Security Testing for Naval Ship Combat System Software

Yi, Cheol-Gyu; Kim, Young-Gab

doi:10.1109/access.2021.3076918

Cited by 5 publications

(6 citation statements)

References 19 publications

(20 reference statements)

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Some works evaluate the performance of target systems to assess their security or the impact of security controls on their operation. This is observed to be achieved through emulating the behavior of adversaries (i.e., adversary emulation) [66,83] or testing the functionality of a specific functional unit (i.e., unit testing) [26,82,84,85]. Other works target the exiting vulnerabilities in the system as an indicator of the efficiency of its security posture [25,86].…”

Section: Evaluation Approachesmentioning

confidence: 99%

“…On the other hand, in more advanced system development phases, approaches tend to consider more realistic settings reaching the ability to evaluate the real target system [25,26] and on some occasions simulating certain elements in the environment [89,90]. Additionally, some works address the software source code, middleware and hosting operating system for evaluating its security [82,84,85].…”

Section: Evaluation Approachesmentioning

confidence: 99%

“…Host system [25,83] What vulnerabilities exist [25,83,84] Host system and Controls [86] What errors and defects exist [86] Application SW [84] Requirements satisfaction controls [26] Are the security requirements satisfied [26,84,86] Application SW, Middleware, OS [84] Host system and Controls [86] Recommendations Controls [26] e.g., cryptographic strength Are the privacy requirements satisfied [26] Functional…”

Section: Controls Revision Vulnerabilitiesmentioning

confidence: 99%

“…Host system [83] How would the system behave under attack [83] Integration Controls [26] Are the control properly integrated [26,84] Application SW, Middleware, OS [84] Usability Controls [26,80] User acceptance testing [26,80] Feasibility and applicability Control [80,88] Compliance regime [88] Risk assessment framework [80] Cost Financial Controls [54,81] Cost of implementation [54,81] Cost saved by reducing risk [81] Operational Against host system (i.e., safety) [26,54,90] Execution Time [26,85] Controls [26,85,90] Packet loss, delay [54] Overhead [26] Harmlessness and Data lost [90] Lifecycle Control [54] Future developmnet costs [54] Governance…”

Section: Behaviormentioning

confidence: 99%

“…An observed method for evaluating the cybersecurity architecture is to check its satisfaction with the cybersecurity requirements. Yi and Kim [84] discussed the evaluation of naval ship combat software against a set of specified technical requirements related to accuracy and adequacy. Additionally, Grigoriadis et al [26] reached out to stakeholders for evaluating their risk assessment process against security, privacy, operational, and usability requirements.…”

Section: Simulation and Checklistmentioning

confidence: 99%

See 4 more Smart Citations

Cyber risk management for autonomous passenger ships using threat-informed defense-in-depth

Amro

Gkioulos

2022

Int. J. Inf. Secur.

View full text Add to dashboard Cite

Recent innovations in the smart city domain have led to the proposition of a new mode of transportation utilizing Autonomous Passenger Ships (APS) or ferries in inland waterways. The novelty of the APS concept influenced the cyber risk paradigm and led to different considerations regarding attack objectives, techniques as well as risk management approaches. The main factor that has led to this is the autoremote operational mode, which refers to autonomous operations and remote supervision and control in case of emergency. The autoremote operational mode influences the risk of cyber attacks due to the increased connectivity and reliance on technology for automating navigational functions. On the other hand, the presence of passengers without crew members imposes a safety risk factor in cyber attacks. In this paper, we propose a new cyber risk management approach for managing the cyber risks against cyber physical systems in general and Autonomous Passenger Ships in particular. Our proposed approach aims to improve the Defense-in-Depth risk management strategy with additional components from the Threat-Informed Defense strategy allowing for more evolved cyber risk management capabilities. Moreover, we have utilized the proposed cyber risk management approach for the proposition of a cybersecurity architecture for managing the cyber risks against an APS use case named milliAmpere2. Additionally, we present our results after conducting a Systematic Literature Review (SLR) in cybersecurity evaluation in the maritime domain. Then, the findings of the SLR were utilized for a suitable evaluation of the proposed risk management approach. Our findings suggest that our proposed risk management approach named Threat-Informed Defense-in-Depth is capable of enriching several risk management activities across different stages in the system development life cycle. Additionally, a comprehensive evaluation of the cybersecurity posture of milliAmpere2 has been conducted using several approaches including risk evaluation, simulation, checklist, and adversary emulation. Our evaluation has uncovered several limitations in the current cybersecurity posture and proposed actions for improvement.

show abstract