STPA-Cyber: A semi-automated cyber risk assessment framework for maritime cybersecurity

IF 4.8 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security Pub Date : 2025-06-16 DOI:10.1016/j.cose.2025.104559

Awais Yousaf , Sean Gunawan , Sunil Basnet , Victor Bolbot , Jianying Zhou , Osiris A. Valdez Banda

{"title":"STPA-Cyber: A semi-automated cyber risk assessment framework for maritime cybersecurity","authors":"Awais Yousaf , Sean Gunawan , Sunil Basnet , Victor Bolbot , Jianying Zhou , Osiris A. Valdez Banda","doi":"10.1016/j.cose.2025.104559","DOIUrl":null,"url":null,"abstract":"<div><div>Cybersecurity incidents in the maritime sector are growing in number and the requirement of cyber risk management onboard ships is an inescapable reality today. Multiple cyber risk assessment frameworks exist today but they are all cumbersome to be applied in today’s state-of-the-art modern maritime systems. Most of the frameworks require experts’ involvement, their precious time and cognitive efforts. The application of these frameworks are also prone to human biases. Moreover, due to the rapid evolution of malicious actors and the inclusion of state-of-the-art toolsets in their arsenal, the completeness of the coverage of the cyber risk analysis for modern maritime systems is also open to questions. In response to these emerging challenges and threat landscape, a modified system theoretic process analysis for cybersecurity is proposed that not only inspects the control actions from a controller but also investigates the incoming feedback signals from the controlled process. The rationale behind the two-way cyber risk analysis within a system, i.e., for a control action as well as for a feedback signal, is that the attackers can target both the links within a feedback loop with comparable likelihood and impact, which could result in gruesome consequences. This work also contributes by semi-automating the labor intensive steps of the cyber risk assessment that results in significant reduction of involvement of experts, cognitive efforts, time requirement and human biases. Lastly, semi-automated generation of security causal scenarios in this work also contributes to the completeness of the cyber risk assessment process because human involvement and manual efforts required in the cyber risk assessment of a cyber–physical system could result in incomplete analysis due to the limitations in human comprehension. Hence, considerable reductions in time, cognitive efforts, human involvement and human biases are achieved in this work.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104559"},"PeriodicalIF":4.8000,"publicationDate":"2025-06-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167404825002482","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

Cybersecurity incidents in the maritime sector are growing in number and the requirement of cyber risk management onboard ships is an inescapable reality today. Multiple cyber risk assessment frameworks exist today but they are all cumbersome to be applied in today’s state-of-the-art modern maritime systems. Most of the frameworks require experts’ involvement, their precious time and cognitive efforts. The application of these frameworks are also prone to human biases. Moreover, due to the rapid evolution of malicious actors and the inclusion of state-of-the-art toolsets in their arsenal, the completeness of the coverage of the cyber risk analysis for modern maritime systems is also open to questions. In response to these emerging challenges and threat landscape, a modified system theoretic process analysis for cybersecurity is proposed that not only inspects the control actions from a controller but also investigates the incoming feedback signals from the controlled process. The rationale behind the two-way cyber risk analysis within a system, i.e., for a control action as well as for a feedback signal, is that the attackers can target both the links within a feedback loop with comparable likelihood and impact, which could result in gruesome consequences. This work also contributes by semi-automating the labor intensive steps of the cyber risk assessment that results in significant reduction of involvement of experts, cognitive efforts, time requirement and human biases. Lastly, semi-automated generation of security causal scenarios in this work also contributes to the completeness of the cyber risk assessment process because human involvement and manual efforts required in the cyber risk assessment of a cyber–physical system could result in incomplete analysis due to the limitations in human comprehension. Hence, considerable reductions in time, cognitive efforts, human involvement and human biases are achieved in this work.

查看原文本刊更多论文

STPA-Cyber：海上网络安全半自动化网络风险评估框架

海事领域的网络安全事件越来越多，船上网络风险管理的需求是当今不可避免的现实。目前存在多种网络风险评估框架，但它们在当今最先进的现代海事系统中应用起来都很麻烦。大多数框架需要专家的参与，他们宝贵的时间和认知努力。这些框架的应用也容易受到人类偏见的影响。此外，由于恶意行为者的快速发展以及其武器库中包含最先进的工具集，现代海事系统网络风险分析覆盖范围的完整性也存在问题。针对这些新出现的挑战和威胁形势，提出了一种改进的网络安全系统理论过程分析方法，该方法不仅检查控制器的控制动作，还研究来自被控过程的传入反馈信号。系统内双向网络风险分析背后的基本原理，即控制行动和反馈信号，是攻击者可以以相当的可能性和影响瞄准反馈回路中的两个链接，这可能导致可怕的后果。这项工作还有助于将网络风险评估的劳动密集型步骤半自动化，从而大大减少专家的参与、认知努力、时间要求和人类偏见。最后，本工作中安全因果场景的半自动生成也有助于网络风险评估过程的完整性，因为由于人类理解的局限性，网络物理系统的网络风险评估中需要人工参与和人工努力，可能导致分析不完整。因此，在这项工作中，大大减少了时间、认知努力、人类参与和人类偏见。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Computers & Security 工程技术-计算机：信息系统

CiteScore

12.40

自引率

7.10%

发文量

365

审稿时长

10.7 months

期刊介绍： Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.