Method for measuring the cybersecurity status of ships, and method for assessing cybersecurity risks and detecting abnormal signs on ships.

The method addresses the challenges of cybersecurity risk assessment on ships by using machine learning to index CBS data by area and perform real-time anomaly detection, ensuring quantified risk scoring and effective threat mitigation.

JP2026522268APending Publication Date: 2026-07-07HANWHA OCEAN CO LTD (KR) +1

Patent Information

Authority / Receiving Office
JP · JP
Patent Type
Applications
Current Assignee / Owner
HANWHA OCEAN CO LTD (KR)
Filing Date
2024-05-31
Publication Date
2026-07-07

AI Technical Summary

Technical Problem

Existing cybersecurity risk assessment methods for ships face challenges due to the unique maritime environment, leading to insufficient and ambiguous hazard assessments, excessive network traffic, and difficulty in isolating cyber threats in real time, which can result in physical damage from security equipment malfunctions.

Method used

A method for measuring cybersecurity status using machine learning to collect and index CBS data by ship area, calculate risk scores, and perform real-time anomaly detection without installing agents on the network, incorporating threat exposure assessment and machine learning-based anomaly detection to predict and mitigate cyber hazards.

Benefits of technology

Enables quantified risk scoring and real-time threat detection, preventing security incidents by predicting potential cyber hazards and reducing false detections, while meeting cybersecurity requirements for ship classification certification.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure 2026522268000001_ABST
    Figure 2026522268000001_ABST
Patent Text Reader

Abstract

This invention proposes a method for measuring the cybersecurity status of a ship, as well as a method for evaluating ship cybersecurity risks and detecting abnormal signs, which indexes and scores risk data collected from various routes based on various criteria such as the degree of risk occurrence, divides areas of a ship according to their importance, such as cabins, bridge rooms, and engine rooms, and provides a quantitative risk scoring of the CBS for each area.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] The present invention indexes and scores risk data collected from various routes according to various criteria such as the degree of risk occurrence, divides areas according to importance such as the cabins, bridge rooms, engine rooms, etc. of a ship, and provides a quantified risk scoring of the CBS for each area. It relates to a method for measuring the cyber security status of a ship, as well as a method for evaluating cyber security risks and detecting abnormal signs of a ship.

Background Art

[0002] Conventional technologies for evaluating or quantifying cyber risks quantify in a situation connected to a network. Since this quantification method is a quantification method for a general network-connected state, there are limitations in general application depending on the industry.

[0003] Conventional technologies for current cyber threats include a method of calculating the probability between nodes by assigning a weight value to each node of the network and calculating the overall cyber risk probability, and a method of installing an agent at an endpoint and collecting and quantifying data obtained from the system.

[0004] Scoring methods for various cyber risks derive the final probability of risk occurrence by comparing with past network behaviors using Bayesian probability / statistics that require probabilistic calculations, or estimate and sum up cyber threats that can occur at each client.

[0005] However, since the conventional technology is a method of distributing an agent for risk scoring to an endpoint, collecting possible risk data, or analyzing by comparing with past behavior patterns by monitoring the network, the method of analyzing a ship network can generate excessive traffic on the network. In addition, the method of installing an agent at an endpoint may violate the availability of the ship, so there is a problem of limited use.

[0006] Furthermore, generally speaking, methods for conducting cybersecurity risk assessments on land in sectors such as finance, nuclear facilities, general companies, and infrastructure facilities perform cybersecurity risk assessments on land. Ships, however, must undergo cybersecurity risk assessments at sea, and for this purpose, the International Classification Society and each classification society have issued official notices on cybersecurity risk assessment methods.

[0007] Figure 6 compares ISO 27001 and IACS Rec 171. ISO 27001, the Information Security Management System, sets the control items for information protection as standard. IACS Rec 171 presents a risk assessment for ships.

[0008] Therefore, based on the ISO 27001 information protection control items, a ship's risk assessment can be conducted at each stage through IACS Rec 171.

[0009] In this regard, the International Organization for Standardization (ISO) ISO 31000:2018 "Risk management - Guidelines" states that risk management procedures proceed as follows: (1) Communication and consultation, (2) scope, context and criteria, (3) risk assessment, (4) risk treatment, (5) monitoring and review, and (6) recording and reporting. Here, "risk assessment" is described as the stages of risk identification, risk analysis, and risk evaluation.

[0010] According to the International Association of Classification Societies (IACS) Rec 171, "Recommendation on incorporating cyber risk management into Safety Management Systems," the method for assessing ship risks, as shown in Figure 7, consists of the following steps: (1) Scope definition (S10), (2) UR E22 category classification (S20), (3) Threat list identification (S30), (4) Impact of threats, attacks, and technologies (S40), (5) Operational threats (S50), (6) Probability assessment (S60), (7) Risk level assessment (S70), (8) Decision on risk mitigation measures (S80), (9) Risk mitigation (S90), and (10) Residual risk (S92). The ship cyber security risk assessment methods announced by various classification societies, such as Lloyd's Register in the UK, Bureau Veritas in France, Det Norske Veritas in Norway, and the Korean classification society, do not deviate from IACS Rec 171.

[0011] The three main elements of security are confidentiality, integrity, and availability, and on land, confidentiality and integrity are given priority among the three main elements of security.

[0012] Assets used for conducting hazard assessments on land are classified as servers, network equipment, security systems, DBMS, application programs, terminals, software, storage media, and control systems.

