Method and System for Developing Cyberattack Scenarios on Ships
The method and system address the limitations of traditional cyberattack scenario development by using an attack graph combining cyberattack trees and diamond analysis models to analyze ship systems, providing comprehensive visualization and response strategies for cyberattacks.
Patent Information
- Authority / Receiving Office
- JP · JP
- Patent Type
- Applications
- Current Assignee / Owner
- HANWHA OCEAN CO LTD (KR)
- Filing Date
- 2024-05-31
- Publication Date
- 2026-06-18
AI Technical Summary
Existing cyberattack scenario development technologies do not adequately account for the unique characteristics of ship systems, such as communication protocols and hardware/software, and traditional methods like cyberattack trees are limited in explaining interrelationships and become complex with increased data.
A method and system that utilizes an attack graph combining a cyberattack tree (CAT) and diamond analysis model to visualize all possible attack paths, identify potential attack surfaces, and develop countermeasures by analyzing penetration techniques, attributes, and impacts, incorporating the MITRE ATT&CK framework for ship systems.
Enables comprehensive visualization and analysis of cyberattack scenarios on ships, identifying potential attack surfaces and enabling effective response strategies through attack graph modeling, enhancing cyber resilience and risk management.
Smart Images

Figure 2026519782000001_ABST
Abstract
Description
Technical Field
[0001] The present invention relates to a method and system for developing a ship cyber attack scenario that can identify a potential attack surface by visualizing all the paths through which an attacker can penetrate a target through a ship attack scenario model via an attack graph and capturing the scope of attack techniques and characteristics.
Background Art
[0002] As the threat of cyberattacks continues to increase, governments and international organizations are demanding the development of means to respond to these threats. In response to these demands, research on the development of cyberattack scenarios is progressing in South Korea. The Korea Electronics and Telecommunications Research Institute (KEE) published "Trends in Cyberattack Simulation Technology" in 2020, emphasizing the importance of developing cyberattack simulations to identify the security status of systems and attack surfaces at an early stage. For cyberattack scenario development, the Korean patent "Method and System for Addressing Security Vulnerabilities in a Standard Database for Cyber Warfare Scenario Creation and Validation," registered by the Agency for Defense Development in 2018, developed a system that selects vulnerabilities suitable for generating cyber warfare scenarios based on open standard data that manages security vulnerability data, and provides solutions for addressing security vulnerabilities in the standard database. Furthermore, as another scenario production processing method, "Design and Implementation of Cyber Attack Simulator based on Attack Techniques Modeling," published in the Journal of the Korea Association of Computer Information Engineers, derives diverse attack scenarios by modeling cyberattack techniques and developed a simulator for cyber security training. Furthermore, the paper "A Stage-Based Flowgraph Model Study for Representing Cyber Attack Training Scenarios," published in the Journal of Information Protection, presents a stage-based flowgraph model that can represent diverse cyber attack training scenarios that were difficult to represent through attack tree modeling techniques. Along with such active research, the shipbuilding and marine industries are actively investing in autonomous vessels and smart ships, collectively known as marine mobility, but there has been a problem in that specific regulations and scenarios for cybersecurity have not been developed.
[0003] Furthermore, conventional technologies do not take into account the unique characteristics of ships operating at sea, thus limiting their applicability. One of the unique characteristics of ship systems is that ship communication systems use communication protocols optimized for use at sea, thus differentiating them from land-based communication protocols. In addition, Computer Based Systems (CBS) used on ships have specific hardware and software designed for use on ships. It is essential to develop a ship cyberattack scenario system that takes into account the unique characteristics of ship systems, reflecting the specific characteristics of ship communication protocols and the specific hardware and software used in ship systems.
[0004] Traditional cyberattack trees (CATs), used to visualize the attack procedures of cyberattack scenarios, have limitations in explaining the interrelationships of cyberattacks because the attack procedures are linear and hierarchical. Semantic graphs, on the other hand, suffer from the problem of becoming complex and difficult to interpret as the amount of data increases.
