HE01340 - Vessel Cybersecurity Risk Analysis

21 Aug 2015 Bulletin: Issue 39 - Risk management Resource

Introduces vessel cybersecurity risk analysis and shows an example of its application to the Information and Communications Technology (ICT) assets in the Integrated Bridge System of a vessel.

Information security is usually characterized by three dimensions as defined in the information security standard ISO27000:

  • Confidentiality: Information is not made available or disclosed to unauthorized individuals, entities, or processes.
  • Integrity: Information and assets are accurate and complete.
  • Availability: Information and assets are accessible and usable upon demand by an authorized entity.

According to NIST SP800-30, risk is a measure of the extent to which an entity is threatened by a potential circumstance or event, typically a function of:

  • Adverse impacts that would arise if the circumstance or event occurs.

  • Likelihood of occurrence.

When an attacker compromises an ICT asset, any of its information security dimensions can be affected.

Information security risks in the maritime context can be defined as those risks that arise from the loss of confidentiality, integrity or availability of information or ICT systems with the potential to cause adverse impacts in ship or port operations.

The impact from the loss of confidentiality, integrity or availability will be different depending on the mission of the organization. For a business firm, confidentiality is usually important. However, in navigating a vessel the important dimensions will usually be integrity and availability.

We evaluate risk as the probability of a threat exploiting a vulnerability that results in an undesirable consequence. The evaluation of risk can be calculated as:

Risk = Threat × Vulnerability × Impact

The threat level will be evaluated taking into account the cyber threats that may be present in the context of the vessel bridge.

Vulnerability level will be evaluated as a function of the vulnerabilities in the ICT assets that enable the materialization of threats.

We calculate impact as the aggregated loss value of the asset across its three security dimensions (confidentiality, integrity and availability) in case any of these are compromised.

For this example, we use a semi-quantitative approach for the values of threats and vulnerabilities with possible values low, medium and high. Impact and risk will be calculated using ad-hoc numbered scales as follows:

  • Asset impact level will range from 0 (no impact) to 10 (maximum impact)

  • Likelihood of threats will be assigned low probability (1), medium probability (2) or high probability (3).

  • Vulnerabilities will be assigned values as low (1), medium (2) or high (3).

  • Aggregate likelihood of the incident will be calculated as the product of the likelihood of the threat and the level of vulnerability of the asset, from 1 (lowest) to 9 (maximum).

  • Risk is assigned a number between 1 (lowest) and 100 (highest).

As we can see, when calculating risks in this example we give equal importance to threat and vulnerability levels and significantly more relevance to asset impact and risk values.
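The scoring scheme above, worked through as an added example (not code from the original bulletin). The asset names and scores are constructed, and taking the worst of the three confidentiality/integrity/availability loss values as the aggregated impact is an assumption, since this section does not state how the aggregation is done. The raw product computed here reaches at most 3 × 3 × 10 = 90.

```python
from dataclasses import dataclass

LEVELS = {"low": 1, "medium": 2, "high": 3}  # threat and vulnerability scale


@dataclass(frozen=True)
class Scenario:
    asset: str
    threat: str          # "low" | "medium" | "high"
    vulnerability: str   # "low" | "medium" | "high"
    cia_loss: tuple      # (confidentiality, integrity, availability), each 0..10

    def __post_init__(self):
        # Reject scores that fall outside the scales before they reach the register.
        for level in (self.threat, self.vulnerability):
            if level not in LEVELS:
                raise ValueError(f"unknown level {level!r}")
        if len(self.cia_loss) != 3 or any(not 0 <= v <= 10 for v in self.cia_loss):
            raise ValueError("cia_loss needs three values in 0..10")

    def likelihood(self) -> int:
        # Aggregate likelihood = threat x vulnerability, range 1..9.
        return LEVELS[self.threat] * LEVELS[self.vulnerability]

    def impact(self) -> int:
        # ASSUMPTION: aggregate by taking the worst dimension, which keeps
        # the result on the 0..10 impact scale.
        return max(self.cia_loss)

    def risk(self) -> int:
        # Risk = Threat x Vulnerability x Impact (raw product, at most 90).
        return self.likelihood() * self.impact()


def rank(scenarios):
    """Order scenarios from highest to lowest risk, ties broken by asset name."""
    return sorted(scenarios, key=lambda s: (-s.risk(), s.asset))


# Constructed sample register; assets and scores are illustrative only.
REGISTER = [
    Scenario("ECDIS", "medium", "high", (2, 9, 8)),
    Scenario("GPS receiver", "high", "medium", (0, 10, 7)),
    Scenario("AIS transponder", "medium", "medium", (3, 6, 5)),
    Scenario("Voyage data recorder", "high", "high", (4, 1, 2)),
]

if __name__ == "__main__":
    for s in rank(REGISTER):
        print(f"{s.asset:22} likelihood={s.likelihood()} impact={s.impact()} risk={s.risk()}")
```

In the constructed register, the entry with the highest aggregate likelihood (9) ranks only third because its impact is low, which is the weighting toward asset impact described above.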

The proposed risk analysis methodology comprises these steps:

  • Define scope of the analysis and assets to evaluate

  • Identify threat sources and events

  • Identify vulnerabilities

  • Determine likelihood of occurrence

  • Determine magnitude of impact

  • Determine Risk

  • Communicate risk

  • Manage risk levels

  • Revise the analysis periodically

In the following paragraphs I apply the above methodology to develop a cybersecurity risk analysis in the context of an Integrated Bridge System.