[0013] Therefore, in the process of deriving the likelihood of a hazard occurring using the hazard assessment methods presented by IACS or each classification society, evaluating the classification of end-users and attacker groups requires a quantitative evaluation method for hazard assessment. This is because, when hazard assessments are conducted during the shipbuilding process or during ship operation, the hazard assessment period is physically and temporally insufficient due to the unique characteristics of the ocean, and the classification is ambiguous due to subjective human criteria.

[0014] Furthermore, ships consist of a complex system with numerous CBS (Community-Based Security) systems installed. In recent years, as the proportion of ICT-based shipboard equipment and materials has increased, the risk of hacking and malicious code attacks has also increased.

[0015] Unlike land-based systems, it is difficult to apply cyber hazard countermeasures to various factors that hinder safe ship operation.

[0016] If normal operational data is interrupted due to malfunctions, misdetections, or over-detection of security equipment such as intrusion prevention systems, serious physical damage such as collisions and groundings may occur.

[0017] In the rapidly evolving world of ICT-based vessels, it is difficult to isolate cyber threats to the ship's environment and equipment in real time, as cyber attack detection technologies specifically tailored to the unique environment of ships have not yet become widespread.

[0018] Therefore, from a proactive perspective, it is efficient to take preventative measures by predicting potential cyber hazards in the maritime environment and calculating possible damage routes and scopes.

[0019] Related prior art includes Korean Patent Application Publication No. 10-2020-0029266 (March 18, 2020), Korean Patent No. 10-2406756 (June 10, 2022), Korean Patent Application Publication No. 10-2020-0141774 (December 21, 2020), and Korean Patent No. 10-0604604 (July 24, 2006). [Overview of the Initiative] [Problems that the invention aims to solve]

[0020] The object of the present invention is to provide a method for measuring the cybersecurity status of a ship, which maintains availability without being installed in or approaching the ship's network, using a method that calculates a risk scale by comparing the ship's CBS (Computer Based System) with risks collected from various sources, and which indexes and scores risk data collected from various routes according to various criteria such as the degree of risk occurrence, and which divides areas of the ship according to importance, such as cabins, bridge rooms and engine rooms, and provides a quantified risk scoring of the CBS for each area.

[0021] Another object of the present invention is to provide a method for evaluating cybersecurity risks for ships, which enables the quantification of risk assessment by deriving a threat exposure level through the severity and degree of exposure of the threat when conducting cybersecurity risk assessment, and utilizing this as an element for deriving the likelihood of risk occurrence, and by constructing a system for evaluating the quantified cybersecurity risks for ships and applying it to risk assessment, thereby contributing to resolving the problems of risk assessment due to the unique characteristics of the sea.

[0022] Another object of the present invention is to provide a method for ship cybersecurity risk assessment that can perform risk assessments in accordance with the cybersecurity requirements of each ship classification and meet the requirements for cybersecurity at the time of ship classification certification.

[0023] Another object of the present invention is to provide a machine learning-based method for detecting anomalies in ship cybersecurity that can prevent security incidents by predicting possible cyber hazards based on ship network topology and CBS (Computer Based System) characteristic information, and real-time detected threat information, and can prevent hazard elements that may occur through real-time intrusion blocking such as false detection and over-detection by security equipment. [Means for solving the problem]

[0024] A method for measuring the cyber security state of a ship according to one aspect of the present invention to achieve the above technical problem includes a data collection stage for collecting ship CBS data and collecting cyber threat and maritime intelligence data for CBS; a CBS collection and management stage by ship area; a data indexing stage through cyber threat score criteria; a risk score calculation stage for each ship area; and a risk mitigation stage for deriving the cyber security state of the ship based on the risk score and mitigating the degree of risk.

[0025] Also, in a method for measuring the cyber security state of a ship according to one aspect of the present invention, in the cyber threat and maritime intelligence collection stage, IT cyber threat intelligence and OT cyber threat intelligence can be collected in advance and the validity of the intelligence data can be inspected.

[0026] Also, in a method for measuring the cyber security state of a ship according to one aspect of the present invention, the CBS collection and management stage by the ship area can include a CBS management stage by section; a CBS classification stage by section; a CBS listing stage by section; and a risk assessment stage by section.

[0027] Also, in a method for measuring the cyber security state of a ship according to one aspect of the present invention, in the data indexing stage through the cyber threat score criteria, it includes a cyber threat classification stage;

[0028] a stage for designating the priority of cyber threats; a stage for normalizing cyber threats; and a scoring stage by priority.

[0029] Also, in a method for measuring the cyber security state of a ship according to one aspect of the present invention, in the risk score calculation stage for each ship area, it can further include a weighting stage for classifying areas according to the importance of each ship area such as the cabins, bridge rooms, engine rooms of the ship and assigning weighting values.

[0030] Furthermore, a method for evaluating ship cybersecurity risks relating to another aspect of the present invention for achieving the aforementioned technical challenges may include: a range selection step in which the cybersecurity range is selected by referencing the cybersecurity requirements of the classification society to which the ship subject to risk assessment is certified when performing the risk assessment and identifying the ship's assets; a data collection step in which the ship's assets are classified within the security range selected through the range selection step using a CBS (Computer Based System), and transmitted and received data to and from multiple networks connected to the classified assets is collected by a data collection unit; and a risk assessment step in which a threat list is identified and analyzed using the data collected in the data collection step, and a cybersecurity risk assessment is performed for each of the multiple networks' cybersecurity threats.