[0005] As a related prior art document, Korean Patent No. 10-1697189 (published January 17, 2017) is available. [Overview of the Initiative] [Problems that the invention aims to solve]
[0006] The object of the present invention is to provide a method and system for developing ship cyberattack scenarios that visualizes all possible paths an attacker can take to penetrate a target through a ship attack scenario model via an attack graph, identifies potential attack surfaces by analyzing various penetration techniques, attack technologies, attributes, and impacts, and enables the development of countermeasures. [Means for solving the problem]
[0007] A method for developing a ship cyberattack scenario according to one aspect of the present invention for achieving the aforementioned technical challenges may include: an asset identification step for identifying ship systems and the assets of stakeholders; a threat data confirmation step for analyzing the asset information identified through the asset identification step and confirming the presence or absence of threat data; an attack target selection step for selecting an attack target if it is confirmed that at least one of the assets identified through the threat data confirmation step belongs to threat data; an attack scenario creation step for creating an attack scenario against the attack target selected through the attack target selection step; and an attack graph output step for outputting an attack graph based on the scenario created through the attack scenario creation step.
[0008] Furthermore, in a method for developing a ship cyberattack scenario according to one aspect of the present invention, the attack scenario creation step may include: an attack target vulnerability assignment step of assigning vulnerabilities to selected targets; an attack execution step of executing an attack based on the vulnerabilities of the targets assigned through the attack target vulnerability assignment step; a follow-up attack execution step of executing a follow-up attack through other techniques or tactics after the attack execution step; an attack target strike step of striking the attack target after the follow-up attack execution step; a post-condition derivation step of deriving post-conditions after striking the attack target through the attack target strike step; an additional attack surface identification step of identifying an additional attack surface based on the content derived through the post-condition derivation step; and an attack graph formation step of forming an attack graph based on the executed attack scenario.
[0009] Furthermore, in a method for developing a ship cyberattack scenario according to one aspect of the present invention, the attack scenario creation step may further include a subsequent attack execution step in which a subsequent attack is executed if an additional attack surface is identified in the additional attack surface identification step; and n additional attack target strike steps in which an additional attack is executed by n additional attack strikes.
[0010] Furthermore, in the ship cyberattack scenario development method according to one aspect of the present invention, the attack graph output stage can combine a cyberattack tree (CAT) model and a diamond analysis model to visualize and output the attack graph.
[0011] Furthermore, in the ship cyberattack scenario development method according to one aspect of the present invention, the attack graph output stage can capture the range of attack techniques and characteristics and identify potential attack surfaces.
[0012] Furthermore, a ship cyberattack scenario development system according to another aspect of the present invention may include: an asset identification unit that identifies ship systems and the assets of stakeholders; a threat data confirmation unit that analyzes the asset information identified through the asset identification unit and confirms the presence or absence of threat data; an attack target selection unit that selects an attack target if it is confirmed that at least one of the assets identified through the threat data confirmation unit belongs to threat data; an attack scenario creation unit that creates an attack scenario against the attack target selected through the attack target selection unit; and an attack graph output unit that outputs an attack graph based on the scenario created through the attack scenario creation unit.
[0013] Furthermore, in a ship cyberattack scenario development system relating to another aspect of the present invention, the attack scenario creation unit may include: a target vulnerability assignment unit that assigns vulnerabilities to selected targets; an attack execution unit that executes attacks based on the vulnerabilities of the targets assigned through the target vulnerability assignment unit; a follow-up attack execution unit that executes follow-up attacks using different techniques or tactics than the attack execution unit; an attack target strike unit that strikes the targets attacked by the follow-up attack execution unit; a post-condition derivation unit that derives post-conditions after the attack target has been struck by the attack target strike unit; an additional attack surface identification unit that identifies additional attack surfaces based on the content derived through the post-condition derivation unit; and an attack graph formation unit that forms an attack graph based on the executed attack scenario if there are no additional attack targets identified by the additional attack surface identification unit.
[0014] Furthermore, in a ship cyberattack scenario development system relating to another aspect of the present invention, the attack scenario creation unit may further include a subsequent attack execution unit that executes a subsequent attack when an additional attack surface is identified by an additional attack surface identification unit; and n additional attack target strike units that execute an additional attack by n additional attack strikes.
[0015] Furthermore, in a ship cyberattack scenario development system relating to another aspect of the present invention, the attack graph output unit can combine a cyberattack tree (CAT) model and a diamond analysis model to visualize and output an attack graph.
