions, was also conducted.

This resulted into the inclusion of two additional papers.

However, after reviewing the literature it was decided that including research on specific systems will still be useful in giving an overview of conducted research regarding cyber security in the maritime sector. Also papers on autonomous ships were included this time.

Hence, a second SLR was conducted with only the first inclusion criteria:

1. The literature that will be selected has a focus on cyber security aboard ships Figure 6 illustrates the literature selection process of the second SLR. The collected literature is presented in Table 3. These are a combination from the second SLR and the snowballing after the first SLR. Duplications were removed. The results of this data collection for RQ1 are discussed in Chapter 3.1.

Figure 6: Selection Process: RQ1

(24)

Table 3: Cyber Security in the maritime sector literature list

Author(s) Title Year

[23] O. Jacq, X. Boudvin, D. Brosset, Y.

Kermarrec and J. Simonin

Detecting and Hunting Cyber threats in a Maritime Environment:

Specification and Experimentation of a Maritime Cybersecurity Operations Centre

2018

[24] I. Mraković and R. Vojinović Maritime Cyber Security Analysis--How to Reduce Threats? 2019 [25] J. DiRenzo, D. A. Goward and F. S.

Roberts

The little-known challenge of maritime cyber security 2015

[26] O. S. Hareide, Ø. Jøsok, M. S. Lund, R.

Ostnes and K. Helkala

Enhancing Navigator Competence by Demonstrating Maritime Cyber Security

2018

[27] K. Tam and K. Jones MaCRA: a model-based framework for maritime cyber-risk assessment

2019

[28] O. Jaqc, D. Brosset, Y. Kemarrec and J. Simonin

Cyber attacks real time detection: towards a Cyber Situational Awareness for naval systems

2019

[29] B. Sultan, F. Dagnat and C. Fontaine A Methodology to Assess Vulnerabilities and Countermeasures Impact on the Missions of a Naval System

2018

[30] M. Kardakova, I. Shipunov, A. Nyrkov and T. Knysh

Cyber Security on Sea Transport 2018

[31] B. Silverajan, M. Ocak and B. Nagel Cybersecurity Attacks and Defences for unmanned Smart Ships 2018 [32] B. Silverajan and P. Vistiaho Enabling Cybersecurity Incident Reporting and

Coordinated Handling for Maritime Sector

2019

[33] T. Omitola, A. Rezazadeh and M. Butler Making (Implicit) Security Requirements Explicit for Cyber-Physical Systems A Maritime use Case Security Analysis

2019

[34] B. Svilicic, J. Kamahara, M. Rooks and Y. Yano

Maritime Cyber Risk Management: An Experimental Ship Assessment

2019

[35] S. Ahvenjärvi, I. Czarnowski, J. Kåla, A.

Kyster, I. Meyer, J. Mogensen and P.

Szyman

Safe Information Exchange on Board of the Ship 2019

Literature on specific systems or attacks

[36] D. Billard Investigation of an alleged PLC hacking on sea vessels 2019

[37] I. Botunac and M. Gržan Analysis of Software Threats To The Automatic Identification System 2017 [38] M. Balduzzi, A. Pasta and K. Wilhoit A Security Evaluation of AIS Automated Identification System 2014 [39] B. Svilicic, I. Rudan and D. Zec A Study on Cyber Security Threats in a shipboard Integrated

Navigational System

2019

[40] B. Svilicic, J. Kamahara Assessing ship cyber risks: a framework and case study of ECDIS security

2019

[41] M. S. Lund, J. E. Gulland, O. S.

Hareide, Ø. Jøsok and K. O. Carlsson Weum

Integrity of Integrated Navigation Systems 2018

[42] B. Svilicic, D. Brčić, S. Žuškin and D.

Kalebić

Raising Awareness on Cyber Security of ECDIS 2019

[43] B. Svilicic, I. Rudan, F. Vlado and M.

Doričić

Shipboard ECDIS Cyber Security: Third-Party Component Threats 2019

[44] L. R. Shapiro, M.-H. Maras, L. Velotti, S. Pickman, H.-L. Wei and R. Till

Trojan horse risks in the maritime transportation systems sector

2018

(25)

3.1.3.3. RQ2: Cyber Incident Response - OPEN

The data collection for the second literature research question was done in three phases.

The first phase considered reports from authorities within the maritime sector or from authorities with an expertise in cyber security. The reports gave an overview of currently conducted practices in general and in the maritime sector.

After the first phase was completed, a SLR was conducted. The SLR was conducted to see if there are useful additions in scientific literature. The query that will be used for this SLR is:

TITLE-ABS-KEY ( cyber AND incident AND ( management OR response ))

In Figure 7 the literature selection process can be viewed. The criteria that were applied are the general criteria that were discussed earlier. The resulting literature list can be seen in The final phase was an unsystematic literature search to gain an understanding of Battlefield Damage Assessment and Repair.

Figure 7: Selection Process RQ2