[0031] Furthermore, in a method for evaluating ship cybersecurity risks according to another aspect of the present invention, the scope selection step can query cybersecurity requirements from a database (DB) containing cybersecurity rules required by each classification society that certifies the ship, identify the ship's assets in accordance with the cybersecurity requirements of the classification society to which the ship will be certified at the time of risk assessment, and select the scope of cybersecurity risk assessment.

[0032] Furthermore, in a method for assessing ship cybersecurity risks according to another aspect of the present invention, the data collection step may involve identifying the ship's assets and setting the data collection timing after considering the asset importance according to the CBS classification.

[0033] Furthermore, in a method for assessing ship cybersecurity risks according to another aspect of the present invention, the risk assessment step may include an impact assessment step, an attack surface assessment step, a threat exposure assessment step, and a probability assessment step.

[0034] Furthermore, in a method for evaluating ship cybersecurity risks relating to another aspect of the present invention, the threat exposure assessment step is characterized in that, instead of using an end-user and attacker group to calculate the human factor, the threat exposure assessment is performed through an exposure rating calculated by evaluating the severity and degree of exposure.

[0035] Furthermore, in a method for evaluating ship cybersecurity risks relating to another aspect of the present invention, the threat exposure is calculated based on two elements, severity and degree of exposure, and is classified into grades from 1 to 4. First, severity is classified into grades 1 to 4 (Low, Medium, High, Critical); degree of exposure is classified into grades 1 to 5 (None, CVE, MCTI, Dark Web, Naval); once the grades of severity and degree of exposure are determined, the threat exposure grade can be calculated and classified into grades 1 to 5 by adding the numerical values ​​of the grades of each element.

[0036] Furthermore, a machine learning-based ship cybersecurity anomaly detection method relating to one aspect of the present invention for achieving the aforementioned technical challenges may include: a CBS attack surface information scanning step of scanning real-time CBS attack surface information through a CBS definition unit; a CBS attack surface quantification step of the CBS definition unit quantifying the CBS attack surface based on the CBS attack surface information scanned through the CBS attack surface information scanning step; a cyber risk index calculation step of the risk analysis unit calculating a cyber risk index through machine learning based on the CBS quantified through the CBS attack surface quantification step; and an anomaly symptom graph generation step of analyzing the cyber risk index calculated through the cyber risk index calculation step and generating an anomaly symptom graph of the risk analysis unit that generates a path with a high risk of hacking occurring to the CBS.

[0037] Furthermore, in a machine learning-based method for detecting anomaly signs in ship cybersecurity according to one aspect of the present invention, the cyber risk index calculation step is characterized in that it generates a risk level table based on CBS security vulnerability information, CVE and attack surface information of the ship detected inside the ship, and information identified from an intrusion detection system installed in the network inside the ship.

[0038] Furthermore, in the machine learning-based ship cybersecurity anomaly detection method according to one aspect of the present invention, in the cyber risk index calculation step, the identified information generates a risk table based on source IP, destination IP and detection rule importance information; and if CBS security controls are set, the cyber risk index can be calculated by referring to the security control table.

[0039] Furthermore, in the machine learning-based ship cybersecurity anomaly detection method according to one aspect of the present invention, in the anomaly symptom graph generation stage, a risk level table and a security control table are substituted onto the network topology, and routes with a high risk of hacking occurring at the CBS can be mapped.

[0040] Furthermore, in the machine learning-based ship cybersecurity anomaly detection method according to one aspect of the present invention, in the anomaly symptom graph generation step, the network topology can be used to generate the anomaly symptom graph through a tree topology. [Effects of the Invention]

[0041] According to the present invention, a method for calculating a risk scale by comparing a ship's CBS (Computer Based System) with risks collected from various sources is used. This method maintains availability without being installed in or approaching the ship's network, and has the effect of indexing and scoring risk data collected from various routes according to various criteria such as the degree of risk occurrence. It also divides areas of the ship according to importance, such as cabins, bridge rooms, and engine rooms, and provides a quantified risk scoring of the CBS for each area.

[0042] Furthermore, according to the present invention, when conducting a cybersecurity risk assessment, a threat exposure level can be derived through the severity of the threat and the degree of exposure, and this can be used as an element to derive the likelihood of a risk occurring, thereby enabling the quantification of the risk assessment.

[0043] Furthermore, according to the present invention, by constructing a system for evaluating quantified ship cybersecurity risks and applying it to risk assessment, it has the effect of contributing to resolving the problems of risk assessment due to the unique characteristics of the ocean.

[0044] Furthermore, according to the present invention, risk assessments can be conducted in accordance with the cybersecurity requirements of each ship classification, and the requirements for cybersecurity can be met at the time of ship classification certification.