[0016] Furthermore, in a ship cyberattack scenario development system relating to another aspect of the present invention, the attack graph output unit can capture the range of attack techniques and characteristics and identify potential attack surfaces. [Effects of the Invention]
[0017] According to the present invention, through a ship attack scenario model, all possible paths through which an attacker can penetrate a target are visualized via an attack graph. By analyzing various penetration techniques, attack technologies, attributes, and impacts, potential attack surfaces can be identified, and response strategies can be developed. [Brief explanation of the drawing]
[0018] [Figure 1] This is a flowchart showing the method for generating a ship cyberattack scenario model according to the present invention. [Figure 2] There are also many examples of the ship cyberattack scenario development method according to the present invention. [Figure 3] This is a flowchart showing the method for creating attack scenarios according to the present invention. [Figure 4] This figure shows a ship cyberattack scenario algorithm according to one embodiment of the present invention. [Figure 5] Figure 4 shows an attack graph against an algorithm according to one embodiment of the present invention. [Figure 6] FIG. is a diagram showing a ship cyber attack scenario algorithm according to another embodiment of the present invention. [Figure 7] FIG. is a diagram showing an attack graph against an algorithm according to another embodiment of the present invention in FIG. 6.
BRIEF DESCRIPTION OF THE DRAWINGS
[0019] Details regarding the object, technical configuration, and the actions and effects thereof of the present invention will be more clearly understood by a detailed description based on the drawings attached to the specification of the present invention.
[0020] The terms used in this specification are merely for explaining specific embodiments and are not intended to limit the present invention. For example, terms such as "configured" or "including" used in this specification should not necessarily be interpreted as including all of the many components or many steps described in the invention, but may be interpreted as not including some of the components or some of the steps, or further including additional components or steps. Also, the singular expressions used in this specification include plural expressions unless they have clearly different meanings in the context.
[0021] Hereinafter, the present invention will be described in detail by explaining preferred embodiments of the present invention with reference to the attached drawings. Each of the embodiments described below is provided so that those skilled in the art can easily understand the technical idea of the present invention, and it should not be construed that the present invention is limited thereby. Naturally, each embodiment of the present invention can be variously applied by an ordinary technician in this field.
[0022] In the method and system for developing a ship cyber attack scenario according to the present invention, the ship attack scenario model visualizes all the paths through which an attacker can penetrate the attack target through an attack graph. The attack graph uses a graph in which a cyber attack tree (CAT) and a diamond analysis model are combined to provide a comprehensive insight into the dependency relationships between cyber attacks.
[0023] In addition, by utilizing the MITRE ATT&CK framework, various penetration techniques, attack technologies, attributes, and impacts are analyzed. By analyzing the attack scenario model, the scope of attack technologies and characteristics can be captured, and potential attack surfaces can be identified.
[0024] FIG. 1 is a flowchart showing a method for generating a ship cyber attack scenario model according to the present invention.
[0025] It can include an asset identification stage (S100) for identifying ship systems and stakeholders' assets, a threat presence / absence determination stage (S200) for confirming whether the identified asset information belongs to a set of threat databases, and an attack scenario modeling stage (S500) for generating a cyber attack scenario by modeling an attack scenario when it is confirmed that the asset information identified in the threat presence / absence determination stage (S200) belongs to the set of threat databases.
[0026] In addition, when the asset information identified in the threat presence / absence determination stage (S200) does not belong to the set of threat databases, it can further include a threat data collection stage (S300) for collecting additional threat data, and a confirmation stage (S400) for confirming whether the asset information identified through the threat data collection stage (S300) belongs to the set of threat databases with the additional collected data. Therefore, when the identified asset information belongs to the set of threat databases with the additional collected data, a cyber attack scenario can be generated by performing attack scenario modeling.
[0027] More specifically, referring to Figures 2 and 3, the ship cyberattack scenario development method and attack scenario creation method according to the present invention can include a ship system and stakeholder asset identification stage (S510), an attack target selection stage (S520), an attack scenario creation stage (S530), and an attack graph output stage (S540).
[0028] In this case, the asset identification step (S510) may include a step of confirming whether the identified asset information belongs to the threat database set (S510-1) and a step of analyzing the asset information and matching assets that have vulnerabilities (S510-2).
[0029] Furthermore, the attack target selection stage (S520) can select one or more of the assets that have been combined throughout the asset identification stage as attack targets.
