Exploring CyberShip vulnerabilities through a Systems theoretic process approach

D.A. Sepulveda Estay (a), Rishikesh Sahay (b), Weizhi Meng (c), Christian D. Jensen (c), Michael Bruhn Barfod (a)

(a) Dept. of Technology, Management and Economics, Technical University of Denmark, DK-2800 Kgs. Lyngby, Denmark
(b) MAN Energy Solutions, Copenhagen, Denmark
(c) Dept. of Applied Mathematics & Computer Science, Technical University of Denmark, DK-2800 Kgs. Lyngby, Denmark
Abstract
The widespread adoption of software-intensive IT systems in ships has brought huge benefits, yet it has also opened new avenues for malicious cyberattacks that can disrupt shipping operations. It follows that a focus on the security and resilience properties of IT-enabled ship systems (CyberShip), aimed at understanding cyber threats and their potential risks, can result in a system design that is better prepared to detect and react to these attacks. This paper explores the vulnerabilities that can be exploited, beyond component failure, by understanding the interaction between the components in a ship, through the use of the Systems Theoretic Process Analysis (STPA) method, which considers both physical and cyber components. From this analysis, two main advantages of STPA are highlighted. First, STPA uncovers more hazardous situations at the design level. Second, STPA analysis results in design recommendations that secure the shipping system against cyber attacks independently of the source of the attacks, by focusing on the system structure.
Keywords: Ship systems, STPA, Cyber risk
Highlights
• Systemic risk analysis used in complex systems to discover cyber-vulnerabilities
• Structural approach is traceable
• Approach is independent of the threats and centered on system structure
• Aggregation levels are chosen according to the level of analysis and deliver design requirements
1. Introduction
In June 2017, A.P. Moller-Maersk was the subject of an attack by the malware known as NotPetya, which left its IT systems inoperable for several weeks. Beyond the immediate effect that this attack had on Maersk's bottom line, which sources estimate at over US$300 million, the attack was further clear evidence that cyber attacks that go beyond the loss or corruption of data to cause operational disruptions are also a reality in the shipping industry. The authors of [26] indicate that attacks like these result in two important trends. First, remote cyber-attacks on industrial control systems have the potential for physical damage, and second, the number of cyber security laws and regulations continues to increase as attacks grow more severe [26].

Email addresses: dasep@dtu.dk (Corresponding author) (D.A. Sepulveda Estay), rishikesh.sahay@man-es.com (Rishikesh Sahay), weme@dtu.dk (Weizhi Meng), cdje@dtu.dk (Christian D. Jensen), mbba@dtu.dk (Michael Bruhn Barfod)
Preprint submitted to Ocean Engineering Journal, February 17, 2020
Electronic copy available at: https://ssrn.com/abstract=3753663
Beyond NotPetya, many other less visible attacks hit shipping operations every day, in a trend that shows no sign of slowing down. Companies in the shipping industry, which until now have invested mainly in cyber security (that is, in preventing attacks), face mounting evidence that failing to avert a cyber-attack is more and more likely. Cyber-resilience, the capacity to react to cyber-attacks, thus becomes desirable, for example by designing a system able to cope with a cyber-attack that is already under way through DCRA resilience, namely Detection, Contention, Recovery and Adaptability.
In order to advance the proposal of explicit methods for implementing cyber resilience in the shipping industry, the CyberShip project at the Technical University of Denmark has researched ways of identifying requirements for shipping systems that make them less prone to cyber-attacks, and that reduce operational disruption once cyber-attacks take place.
A CyberShip is the system composed of the physical ship, its human operators, all its constituent subsystems and components, their capabilities for computation and interaction with the environment, and the interactions between these components and systems. By gathering information about present ship configurations, a CyberShip model was proposed, consisting of components categorized as either critical or non-critical. Understanding such a system is expected to reveal ways of creating or improving DCRA resilience.
Nogal & Connor indicate that four main cyber-system layers are at risk from cyber-attacks: first, a perceptual layer that links cyber and physical systems through components such as wireless sensors; second, a layer of networked systems that transmit information, such as satellite networks; third, a layer of support systems such as cloud computing; and fourth, a layer of applications that link the users and the physical world with cyber systems, such as industrial control systems [26].
Techniques traditionally used in the study of risks include methods such as Failure Mode and Effects Analysis (FMEA), Event Trees, Attack Trees, Asset Based Analysis and Hazard and Operability study (HAZOP). These techniques assume that a disruption is the result of a chain of directly related events. This assumption, known as the "domino model" of risk, despite its widespread use presents several problems that make it unsuitable for application to modern complex socio-technical systems such as a CyberShip. Three assumptions that exemplify some of these problems are: objectivity, component failure, and historical information.
Objectivity assumes that the outcome of the risk analysis process is independent of who takes part in the analysis. Yet, in traditional methods the chain of events that leads to an attack is identified by the group of people in the organization who take part in the analysis, and it thus depends heavily on the experience of that particular group. Moreover, it has been found that risk evaluations performed by different people on a similar system often do not agree, and that the differences grow larger when more information is provided for the analysis, or when the participants have more experience [6].
Component failure assumes that cyber-attacks happen because of a specific series of failures in components, following the "domino model" view of risk. However, in IT systems the rate of component failure is very low, and accidents happen instead because of a faulty design that allows an attack to use the existing infrastructure: each component functions faithfully to its design, yet the result is a disruption.
Historical information assumes that information about similar failures in the same or other systems will be available for evaluating the risks. This does not hold for new systems, where no history of failures is available.
Research about the roots of failure has instead led to the understanding that an attack with disruptive consequences is "more often due to the unfortunate combination of a number of conditions, than to the failure of a single function or component" [12]. Thus, there is a need to understand the structure of the system in which attacks happen, that is, the elements that constitute the system, their connections, and the rules that govern these connections.
Additionally, research has shown that safety, understood as the absence of unacceptable losses, is created through a combination of proactive processes rather than through reactive defences and barriers. In this context, "human error" is understood as a symptom of incomplete system design, and as such "the operator's role is to make up for holes in the designer's work" [22]. It is thus necessary to consider a risk analysis process that looks at the system around the attack and the disruption, beyond merely the specific interactions that led to the undesirable event.
The Systems Theoretic Accident Model and Process (STAMP) method, with its hazard analysis version STPA (Systems Theoretic Process Analysis) [16], has been identified as the most cited model for systemic risk analysis [29]. Extensive literature has been published describing the STAMP methodology framework for risk analysis [9], [17], [8], [3], with examples of application in different industries, such as medical [4], environmental [11], robotics [19], power production [14], software development [27], and defense [7].
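As an added illustration of the structural view argued for above (this example is written for this page and is not the paper's model or code), the Python below encodes a small ship control structure as controllers, control actions and feedback links, and runs the checks that follow from the structure alone, without naming any attacker: it crosses every control action with the four unsafe-control-action categories of STPA (taken from Leveson's STPA guidance, not from this page), flags controllers that receive no feedback from the process they command, and flags process-model variables that a controller learns from a single source. The components (Bridge, Autopilot, Steering gear, Engine control, Main engine, GPS, Gyrocompass, Shaft tachometer) and their signals are assumptions chosen for illustration.

```python
"""STPA-style control-structure model of a ship steering/propulsion loop.
Added example; components and signals are assumed, not taken from the paper."""
from collections import defaultdict
from dataclasses import dataclass

# The four unsafe-control-action (UCA) categories used in STPA step 2
# (from Leveson's STPA guidance, not from this page).
UCA_TYPES = (
    "not provided when needed",
    "provided when it causes a hazard",
    "provided too early, too late or out of order",
    "stopped too soon or applied too long",
)


@dataclass(frozen=True)
class ControlAction:
    controller: str  # component issuing the command
    process: str     # component carrying it out
    action: str      # the command itself, e.g. "set heading"


@dataclass(frozen=True)
class Feedback:
    source: str      # process or sensor that reports
    controller: str  # component receiving the report
    variable: str    # process-model variable the report updates


class ControlStructure:
    def __init__(self, actions, feedback):
        self.actions = list(actions)
        self.feedback = list(feedback)

    def candidate_ucas(self):
        """Every control action crossed with every UCA type. This is the raw
        candidate list; the analyst keeps the ones that lead to a hazard in
        some context. No attacker model is needed to produce it."""
        return [f"{a.controller} -> {a.process}: '{a.action}' {t}"
                for a in self.actions for t in UCA_TYPES]

    def missing_feedback(self):
        """Control edges whose controlled process reports nothing back to the
        controller, so the controller cannot tell whether a command was
        received, altered or acted on."""
        reports = {(f.source, f.controller) for f in self.feedback}
        return sorted((a.controller, a.process) for a in self.actions
                      if (a.process, a.controller) not in reports)

    def single_source_variables(self):
        """(controller, variable) pairs fed by exactly one source. Corrupting
        that one source changes the controller's model of the world while
        every component keeps working exactly as designed."""
        sources = defaultdict(set)
        for f in self.feedback:
            sources[(f.controller, f.variable)].add(f.source)
        return sorted(key for key, srcs in sources.items() if len(srcs) == 1)


def example_ship():
    """Constructed loop used for illustration (an assumption of this example)."""
    actions = [
        ControlAction("Bridge", "Autopilot", "set heading"),
        ControlAction("Autopilot", "Steering gear", "rudder command"),
        ControlAction("Bridge", "Engine control", "set RPM"),
        ControlAction("Engine control", "Main engine", "fuel command"),
    ]
    feedback = [
        Feedback("Steering gear", "Autopilot", "rudder angle"),
        Feedback("GPS", "Autopilot", "position"),        # only position source
        Feedback("Gyrocompass", "Autopilot", "heading"),
        Feedback("GPS", "Autopilot", "heading"),         # course over ground
        Feedback("Main engine", "Engine control", "rpm"),
        Feedback("Shaft tachometer", "Engine control", "rpm"),
        Feedback("Engine control", "Bridge", "rpm"),
        # Deliberately absent: the Autopilot reports nothing back to the Bridge.
    ]
    return ControlStructure(actions, feedback)


def structural_findings(cs):
    """Bundle the three structure-only results for a report."""
    return {
        "candidate_ucas": cs.candidate_ucas(),
        "missing_feedback": cs.missing_feedback(),
        "single_source": cs.single_source_variables(),
    }


if __name__ == "__main__":
    findings = structural_findings(example_ship())
    print(f"{len(findings['candidate_ucas'])} UCA candidates to screen against hazards")
    for ctrl, proc in findings["missing_feedback"]:
        print(f"no feedback from {proc} to {ctrl}")
    for ctrl, var in findings["single_source"]:
        print(f"{ctrl} learns '{var}' from a single source")
```

Run as a script, it lists 16 UCA candidates, reports that the Bridge gets no feedback from the Autopilot, and reports that the Autopilot's position comes from the GPS alone. Both findings are design-level observations of the kind the abstract refers to: they hold whether the cause is a failed sensor, a spoofed signal or a compromised host, which is what "independent of the source of the attacks" means in practice.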
The rest of the paper is organized as follows. Related work published on systemic risk analyses is described in Section 2. Section 3 presents the STPA risk analysis method. Section 4 describes the CyberShip framework and its different components. The risk analysis of the CyberShip framework is presented in Section 5. Finally, Section 6 concludes the paper.