[0045] Furthermore, according to the present invention, security incidents can be prevented by predicting potential cyber hazards based on ship network topology and CBS (Computer Based System) characteristic information, as well as real-time detected threat information. This also has the effect of preventing potential hazards that may arise from real-time intrusion blocking, such as false detections and over-detection by security equipment. [Brief explanation of the drawing]

[0046] [Figure 1] This figure shows a method for measuring the cybersecurity status of ships according to the present invention, specifically a method for calculating risk scores for each ship area and assigning weighted values ​​based on the importance of each area. [Figure 2] This is a schematic block diagram illustrating the method for measuring the cybersecurity status of a ship according to the present invention. [Figure 3] This figure shows the stages of CBS collection and management by ship area in the method for measuring the cybersecurity status of ships according to the present invention. [Figure 4] This figure shows the data indexing steps through cyber threat score criteria in the method for measuring the cyber security status of ships according to the present invention. [Figure 5] This is a flowchart showing the method for measuring the cybersecurity status of a ship according to the present invention. [Figure 6] This diagram compares the information protection criteria of the International Organization for Standardization (ISO) with the risk assessment criteria of the International Association of Classification Ships (IACS). [Figure 7] This is a block diagram illustrating the procedure for conducting a hazard assessment at the International Association of Classification Ships (IACS). [Figure 8] This is a block diagram illustrating the procedure for performing a ship cybersecurity risk assessment according to an embodiment of the present invention. [Figure 9] This is a block diagram showing the configuration of the evaluation system for performing ship cybersecurity risk assessment according to the present invention. [Figure 10] This figure shows the detailed configuration of the ship cybersecurity risk assessment method according to an embodiment of the present invention. [Figure 11] This flowchart shows the sequence of the machine learning-based ship cybersecurity anomaly detection method according to the present invention. [Figure 12] This figure shows a risk level table, including a security control table, in the machine learning-based ship cybersecurity anomaly detection method according to the present invention. [Figure 13] This figure shows a map of routes with a high risk of hacking occurring at the CBS, obtained by substituting risk levels and security control tables into a ship network topology according to one embodiment of the present invention. [Modes for carrying out the invention]

[0047] The objectives, technical configuration, and detailed aspects of the present invention, as well as its operation and effects, will be better understood through a detailed description based on the drawings attached to the specification of the present invention.

[0048] The terms used herein are for the purpose of describing specific embodiments and are not intended to limit the invention. For example, terms such as “composed of” or “including” as used herein should not be interpreted as necessarily including all of the many components or steps described in the invention, but rather as either not including some of the components or steps, or potentially including additional components or steps. Furthermore, singular expressions used herein include plural expressions unless the context clearly indicates otherwise.

[0049] The present invention will be described in detail below by referring to the attached drawings to describe preferred embodiments of the present invention. Each embodiment described below is provided so that the technical concept of the present invention can be easily understood by those skilled in the art, and should not be construed as limiting the present invention, and it is natural that each embodiment of the present invention can be applied in various ways by those ordinary in the art.

[0050] Figure 1 is a diagram showing the method for calculating risk scores by ship area and assigning weighted values ​​based on importance by area in the method for measuring the cyber security status of ships according to the present invention; Figure 2 is a schematic block diagram showing the method for measuring the cyber security status of ships according to the present invention; Figure 3 is a diagram showing the CBS collection and management stages by ship area in the method for measuring the cyber security status of ships according to the present invention; Figure 4 is a diagram showing the data indexing stage through cyber threat score criteria in the method for measuring the cyber security status of ships according to the present invention; and Figure 5 is a flowchart showing the method for measuring the cyber security status of ships according to the present invention.

[0051] Referring to Figures 1 to 5, the method for measuring the cybersecurity status of a ship according to the present invention collects cyber threat / maritime intelligence.

[0052] Cyber ​​Threat Intelligence (CTI) refers to methods for analyzing a situation by collecting threat information and responding effectively to threats.

[0053] At this time, CBS (Computer Based System) data is collected and managed by vessel area, the data is indexed through cyber threat scoring criteria, and a risk score is calculated for each vessel area.

[0054] At this time, a weighted value based on the importance of each shipping area can be assigned, and a risk score for each shipping area can be calculated.

[0055] Furthermore, the ship cybersecurity status measurement system for performing the method for measuring the ship cybersecurity status of the present invention may include a cyber threat / maritime intelligence data collection unit 10, a CBS data management unit 20, a cyber threat indexing unit 30, a ship area-specific risk score calculation unit 40, and a cybersecurity status derivation and risk mitigation unit 50.

[0056] As shown in Figure 1, a risk score from 0 to 100 can be calculated by collecting cyber threat / maritime intelligence and assigning weights based on the severity level (A to D) for each shipping area.

[0057] Furthermore, the method for measuring the cybersecurity status of a ship according to the present invention, as shown in Figure 2, may include a data collection stage 10 for collecting CBS data for the entire ship and collecting cyber threat and maritime intelligence data for the CBS; a CBS collection and management stage 20 by ship area; a data indexing stage 30 through a cyber threat score criterion; a risk score calculation stage 40 for each ship area; and a risk mitigation stage 50 for deriving the ship's cybersecurity status based on the risk score and mitigating the risk level.

[0058] Furthermore, data collection stage 10, which collects cyber threat and maritime intelligence data, can collect IT (Information Technology) cyber risk intelligence and OT (Operational Technology) cyber risk intelligence data and test the effectiveness of the intelligence data.

[0059] Furthermore, the CBS data collection and management stage 20 by vessel area may include a section-specific CBS management stage 21, a section-specific CBS classification stage 22, a section-specific CBS listing stage 23, and a section-specific risk assessment stage 24, as shown in Figure 3.

[0060] Furthermore, the data indexing stage 30 through the cyber threat scoring criteria may include a cyber threat classification stage 31, a cyber threat prioritization stage 32, a cyber threat standardization stage 33, and a priority-based scoring stage 34, as shown in Figure 4.

