Trust Management and Attribute-Based Access Control Framework for

Protecting Maritime Cyber Infrastructure

Yunpeng Zhang

1

, Izzat Alsmadi

2

, Yi Qi

3

and Zhixia Li

Abstract:

The modern world depends on maritime supply chains to sustain flows of international commercial, industrial,

and economic activities. As the maritime supply chain heavily utilizes cyber operations to manage commu-

nications and physical processes, maritime cybersecurity emerges as an imperative aspect for maritime safety

and security. The maritime cyber infrastructure displays distributed, heterogeneous, networked, and volatile

characteristics. This article first studies the effectiveness of the mechanism of traditional access control sys-

tems for maritime cyber infrastructure. The research also examines the shortcomings associated with the

existing network wide access control and identity theories to develop solutions. In order to develop a suitable

method for the maritime context, the paper presents an Attribute-Based Access Control (ABAC) framework

which is adaptable and highly scalable for the complex maritime cyber space. The analytical results show that

tential cyber-attacks, ensure trustable services, repair

damages, and improve security and operational per-

formance. Breaches in the cyber space of a critical

infrastructure may lead to a variety of consequences.

Specifically, cyber-attacks can cause disruptions of

the infrastructure systems, leakage of crucial informa-

tion of people and assets, financial losses, economic

damages, and even injuries or losses of lives.

The critical infrastructure studied in this research

is the maritime cyber infrastructure. The maritime

nomic, military, or humanitarian systems. The cyber

space of the maritime infrastructure is an extremely

infrastructure includes, but is not limited to: net-

worked facilities, software programs, operating sys-

tems, database servers, large-scale data storage, and

local/remote instruments, wired/wireless sensors, so-

phisticated workforce, personnel, and wired/wireless

and/or satellite networks that connect to other criti-

cal infrastructures. This globally distributed, inter-

connected ecosystem presents unique security chal-

forth. The recent maritime attacks caused the global

economy around $7 billion USD and multiple losses

of lives.(A. Bowden and Lee, 2010) According to

multiple reports (Keefe, 2012; Hayes, 2016; Belmont,

2015; Wagstaff, 2014), the emerging organized cyber

attacks presents new threats to both cyber and physi-

cal maritime operations. A hacking incident in 2001

caused severe Denial of Service problems for the Port

of Houston authority (BBC, 2003). In 2011-2013, in-

ternational drug traffickers worked with local hack-

ers to intrude the maritime cyber spaces at the Port

of Antwerp, Belgium. The criminals IT weaknesses

and manipulate sensitive data such as shipment char-

acteristics and pickup schedules to conceal drugs and

illegally import them without being detected.

An alarming trend is the emerging cyber-physical

attacks against maritime ICT systems. In the Antwerp

case, hackers breached physical communication ma-

maritime stakeholders. (Vanek et al., 2013) In a vul-

nerable cyber space, access control is a fundamen-

tal mechanism to prevent not only accidental but also

malicious violations of security requirements. An ac-

cess control system regulates user access to resources.

It defines the conditions under which to whom access

to resources can be granted. Each access request will

result in an access decision such as permit or deny.

This research contributes to the maritime supply

chain security literature by developing a system of

The remaining of the paper is organized into three

additional sections. In section 2, the related work

is discussed to provide the basis for framework and

approach development. Section 3 introduces the ac-

cess control framework for protecting maritime cyber

infrastructure. Section 4 presents the concluding re-

marks and directions of future work.

2 RELATED WORK

In the area of maritime operations and information se-

curity literature, papers regarding maritime cyberse-

evant to maritime cyber operations.

The authors examine and discuss the literature

through the lens of the computer security policy

(CSP), the supreme principle to govern the goals and

elements of the computer systems within an organiza-

tion. (Li et al., 2015) For a normal maritime supply

chain, multiple CSPs may co-exist because of the par-

ticipation of various supply chain partners. The for-

mulation of any CSP is important because it defines

what it means to be secured within the organization

boundaries.

In the following discussion, we first discuss the

recent trends of maritime cyber-attacks. Secondly, we

Modern maritime industries are heavily reliant on the

information and communication technologies and the

use of data. On the one hand, this represents a shift

towards safer,more efficient and profitable operations.

cyber maritime domains. (Brasington and Hadwin,

2016) As clearly stated in (Bull, 2016), “There is also

a very real danger that emails being sent to and from

ships are monitored or altered. This could have a huge

commercial effect on vessels.”

More specifically, vessels for both passengers and

cargo transportation are equipped with navigation

and communication technologies, such as Electronic

Charter Display & Information System (ECDIS),

Global Positioning System (GPS), Automatic Iden-

goods, container specifics, approved carriers, and so

forth. Past maritime cybersecurity incidents have

caused the following damages:

• Automated systems malfunctioned or failed entirely;

• Expensive and valuable cargoes were stolen;

• Maritime stakeholders incurred financial, reputa-

tional, and/or physical risks;

• Crew on vessels and operators in transit and at crit-

ical maritime nodes (e.g., ports, terminals, etc.) were

gained by social engineering attacks, as well as by

more sophisticated hacking techniques. An adversar-

ial incident of this nature could affect all of the organi-

zations connected to a port’s infrastructure, including

those who are not in a position to influence the port’s

cyber-security or have a role in responding to the in-

cident. (Brasington and Hadwin, 2016)

IBM (International Business Machines) reports

that cybersecurity is not only about trying to iden-

tify and to prevent systems on board ships from get-

erations started to be under the scrutiny by public.

