Gabriel Dumont
Supervisor(s): John Puentes
Advisor(s): Pedro Merino Laso

Hybrid Artificial Intelligence for Root Cause Analysis of Maritime Cyberattacks
Maritime systems are evolving to become smarter and more connected thanks to the Industry 4.0 revolution. Due to this digitalization, cybersecurity has become a major concern for the maritime sector, raising new and challenging questions. Thus, we must be prepared to detect, understand, and respond to a wide variety of unknown cyberattacks and malfunctions [1-2]. Today, maritime cybersecurity situational awareness [3] relies on indicators, measurements, and data collected from sensors and alarms. However, it is currently impossible to fully understand the precise causes of all potential cybersecurity events. One of the main reasons is that only the consequences of these events are directly experienced or observed, without knowing at that moment what the causes were and the associated context. For instance, we may know that the GNSS (Global Navigation Satellite System) position was lost due to an alert from an ECDIS (Electronic Chart Display and Information System), but we cannot determine whether the cause is a jamming attack, an internal malfunction, or simply that the vessel is in a blind spot. Additionally, a single malfunction can trigger multiple alarms, making it difficult to understand the situation.
Root Cause Analysis (RCA) is a commonly applied approach to understanding complex abnormal events in fields such as system and accident analysis, telecommunications, and industrial processes [4]. It is a technique that seeks the origin of an observed problem by applying a methodical approach to determine how it occurred and to distinguish the causal factors. RCA of maritime cybersecurity incidents will be useful for SIEM (Security Information & Event Management) systems to aggregate events, generate relevant responses, and provide initial feedback and explanations that help both the crew and cybersecurity experts make the right decisions. To achieve this goal, the SIEM should consider maritime IT (Information Technology) and OT (Operational Technology) systems, transmission bandwidth, known vulnerabilities, past incidents in the maritime domain, and risk situations adapted to operational conditions, among other factors. To handle this large number of variables, Artificial Intelligence (AI) appears to be a suitable solution. However, rule engines, knowledge bases, and symbolic reasoning will be necessary to guide machine learning algorithms towards more controlled solutions, leading to hybrid AI.
Furthermore, beyond the classic analysis of visible effects and the deployment of corrective measures to prevent similar incidents, we believe it is necessary to capitalize on potential causes to gather knowledge that improves cyberattack detection and understanding. This requires taking into account contextual information and knowledge of the technical infrastructure, as well as additional data from other sensors. By developing a tailored hybrid AI approach, this thesis will explore how to integrate relevant RCA elements, contextual information, and technical infrastructure knowledge to study naval cyberattacks, develop a tool to apply the resulting model, and enhance the understanding of protection measures.
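As an added illustration (not code from the thesis proposal or its authors) of the two points made above, alarm aggregation and context-aware cause ranking, the following Python sketch groups alarms that fire together into one incident and then applies simple symbolic rules, combined with constructed contextual knowledge (a charted blind spot, a receiver RF-interference flag), to rank jamming, internal malfunction and blind spot as candidate causes of a GNSS position loss. The alarm sources, event names, rule weights and context keys are all constructed assumptions for the example.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed alarm record: sources such as "ECDIS"/"GNSS-1", events such as "NO_FIX"
Alarm = namedtuple("Alarm", "time source event")

def group_alarms(alarms, window=timedelta(seconds=30)):
    """Aggregate alarms firing within `window` of each other into one incident."""
    incidents, current = [], []
    for a in sorted(alarms, key=lambda x: x.time):
        if current and a.time - current[-1].time > window:
            incidents.append(current)
            current = []
        current.append(a)
    if current:
        incidents.append(current)
    return incidents

def rank_causes(incident, context):
    """Rule-based scoring of candidate causes; `context` is constructed knowledge
    (charted blind spot, receiver RF-interference flag) that the alarms alone lack."""
    events = {(a.source, a.event) for a in incident}
    receivers_lost = {s for s, e in events if s.startswith("GNSS") and e == "NO_FIX"}
    self_test_failed = {s for s, e in events if e == "SELF_TEST_FAIL"}
    scores = {"jamming": 0, "internal_malfunction": 0, "blind_spot": 0}
    reasons = []  # human-readable explanation returned alongside the ranking
    if len(receivers_lost) >= 2:  # independent receivers failing together
        scores["jamming"] += 2
        scores["blind_spot"] += 2
        reasons.append(f"{len(receivers_lost)} receivers lost fix together")
    if self_test_failed:  # hardware self-diagnosis points to an internal fault
        scores["internal_malfunction"] += 3
        reasons.append(f"self-test failure on {sorted(self_test_failed)}")
    if context.get("in_known_blind_spot"):
        scores["blind_spot"] += 3
        reasons.append("vessel is inside a charted GNSS blind spot")
    if context.get("rf_interference_flag"):
        scores["jamming"] += 3
        reasons.append("receivers report RF interference")
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0])), reasons

def demo():
    """Constructed scenario: one burst of three alarms, then an unrelated one."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    alarms = [Alarm(t0, "ECDIS", "POSITION_LOST"),
              Alarm(t0 + timedelta(seconds=2), "GNSS-1", "NO_FIX"),
              Alarm(t0 + timedelta(seconds=3), "GNSS-2", "NO_FIX"),
              Alarm(t0 + timedelta(minutes=10), "GNSS-1", "SELF_TEST_FAIL")]
    ctx = {"in_known_blind_spot": False, "rf_interference_flag": True}
    return [rank_causes(inc, ctx)[0][0][0] for inc in group_alarms(alarms)]
```

The three alarms of the first burst are analysed as a single incident, which is what keeps one underlying fault from being reported three times.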
Research Question
Widely applied in other fields, RCA has been explored in information security [5] and studied in the maritime sector, for example, to examine navigation accidents [6-8] and their economic consequences [9]. However, these studies have not addressed maritime cybersecurity issues. We are particularly interested in defining a hybrid AI-based methodology for analyzing naval cyberattacks from an RCA perspective. Therefore, the main research question this doctoral thesis aims to answer is: What are the characteristics of an RCA model for maritime cybersecurity, using hybrid AI that integrates situational context and technical infrastructure knowledge, to provide assessments for cyber-awareness decision support?
Given the aforementioned framework and based on a preliminary functional characterization of ship IT and telematics systems, this thesis will address the following aspects of the research question:
References
[1] Merino Laso, P., Brosset, D., & Puentes, J. (2017). Dataset of anomalies and malicious acts in a cyber-physical subsystem. Data in Brief, 14, 186-191.
[2] Merino Laso, P., Brosset, D., & Puentes, J. (2017). Analysis of quality measurements to categorize anomalies in sensor systems. In IEEE Computing Conference, 1330-1338.
[3] Jacq, O., Laso, P. M., Brosset, D., Simonin, J., Kermarrec, Y., & Giraud, M. A. (2019). Maritime cyber situational awareness elaboration for unmanned vehicles. In Maritime Situational Awareness Workshop.
[4] Andersen, B., & Fagerhaug, T. (2006). Root cause analysis: simplified tools and techniques. Quality Press.
[5] Hellesen, N., Torres, H., & Wangen, G. (2018). Empirical case studies of the root-cause analysis method in information security. International Journal On Advances in Security, 11, 26-33.
[6] Baalisampang, T., Abbassi, R., Garaniya, V., Khan, F., & Dadashzadeh, M. (2018). Review and analysis of fire and explosion accidents in maritime transportation. Ocean Engineering, 158, 350-366.
[7] Kececi, T., & Arslan, O. (2017). SHARE technique: A novel approach to root cause analysis of ship accidents. Safety Science, 96, 1-21.
[8] Barnett, M. L. (2005). Searching for the root causes of maritime casualties. WMU Journal of Maritime Affairs, 4(2), 131-145.
[9] Parra Jimenez, M. F. (2010). Application of Root Cause Analysis in Marine Accident Investigation: Case Study SMIT Transport & Heavy Lift Europe. Master of Science thesis, Erasmus University Rotterdam.
[10] Advanced database of maritime cyber incidents. URL: https://gitlab.com/m-cert/admiral/
[11] Bahrami, P. N., Dehghantanha, A., Dargahi, T., Parizi, R. M., Choo, K. K. R., & Javadi, H. H. (2019). Cyber kill chain-based taxonomy of advanced persistent threat actors: Analogy of tactics, techniques, and procedures. Journal of Information Processing Systems, 15(4), 865-889.
[12] Adversarial Tactics, Techniques, and Common Knowledge. URL: https://attack.mitre.org/
[13] Pelissero, N., Merino Laso, P., & Puentes, J. (2020). Naval cyber-physical anomaly propagation analysis based on a quality assessed graph. In IEEE International Conference on Cyber Situational Awareness, Data Analytics and Assessment, 1-8.
[14] Jia, Y., Qi, Y., Shang, H., Jiang, R., & Li, A. (2018). A practical approach to constructing a knowledge graph for cybersecurity. Engineering, 4(1), 53-60.
[15] Chen, X., Jia, S., & Xiang, Y. (2020). A review: Knowledge reasoning over knowledge graph. Expert Systems with Applications, 141, 112948.
[16] Piplai, A., Mittal, S., Joshi, A., Finin, T., Holt, J., & Zak, R. (2020). Creating Cybersecurity Knowledge Graphs from Malware After Action Reports. IEEE Access, 8, 211691-211703. doi: 10.1109/ACCESS.2020.3039234.