[0061] Furthermore, the risk score calculation stage 40 for each ship area may further include a weighting stage 45 in which areas are divided according to their importance, such as cabins, bridge rooms, and engine rooms, and weighted values ​​are assigned to them.

[0062] Referring more specifically to Figure 5, in the method for measuring the cyber security status of a ship according to the present invention, the data collection step (S1) for collecting cyber threat and maritime intelligence data can collect IT (Information Technology) cyber risk intelligence and OT (Operational Technology) cyber risk intelligence through data sources and inspect the effectiveness of the intelligence data (S11).

[0063] In this case, during the data collection phase (S1), ocean intelligence data may be collected in advance and stored in a data source, or it may be collected by receiving the stored data.

[0064] The CBS collection and management phase by ship area (S2) involves collecting ship CBS data through data sources (S21), analyzing CBS classification / function (S22), inspecting the effectiveness of the classified CBS (S23), correcting the CBS data if it is not effective (S24), and managing the CBS system (S25).

[0065] The data indexing stage (S3) through the cyber threat scoring criteria is a process in which a multidimensional risk matrix lists the risk matrices that can occur in the registered CBS and assigns scores for rating, with risk scores assigned to CBS category classification, access rights, breach incidents, vulnerabilities, external connectivity status, accessible ports, and power, respectively.

[0066] Therefore, the data indexing stage through the cyber threat score criteria (S3) generates a multidimensional risk matrix (S31), examines the effectiveness of the matrix factors (S32), and finally generates a single risk matrix (S33), deriving a matrix that integrates the scores of all registered CBSs.

[0067] In this case, if it is not possible to generate a single risk matrix, the matrix elements are re-searched (S34), or if a CBS that does not conform to the multidimensional risk matrix is ​​registered, it is calculated as an exception and assigned an N / A rating.

[0068] The risk score calculation stage for each vessel area (S4) measures the degree of risk / severity for each area (S41).

[0069] At this time, a weighting value can be set according to the importance of each area (S45), and a lower weighting value can be set if an area (room) is isolated (closed) from the outside when the area is divided.

[0070] The risk mitigation stage (S5) assigns a grade based on the risk level.

[0071] By deriving a ship's cybersecurity status based on a risk score, the level of risk can be mitigated.

[0072] Therefore, according to the present invention, a method for calculating a risk scale by comparing the ship's CBS (Computer Based System) with risks collected from various sources is used, maintaining availability without being installed in or approaching the ship's network, and the risk data collected from various routes is indexed and scored according to various criteria such as the degree of risk occurrence. It has the effect of dividing areas of the ship according to importance, such as cabins, bridge rooms, and engine rooms, and providing a quantified risk scoring of the CBS for each area.

[0073] Referring to Figures 8 to 10, the method for evaluating ship cybersecurity risks according to the present invention includes: a range selection step in which the cybersecurity requirements of the classification society to which the ship subject to risk assessment is certified are consulted when performing the risk assessment, and a range of cybersecurity is selected from the identified assets of the ship; a CBS classification step in which CBS categories are classified within the cybersecurity range selected through the range selection step; a data collection step in which a data collection unit collects transmitted and received data for multiple networks connected to the assets classified through the CBS classification step; and a risk assessment step in which a threat list is identified and analyzed from the data collected in the data collection step, and a cybersecurity risk assessment is performed for each of the multiple networks' cybersecurity threats.

[0074] More specifically, as shown in Figure 8, the process may consist of the following steps: (1) Scope selection stage (S110), (2) CBS (Computer Based System) category classification (S120), (3) Threat list identification (S130), (4) Threat impact (S140), (5) Operational threat (S150), (6) Probability assessment (S160), (7) Risk level assessment (S170), (8) Decision on risk mitigation measures (S180), (9) Risk mitigation (S190), and (10) Residual risk (S192).

[0075] In the scope selection stage (S110), the cybersecurity scope can be selected by referring to the cybersecurity requirements of the classification society to which the vessel subject to risk assessment is certified, and by identifying the vessel's assets.

[0076] The CBS (Computer Based System) category classification stage (S120) classifies the assets on board a ship that correspond to the CBS (Computer Based System) category.

[0077] In the case of ships, availability is given priority among the three major elements of security. Furthermore, ship assets are classified as systems that fall under the category of CBS (Computer Based System). Therefore, when identifying and classifying assets during a ship cybersecurity risk assessment, they must be classified according to the CBS, and risk analysis and risk mitigation should be carried out considering availability.

[0078] The threat list identification stage (S130) identifies a list of assets that may pose cybersecurity threats in a classified CBS category and can collect transmitted and received data for multiple networks to which those assets are linked.

[0079] Core equipment and system identification can identify and assess key onboard assets that are vulnerable to cyberattacks.

[0080] Impact assessments can take into account the threat outcomes in terms of system availability.

[0081] In this case, the network may include VSATs (Very Small Aperture Terminals) that interact with satellites, IT (Information Technology) networks, OT (Operational Technology) networks, and so on.

[0082] Furthermore, the system may include a risk assessment stage in which the threat list identified through the threat list identification stage (S130) is analyzed, and a cybersecurity risk assessment is performed for each cybersecurity threat to multiple networks.

[0083] In this case, the risk assessment stage may include a threat impact assessment stage (S140), an operational threat assessment stage (S150), and a probability assessment stage (S160).

[0084] Furthermore, the operational threat assessment stage (S150) may include a first assessment stage, the attack surface assessment stage (S155), and a second assessment stage, the threat exposure assessment stage (S159).

