Assessing ship cyber risks: a framework and case study of ECDIS security

Abstract

The growing reliance of the shipping industry on information and communication technologies places a high premium on cyber risk management. The International Maritime Organization has imposed improvement of the approved safety management system of ships by incorporating the cyber risk management no later than the first annual verification of a shipping company’s document of compliance following 1 January 2021. In this paper, we present a framework for assessing cyber risks that affect safe operation of ships. The framework relies on an on-board survey to identify existing safeguards, cyber security testing to detect vulnerabilities and threats, and determination of the cyber risk level. The cyber security testing of the ship’s critical systems and assets, as the specific part of the framework, is introduced and studied. The cyber security testing method is based on computational vulnerability scanning and penetration testing techniques, which is aligned with the upcoming maritime standard IEC 63154. For a case study, the testing of a shipboard Electronic Chart Display and Information System cyber security was performed using an industry vulnerability scanning tool.