STPA-Cyber: A semi-automated cyber risk assessment framework for maritime cybersecurity

Cybersecurity incidents in the maritime sector are growing in number and the requirement of cyber risk management onboard ships is an inescapable reality today. Multiple cyber risk assessment frameworks exist today but they are all cumbersome to be applied in today’s state-of-the-art modern maritime systems. Most of the frameworks require experts’ involvement, their precious time and cognitive efforts. The application of these frameworks are also prone to human biases. Moreover, due to the rapid evolution of malicious actors and the inclusion of state-of-the-art toolsets in their arsenal, the completeness of the coverage of the cyber risk analysis for modern maritime systems is also open to questions. In response to these emerging challenges and threat landscape, a modified system theoretic process analysis for cybersecurity is proposed that not only inspects the control actions from a controller but also investigates the incoming feedback signals from the controlled process. The rationale behind the two-way cyber risk analysis within a system, i.e., for a control action as well as for a feedback signal, is that the attackers can target both the links within a feedback loop with comparable likelihood and impact, which could result in gruesome consequences. This work also contributes by semi-automating the labor intensive steps of the cyber risk assessment that results in significant reduction of involvement of experts, cognitive efforts, time requirement and human biases. Lastly, semi-automated generation of security causal scenarios in this work also contributes to the completeness of the cyber risk assessment process because human involvement and manual efforts required in the cyber risk assessment of a cyber–physical system could result in incomplete analysis due to the limitations in human comprehension. Hence, considerable reductions in time, cognitive efforts, human involvement and human biases are achieved in this work.