[0085] Furthermore, the attack surface evaluation stage (S155) allows for the evaluation of the attack surface while taking into account connectivity (S152) and complexity (S154).

[0086] Furthermore, the threat exposure assessment stage (S159) can evaluate threat exposure by deriving an exposure level through the severity of the threat (S157) and the degree of exposure (S158).

[0087] In other words, when conducting a risk assessment using IACS Rec 171, which takes into account the differences between land and sea, Severity, Degree of Exposure, and Threat Exposure are presented as elements that replace the difficult-to-measure elements of End-User, Attacker Group, and Human Factor. This has the effect of allowing for the assessment of clearly and quantitatively defined risk levels on a vessel.

[0088] Therefore, according to the present invention, since it is difficult to clearly distinguish between end-users and attacker groups when calculating the Human Factor in the IACS Rec 171 Risk Assessment, this can be replaced with a Threat Exposure assessment to evaluate a clear and quantifiable risk level.

[0089] Referring to Figure 9, the ship cybersecurity risk assessment system 100 may include a risk assessment range selection unit 110 that sets cybersecurity ranges based on cybersecurity for each ship classification and selects risk assessment ranges; a data collection unit 120 that collects transmitted and received data for multiple networks; an analysis unit 130 that identifies and analyzes threat lists by CBS category and performs cybersecurity risk assessments for each cybersecurity threat on multiple networks; a database unit 140 that stores cybersecurity rules required by each ship classification; and a control unit 150 that controls the risk assessment timing based on the importance of the assets.

[0090] Accordingly, the ship cybersecurity risk assessment method according to the present invention includes a range selection step in which the cybersecurity range based on cybersecurity for each ship classification is set and stored in a database by the risk assessment range selection unit 110 of the ship cybersecurity risk assessment system 100; a data collection step in which the ship's assets are classified by CBS (Computer Based System) within the security range selected through the range selection step and stored in the database unit 140, and the data collection unit 120 collects transmission and reception data for multiple networks connected to the classified assets; and a risk assessment step in which a threat list is identified from the data collected in the data collection step, and the risks considering availability are analyzed by the analysis unit 130, thereby performing a cybersecurity risk assessment for each cybersecurity threat of multiple networks.

[0091] Furthermore, during the scope selection stage, the cybersecurity regulations required by each classification society that certifies a vessel are compiled into a database (DB), allowing the scope of cybersecurity risk assessment to be selected in accordance with the cybersecurity requirements of the classification society to which the vessel will be certified during the risk assessment.

[0092] Furthermore, during the data collection phase, the control unit 150 can set the data collection timing after identifying the ship's assets and considering the asset importance according to the CBS classification.

[0093] Furthermore, the risk assessment stage may include an Impact grade assessment stage, an Attack Surface assessment stage, a Threat Exposure assessment stage, and a Likelihood assessment stage, and the Threat Exposure assessment stage is

[0094] Threat exposure can be assessed by deriving an exposure level based on the severity of the threat and the degree of exposure.

[0095] As shown in Figure 10, the detailed configuration of the ship cybersecurity risk assessment method according to an embodiment of the present invention can include a preliminary consultation and scope selection stage (S100), a risk analysis stage (S150), and a completion stage (S200). The preliminary consultation and scope selection stage (S100) can include preliminary preparation (S101), project execution request (S102), certified classification society consultation (S103), legal compliance national consultation (S104), subject, scope and duration consultation (S105), risk analysis procedure consultation (S106), and CBS identification request (S107).

[0096] Furthermore, the risk analysis stage (S150) may include the preliminary analysis, actual vessel analysis, and evaluation stages.

[0097] The preliminary analysis phase may include the CBS classification (S120), impact assessment (S140), attack surface grading (S155), threat exposure grading (S159), probability grading (S160), and hazard level calculation (S170) phases.

[0098] Furthermore, the Threat Exposure (S159) rating is calculated based on two factors: Severity and Degree of Exposure. First, Severity is classified into four grades: Low, Medium, High, and Critical. Degree of Exposure is classified into five grades: None, CVE, MCTI, Dark Web, and Naval. Once the Severity and Degree of Exposure grades are determined, the Threat Exposure grade is calculated by adding the numerical values ​​of each element's grade, classifying it into five grades. Degree of Exposure classified as Naval can be calculated as grade 5, regardless of Severity.

[0099] Furthermore, the actual ship analysis stage may include the stages of hazard confirmation (S171), penetration testing (S172), hazard analysis checklist (S173), and hazard identification and analysis (S174).

[0100] Furthermore, the evaluation stage may include the stages of risk mitigation level assessment (S191a), risk mitigation period assessment (S191b), RRL (Response Rate Limiting) calculation (S191c), and protective measures establishment (S191d).

[0101] Furthermore, the completion stage may include the stages of developing a response plan (S201), preparing a report (S202), reviewing the report (S203), submitting the report (S204), and completing the project (S205).

[0102] According to the present invention, when assessing cybersecurity risks, a threat exposure level is derived from the severity of the threat and the degree of exposure, and this is used as an element to derive the likelihood of a risk occurring, thereby enabling the quantification of risk assessment.

[0103] Furthermore, according to the present invention, by constructing a system for evaluating quantified ship cybersecurity risks and applying it to risk assessment, it has the effect of contributing to resolving the problems of risk assessment due to the unique characteristics of the ocean.

