Leveraging Artificial Intelligence for Maritime Cybersecurity
1.1. Background
Today, AI has impacted seafaring in many ways, including the texts that talk in terms of artificial intelligence futures directly derived from generic concepts floating throughout the seafarer operating environment. Whether the AI method adopted relative to a vessel application necessitates a comprehensive opinion or a series of relatively discrete responses. The anti-viral verse in AI and maritime cyber approach tasks manifest conflicting core rules. The unsteady guidance made for nominally non-thread derogation concepts in AI may result in inherently insecure inikaai performing and dumb down compiled. While AI has its own particularities that give rise to dissimilar direct losses in comparison to normal calculations, one of the distinct advantages of these intelligent systems is that they can process vast amounts of data, potentially in an open, endless cycle, and decide under unreliable situations.
Maritime cyber security has been significantly affected by technology innovation, and even by decisions made intentionally to push the envelope in technology production capacity. Through the years, advancements such as trans-Atlantic and railway milestones became apparent triggers in the modern era towards economic growth. Enhancements in communication systems, as well as the major shift of cargo shipping from the water to mainly air, played a significant part. Computers’ roles in maritime projects have also affected the creation of autonomous vessels recently. The fast-moving pace in actualizing autonomous vehicles in major markets has also directly and gradually affected several aspects of seafaring.
1.2. Research Objectives
This research aims to address a plethora of cybersecurity challenges in the maritime industry which are grounded in human decision making. These challenges range from highly targeted spear phishing attacks, in which attackers pretend to be the port authority across many different ports, to Waypoint Deception Attacks, in which a hacker provides fake positioning information through multiple nodes and poisons the sea traffic management system, as well as unknown future attacks. To this end, we intend to achieve the following research objectives:
1) Tracking the history of cyber-related events to identify the features being utilized by attackers across different maritime domains, and upon it developing an intelligent system that can foresee future attacks. The advantage of this research objective is that identifying the features utilized by attackers will let us track future attacks and implement intelligent systems to tackle them.
2) Acknowledging humans as the weakest link in the current system, we are integrating AI and Blockchain towards a super-intelligent autonomous maritime security system. The aim is to use AI in sifting through the volume of data being generated through the features used by attackers, and subsequently use a decentralized solution in enforcing the decisions being made by AI. In this way, the humans in the loop are passively executing the decisions made by AI.
3) To showcase the applicability of these research theorems being assumed, we intend to develop Contain-AI: a container ship that is totally managed by AI and runs on green energies.
The project research is quite important, as the maritime industry has been evolving in recent times; a good example of this is the ongoing research by Stellenbosch University of South Africa on Small Autonomous Vessels, which are built to conduct a series of increasingly challenging tasks. Moreover, apparently as a result of recent discoveries of cyber-threatening attacks in the maritime system, which was previously assumed to still be robust, the International Association of Classification Societies is developing cyber-attack prevention standards to facilitate insurance of ships against cyberattacks, and the World Maritime University is also developing cybersecurity strategies. The implications of these are twofold:
The first one is that, given that the maritime industry was reported to depend purely on human operators and control communication systems, among other rudimentary critical technology components, and keeping in mind that humans are prone to errors, as valid record has it, it is highly certain that adversaries whose ultimate goal is to disrupt systems can effectively bypass these conventional security measures.
The second one is that once a mandate has been made by these leading maritime organizations for ships to meet specific standards, it is highly likely that a great number of shipping companies and shipyards would embrace the recommendation, as it remains cost-efficient, and no one organization’s history of successful cyber-attack has hitherto totally shielded the system from further attack. Therefore, the project will be able to leverage artificial intelligence in predicting future attacks and to guide the design of future autonomous maritime vessels to robustly ward off anticipated emerging attacks.
1.3. Scope of the Study
A primary limitation of this research is that it is built upon a niche within an emerging technology and the cybersecurity and maritime industries. The universality of the findings and the generalizability of the conclusions, therefore, are inherently constrained by this predication and the broader empirical limitations discussed within the central methodology of this thesis. This reliance on a preliminary categorization framework may also inaccurately identify this research within an existing discipline. This categorization, for example, ignores the antecedent subcategories of artificial consciousness, automation, and assisted machine learning. And iconifying this perspective may lead to juxtaposing, as Pessoa discusses and Langley corroborates, artificial biology and artificial engineering. Research in new areas is intractable, and explanations provided here are inherently limited by the scope of the study: exploring the use of artificial intelligence technology in developing and executing threat intelligence and forensic capabilities for maritime cybersecurity program improvement.
The central purpose of the present study has been described under different headings throughout this introductory chapter. In brief, the primary purpose of this dissertation is to aid law enforcement, security, and intelligence professionals in gaining new perspectives that may allow them to understand potential threats differently and thus improve, through forensic investigation, the accuracy, attribution, prognosis, response, and potential benefit to organizations of the essential information which traditionally has been conceptualized as threat intelligence. The success of these objectives, however, is limited due to the niche-ness of the subject matter.
2. Artificial Intelligence in Maritime Cybersecurity
Machine learning is a method for enabling a system to gather knowledge from data on which it has not been pre-informed. It is a well-known implementation of artificial intelligence. In the field of maritime cybersecurity, it could be used to statistically analyze log files generated by network connections, generate models, and predict and manage threat detection.
Traditional cybersecurity systems currently exist and operate based on the information they receive from the user or the database, which are pre-informed. These systems create signatures of known attack patterns. If a new, yet unknown pattern arises, the old technology fails. In addition, the user must manually indicate whether an unauthenticated activity is to be allowed in order to keep the device operating. Antivirus software requires periodic updates to learn the new malware patterns. But none of these systems is able to identify or analyze zero-day attacks. The current methodologies are therefore not efficient enough given the vast unknown areas where potential threats exist and where adequate discovery, monitoring, and control options are required.
The maritime industry is facing these challenges as ships are increasingly becoming digital. The traditional ways of securing the ships are no longer efficient in this digital age as the complexity of networks, hardware, and software grows larger. The offshore systems are mostly remotely located, suffering from intermittent connectivity to the onshore management systems. Intrusion Prevention Systems (IPS), Intrusion Detection Systems (IDS), and traditional antivirus are no longer efficient. These systems, stored in servers, would constantly learn from the incoming data, ultimately minimizing human intervention. Even where human intervention is inevitable, they would save a lot of decision-making time. As the technology is being enhanced for cybersecurity, the same technology could be used for intrusion. This leads to a virtuous cycle enabling constant improvements in cybersecurity, making them safeguarding systems.
Artificial intelligence has wide applications and a lot of scope in the security industry. It has opened new possibilities, making the security systems more intelligent. Cybersecurity is one of the fields in which AI can be of greater use because of the large amount of data, dynamic nature of threats, and the quick advances in technology.
2.1. Overview of Artificial Intelligence
Artificial intelligence refers to a group of technologies, such as machine learning, in which computers are trained to perform tasks that normally require human intervention. Machine learning, in particular, is a fundamental technology that drives the growth of artificial intelligence. It involves the development of algorithms that enable computer systems to learn from stored data and make decisions based on that information.
The aim of machine learning is to allow computers to automatically learn and adapt to new data, while traditionally, computers had to be programmed explicitly to carry out defined tasks. Deep learning is a class of machine learning technologies based on the composition of many layers of simple interconnected computational nodes or neurons. It is considered a high-performance solution to solve complex learning problems in large data environments.
Machine learning today has various subtypes such as supervised learning, unsupervised learning, semi-supervised learning, and reinforcement learning. Each type is used to solve different types of problems, and so a combination of various learning techniques may be used in a problem. Machine learning algorithms have been used in various disciplines such as pattern recognition, data mining, and predictive analytics.
In current times, there are numerous examples of successful machine learning. In the finance sector, various recommendation engines like Customer Relationship Analytics (CRA) have been implemented to provide personal financial counseling. Machine learning algorithms are being applied to predict when borrowers will pay off their loans or default, and if borrowers should be considered for the loan based upon their social network.
In the healthcare sector, machine learning is helping hospital doctors and bioinformatics researchers around the globe in structuring unstructured data like clinical notes or information from healthcare advocacy groups. In manufacturing, machine learning systems have been implemented for quality inspection and real-time anomaly detection. In the maritime sector, machine learning is finding applications for predicting maintenance tasks and equipment failures.
2.2. Application of Artificial Intelligence in Cybersecurity
Cybersecurity fundamentally means securing networks and computer systems from intentional attacks, as well as protection against unintentional attacks such as natural disasters. Furthermore, cybersecurity aims to ensure that digital assets of the maritime transportation industry are not compromised in any way. Digital assets are defined as computers/servers, network monitoring devices, access control systems, email systems, radar and other navigation systems, propulsion and steering systems (ECDIS, DP, etc.) and related operations/technical support systems. Digital assets do not only refer to physical hardware within communication networks but also critical operations/technical enablers like the global positioning system, satellite, internet, etc. Digital assets in the shipping industry are also present in shore service providers such as tugboat services, maritime traffic control systems, and shore health/safety management services. An AI-model-based intrusion detection system (IDS) is proposed as a promising approach to address digital asset-intervention point concerns. The model-based approach specifically refers to the supervised learning models built from training data to predict the likelihood of an asset’s exposure to threats and vulnerabilities, subsequently providing automatic responses in a real-time setting based on the predicted output.
Numerous security measures in the maritime industry are configured in a way that they require manual labor of highly skilled professionals. This becomes increasingly challenging because the shipping industry is evolving to be highly digitalized. Installing and managing many different security tools can be a major burden for shipping organizations and makes them prone to security measure deployment misconfiguration, which could lead to exploitable vulnerabilities. There are also security tools in the process of control and defense that produce an overwhelming amount of data. Keeping our ships and critical infrastructures secure, in general, requires more than just traditional security systems at the process level; it requires an advanced capability of processing huge structured and unstructured data derived from a variety of interconnected security systems. Significant progress in artificial intelligence (AI) and machine learning indicates that these techniques have the potential of providing comprehensive data analysis of security measures at the critical maritime transportation process level.
2.3. Challenges and Opportunities in Maritime Cybersecurity
Current maritime business models are driven by factors such as integrating supply chain, intelligent port and vessel operations, and other new business cases, which makes the sector evolve towards digital connectivity. As a result, the potential attack surface is enormously increased. This increase is not specific to the maritime sector, but applies to other vertical sectors as well. A discussion about the immense digital transition of ports and vessels towards being SMART comes with an equivalent debate about the risks and vulnerabilities arising out of it. There are many entry points in the maritime domain encountering cyber risks; they include Nuclear Missile Carrying Submarines (SSBN), Commercial Ammunition Carrying Ships, Oil or Gas Carrying Tankers, and long-range Radio navigation/radio communication networks.
When we refer to cybersecurity in the maritime field, we mean securing all maritime assets and systems (merchant ships, offshore and port platforms, companies, organizations and institutions, transportation and merchandise, government agencies or institutions, etc.) in cyberspace. The underwater part of the communications world and remote naval systems can be called maritime cyberspace. Cybersecurity and physical security are equally important for the maritime industry, to ensure the safe operation of the ships and the continuity of the extraction of goods at sea, as well as the security of maritime installations. Therefore, the cyber-threats could be converted directly into physical threats to the maritime platforms. Incorporation of sensors and other technologies for enhancing the security of maritime platforms has been a remarkable emerging technology.
3. Threat Detection using Artificial Intelligence
Human error, often induced by constrained resources and other factors, remains a concern despite several security-aware methodologies and solutions. Therefore, successful handling of the ships/OT based situations necessitates methodologies/solutions that involve explicit mapping of the elements of a maritime environment with risk (Threat, Vulnerability, Consequence (TVC)) characteristics. A recent effort that focuses on creating Digital Twins (DTs) and associated data-driven prediction models can be leveraged to implement them effectively, based on GDPR-compliant model training and testing methods, for a realistic maritime environment. In particular, usage of decision-theoretic modeling, Bayesian networks, causal models, or some equivalent, which are capable of capturing a maritime environment’s knowledge, inference, and decision-making capabilities to robustly describe ship/OT based maritime situation is essential.
Threat detection is a significant challenge for maritime cybersecurity. Cyber attacks like Denial of Service (DoS) and Distributed Denial of Service (DDoS), Man-in-the-Middle (MitM), and others against the Confidentiality, Integrity, and Availability (CIA) of input/output data are real threats with potential impact. Threats impact existing legacy systems like Integrated Platform Management System (IPMS) and Operational Technology (OT) on ships, deployment of AMCSs (Advanced Maritime Communication Systems) like Ship to Shore (S2S), and Ship to Ship (S2S), as well as deployment of new ITS like e-Navigation and connected shipping infrastructure among others. Furthermore, efficient reliable AI/ML based threat detection on ships/OT necessitates addressing unique challenges including, but not limited to, dependent sensors, non-stationary environment, resource-constrained devices, and uncertainty quantification due to drifts in input/output data.
3.1. Importance of Threat Detection in Maritime Cybersecurity
Primarily, threat detection and risk assessment are the key continuous processes, particularly since power execution support (power-opt in support and power consumption optimization) and energy efficient machine execution of Multi-stakeholder Policies (MSP) in MCPSs (machine and human CPSs with common objectives and resource competition relationships) stand as core enabling technologies leveraging the multifaceted maritime asset infrastructure. Attackers typically go through a series of steps (Reconnaissance, Scanning, Gaining Access, Maintaining Access, Escalating Privileges) which lead to their primary objective: either to disrupt the system operation or to profit from damaging and affecting the system’s assets and operations. Moreover, it is intrinsically difficult to prevent cyber attacks in the maritime environment due to the physical connection of certain computing devices, such as transceivers of marine systems, which are required to be highly versatile to make opportunistic computing decisions. Thus, building strong threat detection tools and techniques to visually indicate potential cyber attack behaviors is critical in protecting the maritime transportation systems. While multiple defensive sensors may be employed, developing early alerting techniques for detection of cyber attacks will aid against adversarial actions within the maritime cyber physical systems.
Cybersecurity within networks and systems of systems is concerned with preventing large-scale outages, particularly those that may result in Byzantine actions by large numbers of intelligent agents. In the maritime industry, cybersecurity is particularly important since the large and complex systems that are being developed to drive the industry forward, the maritime cyber physical systems (MCPSs), are particularly vulnerable to cyber-attacks due to their globally distributed, heterogeneous nature and are expected to be serving major critical infrastructures. The MCPSs must be protected against cyber-attacks that can target different nodes of the MCPSs such as the intra-ship and inter-ship systems, cloud-based maritime services, and external MCS services, etc. Thus designing effective MCPS cybersecurity has gained momentum among researchers as addressing the critical issues associated with maritime cybersecurity is crucial to safely evolve together with technological and industrial movements.
3.2. Techniques and Algorithms for Threat Detection
The deception techniques and attacker deterrence, as in existing land-based systems, which mainly rely on the sensor node or the network/security device nearest to the sensor node, currently has the advantage that the communication system dependent on the maritime system, especially in the ship slightly supported by the victim. Specifically, side-channel attacks using the physical secrets of integrated circuits and printed circuit boards are becoming serious concerns in modern computing systems because they can extract essential security information such as cryptographic keys. Most techniques for preventing side-channel attacks are based on cryptography, and it is not well known how cryptography-based countermeasures can be exploited by deep learning-based side-channel attacks. The side problem is accurately estimating the possibility of classifying attacks.
The problem of detecting attacks on maritime networked systems is extremely challenging due to the complex interactions among different system components and extensive sea environments, making most existing solutions difficult to adapt to maritime environments. However, most modern techniques can be helpful, combining conventional classification techniques with more advanced deep learning algorithms, which can significantly improve the generalization capability of detection. Most current technology prediction methods are framed as classification problems. When data reaches a certain size, deep learning methods have some advantages in prediction within the same data distribution, but it is difficult to establish the accuracy of prediction in the sea environment with insufficient data.
3.3. Case Studies on AI-based Threat Detection Systems
Latent Structure Analysis is part of Spaf, which is a model-based approach by SRI International. The technique is so powerful that it could uncover the hidden meanings of seemingly innocuous communication between wlan parasites by spotting patterns in the pings and echoing pings deterministically. Detecting zero-day attacks is yet to be verified. Even chaotic regions, where some channels are extremely busy all the time and others are devoid of traffic, can be analyzed based on Spaf’s insight. Spaf, implemented on a $3000 machine, offers real-time data analysis, operates on unmodified 802.11 LAN traffic, and can detect blended zero-day worm attacks. The effectiveness of Spaf (such as 5-10 ms for handling model for worst-case workloads) indicates that any future malware-based attacks could be detected in advance if the channel dissemination effects are accurately modeled. A model with a large number of hidden cells and a small number of parameters per cell operated Spaf in real-time.
In 1977, Georgia Institute of Technology’s Knowledge Based Management System (KBMS) System Tattler was developed for real-time security monitoring, alerting, and forensic support by using a rule-based expert system. Rules like the “Monitoring for Files’ Change Detectors” went off for events like “File logical changed or modified”, which takes place after 0 or more of “Program logic modified”, “New control file generated”, etc. The detection application relied on several alarm integration techniques that combined information from diverse tools and generated a prioritized list of security alarms, which were used by the forensics application to generate supporting evidence and interpretations for the alarms in order to help human security monitors (SMs) resolve the alarms. The system could correlate the attacker’s behavior with the pattern of the victim system’s response actions to identify and block the intrusions.
4. Incident Response and Anomaly Identification
Given the anonymity of onboard assets, the complex interactions between the different maritime enclaves and environments (e.g. on shore, around shore, and on board), and the diversified maritime attack vectors, we employ a set of advanced learning methods to simulate the maritime ecosystem and inject the emergent threats. To address the many challenges of bringing machine learning into decision schemes in maritime cybersecurity, we propose, in this Cyber Resilience Analysis core platform (AI component), a novel resilient AI application specifically for the maritime domain. It will analyze different maritime data sources, online and offline, provide comprehensive cyber situational awareness (both empirical and inferred), offer dynamic overall and local threat assessments for the mission of a maritime asset, and support inquiry of behavioral data in full respect of privacy rights. Inside the maritime assets, these results are then used to execute incident response for malicious activity detection, anomaly identification, and traffic modeling.
Cyber Incident Management established describes the required incident response within the maritime cybersecurity domain. Assumed to be interoperable across assets that are part of SoS, it is integrated into the overall alert notification service in the maritime domain described. Furthermore, informed by the SoS concept related security by design, following the system behavior, it is an intelligent system capable of self-updating while interacting with the threat intelligence. The system obeys the suggested inclusion of movables and environments into the general provisioning principles; that is, it is scalable, real-time operating, and contextually aware.
Optional in some cybersecurity domains and applications, incident response is mandatory in the maritime cybersecurity domain. As per a well-known saying, “a patch in time saves nine,” dealing with cybersecurity incidents at the breach or even attack recognition stage may lead to catastrophic consequences. Concisely, this is not about a potential loss of data confidentiality, integrity, and availability only, but also about personal safety concerns in the maritime domain.
4.1. Role of Incident Response in Maritime Cybersecurity
Incident response and recovery play a significant role in maritime cybersecurity, significantly impacting finance, personal health and safety, brand reputation, and operational and commercial integrity. Incident response and recovery significantly affect business processes, as there are direct and indirect effects and delays on major aspects important to maritime operations such as planning, execution, testing, fault tolerance and disaster recovery, access control mechanisms, system integrity and confidentiality, and other maritime security planning and procedural areas. It is vital to appreciate that incidents should be used as learning tools. This aspect stresses the importance of utilizing resources such as time (when responding), efforts, determining financial, system, and ICT hardware and infrastructure resources, and reverse engineering aspects of the attack for improvement of the organization’s policies and strategic planning. An organization should never be passive in its response and recovery activities or adopt a reactive approach when responding and recovering.
Maritime organisations need to have predefined incident response strategies that outline what steps to take before, during, and after a cybersecurity threat, using strategic, tactical, and response level activities to protect assets, identify problems, implement effective solutions, and recover from incidents. Tactics used need to vary and adjust according to dynamics present during the attack. Associated cybersecurity training exercises have to be conducted to evaluate targeted structures and to implement structured solutions and active cybersecurity measures that change as required by the rapidly changing and adjusting solutions employed by adversaries/attackers. It is not a matter of if cyber incidents will occur but rather when they will happen. Therefore, preparation prior to the occurrence of an incident is crucial in its handling to ensure coherent decision-making processes are implemented. Statistics from the 2017 Data Breach Investigations Report (DBIR) by Verizon indicate that 75% of incidents spread from the first system compromised, through a direct attack or compromised account, to other systems in less than a day. Subsequently, cyber incidents are not isolated and simple events anymore but regularly move and evolve into complex and present-day threats spanning interconnected and interdependent networks, systems, and applications.
4.2. Leveraging AI for Incident Response
Because of these AI movements, this section covers strategies to step up incident response with AI-based security solutions. We also present a country-specific view for AI-based security solutions in the aftermath of intelligence overcoming mutual incidents. In our country, the United States, both ship and software benefit from these technologies. Often graceful incidents can occur on national ship and manpower among operating times. Therefore, a growing number of security and incident response concerns have shown interest in system investigation, attacks, intelligent atmosphere, inquisitional search. Other AI inputs, what is being conducted using some helping security professionals, can rely on them to last for the longest time in the event.
Most of the incidents occur during the exploitation of vulnerabilities in security solutions and operations. Therefore, to perform incident response, we need to access data that can uncover events with that symbol and violations to rules with scents. In real life, the demand for AI-based procedures in incident response has come to life. This occurrence has resulted in the frequent use of AI-based solutions with popular security solutions. Other AI ascertains professional incident response results and organizations with personalized mixtures of software. We conclude that using AI-based notion from a variety of products is creating documents that could be capable of doing incident response at the highest degree. This is due to the agent workforce leading in the proceedings of power. Such documents also serve as a method for exploiting vulnerabilities that assumes a company has a weak spot.
4.3. Anomaly Identification using Artificial Intelligence
Machine learning technologies, a concept within AI, can be used to counter stealthier attacks which have been specifically targeted towards the maritime sector as well. This concept involves training the service at runtime to automatically learn from experience. In doctrine, ship transit behaviors, routines and practices are normally repetitive, other than one-off operations or unscheduled stops (moored or anchored) between two transit segments. Here it shall be validated how AI supervised and unsupervised methods can identify cyber events that have breached control systems. If the computer responses can meet the maritime characteristics (on computer, its similarity with the other ports or ships) or community IQs, the AI driven cybersecurity mechanism may enable effective and efficient cyber hygiene maintenance to combat not only stealthier attacks, but also traditional cyber-attacks that result in recurrent denial-of-service, unauthorized access, damaged/destroyed equipment and data theft. In doing so, this will be a proactive safety measure to enforce the system reliability and security of shipping related industries and supply chain ecosystems which produce, manufacture, enable or support trading items and non-trade interconnected affairs based on imports, exports and movements between local, national, international, and regional markets.
In maritime cybersecurity, anomaly identification is mainly used to monitor the environments and systems for any deviations from standard behaviors. The main present challenge is the base rate: typical behaviors span a large range of possibilities. What the true anomaly is may not be easily discernible in a large “ocean” of average sea states. Computer software and machines play a vital role in the shipping and shipping related industries. Maintenance of the software and machines is necessary to exploit the advantage that they bring. A major part of this maintenance includes ensuring the software is free from malware and the machines are free from disruption. Cybersecurity has been identified as a continually developing concern for maritime systems in the past. Cyber threats in the maritime domain are growing and not slowing down. The increasing inter-connectivity via the internet, and the adoption of IoT and cloud services, have posed a major threat to maritime systems. As the internet of maritime systems grows, so does the risk of successful cyber-attacks, not only limited to shipping operations but also affecting environmental and third-party systems. At present, the most common malware used in cyber threats within maritime transportation are ransomware, trojan horses and viral worms, which target SCADA systems, cellular networks, and navigation systems with standard malware. Information sharing within the maritime security community is not of substantial use to help enhance cybersecurity at the top end of the most critical threats.
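The repetitive-transit idea and the base-rate problem from the two paragraphs above, as an added example that is not part of the original paper: a per-segment median/MAD baseline learned from constructed speed reports flags an unscheduled stop between transit segments, and Bayes' rule shows how a low anomaly base rate erodes alert precision. Segment names, thresholds, and the rates used are assumptions chosen for illustration.

```python
"""Unsupervised transit baseline and base-rate check (added example).
All data is constructed; field and segment names are assumptions."""
from collections import defaultdict
from statistics import median

# Constructed history from past voyages: (route_segment, speed_in_knots).
HISTORY = [
    ("harbour_exit", 6.1), ("harbour_exit", 5.8), ("harbour_exit", 6.4),
    ("harbour_exit", 6.0), ("harbour_exit", 5.9),
    ("open_sea", 14.2), ("open_sea", 13.8), ("open_sea", 14.5),
    ("open_sea", 14.0), ("open_sea", 13.9), ("open_sea", 14.3),
    ("approach", 8.0), ("approach", 7.6), ("approach", 8.3),
    ("approach", 7.9), ("approach", 8.1),
]

# Constructed new voyage: (minute, route_segment, speed_in_knots).
# Minutes 40-60 are a stop in open sea; minute 85 is a single odd reading.
VOYAGE = [
    (0, "harbour_exit", 6.0), (10, "harbour_exit", 6.2),
    (20, "open_sea", 14.1), (30, "open_sea", 13.7),
    (40, "open_sea", 0.4), (50, "open_sea", 0.2), (60, "open_sea", 0.3),
    (70, "open_sea", 14.0), (80, "approach", 7.8), (85, "approach", 0.1),
    (90, "approach", 8.2),
]


def fit_baseline(history):
    """Learn (median, MAD) of speed per segment; no labels are needed."""
    by_segment = defaultdict(list)
    for segment, speed in history:
        by_segment[segment].append(speed)
    baseline = {}
    for segment, speeds in by_segment.items():
        med = median(speeds)
        mad = median(abs(s - med) for s in speeds)
        baseline[segment] = (med, max(mad, 0.1))  # floor avoids division by ~0
    return baseline


def robust_z(speed, med, mad):
    """Robust z-score; 0.6745 scales MAD to a standard deviation."""
    return 0.6745 * (speed - med) / mad


def find_unscheduled_stops(voyage, baseline, z_limit=3.5, min_reports=2):
    """Return (first_minute, last_minute) for each run of anomalously slow
    reports. Requiring min_reports consecutive reports suppresses one-off
    sensor glitches. A segment with no baseline cannot be scored and
    closes the current run."""
    events, run = [], []

    def flush():
        if len(run) >= min_reports:
            events.append((run[0], run[-1]))
        run.clear()

    for minute, segment, speed in voyage:
        stats = baseline.get(segment)
        if stats and robust_z(speed, *stats) < -z_limit:
            run.append(minute)
        else:
            flush()
    flush()
    return events


def alert_precision(base_rate, true_positive_rate, false_positive_rate):
    """P(real anomaly | alert) by Bayes' rule: the base-rate effect."""
    hits = base_rate * true_positive_rate
    false_alarms = (1 - base_rate) * false_positive_rate
    return hits / (hits + false_alarms)


if __name__ == "__main__":
    model = fit_baseline(HISTORY)
    print("unscheduled stops:", find_unscheduled_stops(VOYAGE, model))
    # Assumed rates: 1 in 1000 reports is truly anomalous, the detector
    # catches 99% of them and raises a false alarm on 1% of normal reports.
    print("alert precision: %.3f" % alert_precision(0.001, 0.99, 0.01))
```

A flagged stop is a deviation for an analyst to triage, not proof of compromise; with the assumed rates only about one alert in eleven corresponds to a real anomaly, which is why the run-length filter and per-segment baselines matter.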