Maritime Cyber Risk Assessment Tooling

Maritime Cyber Risk Assessment Tooling led by University of Plymouth

Cybercrime is increasing in size and complexity and maritime is one of the sectors seeing a significant increase of cyber activity. Maritime Cyber incidents are occurring on a daily basis but go largely unreported. Maersk, a rare high-profile incident with accidental malware infection, lost portside systems for two days, costing an estimated £280m. More recent reports of hypothetical cyber-attacks, such as 15 major ports across Asia Pacific, estimated losses up to £90 billion.  In 2022, there was a cyber-attack on the London Port Authority. The scenarios in the Asia Pacific estimated economic losses by downstream impact, factoring in transportation, and productivity losses. 

The concept of MaCRA was used in the H2020 Cyber-MAR research project to estimate maritime cyber-attack triggered loss to European countries, after an attack in the Port of Valencia.  This also showed that feeding real port/maritime data into the software would yield real results, allowing us to test with more than dummy data.  Beyond accidental infections, targeted attacks of ransom ware, or altering ledgers to enable drug or arms smuggling are also possible. 

Beyond this, Global Navigation Satellite System (GNSS) spoofing from state sponsored terrorism could lead to serious disruption to operations, loss of life and threats to National Security. Currently mitigation approaches are limited to information technology (IT) aspects of the ship’s system of systems, but these are not addressing the problem because vessels also incorporate a plethora of Operational Technology (OT) of increasing complexity in the overall system, that requires a different approach for the maritime specific problem.

Growing demands for cyber-safety and technology require a new industry-ready solution offered by the published Maritime Cyber Risk Assessment framework (MaCRA), that will give an analytical assessment of cyber-physical risk. This is a multi-dimensional model that can assess risks instead of be reliant on statistical-based risk, because maritime-cyber is a new area of study and robust statistics do not yet exist.  The MaCRA model is based on a better understanding of threat based by modelling a number of factors that can be split into three key dimensions: (1) System vulnerability and effect (2) ease-of-exploit and (3) reward.  MaCRA is also crucially a dynamic Risk Assessment Framework that can respond to changes in any of these parameters, so the introduction of a new system, patching, cargo or route changes.  This enabling any operator, carrying any cargo on any route to quickly assess new threats to the overall system, and what mitigation action is required.  This has been key for complex system-of-systems that have physical moving components, and move geographically themselves.

While increased connectivity between ships, personal devices, and on-shore infrastructure has improved operational efficiency and physical safety, it also increases vulnerabilities across IT and OT systems. This ship diversity mandates that a risk assessment solution needs to be flexible without losing detail.  The MaCRA software and the services we can provide with it can now;

(1) Offer accurate characterization of maritime-cyber risks and their severity;

(2) provide scalable measurements from single systems or ships to fleets;

(3) Identify systems that would most benefit, or need, additional security;

(4) Identify top risk outcomes, attackers, attack-vectors;

(5) Provide risk data in useful views to support human decisions.

For further information, please visit https://riskocity.com/