Abstract

The maritime sector, similar to other industries, is swiftly adapting to evolving technologies. However, these advancing technologies also bring forth cyber security concerns. Attacks on ships and findings from scientific studies confirm such concerns. Because of their long service lives, technologies on ships lag behind, making it challenging to address risks arising from operational principles. Moreover, many commercially operated vessels typically lack a cyber security expert. The limited support available from cyber security experts leaves the ship’s crew directly confronting cyber attacks occurring nautical miles away from the shore.

Modern ships are equipped with computerized systems for various purposes. The Integrated Navigation System (INS) is one such system that improves navigation safety by integrating data from multiple devices onboard, aiding the Officer of the Watch (OOW) in ship navigation planning and monitoring. The INS’s ability to gather information from various components exposes it to cyber risks associated with these connected components, resulting in a broad attack surface. The cyber security of such a system with an extensive attack surface should be ensured, considering all three dimensions of cyber security: people, process, and technology.

The objective of this thesis is to provide effective recommendations for enhancing the cyber security of INS by considering all three aspects of cyber security. The focus includes understanding testbed requirements for the technology aspect, implementing risk assessment methodologies for the process aspect, and developing a training programme for the people aspect.

In the initial phase, a reference architecture for INS is created, identifying its components, subcomponents, connections, dependencies, interfaces, data flows, and communication protocols. Concurrently, testbed requirements are outlined to facilitate cyber security research on INS, encompassing activities such as vulnerability analysis. This process aims to achieve a comprehensive technical understanding of an INS while integrating testbed requirements.

Subsequently, potential risks to which INS may be exposed are identified by reviewing the literature, academic studies, and incidents of cyber security breaches in the maritime sector. The identified risks are assessed for INS using both novel and customized methods, incorporating mitigation measures from academic studies and industry practices.

Lastly, considering risks and preventive measures, a training programme is proposed and evaluated through four distinct training sessions. This programme aims not only to enhance the cyber security awareness of seafarers but also that of various professionals in the other fields of the maritime domain.

This thesis provides a comprehensive contribution to enhancing the resilience of INS against cyber risks by considering the foundational elements of people, process, and technology in the proposed recommendations. The findings, observations, methodologies, and recommendations presented in this thesis can be valuable resources for both researchers and industry professionals aiming to protect INS and its associated components from cyber attacks.