A novel cyber-risk assessment method for ship systems

Recent advances in the maritime industry include research and development of new sophisticated ships with a number of smart functionalities and enhanced autonomy. The new functions and autonomy levels though come at the cost of increased connectivity. This results in increased ship vulnerability to cyber-attacks, which may lead to financial loss, environmental pollution and safety accidents. The aim of this study is to propose a novel method for cybersecurity risk assessment of ship systems. In this novel method, the Cyber-Preliminary Hazard Analysis method steps are enriched with new steps supporting the identification of cyber-attack scenarios and the risk assessment implementation. The proposed method is applied for the cyber-risk assessment and design enhancement of the navigation and propulsion systems of an inland waterways autonomous vessel. The results demonstrate that several critical scenarios can arise on the investigated autonomous vessel due to known vulnerabilities. These can be sufficiently controlled by introducing appropriate modifications to the systems design.


Background
Cyber-Physical Systems (CPSs) represent a class of systems consisting of software and hardware components, which are used to control physical processes (Gunes et al., 2014). CPSs have been advancing in a number of application areas, including the maritime industry (DNV GL, 2015). CPSs are expected to increase the productivity and safety levels by removing, substituting and/or supporting the operator in the decision-making process, thus reducing the number of human errors leading to accidents. Typical examples of the existing marine CPSs include the Diesel-Electric Propulsion plant, the Safety Monitoring and Control System, the Dynamic Positioning System as well as the Heating, Ventilation & Air Conditioning systems (DNV GL, 2015). The number of the CPSs is expected to increase in autonomous ships, which are considered to be the ultimate marine CPS.
The maritime industry has demonstrated a strong interest in the development of the next generation ships such as smart ships or autonomous ships, employing CPSs. Examples of relevant projects include the autonomous Yara Birkeland ship design and construction (Yara, 2018), as well as the MUNIN (MUNIN, 2016), AAWA (AAWA, 2016), SISU and SVAN (Daffey, 2018) projects. The most recent initiative is the AUTOSHIP project (AUTOSHIP, 2019), which aims at converting two demonstrators, a short sea shipping vessel and an inland waterways vessel, into autonomous vessels, thus pushing the available technology and autonomy levels further on larger size vessels.
The introduction of CPSs is accompanied by an increased complexity attributed to the heterogeneous character of the installed CPSs, the dependence on information exchange with other systems, the additional new interactions with humans, the increased number of controllers running complex software and the increased interconnectivity required for implementing the desired CPSs' functionalities (Bolbot et al., 2019c). All these parameters, especially the latter, introduce new hazards, as cyber-attacks can exploit vulnerabilities in the communication links and directly affect the integrity or availability of the data and control systems, leading to accidents (Bolbot et al., 2019c; Eloranta and Whitehead, 2016).
A number of incidents have been reported with unauthorised people gaining access to various conventional ship control systems. In one case, the Electronic Chart Display and Information System (ECDIS) was infected, resulting in a disruption of the ship operation with significant financial consequences (BIMCO, 2018a). In another attack, the ECDIS updates constituted a bridge for implementing an attack on a radar system, allowing the attacker to manipulate the radar measurements displayed on screen (Wingrove, 2017). In another case, malware was installed through a USB memory stick on a power management system, degrading its performance (BIMCO, 2018a). The satellite communication systems of another ship were compromised by white-hat hackers via a tracking system due to weak passwords (Doyle, 2017; Munro, 2017). Global Positioning System (GPS) spoofing attacks were reported in the

1.2. Literature review

A number of standards are available for systems cybersecurity assessment and assurance, including the ISO 27000 series standards (ISO/IEC, 2016), the NIST SP 800 series standards (NIST, 2019), the IEC 62443 series standards (IEC, 2018) and specific standards in the automotive and aerospace industries (Flaus, 2019). As there is an increasing number of concerns in the maritime industry with respect to the vulnerability of ship systems to cyber-attacks, a number of guidelines have been developed to address potential threats (France, 2016; United States Coast Guard, 2015).
In addition, a number of previous research studies focused on the high-level cyber security assessment of the ship control systems and ship networks in autonomous ships. Jones et al. (2016) provided an overview of different attack scenarios for a typical cargo ship. Tam and Jones (2019) proposed a model-based approach for the risk assessment of cyber-threats named MaCRA (Maritime Cyber-Risk Assessment), which considers the technological systems vulnerabilities as well as the ease of exploitation and the potential rewards for the hackers. Using the same model-based approach, Tam and Jones (2018) implemented a risk assessment for a number of vessels including Yara Birkeland, the Rolls Royce AAWA ocean-going reduced crew vessel and the Mayflower autonomous ship. Kavallieratos et al. (2019) employed the STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege) method to assess risks in a generic autonomous vessel.
Other approaches used more detailed methods for cyber-security analysis. Omitola et al. (2018) analysed an unmanned surface vessel navigation system using the System-Theoretic Process Analysis for security (STPA-sec), considering cyber-attacks that modify the data provided as input to the vessel navigation system. Shang et al. (2019) combined attack trees with fuzzy ranking for assessing the likelihood of successful cyber-attacks on ship propulsion/power generation systems. Guzman et al. (2019) suggested a new method, named uncontrolled flows of information and energy, which uses diagrammatic dependencies within CPSs for risk analysis of the collision avoidance function of an autonomous surface vessel. Svilicic et al. (2019a) proposed a risk assessment framework, which is based on a combination of questionnaires, vulnerability scanning and penetration testing results. Glomsrud and Xie (2019) suggested the use of STPA with attack trees for the safety assessment of an autonomous vessel. Kavallieratos et al. (2020) used STPA with security analysis in parallel for the identification of safety and security requirements.
Nevertheless, the previously presented methods and standards do not seem to properly address the needs of cyber-risk assessment for maritime assets, as explained below. ISO 27000 (ISO/IEC, 2016) suggests a generic risk assessment framework, which might not be well adjusted to industrial systems, such as ships, as the consequences are expressed in asset value and not in terms of safety, environmental and other consequence metrics. IEC 62443 (IEC, 2018) is a standard for industrial systems security, and the approach is not suitably "marinised". The NIST SP 800-37 approach (NIST, 2019) focuses on the impact of cyber-attacks in terms of integrity, availability and confidentiality, which however needs an additional step to consider the potential safety, environmental and financial implications of the loss of integrity, availability and confidentiality. The class society rules for cyber-risk assessment are more suitable for ship systems; however, they might either refer to other standards such as IEC 62443 for carrying out the risk assessment process (LR, 2019), provide generic guidelines (ABS, 2018), assess consequences in terms of integrity, availability and confidentiality (BIMCO, 2018a; ClassNK, 2019; DNV GL, 2016) or lack a description of the potential attack types which will affect the consequences (BV, 2018).
In many of the previous research studies, such as Jones et al. (2016), Tam and Jones (2019) and Tam and Jones (2018), the risk assessment was implemented considering a high-level system architecture, which does not support the system cybersecurity enhancement. The risk assessment using STRIDE, as in other studies (Kavallieratos et al., 2019), can be used to identify a number of potential attack scenarios but did not address the safety-related consequences. The use of other approaches involving STPA (Omitola et al., 2018) and Attack Trees (Shang et al., 2019) or both (Glomsrud and Xie, 2019) can be rather labour intensive. It is deduced from previous STPA applications that this method may result in an overwhelming number of hazardous scenarios (Bolbot et al., 2020; Bolbot et al., 2019b; Bolbot et al., 2018). In the authors' view, such a detailed method would be beneficial if applied after a less labour-intensive approach is used. Other approaches, as presented by Svilicic et al. (2019a), are applied in conjunction with ship systems penetration testing. This supports the risk assessment process but cannot be implemented prior to the actual system testing. Therefore, the generation of the relevant system requirements cannot be supported.

V. Bolbot, et al. Safety Science 131 (2020) 104908
In addition, none of the previous studies conducted a risk assessment of an inland waterways autonomous vessel. Inland waterways autonomous vessels operate in a different environment in comparison to short sea or ocean going vessels, with different system requirements and size, and they can attract the interest of different hacker groups. For instance, it is much easier to board an autonomous inland ship than ships that sail in open seas or on short sea shipping routes, although the frequency of piracy incidents will also depend on the operating area. Ship operation in canals imposes specific boundaries on the ship design, affecting the amount of transferred cargo and consequently the loss value. Additionally, autonomous inland waterways ships will use different communication technologies such as 4G, whereas ocean going ships might use satellite communication with shore. Therefore, the scenarios that can arise due to cyber-attacks and their likelihood can be different in an autonomous inland ship than in other types of ships.
In this respect, the aim of this study is to develop a novel method for conducting the risk assessment for cyber-attacks on ship systems, including autonomous ships, which addresses the limitations of previous methods/approaches. The developed novel method is subsequently employed to conduct the cyber-attack risk assessment for the navigation and propulsion systems of an inland waterways autonomous vessel. The novelty of the present research includes: (a) the development of a novel method for ship cyber risk assessment; (b) the identification of potential vulnerabilities, attack vectors and control barriers for ship systems, required to facilitate the method application; (c) the identification of attack scenarios arising in the propulsion and navigation systems of the investigated inland autonomous ship, and; (d) the identification of the safety/cyber security control measures/barriers for this ship.
The remainder of this article is organised as follows. The developed method for cyber-attack risk assessment is presented in Section 2. A description of the investigated case study of the inland waterways vessel is provided in Section 3. The derived results along with their discussion are provided in Section 4. Finally, the main findings are summarised and suggestions for future research are provided in Section 5.
2. Proposed method for the cyber risk assessment in ships

2.1. Method rationale, overview and method novelty

The Cyber Preliminary Hazard Analysis (CPHA) is selected as the basis for the development of the novel method proposed in this study. This method is rather similar to the classical HazId (Hazard Identification), which is widely used in the maritime industry, so it can be easily understood and used by safety engineers in its original or a modified form. Furthermore, a similar approach based on CPHA has been adopted by Bureau Veritas (BV) according to their rules (BV, 2018). In addition, this approach seems to be more aligned with the IEC 62443 standard guidelines for cyber risk assessment of industrial systems, as HazId results are suggested to be used as input to the cyber risk assessment.
The developed method, named CYber-Risk Assessment for Marine Systems (CYRA-MS), consists of four phases (A to D) and follows in total ten steps, as illustrated in the flowchart depicted in Fig. 1. The method begins with the identification of the system components and the mapping of the relevant connections/interactions (Step 1), as it is important first to sufficiently understand the investigated system. A proper understanding of the component functions and interactions will support the identification of attack consequences. Subsequently, a specific attack group is selected for the analysis (Step 2), as different attack groups will focus on different attack scenarios. In parallel, based on the literature review and an existing vulnerabilities database, the existing vulnerabilities of the system components are identified (Step 3). The vulnerabilities are used to identify the potential attacks on the various system components. Based on the specific attack group goal and the vulnerabilities, the potential attack types (Step 4) on the system components along with the potential consequences (Step 5) of each attack type are identified. In Step 6, an estimation of the success likelihood of each specific attack scenario is provided based on the following parameters: attack group goals, activity level, technological level, connectivity level, required resources for exploiting vulnerabilities and available control barriers. The different consequences are ranked in terms of their severity in Step 7. In Step 8, the control measures for each hazardous scenario are identified/proposed. The scenario risk is reassessed based on the new control measures in Step 9. In Step 10, the different safety requirements and suggestions for the system design are summarised based on the previous steps. All these 10 Steps are elaborated in detail in the following sections.
The novelty of the CYRA-MS method compared to the CPHA includes: (a) the consideration of attack group goals in the analysis; (b) the incorporation of different attack types; (c) the estimation of the likelihood of successful attacks considering the attack group goals, activity level, technological level, connectivity level, required resources and available control barriers; (d) the expansion of the Formal Safety Assessment (FSA) consequences table to allow ranking of scenarios in financial, safety and environmental terms.

Phase A -Preparation for analysis (Steps 1-3)
The prerequisite for the CYRA-MS is the identification of: (a) the control system elements; (b) the control element functions and functionalities; (c) the control system element interfaces (sensors and actuators) with the physical world; (d) the controlled processes; (e) the interfaces among the control systems; (f) the data flow in the system, and; (g) the potential entry points into the system (physical and logical access points) (IEC, 2018). This is implemented in Step 1 (Fig. 1), by analysing the available system information and developing the system physical and logical mapping (Flaus, 2019). An example of what this information includes is provided in the results for the case study presented in Section 4.1, in Fig. 3 and Table 11.
As attackers have neither the same motives nor the same resources when attacking a ship network (Tam and Jones, 2019), the attack scenarios assessed in Steps 4 to 7 (Fig. 1) will vary for each attack group. In this respect, the potential attack groups (or threat groups) are selected in Step 2 (Fig. 1). Using previous research studies (BIMCO, 2018a; Boyes and Isbell, 2017; BV, 2018; Flaus, 2019; IEC, 2011a; Tam and Jones, 2019), the attack groups were identified and are presented in Table 1. The technological level of each attack group according to the Bureau Veritas (BV) guidelines is also presented in Table 1.
The known vulnerabilities, the potential entry points and the attack types are identified in Step 3 (Fig. 1) by using the information provided in the following resources: (a) previous research publications, e.g. (Flaus, 2019; Kavallieratos et al., 2019; Omitola et al., 2018; Tam and Jones, 2018); (b) the available maritime standards (BIMCO, 2018a; Boyes and Isbell, 2017; DNV GL, 2016; IMO, 2016a; Maritime affairs directorate of France, 2016); (c) relevant generic standards (IEC, 2011a), and; (d) the Cybersecurity and Infrastructure Security Agency (CISA) database (CISA, 2019a). A generic list of the vulnerabilities, the potential entry points and the attack types for the various system components, identified based on the existing literature and reported cyber-attack cases, is provided in Table B.1 in Appendix B. Whilst this list is provided in Table B.1, it is highly recommended to keep updating it due to the evolving nature of this area, as it is expected that new vulnerabilities and attack types will be discovered, which may result in new attack scenarios.

Phase B -Identifying the attack scenarios (Steps 4-5)
Based on the goals of each attack group (from Step 2) as well as the system components vulnerabilities and attack vectors (from Step 3), the potential attack scenarios are identified in Step 4 ( Fig. 1). The identification of the potential attack scenarios can be implemented with the assistance of Table B.1 which connects the system components with the potential attack types.
The system component functionalities (Step 1) and the attack group goal (Step 2) are used to derive the potential consequences of the attack scenarios in Step 5 (Fig. 1). The potential consequences can be categorised into three different types: (a) safety consequences leading to violation of the safety requirements; (b) environmental consequences leading to environmental pollution, and; (c) financial consequences. The identification of potential safety and financial inadvertent effects is enhanced through the review of the IMO list of incidents and accidents for ships (IMO, 2008), which is provided in Table 2. The potential environmental consequences according to MARPOL (IMO, 2016b) can be of two major types: air pollution or sea pollution. The financial consequences include: (a) loss or damage of ship systems; (b) loss or damage to ship cargo; (c) disruptions in ship operation and the associated logistic chain leading to financial loss, and; (d) potential legislative effects leading to financial losses. Steps 4 and 5 are not completely independent, as the attack group goal affects both the targeted inadvertent scenario and the employed attack scenario.

Phase C -Scenarios ranking (Steps 6-7)
In Steps 6 and 7, the scenarios are ranked according to their expected likelihood and severity. However, as the cybersecurity issues are relatively new in the maritime industry, to the best of authors' knowledge, there are no reliable statistics for different attack scenarios. For this reason, a new methodological approach is suggested below.
The likelihood of each scenario (combination of attack and consequences) is affected by: (a) the level of exposure of each system (EL) to attacks due to the connectivity level (CL1) and the complexity level (CL2) (BV, 2018); (b) the interest of the specific attack group in an attack scenario (IL) (Tam and Jones, 2019); (c) the attacker technological level (TL) (BV, 2018); (d) each attack group activity level (AL) (EBIOS, 2019); (e) the ease of exploitation (EE) (Tam and Jones, 2019), and; (f) the vulnerability level (VL) due to the absence/presence as well as the effectiveness of mitigating and preventative barriers for each scenario. Therefore, the frequency (F) of the successful attack (events per ship-year) can be estimated according to the following equation:

(1)

The consecutive terms on the right-hand side of Eq. (1) denote, respectively, the frequency of attack attempts (AL) and the remaining parameters listed above. Eq. (1) considers that if a cyber-attack attempt is implemented (depicted by AL), its success will depend on the values of all the other parameters (EL, IL, TL, EE, VL).
The assumptions behind Eq. (1) along with their justification are provided below in bullet points:
• The base of 10 has been used in a similar way to the Layer Of Protection Analysis (LOPA) approach (British Standards Institution (BSI), 2004) and to allow the estimation of the ranking according to the FSA.
• The probabilities of the attack group interest and technological level lie in the range from 0.01 to 1. This assumption can be viewed as aligned with the ANSSI 2013 approach (Flaus, 2019), where the attacker technological level is divided by 2.
• For estimating the system exposure level, ease of exploitation and vulnerability level, it is assumed that their probability values are in the range between 0.0001 and 1. In this respect, the considered assumption for the exposure level is aligned with the relevant procedures in the ANSSI 2013 approach (Flaus, 2019).
• For the vulnerability level, the underlying assumption is that each protective barrier can mitigate the 90% of relevant hazardous conditions. This is a rather conservative assumption with regard to the effectiveness of the mitigation barriers (British Standards Institution (BSI), 2004). This assumption can be overcome if appropriate evidence for the barrier effectiveness is provided. For instance, higher effectiveness can be assigned to protective barriers not based on digital technologies (Cormier and Ng, 2020).
The Frequency Index (FI) is calculated according to the following equation, which was derived by summing the exponents of Eq. (1), rounding up the calculated value (to avoid non-integer values) and considering that the FI minimum value is equal to 1:

The activity level (AL) corresponds to the number of attack attempts by a specific group. It is proposed to determine the AL by using a ranking developed based on the Formal Safety Assessment (FSA) Frequency Index (IMO, 2018), since the proposed method is developed for marine systems applications. The categorisation and the respective frequency ranges considered in this study are provided in Table 3. For determining the level of exposure of each system, the method proposed in (BV, 2018) is employed. Thus, each system exposure level is estimated based on the system complexity and connectivity levels, as illustrated in Tables 4-6. The attacker interest level is determined by adopting and enhancing the relevant ranking of the MaCRA approach (Tam and Jones, 2019), as in Table 7. Each attacker technological level is provided in Table 1 by using the BV guidelines (BV, 2018). The ease of exploitation is ranked according to Table 7. The ranking of the effectiveness of the mitigating or preventative barriers (alternatively referred to as the vulnerability level) is implemented according to Table 7, based on our previous research work in (Bolbot et al., 2019a). For estimating the vulnerability level ranking, the following barrier types are considered: (a) the presence of redundant components or communication lines implementing the same functionality as the one under attack; (b) the available safety or system reconfiguration functions; (c) the presence of human operators constantly monitoring the system or potential rectification actions; (d) the presence of antivirus software on the considered components; (e) the presence of additional firewalls; (f) the incorporation of intrusion detection systems; (g) the use of an enhanced security software architecture on the considered system components, and; (h) the level of access granted to the personnel to specific systems/functions. A detailed list of control barriers is provided in Table B.1.

Table 3. Ranking for successful attack scenarios (FI) and attack group activity level (AL).
The frequency and the severity of each attack scenario are ranked using the FSA ranking tables proposed by (IMO, 2018), presented in Tables 3 and 8. The severity ranking is based on the consequences, where the most severe consequence among the different types is selected for the risk estimation. The financial cost of the ship operation disruption is estimated based on the equivalent of a human life loss (the Net Cost of Averting a Fatality value from the FSA), which is taken as $3m for 1998 according to (IMO, 2018), whilst considering the average inflation rate from 1998 to 2020 (2.29%). The air pollution consequences are ranked according to the guidelines for cyber risk assessment provided by BV (2018). For harmonising the proposed methodology results with the pertinent IMO FSA guidelines, the attack risk is evaluated using the risk matrix presented in Table 9. In this risk matrix, higher severity but lower frequency accidents are given higher priority in comparison to lower severity but higher frequency accidents.

Phase D -System enhancement and requirements generation (Steps 8-10)
Based on the results of the previous steps (Steps 1-7), it is assessed whether the risk for each investigated scenario is within the acceptable region. For the investigated scenarios with non-acceptable risk, the appropriate preventive and mitigating control barriers are identified and proposed in Step 8. The scenario risk can be reduced by (ISO/IEC, 2016): (a) avoiding the risk, e.g. changing the operational area; (b) removing the risk source, e.g. reducing the connectivity level; (c) influencing the likelihood, e.g. adding control barriers; (d) mitigating the consequences, e.g. enhancing the response and recovery after an attack, and; (e) sharing the risk through insurance.
Subsequently, the scenario risk is reassessed considering the modified system architecture that includes the proposed control barriers. If the risk is acceptable, the process terminates. Otherwise, new barriers or architecture/functions are proposed. Based on the results of this analysis, it is reviewed whether different control barriers are repeated several times. Based on the frequency of appearance of the different control barriers, the relevant safety recommendations at this ship design stage are derived.
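The likelihood ranking of Phase C (Steps 6-7) and the reassessment of Phase D (Step 9) can be carried through in code. The block below is an added example and not the paper's own implementation. Eq. (1) itself is not reproduced on this page, so three things are assumptions taken from the surrounding text and the IMO FSA guidelines rather than statements of the paper: the product form F = AL x EL x IL x TL x EE x VL with each factor written as a power of 10, the FSA offset FI = log10(F) + 6 (F = 10 per ship-year gives FI 7, F = 10^-5 gives FI 1), and the FSA risk index RI = FI + SI. The exponent values used in the worked scenario (hypothetical `SCENARIO`) are illustrative and are not the entries of Tables 3 to 7; what the paper does state and the code encodes is the base of 10, the ranges 0.01-1 for IL and TL and 0.0001-1 for EL, EE and VL, the 90% effectiveness per barrier, rounding FI up and flooring it at 1.

```python
import math

# Ranges stated for the factors of Eq. (1): IL and TL in [0.01, 1]; EL, EE and VL in
# [0.0001, 1]. Each factor is represented by its base-10 exponent k (factor = 10**-k),
# since FI is derived by summing the exponents of Eq. (1).
MAX_EXP = {"EL": 4, "IL": 2, "TL": 2, "EE": 4, "VL": 4}

# Assumption (IMO FSA convention, not given numerically on this page): FI = log10(F) + 6.
FI_OFFSET = 6


def vulnerability_exponent(n_barriers, barrier_effectiveness=0.9):
    """VL exponent for n independent barriers, each removing 90 % of the relevant
    hazardous conditions (paper's conservative assumption). The residual
    probability (1 - eff)**n is floored at 1e-4, i.e. the exponent is capped at 4."""
    if not 0 < barrier_effectiveness < 1:
        raise ValueError("barrier effectiveness must lie in (0, 1)")
    residual = (1.0 - barrier_effectiveness) ** n_barriers
    # round() removes float noise so that 0.1**2 maps to exactly 2.0
    return min(MAX_EXP["VL"], max(0.0, round(-math.log10(residual), 9)))


def log_frequency(al_exp, factors):
    """log10 of F = AL * EL * IL * TL * EE * VL (assumed product form of Eq. (1)).
    al_exp is log10 of the attempt frequency AL in attempts per ship-year; factors maps
    EL, IL, TL, EE and VL to their non-negative exponents (0 = probability 1)."""
    total = al_exp
    for name, limit in MAX_EXP.items():
        k = factors[name]
        if not 0 <= k <= limit:
            raise ValueError(f"{name} exponent {k} outside the allowed range [0, {limit}]")
        total -= k
    return total


def frequency_index(log10_f):
    """FI: summed exponents plus the FSA offset, rounded up, with FI >= 1."""
    return max(1, math.ceil(round(log10_f + FI_OFFSET, 9)))


def risk_index(fi, si):
    """RI = FI + SI on the FSA log scale (assumption; SI 1 = minor ... 4 = catastrophic)."""
    if not 1 <= si <= 4:
        raise ValueError("severity index must be 1..4")
    return fi + si


def assess(al_exp, factors, si, n_barriers):
    """Steps 6-7 for one scenario: VL from the barrier count, then F, FI and RI."""
    f = dict(factors, VL=vulnerability_exponent(n_barriers))
    lf = log_frequency(al_exp, f)
    fi = frequency_index(lf)
    return {"log10_F": lf, "FI": fi, "SI": si, "RI": risk_index(fi, si)}


# Hypothetical worked scenario (illustrative exponents, not the case-study values): a
# group attempting 0.1 attacks per ship-year (AL = 10**-1) against a fully exposed
# component (EL 0), with maximum interest (IL 0), a technological level one order of
# magnitude below the maximum (TL 1), an easily exploited entry point (EE 0) and a
# catastrophic consequence (SI 4).
SCENARIO = {"al_exp": -1, "factors": {"EL": 0, "IL": 0, "TL": 1, "EE": 0}, "si": 4}


def before_and_after(n_new_barriers=2):
    """Initial assessment with no barriers (VL = 1), then the Step 9 reassessment
    after n_new_barriers independent barriers have been added."""
    return assess(**SCENARIO, n_barriers=0), assess(**SCENARIO, n_barriers=n_new_barriers)


if __name__ == "__main__":
    before, after = before_and_after()
    print("without barriers:", before)
    print("with 2 barriers :", after)
```

Each added barrier lowers log10(F) by one, so two barriers move the worked scenario from FI 4 to FI 2 and RI 8 to RI 6; a control that cuts connectivity (lower EL) or the consequence class (lower SI) is handled by changing the corresponding input instead.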

Case study description
The proposed methodology was applied to estimate the cyber risk of a fully autonomous version of the Pallet Shuttle Barge (PSB) (Blue Lines Logistics, 2015) operating in inland waterways in the unmanned mode. This vessel is one of the two use cases of the AUTOSHIP project (AUTOSHIP, 2019). The main ship particulars are provided in Table 10. It must be noted that this study considers a theoretical use case of a fully autonomous PSB and not the actual demonstrator of the AUTOSHIP project. Moreover, this study focuses on the navigation and propulsion systems of this vessel, as they are considered the most vulnerable to cyber-attacks (BIMCO, 2018b). The systems and equipment, as well as their relevant interconnections and interactions, which are used for the vessel navigation and propulsion in the autonomous mode, are provided in the schematic shown in Fig. 2. This schematic was developed based on the information reported in (Boyes and Isbell, 2017; Höyhtyä et al., 2017; Maritime affairs directorate of France, 2016; Schmidt et al., 2015; Stefani, 2013) and available drawings for similar ships. Further information is provided in Section 4.1.

Phase A -Preparation for analysis (Steps 1-3)
The results of the developed methodology (Step 1) include the investigated autonomous ship systems control elements, their functionalities, their interactions with other control elements, the potential entry points for cyber-attacks and the relevant network zones identification. The derived results from Step 1 are presented in Fig. 3 and Table 11. As can be observed in Fig. 3, the investigated autonomous PSB has four major network zones. Zone 1 depicts the shore control centre, Zone 2 depicts the high level controllers, whereas Zone 3 and Zone 4 depict the engine automation and navigation systems. Terrorist groups typically aim at causing a ship accident (Tam and Jones, 2019). Thus, the focus of the present case study is on identifying attacks and scenarios which may be of interest to terrorists (Step 2).
The vulnerabilities list, potential entry points and attack types (Step 3) are provided in Appendix B.

Table 5. Connectivity level ranking (CL1) (BV, 2018).
Level 1 (CL1 = 1): Isolated system with no connectivity.
Level 2 (CL1 = 2): The system is connected to another system through secure (encrypted) communication, and the communication is one-way from the considered system to the other system.
Level 3 (CL1 = 3): A system with Connectivity Level 2 that employs a wireless connection; or the system is one-way interconnected to another system using unencrypted communication protocols; or the communication is two-way between the systems using secure communication protocols.
Level 4 (CL1 = 4): The system is connected to another system using a distant link but with secure communication protocols and a private network; or the system is connected to another system using a public network but with a protective device between the two systems.
Level 5 (CL1 = 5): The system is exposed to a public network, e.g. an external supplier can access the system network.

Table 6. Complexity level ranking (CL2) (BV, 2018).
Level 1 (CL2 = 1): Systems with workstations and light servers; restoration of these systems is easily applied.
Level 2 (CL2 = 2): Systems with host authentication servers, database servers, supervision or programming workstations.
Level 3 (CL2 = 3): Unmanned systems, swarm connections, or systems dependent on a high density of system exchanges.

Phase B & C -Identifying and ranking the attack scenarios (Steps 4-7)
In total, 52 different attack scenarios were identified in Steps 4 and 5 by focusing on each system component. An example is provided in Table 11. The calculated risk index of these scenarios is shown in Fig. 4. The component functionality, the potential vulnerabilities and the goal of the attacker group were considered for determining the attack consequences. However, as mentioned in Section 2.2, the identified scenarios need to be updated based on newly identified vulnerabilities to remain up-to-date.
For the RI calculation of the investigated vessel, the following assumptions were considered: • The Activity Level (AL) of the terrorists was selected as reasonably probable (5). According to EBIOS (EBIOS, 2019), it could be ranked as low; however, it is expected that the autonomous vessel will attract greater attention than the usual means of transport.
• The Technological Level (TL) was set to 4, following the guidelines provided in (BV, 2018).
• The interest level (IL) for scenarios with major safety consequences was set to 5, as terrorists are expected to cause as much damage in terms of human lives as possible. Less significant safety consequences correspond to lower IL values.
• For the Ease of Exploitation (EE) ranking, the systems with direct access to public network (Shore Control Centre, Connectivity Manager, Ship Control Station, VHF, AIS, GPS) were considered the easiest ones to be exploited. The systems in zones 2 and 4 were considered the more difficult systems to be attacked. The systems in zone 3 were considered the least accessible systems, as they hold a lower position in the control system architecture (Flaus, 2019).
• Since the ship systems are connected to the public network (4G and internet through shore control centre) (CL1 = 5) and it is a system with high complexity level (CL2 = 3), the components Exposure Level (EL) was set to 5.
• Initially, no protective measures were considered, therefore the Vulnerability Level (VL) was set to 5.
Out of the 52 identified scenarios, 4 were categorised as critical, 41 were found to be in the tolerable region and only 7 were initially characterised as of negligible importance. After the incorporation of the available and new safety/cyber security/security barriers, no critical scenarios were found, 14 scenarios were considered tolerable and the remaining 38 scenarios were classified as negligible. The scenarios identified by the CYRA-MS with an RI greater than or equal to 8 are provided in Table 12. These scenarios are related to access to the ship control station and the shore control station, as they may result in major consequences. The other top critical scenarios were related either to attacks on the GPS signal, as this scenario can be easily exploited, or to malware installation on the collision avoidance system and the situation awareness system, as these scenarios have potentially major consequences.

Phase D - System enhancement and requirements generation (Steps 8-10)
The enhanced system logical structure is also presented in Fig. 3. For the system cyber risk reduction, it was considered that the vessel communication is implemented via a secure network with the shore control centre, whilst all communications with the public network at the shore control centre and in the other zones are cut, setting the EL to 4. In addition, it was considered that firewalls and redundant communication lines applying different technologies are installed between the different network zones. A safety system and intrusion detection systems, monitoring for system safety and suspicious controller behaviour in zone 2, are proposed as a means of verifying the ship systems' control actions. It is also proposed that these monitoring systems implement functions redundant to some of the functions of the autonomous ship controller, in case of a Denial of Service (DoS) attack. Sanity checks and filtering of the GPS signal measurements, as well as the addition of anti-interference antennas, are also proposed to be added to the investigated systems configuration to reduce the impact of GPS signal loss. For some of the critical components (autonomous ship controller, intrusion detection system and navigation system), it is suggested that they operate under a kernel function, so that no software is installed without permission. It is also suggested that the situation awareness system carries out continuous sanity checks of the received measurements (speed, GPS, etc.). For the specific vessel, it is also suggested to install Power Take-In/Power Take-Out technologies and interconnect them with the Diesel Generator sets, thus ensuring propulsion power availability in case of failures in the Diesel Generator sets or the ship main engine. Additional control measures are also indicated in Fig. 3.
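The continuous sanity checks on received GPS and speed measurements proposed above can be illustrated with a plausibility filter that the situation awareness system could run on every fix; the following Python is an added example and is not code from the paper or the AUTOSHIP project. The vessel speed limit, the GPS-versus-log tolerance and the sample track are assumed values.

```python
import math
from collections import namedtuple

EARTH_RADIUS_M = 6_371_000.0  # mean Earth radius for the haversine formula
# One GPS fix (time in s, lat/lon in degrees) plus the speed over ground in m/s
# reported by an independent log sensor, as the situation awareness system sees it.
Fix = namedtuple("Fix", "t lat lon log_speed")

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two positions."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

def check_fix(prev, cur, max_speed=8.0, speed_tol=2.0):
    """Reasons why `cur` is implausible relative to the last accepted fix `prev`
    (empty list = accepted). max_speed (vessel limit) and speed_tol (allowed
    GPS-vs-log disagreement), both in m/s, are assumed values."""
    dt = cur.t - prev.t
    if dt <= 0:
        return ["timestamp not increasing"]
    gps_speed = haversine_m(prev.lat, prev.lon, cur.lat, cur.lon) / dt
    reasons = []
    if gps_speed > max_speed:
        reasons.append(f"implied speed {gps_speed:.1f} m/s exceeds vessel limit")
    if abs(gps_speed - cur.log_speed) > speed_tol:
        reasons.append(f"GPS speed {gps_speed:.1f} m/s disagrees with log {cur.log_speed:.1f} m/s")
    return reasons

def filter_track(fixes, **limits):
    """Accept or reject fixes in order. The last *accepted* fix stays the reference,
    so a spoofed jump never becomes the baseline. Returns (accepted, [(fix, reasons)])."""
    accepted, rejected, ref = [], [], None
    for f in fixes:
        reasons = [] if ref is None else check_fix(ref, f, **limits)
        if reasons:
            rejected.append((f, reasons))
        else:
            accepted.append(f)
            ref = f
    return accepted, rejected

# Constructed sample (not real data): canal transit at ~3 m/s; the third fix jumps ~2 km north.
SAMPLE_TRACK = [
    Fix(0.0, 51.20000, 4.40000, 3.0),
    Fix(10.0, 51.20027, 4.40000, 3.0),
    Fix(20.0, 51.22000, 4.40000, 3.0),  # implausible jump, should be rejected
    Fix(30.0, 51.20081, 4.40000, 3.0),  # consistent with the fix at t=10, accepted
]
```

Because the reference stays at the last accepted fix, the fix at t=30 is judged against t=10 and passes, whereas comparing against the rejected fix would have wrongly rejected it too.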

Discussion on the proposed method and results
Based on the CYRA-MS application, it can be stated that the method allowed for the incorporation into the cyber risk analysis of different consequence types, including safety, environmental and financial. Furthermore, the method included more potential attack scenarios than the STRIDE (Kavallieratos et al., 2019) or the MaCRA (Tam and Jones, 2019) methods. The method has been aligned with the FSA risk matrix, facilitating the qualification of the new system and its approval by classification societies, or the derivation of prescriptive requirements for similar types of vessels at national level. As has also been demonstrated in Section 4.3, the method supported the identification of various control measures enhancing the design. The provision of specific rules and guidelines for the scenarios' identification and ranking is also expected to facilitate the cyber risk assessment process and improve its repeatability. This can be argued because the identification is implemented based on a formalised system representation and the ranking is implemented based on the available resources and guidelines, bypassing the lack of relevant statistical data.
The method is a way forward with respect to ranking when statistical data are scarce or unavailable. The method results could be validated when the relevant accident statistical data become available, but such data may take a long time to accumulate. The method could potentially be enhanced by analysing incident data and estimating the leading/lagging safety and cybersecurity indicators, which could be another way to validate and update the method. Still, it is expected that the availability of accident data would constitute a better ground for making cyber risk assessments. The fidelity of the obtained results can be improved by involving a team of experts. Continuous update of the list in Appendix B is also important for the method's application and accuracy.
On the other hand, it could be argued that the ranking of the identified scenarios can be misleading, as hackers may intentionally target the scenarios with low ranking. This would be feasible provided that hackers have access to the relevant risk assessment data. For this reason, only the critical scenarios are provided herein. In addition, the scenarios ranking considers a number of parameters, primarily the interest level, which reflects which scenarios would be of interest to each attack group. Hence, scenarios with low ranking will hardly attract the attention of specific attack groups.
In addition, it could also be argued that the derived results are generic and applicable to all types of autonomous vessels. However, as Tam and Jones (2018) demonstrated, the results of risk assessment differ between vessel types. An example scenario is obtaining physical access to the ship control centre. It is much easier to get physical access to an inland waterways vessel, due to its operation in canals, than to short-sea or ocean-going vessels. Furthermore, the ranking differs based on the availability of different control measures/barriers, connectivity levels and architecture, as well as system complexity. Different types of control measures/barriers can be implemented on the same vessel to ensure its safety. The implementation of risk assessment is also important for obtaining approval from the classification societies.
One deficiency of the method is that it does not consider complex attacks on the protective measures. For instance, a first attack could compromise a protective measure, so that the primary attack (identified using CYRA-MS) follows. Yet, such a scenario would require many more resources. However, these scenarios can be tackled by additional analysis employing much more detailed methods. Similarly, the proposed method considers simple safety scenarios. However, more complex safety scenarios could potentially be identified using other methods, after this analysis is implemented for the initially identified critical components. The use of the FSA matrix only provides a rough estimation of the risk metrics, considering simpler scenarios. The potential consequences are not considered in great detail, which can also lead to wrong rankings. Finally, another drawback of the method is the independent consideration of the different attack groups. This practically means that additional system analysis is required for each attack group. Grouping the attack groups and thereby facilitating the implementation of the CYRA-MS method is a suggestion for future research.

Conclusions
This study aimed at developing a novel cyber risk assessment method for ship systems. The method is based on the identification of potential attack groups, the system components' vulnerabilities and attack scenarios, and on ranking based on specific guidelines. The method was applied for identifying and ranking the cyber-attack scenarios which can be implemented by terrorists, in the case of the navigation and propulsion control systems of a fully autonomous inland ship.
The main findings of this study are the following:
• The proposed method allowed for estimating the risk metric for a number of attack scenarios for the investigated autonomous vessel by incorporating pertinent parameters, and guided the safety enhancement of the investigated vessel system design.
• Attacks on the shore control centre and the ship control station aiming at obtaining privileged access have the highest potential safety implications and thus can be of high interest to terrorists for the specific vessel. Malware installation on the collision avoidance system and the situation awareness system also has significant safety implications.
• The investigated vessel system safety can be enhanced by adding firewalls on the conduits between the different control zones, increasing redundancy in the communication between control zones, installing intrusion detection systems in different zones and eliminating internet communication links.
V. Bolbot, et al. Safety Science 131 (2020) 104908
Table 12. Critical CYRA-MS scenarios with initial Risk Index (RI) greater than or equal to 8.
In conclusion, the proposed method can constitute a valuable tool for conducting risk assessments and the design enhancement of autonomous and smart vessels, facilitating the approval of a new ship design. Future research initiatives could focus on further enhancement of the presented method, on enhancing the ranking accuracy, on aggregating the different risk scores for different attack groups, on supporting cost-benefit analysis and on a more detailed cyber-security analysis.

Acknowledgements
The study was carried out in the framework of the AUTOSHIP project (AUTOSHIP, 2019), which is funded by the European Union's Horizon 2020 research and innovation programme under agreement No 815012. The authors also gratefully acknowledge the funding from DNV GL AS and RCCL for the MSRC establishment and operation. The opinions expressed herein are those of the authors and should not be construed to reflect the views of the EU, DNV GL AS, RCCL or other partners involved in the AUTOSHIP project. The reviewers and participants of the ISSAV 2019 conference are kindly acknowledged for their valuable comments on the conference paper presented at ISSAV 2019.

Appendix A. Abbreviation and nomenclature list
See Tables A.1 and A.2.