ORCID
- Avanthika Vineetha Harish: 0000-0002-7352-5567
Abstract
The maritime industry is a well-established sector, with the shipping industry dating back hundreds of years. The devices in this sector differ from those in the Information Technology (IT) sector in their usage, operations, hardware, and protocols. Technological advancements have introduced new challenges in the sector, including the increased risk of cyber attacks. To effectively identify, respond to, and analyse these threats, it is essential to understand the cyber security vulnerabilities in maritime systems and system-of-systems. Currently, there are no standardised methods or automated tools for conducting cyber security testing of maritime systems. This thesis presents an automated vulnerability scanning and security audit framework for maritime systems that will perform cyber security testing on real-world hardware systems and system-of-systems to identify and assess vulnerabilities. The proposed framework, BridgeAudit, is divided into three phases, each comprising various modules that assist in the automation of testing and security assessments. These phases – asset profiling, auditing, and reporting – feature different functionalities that work together to produce comprehensive security audit reports. The Asset Profiling phase focuses on profiling and managing devices onboard a vessel to support automated testing while also assisting in compliance, utilising a machine learning algorithm. The Auditing phase examines the security of vessel networks to detect vulnerabilities and identify potential attack paths using optimisation techniques and heuristics. Meanwhile, the Reporting phase simplifies the presentation of results and findings, generating clear and accessible reports. To validate the effectiveness of the framework, an implementation of BridgeAudit was executed on real hardware systems and networks within a maritime cyber-physical testbed. This implementation led to the identification of vulnerabilities, including a few undocumented ones within the systems. BridgeAudit aims to assist stakeholders, maritime professionals, and testers in better understanding their devices, enabling them to implement mitigation strategies and prepare for potential cyber attacks.
Keywords
Cyber Security, Maritime Security, Penetration Testing, Vulnerability, Security Audit, Maritime Cyber
Document Type
Thesis
Publication Date
2025
Embargo Period
2025-05-29
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License
Recommended Citation
Vineetha Harish, A. (2025) Automated Vulnerability Scanning and Security Audit Framework for Maritime Systems. Thesis. University of Plymouth. Retrieved from https://pearl.plymouth.ac.uk/secam-theses/553