[0104] Furthermore, according to the present invention, risk assessments can be conducted in accordance with the cybersecurity requirements of each ship classification, and the requirements for cybersecurity can be met at the time of ship classification certification.

[0105] Figure 11 is a flowchart showing the sequence of the machine learning-based ship cybersecurity anomaly detection method according to the present invention, Figure 12 is a diagram showing a risk level table including a security control table in the machine learning-based ship cybersecurity anomaly detection method according to the present invention, and Figure 13 is a diagram showing the mapping of routes with a high risk of hacking occurring at CBS by substituting the risk level and security control table onto a ship network topology according to one embodiment of the present invention.

[0106] Referring to Figures 11 to 13, one embodiment of the present invention of a machine learning-based ship cybersecurity anomaly detection method may include a CBS attack surface information scanning step (S300), a CBS attack surface quantification step (S310), a cyber risk index calculation step (S320), and an anomaly indicator graph generation step (S330).

[0107] More specifically, as shown in Figure 11, the CBS (Computer Based System) attack surface information scanning stage (S300) scans information of the CBS attack surface through the CBS definition unit 310.

[0108] In the CBS attack surface quantification step (S310), the CBS definition unit 310 can quantify the CBS attack surface based on the CBS attack surface information scanned through the CBS attack surface information scanning step (S300).

[0109] In other words, as the proportion of ICT-based ship equipment and materials increases, it becomes possible to quantify the attack surface of CBS specific to the ship's environment, predict cyber risks in advance, and prevent them by calculating possible damage routes and scope.

[0110] Furthermore, in the cyber risk index calculation stage (S320), the risk analysis unit 320 can calculate the cyber risk index for the CBS quantified through the CBS attack surface quantification stage (S310) using machine learning.

[0111] The probability of a cyber threat occurring can be calculated using the following formula:

[0112]

number

[0113] Furthermore, the following formula shows the probability that a cyberattack could occur due to a CBS detected inside a ship.

[0114]

number

[0115] Furthermore, the abnormality indicator graph generation stage (S330) analyzes the cyber risk index calculated through the cyber risk index calculation stage (S320), and the risk analysis unit (320) can generate, map, and display pathways with a high risk of hacking occurring to the CBS.

[0116] In this case, the CBS value can be obtained from a risk table generated based on security vulnerability information of CBS detected inside the vessel, CVE and attack surface information of the vessel, and information identified from intrusion detection systems installed in the network inside the vessel.

[0117] Ship attack surface information can be obtained through data such as open port information, operational service information, and operational demonstration information.

[0118] Furthermore, in the cyber risk index calculation stage (S320), the identified information includes source IP, destination IP, and detection rule importance information, which can be used to generate a risk table.

[0119] Furthermore, if CBS security controls are established, the cyber risk index can be calculated by referring to the security control table.

[0120] In other words, if CBS security controls are established, the risk level can be reduced, and a risk level table can be generated that includes a security control table, as shown in Figure 12.

[0121] Furthermore, as shown in Figure 13, in the machine learning-based ship cybersecurity anomaly detection method according to one aspect of the present invention, in the anomaly symptom graph generation stage (S130), a risk level table and a security control table are substituted onto the network topology, and routes with a high risk of hacking occurring at the CBS can be mapped.

[0122] Network topology refers to the pattern or arrangement of network devices and computer systems that are interconnected, while a network refers to a node that represents a computer or device connected to share information and data.

[0123] Furthermore, topology describes the connection patterns and designs between many interconnected nodes that oversee the flow of information.

[0124] Furthermore, in the anomaly indicator graph generation stage (S330), the network topology can generate an anomaly indicator graph through a tree topology.

[0125] Tree topology may be formed by a combination of star and bus topology.

[0126] Tree topology facilitates the installation of new extension networks due to the star properties of the topology, and the ease of resolving problems with connected nodes enhances network efficiency without affecting the main network.

[0127] Furthermore, tree topology has the advantage of being able to transmit signals over long distances without signal loss.

[0128] Therefore, according to the present invention, security incidents can be prevented by predicting potential cyber hazards based on ship network topology and CBS (Computer Based System) characteristic information, as well as real-time detected threat information, and hazardous elements that may arise from real-time intrusion blocking such as false detection and over-detection by security equipment can be prevented.

[0129] The embodiments of the present invention described above are embodied in the form of program instructions that can be executed through a variety of computer components and can be recorded on a computer-readable recording medium. The computer-readable recording medium may include program instructions, data files, data structures, etc., individually or in combination. The program instructions recorded on the computer-readable recording medium may be specially designed and configured for the present invention, or they may be known and usable by those skilled in the field of computer software. Examples of computer-readable recording media include magnetic media such as hard disks, floppy disks and magnetic tapes, optical recording media such as CD-ROMs and DVDs, magneto-optical mediums such as floptical disks, and hardware devices specially configured to store and execute program instructions, such as ROMs, RAMs, and flash memories. Examples of program instructions include not only machine code produced by a compiler, but also high-level language code that can be executed by a computer using an interpreter or the like. Hardware devices may be modified into one or more software modules to perform the processing according to the present invention, and vice versa.

[0130] The embodiments described above are provided so that those skilled in the art can easily understand the technical concept of the present invention, and should not be construed as limiting the present invention. It is obvious to those ordinary skill in the art that each embodiment of the present invention can be modified and transformed in various ways without departing from the spirit and scope of the present invention. Therefore, such modifications or variations can be said to fall within the scope of the claims of the present invention.