[0030] Furthermore, the attack scenario creation stage (S530) involves assigning vulnerabilities to the target (S531), executing a vulnerability-based attack (S532), executing a follow-up attack after the vulnerability-based attack (S533), striking the target (S534), deriving post-event conditions (S535), identifying additional attack surfaces after deriving the post-event conditions (S536), and, if there are no additional attack surfaces, forming an attack graph (S539).
[0031] Furthermore, if additional attack surfaces are identified in the additional attack surface identification stage (S536), a subsequent attack can be executed (S537), striking n additional attack targets (S538), and an attack graph can be formed (S539).
[0032] Furthermore, as cyberattack tactics exploiting vulnerabilities in specific systems become more sophisticated, it is essential to detect intrusions as quickly as possible in order to identify vulnerabilities and minimize damage from attacks. Among the mechanisms used to detect intrusions, the Cyberattack Tree (CAT), which represents the attack process in a tree structure, can provide a systematic and organized solution for establishing security measures against a variety of attacks on network systems.
[0033] Furthermore, the ship cyberattack scenario development system according to the present invention may include: an asset identification unit 100 that identifies ship systems and the assets of stakeholders; a threat data confirmation unit 200 that analyzes the asset information identified through the asset identification unit and confirms the presence or absence of threat data; an attack target selection unit 300 that selects an attack target if it is confirmed that at least one of the assets identified through the threat data confirmation unit belongs to threat data; an attack scenario creation unit 400 that creates an attack scenario against the attack target selected through the attack target selection unit; and an attack graph output unit 500 that outputs an attack graph based on the scenario created through the attack scenario creation unit.
[0034] Furthermore, the attack graph output unit 500 can combine a cyberattack tree (CAT) model and a diamond analysis model to visualize and output an attack graph.
[0035] Furthermore, the attack graph output unit 500 can capture the range of attack techniques and characteristics and identify potential attack surfaces.
[0036] Figure 4 shows a ship cyberattack scenario algorithm according to one embodiment of the present invention. Figure 5 shows an attack graph against the algorithm according to one embodiment of the present invention shown in Figure 4.
[0037] When examining attack graphs using cyberattack trees (CATs) and diamond analysis models, multiple nodes in the cyberattack tree (Root Nodes) can be described by a variety of attack methods aimed at achieving the ultimate goal of the target (Victim).
[0038] In the diamond analysis model, nodes represent attack techniques and status, vectors represent activity threads, and graphs represent the attack graph.
[0039] The attack direction is from top to bottom, with one or more nodes targeting the victim, generating attack scenarios and forming an attack graph.
[0040] When examining the algorithm, it selects nodes belonging to prior data that indicate potential attack vectors, and then selects victims from targets that represent ships or CBS (Computer Based Systems).
[0041] Next, each node in the attack vector is iterated over to check if it is a subset of the previous node. If the current node is a subset of the previous node, the process continues to the next node.
[0042] Additionally, if a node belongs to a subset of targets, it moves to the next node in the attack vector.
[0043] Next, if a node is a subset of the target of the attack, the cyberattack is considered successful.
[0044] The data collection criteria allow for the collection of a threat database (DB) based on maritime threat intelligence information (IoC, CVE, CPE, CWE, CVSS, Dark Web, Attack Case).
[0045] In identifying ship systems and stakeholder assets, assets can be identified using ship system information, stakeholder accounts including crew members, and related company network information (IP, Domain, DNS, etc.).
[0046] By selecting the Cyber Attack Tree (CAT) model and the Diamond Model used in this invention, a comprehensive and flexible approach to understanding cyber attack scenarios can be provided through the combination of these models, and downward and vertical attack directions can provide a deep understanding of the dependency relationships between cyber attacks.
[0047] Furthermore, the compatibility of the MITRE ATT&CK framework with the Diamond Model is useful for analyzing intrusion techniques, attack methods, and attack strategies.
[0048] Through this, it becomes possible to effectively analyze various forms of cyberattack scenarios.
[0049] Therefore, in analyzing cyberattack models, we use the MITRE ATT&CK framework to systematically understand the various stages and components of an attack.
[0050] The framework's techniques can be used to classify the attack stages of a model, and the attack state and techniques of each node can be analyzed through sub-techniques or tactics.
[0051] This approach helps to gain a deeper understanding of the tactics and strategies used by attackers and to grasp their motivations. In addition, the IACS No. 171 guidelines can be consulted to determine the impact of cyberattacks on the availability, confidentiality, integrity, and traceability of systems and equipment.