This situation indicated that the industry is not im-

mune from cyber threats and must deploy cybersecu-

rity techniques to protect itself. Luck, inaction, and

practitioners’ tight-lipped community prevent mali-

cious attacks. (Belmont, 2015) In this context, at

the most basic level, trustworthy access control tech-

through providing quality service in a random man-

ner; and (5) on-off attacks, which provide poor ser-

vices intermittently. Saied, et al. (Y. B. Saied and

Laurent, 2013) presented a method to evaluate the

trust value of nodes. The method considers all re-

ceived reports and past interactions and takes into ac-

count parameters of the network’s context (service)

and resource capabilities. Trust computation mod-

els and trust management systems have been im-

isfy the desired security objectives, it becomes un-

trustworthy. The tools in that research provide infor-

mation about how and why the failure occurs. Such

information can assist policymakers in designing ap-

propriate policies. The approach to perform the anal-

ysis is based on model checking. To ensure the ef-

fectiveness of the approach, a collection of reduction

techniques was introduced. The paper proved the cor-

their effectiveness. The class of analysis problem in-

thority to communicate with external entities and send

any action orders, e.g. turning the ship, stopping the

ship, resetting cruise routes, etc. In contrast, a sailor

only has a limited access to maritime data and does

not have the authority to send any order and com-

municate with external entities. Other people in the

maritime supply chain are not allowed to access or

modify any information mentioned above. Without

access control, an inside or outside attacker can break

cyber infrastructure.

In Fig. 1, the access control framework consists

of two modules: Authentication and Service. The

Authentication module is mainly responsible for the

two-way authentication between the user and the Au-

thentication System. The features of the user authen-

tication system include identity verification, verifica-

tion information feedback, policy assignment, service

request, and so on. In the authentication process, the

authentication module firstly verifies the identity in-

imacy of the authentication system. The second is a

request list of user’s information based on which, the

authentication system can do a deeper level authenti-

cation. After the user has verified the feedback mes-

sage, the information requested in the feedback infor-

mation will be sent to the authentication system. The

authentication system completes the distribution of

user privilege according to the information and sends

termediate certification process fails, the verification

nent and attacks-against component. The service pro-

cessing sub-module includes node joint work and

trust evaluation components which do trust evalua-

tion for each node according to the trust computing

method and corresponding trust management mecha-

nism. Then it selects the node with the highest reli-

ability for the user. The attack-against component is

the runtime performance of the Framework. These

crypted.

b) AU submits service request to SHU, AU SHU:

(AU-ID*, TemporaryCertificate*, ServiceRequest)

c) SHU sends service node selection request to SNSU,

SHU-SNSU: (TemporaryCertificate*, Request)

d) SNSU broadcasts the request to all nodes within

the maritime infrastructure, gets feedback from

nodes, and then selects the service node: SNSU*:

(SNSU-ID*, TemporaryCertificate*, Request), Node

SNSU: (NodeID*, TemporaryCertificate*, Trust-

Then SPU passes the result to SNSU. SPU User, SPU

SNSU: (NodeID*, TrustValue)

The formal verification of the service management

(trust management) module is described as follows:

• Th SHU formal Framework includes: (i) initiating a

start status, (ii) receiving a service request from AU,

and (iii) sending the selected node service request to

SNSU;

node trust value from SPU after the completion of ser-

vice;

• The SPU formal Framework includes: (i) initiating

a start status, (ii) receiving information of the selected

node from SNSU, (iii) using the received node infor-

mation and user information to provide appropriate

services to users, and then assessing the node trust

value, and (iv) sending node trust values involved in

4 CONCLUDING REMARKS AND

The maritime cyber space has become a critical do-

main to operate global economic, financial, social,

and military systems. However, a series of recent re-

ports regarding data breaches in the international mar-

itime industries expose the vulnerabilities in the mar-

itime information and communication systems. To

protect maritime cyber infrastructure, the present re-

search developed a novel trust management frame-

defined boundaries, namely, a boat. Further stud-

ies may consider a more complex setting, such as a

supplier-customer pair with multiple information sys-

tems. Secondly, the access control framework stud-

ied here does not detect attacks going through remote

nodes beyond the well-defined maritime environment.

As such, more research may design and develop in-

trusion detection systems that span across a more dis-

tributed ecosystem, such as a supply chain. Lastly,

maritime supply chains may adopt a whole variety of

of different systems may result in performance vari-

ations of the access control method. Therefore, re-

searchers may need to establish systematic metrics to

evaluate the effectiveness of access control systems in

different maritime information systems.

(CYBER-CARE).

REFERENCES

A. Bowden, K. Hurlburt, E. A. C. M. and Lee, A. (2010).

BBC (2003). Questions cloud cyber crime cases.

Belmont, K. B. (2015). Maritime cyber attacks: Changing

Brasington, H. and Hadwin, S. (2016). Cyber risks and the

Fasoulis, I. and Kurt, R. E. (2019). Determinants to the

Gupta, B. B., Gaurav, A., Hsu, C., and Jiao, B. (2023).

Hayes, C. R. (2016). Maritime cybersecurity: The future of

Jeong, M. and Li, A. Q. (2022). Motion attribute-

Keefe, M. (2012). Timeline: Critical infrastructure attacks

Li, A., Li, Q., Hu, V. C., and et al (2015). Evaluating the

Singh, D., Sinha, S., and Thada, V. (2022). A novel attribute

Vanek, O., Jakob, M., Hrstka, O., and Pechoucek, M.

Wagstaff, J. (2014). All at sea: global shipping fleet exposed

Y. B. Saied, A. Olivereau, D. Z. and Laurent, M. (2013).