Claims

1. The data collection phase involves collecting shipboard CBS data and gathering cyber threat and maritime intelligence data against CBS; CBS data collection and management phase by vessel area; Data indexing stage through cyber threat scoring criteria; Risk score calculation stages by vessel area; and A method for measuring the cybersecurity status of a ship, including deriving a ship cybersecurity status based on a risk score and a risk mitigation stage that reduces the degree of risk.

2. The data collection phase, which involves collecting cyber threat and maritime intelligence data, A method for measuring the cyber security status of a ship according to claim 1, comprising collecting IT cyber risk intelligence and OT cyber risk intelligence, and examining the effectiveness of the intelligence data.

3. The CBS data collection and management stage by the aforementioned vessel area is as follows: CBS management stages by section; CBS classification stages by area; CBS listing stages by section; and A method for measuring the cybersecurity status of a ship according to claim 1, comprising a hazard assessment stage for each section.

4. The data indexing step through the aforementioned cyber threat scoring criteria is: Cyber ​​threat classification stages; Prioritization stages for cyber threats; The phase of homogenization of cyber threats; and A method for measuring the cybersecurity status of a ship according to claim 1, comprising prioritizing scoring stages;

5. The aforementioned risk score calculation steps for each vessel area are as follows: The method for measuring the cybersecurity status of a ship according to claim 1, further comprising a weighting step of dividing the ship into areas according to their importance, such as cabins, bridge rooms, and engine rooms, and assigning weighting values ​​to each area.

6. The scope selection stage involves selecting the cybersecurity scope by referencing the cybersecurity requirements of the classification society to which the vessel subject to risk assessment is certified, and by identifying the vessel's assets; A data collection stage in which the ship's assets are classified within the security area selected through the aforementioned range selection stage using a CBS (Computer-Based System), and the data collection unit collects transmission and reception data for multiple networks connected to the classified assets; and A method for assessing cybersecurity risks for ships, comprising: identifying and analyzing a list of threats using the data collected in the aforementioned data collection stage; and performing a risk assessment stage to assess cybersecurity risks for each of the cybersecurity threats in multiple networks.

7. The aforementioned range selection stage is, The ship cybersecurity risk assessment method according to claim 6, comprising querying cybersecurity requirements from a database (DB) containing cybersecurity rules required by each classification society that certifies ships, and selecting the scope of cybersecurity risk assessment by identifying the ship's assets in accordance with the cybersecurity requirements of the classification society from which the ship is certified during the risk assessment.

8. The aforementioned data collection stage is, A method for assessing ship cybersecurity risks according to claim 6, comprising identifying ship assets and setting the data collection period after considering asset importance according to CBS classification.

9. The aforementioned risk assessment stage is A method for assessing ship cybersecurity risks according to claim 6, comprising an impact assessment stage, an attack surface assessment stage, a threat exposure assessment stage, and a probability assessment stage.

10. The method for evaluating ship cybersecurity risks according to claim 9, characterized in that the threat exposure assessment step is performed through an exposure grade calculated by evaluating severity and degree of exposure, instead of using an end-user and attacker group to calculate human factors.

11. The aforementioned threat exposure is calculated based on two factors: severity and degree of exposure, and is classified into four grades: Low, Medium, High, and Critical. The degree of exposure is classified into None, CVE, MCTI, Dark Web, and Naval (1-5 magnitude); The method for evaluating ship cybersecurity risks according to claim 10, wherein, once the severity and degree of exposure grades are determined, the threat exposure grade is classified into grades 1 to 5 by adding the numerical values ​​of the grades of each element.

12. CBS attack surface information scanning stage, which scans real-time CBS attack surface information through the CBS definition unit; A CBS attack surface quantification step in which the CBS definition unit quantifies the CBS attack surface based on the CBS attack surface information scanned through the CBS attack surface information scanning step; A cyber risk index calculation step in which the risk analysis unit calculates a cyber risk index for the CBS quantified through the CBS attack surface quantification step; and A machine learning-based method for detecting anomalies in ship cybersecurity, comprising: an anomaly indicator graph generation step, which involves analyzing the cyber risk index calculated through the aforementioned cyber risk index calculation step and generating an anomaly indicator graph in the risk analysis department to generate a high-risk route for hacking to occur in the CBS.

13. The aforementioned cyber risk index calculation stage is: A machine learning-based method for detecting anomalies in ship cybersecurity according to claim 12, characterized in that it generates a risk level table based on CBS security vulnerability information, CVE and attack surface information of the ship detected inside the ship, and information identified from an intrusion detection system installed in the network inside the ship.

14. In the aforementioned cyber risk index calculation stage, The identified information includes source IP, destination IP, and detection rule severity information, and generates a risk table; A machine learning-based ship cybersecurity anomaly detection method according to claim 13, wherein if CBS security controls are set, a security control table is referenced and a cyber risk index is calculated.

15. In the abnormal indicator graph generation stage, The machine learning-based ship cybersecurity anomaly detection method according to claim 12, comprising substituting a risk table and a security control table onto the network topology and mapping routes with a high risk of hacking occurring at CBS along the route.

16. In the abnormal indicator graph generation stage, The machine learning-based method for detecting anomalies in ship cybersecurity according to claim 12, wherein the network topology generates an anomaly indicator graph through a tree topology.