[0052] Furthermore, to understand the scale of damage and potential impact of the CBS on board the vessel, refer to the impact of a potential incident in UR Guideline E22.
[0053] As a method for deriving response strategies, cyberattack scenario models provide insights into the tactics and strategies used by cyber attackers, and mitigation strategies from the MITRE ATT&CK framework are used as countermeasures to mitigate the damage caused by attacks. The framework can develop countermeasures against the attack surface by analyzing the attacker's actions and presenting mitigation strategies that can respond to cyberattacks.
[0054] Furthermore, in the event of a cyberattack, the potential scale of damage to the vessel can be assessed, mitigation measures can be established, and cyberattacks can be mitigated through strengthening the cybersecurity posture and proactive planning.
[0055] Figure 6 shows a ship cyberattack scenario algorithm according to another embodiment of the present invention, and Figure 7 shows an attack graph against the algorithm according to the other embodiment of the present invention shown in Figure 6.
[0056] When examining attack scenarios at each node against a target, attack techniques and tactics can be demonstrated through three phases.
[0057] When considering cyberattack scenarios against VSAT (Very Small Aperture Terminal) communications, a list of vulnerabilities is used to gather threat information against VSAT assets. This list consists of Common Vulnerabilities and Exposures (CVEs) compiled by MITRE, a non-profit research and development organization sponsored by the U.S. federal government, which identify, classify, and collect various software and firmware vulnerabilities, and is available as pre-emptive threat data against VSAT assets.
[0058] At this point, select the node belonging to the CVE data and choose VSAT as the target of the attack.
[0059] Through Active Scanning, if node n1 belongs to node n0, information is collected; if node n2 belongs to node n1, cross-site scripting is performed.
[0060] If node n5 belongs to node n2, web session hijacking will be performed.
[0061] Additionally, if node n3 belongs to node n1, it will create arbitrary content, and if node n4 belongs to node n1, it will perform code spoofing.
[0062] Furthermore, if any one of nodes n3, n4, or n5 belongs to the target t0, a credential theft will be performed.
[0063] Furthermore, if node n6 belongs to target t0, it scans the ship network, and if node n6 belongs to node n7, it performs propagation and dissemination.
[0064] Furthermore, if the new target t1 belongs to node n7, it is determined that the cyberattack on the ship's system has been successfully initiated.
[0065] Therefore, according to the present invention, by combining a cyberattack tree (CAT) model and a diamond analysis model, an attack graph is displayed, and through the development of ship cyberattack scenarios, a system can be constructed that enables the identification of potential attack surfaces of ship systems and the securing of cyberattack response capabilities.
[0066] Furthermore, the present invention has the effect of enabling the detection of inherent and potential vulnerabilities in a ship's system through cyberattack scenarios.
[0067] Furthermore, according to the present invention, it is possible to create cyber threat scenarios that may arise from cyber attack scenarios, obtain preventive response measures, identify potential attack surfaces by understanding and analyzing the overall scope of cyber attacks through attack graphs, establish effective cyber attack response strategies, and improve overall cyber resilience.
[0068] Furthermore, according to the present invention, scenario-based graphs can be evaluated through a threat analysis approach, which has the effect of improving practitioners' cyber response capabilities and cyber risk management.
[0069] The embodiments of the present invention described above are embodied in the form of program instructions that can be executed through a variety of computer components and can be recorded on a computer-readable recording medium. The computer-readable recording medium may include program instructions, data files, data structures, etc., individually or in combination. The program instructions recorded on the computer-readable recording medium may be specially designed and configured for the present invention, or may be known and usable by those skilled in the field of computer software. Examples of computer-readable recording media include magnetic media such as hard disks, floppy disks and magnetic tapes, optical recording media such as CD-ROMs and DVDs, magneto-optical mediums such as floptical disks, and hardware devices specially configured to store and execute program instructions, such as ROMs, RAMs, and flash memories. Examples of program instructions include not only machine code produced by a compiler, but also high-level language code that can be executed by a computer using an interpreter or the like. Hardware devices may be modified into one or more software modules to perform the processing according to the present invention, and vice versa.
[0070] The embodiments described above are provided so that those skilled in the art can easily understand the technical concept of the present invention, and should not be construed as limiting the present invention. It is obvious to those ordinary skill in the art that each embodiment of the present invention can be modified and transformed in various ways without departing from the spirit and scope of the present invention. Therefore, such modifications or variations can be said to fall within the scope of the claims of the present invention.
