TY - JOUR
T1 - Risk sensitivity analysis of AIS cyber security through maritime cyber regulatory frameworks
AU - Soner, Omer
AU - Kayisoglu, Gizem
AU - Bolat, Pelin
AU - Tam, Kimberly
N1 - Publisher Copyright:
© 2023 Elsevier Ltd
PY - 2024/1
Y1 - 2024/1
N2 - Given the increasing frequency and sophistication of methods and strategies employed in cyberattacks, cyber resilience has become a basic notion of cyber risk management. To be cyber-resilient against cyber risks, shipping companies must be proactive in establishing and implementing actions, constructing effective strategies, and adopting mitigation methods to strengthen their assets. However, shipping companies have only lately tended to fully recognize the necessity for a cybersecurity perspective to enable effective cyber risk management and mitigation of increasing cyberattacks. Aside from deficiencies in system design, integration, or maintenance, human factors are the prime weakness that potentially jeopardizes the ship's cybersecurity by simply making intentional or unintentional errors, revealing critical information, or generating entry points for attackers. Therefore, the current study aims to conduct a quantitative human risk assessment based on the SOHRA method, which is integrated with the NIST cybersecurity framework, to provide ships with the ability to be cyber resilient, and respond to and recover from cyber-attacks. The AIS has been considered for the research application not only because it is one of the most vulnerable systems on board a ship, but also because modifying and breaching the AIS data might have disastrous outcomes. The study results clearly indicate that the most likely error related to AIS cybersecurity risk occurs in the tasks defined under the "protect", "respond", "detect", "identify", and "recover" functions. Accordingly, suitable control and preventative measures have been developed to guarantee high-level cyber security for AIS and to provide cyber resilience and the structure for constructive decision-making by integrating various international standards, which include system security requirements and security levels for industrial communication networks, specifically with the IACS and NIST framework for the AIS cyber security.
AB - Given the increasing frequency and sophistication of methods and strategies employed in cyberattacks, cyber resilience has become a basic notion of cyber risk management. To be cyber-resilient against cyber risks, shipping companies must be proactive in establishing and implementing actions, constructing effective strategies, and adopting mitigation methods to strengthen their assets. However, shipping companies have only lately tended to fully recognize the necessity for a cybersecurity perspective to enable effective cyber risk management and mitigation of increasing cyberattacks. Aside from deficiencies in system design, integration, or maintenance, human factors are the prime weakness that potentially jeopardizes the ship's cybersecurity by simply making intentional or unintentional errors, revealing critical information, or generating entry points for attackers. Therefore, the current study aims to conduct a quantitative human risk assessment based on the SOHRA method, which is integrated with the NIST cybersecurity framework, to provide ships with the ability to be cyber resilient, and respond to and recover from cyber-attacks. The AIS has been considered for the research application not only because it is one of the most vulnerable systems on board a ship, but also because modifying and breaching the AIS data might have disastrous outcomes. The study results clearly indicate that the most likely error related to AIS cybersecurity risk occurs in the tasks defined under the "protect", "respond", "detect", "identify", and "recover" functions. Accordingly, suitable control and preventative measures have been developed to guarantee high-level cyber security for AIS and to provide cyber resilience and the structure for constructive decision-making by integrating various international standards, which include system security requirements and security levels for industrial communication networks, specifically with the IACS and NIST framework for the AIS cyber security.
KW - AIS
KW - Cyber resilience
KW - Cyber risk management
KW - HRA
KW - Ship cyber security
UR - http://www.scopus.com/inward/record.url?scp=85180609207&partnerID=8YFLogxK
U2 - 10.1016/j.apor.2023.103855
DO - 10.1016/j.apor.2023.103855
M3 - Article
AN - SCOPUS:85180609207
SN - 0141-1187
VL - 142
JO - Applied Ocean Research
JF - Applied Ocean Research
M1 - 103855
ER -