Claims
1. Asset identification stage to identify the ship system and the assets of stakeholders; A threat data verification step involves analyzing the asset information identified through the aforementioned asset identification step to confirm the presence or absence of threat data; If at least one of the assets identified through the aforementioned threat data verification stage belongs to the threat data, then the attack target selection stage is performed to select an attack target; An attack scenario creation stage in which an attack scenario is created for the attack targets selected through the aforementioned attack target selection stage; and A method for developing a ship cyberattack scenario, comprising: an attack graph output step which outputs an attack graph based on the scenario created through the aforementioned attack scenario creation step; and a method for developing a ship cyberattack scenario.
2. The aforementioned attack scenario creation stage is, The vulnerability allocation phase of the selected target; An attack execution phase in which an attack is carried out on a vulnerability-based target assigned through the vulnerability allocation phase of the target; A follow-up attack execution phase in which a subsequent attack is carried out through other techniques or tactics after the aforementioned attack execution phase; An attack target strike phase, which involves striking the attack target after the aforementioned subsequent attack execution phase; A post-condition derivation stage is performed after the attack target has been struck through the aforementioned attack target strike stage, and post-conditions are derived thereafter; An additional attack surface identification step that identifies additional attack surfaces based on the content derived through the aforementioned post-condition derivation step; and A method for developing a ship cyberattack scenario according to claim 1, comprising an attack graph formation step of forming an attack graph based on the executed attack scenarios.
3. The aforementioned attack scenario creation stage is, If an additional attack surface is identified during the additional attack surface identification phase, The follow-up attack execution phase, in which a follow-up attack is carried out; and A method for developing a ship cyberattack scenario according to claim 2, further comprising: n additional attack target strike stages that execute additional attacks by n additional attack strikes;
4. The aforementioned attack graph output stage is, A method for developing a ship cyberattack scenario according to claim 1, comprising combining a cyberattack tree (CAT) model and a diamond analysis model, and visualizing and outputting an attack graph.
5. The aforementioned attack graph output stage is, A method for developing a ship cyberattack scenario according to claim 4, which captures the range of attack techniques and characteristics and identifies potential attack surfaces.
6. Asset identification unit for identifying ship systems and the assets of stakeholders; A threat data verification unit analyzes the asset information identified through the asset identification unit and confirms the presence or absence of threat data; If at least one of the assets identified through the threat data verification unit belongs to threat data, an attack target selection unit selects an attack target; An attack scenario creation unit that creates an attack scenario for an attack target selected through the aforementioned attack target selection unit; and A ship cyberattack scenario development system comprising: an attack graph output unit that outputs an attack graph based on a scenario created through the aforementioned attack scenario creation unit; and an attack graph output unit that outputs an attack graph based on a scenario created through the aforementioned attack scenario creation unit.
7. The aforementioned attack scenario creation unit, Vulnerability allocation unit for attack targets; An attack execution unit that executes a vulnerability-based attack on the target assigned through the vulnerability allocation unit of the target; A follow-up attack execution unit that carries out a follow-up attack using a different technique or tactic than the aforementioned attack execution unit; An attack target striking unit that strikes the target attacked by the subsequent attack execution unit; A post-condition derivation unit that derives post-conditions after striking the target with the aforementioned target striking unit; An additional attack surface identification unit that identifies an additional attack surface based on the content derived through the aforementioned post-condition derivation unit; and A ship cyberattack scenario development system according to claim 6, comprising: an attack graph forming unit that forms an attack graph based on the executed attack scenario when there are no additional attack targets identified by the additional attack surface identification unit;
8. The aforementioned attack scenario creation unit, When an additional attack surface is identified by the additional attack surface identification unit, A follow-up attack execution unit that carries out a subsequent attack; and A ship cyberattack scenario development system according to claim 7, further comprising: n additional attack target striking units that perform additional attacks by n additional attack strikes;
9. The aforementioned attack graph output unit, A ship cyberattack scenario development system according to claim 6, which combines a cyberattack tree (CAT) model and a diamond analysis model to visualize and output an attack graph.
10. The aforementioned attack graph output unit, A ship cyberattack scenario development system according to claim 9, which enables the capture of the range of attack techniques and characteristics and the identification of potential attack surfaces.