Modeling ship cybersecurity using Markov chains: an educational approach

Nataliia Kaminska1, Lyudmyla Kravtsova1, Hennadiy Kravtsov2 and Tatyana Zaytseva1

1 Kherson State Maritime Academy, 20 Ushakov Ave., Kherson, 73000, Ukraine
2 Kherson State University, 27 Universytetska Str., Kherson, 73003, Ukraine

Abstract

The strengthening of the role of information in the economy, in particular in transport, is accompanied by the growth of cyber threats. The International Maritime Organization has developed and adopted a number of foundational cybersecurity documents that define requirements for cybersecurity management on board ships. These documents oblige the administration of maritime companies to ensure proper consideration of cyber risks and the application of protection methods in security management systems. The development and establishment of relevant uniform rules is an urgent task for both maritime companies and ships. The most promising direction of ensuring information security is, of course, the use of mathematical models. Such models describe the processes of interaction of a cyberspace violator and the protection system, which should take into account possible cyberattacks on the ship and ensure the preservation and inviolability of the ship’s information as much as possible. Analysis of research in the field of building mathematical models of processes taking place in cyberspace shows that, firstly, this is a really relevant research direction, and, secondly, at the moment there are many different theories that form the basis of modeling. The authors of this work propose a new approach to the mathematical modeling of the cyber security management system on the ship, namely, the use of the theory of Markov chains, since a cyberattack on a ship can happen at any random moment, and this event does not always depend on cyberattacks that occurred some time ago.
Therefore, a model of the cyber security management system on the ship as a subsystem of the enterprise security management system was built using mathematical modeling methods. Such concepts as the state of cyber security of the ship, the probabilistic relationship between the states, regulation of actions according to the state are defined. The mathematical model of the cyber security management system is based on the model of discrete Markov processes, in which the vertices of the digraph of the Markov chain are the cyber security states of the ship. Connections between the states of the ship’s cyber security system were investigated using an expert method. The developed model is illustrated on the example of accounting for the state of cyber security of a ship. The considered methods and technologies of the ship’s cyber security system are implemented in the educational process of the Kherson Maritime Academy in the distance course “Cyber security of ship computer systems and networks”.

Keywords

cybersecurity in maritime transport, Markov chain model, distance course

1. Introduction

Humanity has entered the stage of development, which is called the “age of information technologies” and is characterized by the growth of the role and value of information. The strengthening of the role of information in the economy, in particular in transport, is accompanied by the growth of cyber threats [1, 2]. The European Union, which wants to strengthen cyber and information security measures in its institutions and business companies, drew attention to this problem. In today’s interconnected business environment, a single cybersecurity incident can cause extensive damage to an entire organization. The European Commission points out that the context of the COVID-19 pandemic and growing geopolitical challenges have confirmed the need for a common EU approach to cyber and information security. So the European Commission proposed the corresponding uniform regulations.
This point of view is supported by the International Maritime Organization (IMO), which has developed and adopted a number of documents on cybersecurity [3]. These documents oblige the administration of institutions and enterprises to ensure proper consideration of cyber risks in security management systems.

CTE 2023: 11th Workshop on Cloud Technologies in Education, December 22, 2023, Kryvyi Rih, Ukraine
natalikamkam@gmail.com (N. Kaminska); limonova@ukr.net (L. Kravtsova); kgmkherson@gmail.com (H. Kravtsov); zaytseva1966sunny@gmail.com (T. Zaytseva)
0000-0002-9975-7403 (N. Kaminska); 0000-0002-0152-635X (L. Kravtsova); 0000-0003-3680-2286 (H. Kravtsov); 0000-0001-6780-719X (T. Zaytseva)
© 2024 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
CEUR Workshop Proceedings (ceur-ws.org), ISSN 1613-0073
Nataliia Kaminska et al. CEUR Workshop Proceedings 22–35

The maritime industry needs specialists who can adequately monitor the situation at all facilities that may be targeted by cybercriminals. One of the requirements related to the aggravation of cybersecurity problems caused by the total digitalization in all spheres of human activity is to ensure the training of maritime specialists in the basics of cybersecurity on a sea vessel. As emphasized by the IMO, effective cyber risk management must embed a culture of cyber risk awareness at all levels, and ensure a holistic and flexible cyber risk management regime. In June 2017, the IMO Maritime Safety Committee adopted Resolution MSC.428(98) on the management of maritime cyber risks in safety management systems [3]. The resolution calls on the administration of ship companies to ensure the accounting of cyber risks in the existing information security management systems on the ship. In 2019, the International Chamber of Shipping jointly with BIMCO prepared “The Guidelines on Cybersecurity Onboard Ships.
Version 4” [4], which contains general updates of best practices in the field of cyber risk management, and as a key feature includes a section with improved guidance on the concept of risk management. The most significant differences of the fourth version include the addition of sections devoted to the participation of top management in cyber risk management; distribution of duties and tasks within the company; quantitative threat assessment; detection of vulnerabilities, including when visiting ships and during remote access; assessment of the probability of cyber danger; impact assessment; interrelationships of factors affecting risks; development of detection measures.

In November 2020, the International Chamber of Shipping, in cooperation with BIMCO and Witherbys, released the second edition of the “Cybersecurity Workbook for use on board ships”. The workbook provides ship crews with practical tools for identifying cyber threats and protecting vulnerable onboard systems. In the workbook, the International Chamber of Shipping considers that, at the operational level, the disadvantage of the digital revolution is the growing vulnerability of the operator to cyberattacks. As internet connectivity on board becomes more common, ship systems are increasingly digitized and integrated, and ships are now a target for hackers worldwide, it is critical that the entire crew has an idea of how and when cyberattacks can occur.

The International Organization for Standardization and the International Electrotechnical Commission developed and published the standard ISO/IEC 27005:2022 Information security, cybersecurity and privacy protection – Guidance on managing information security risks. This document provides guidance to assist organizations to:
• fulfill the requirements of ISO/IEC 27001 concerning actions to address information security risks;
• perform information security risk management activities, specifically information security risk assessment and treatment.
The Kherson State Maritime Academy is deservedly considered the flagship of maritime education in Ukraine. This status was preceded by very painstaking and long work of the management, teachers, and employees of the academy, connected with shaping its development strategy and the introduction of a competence approach to the training of marine specialists [5, 6, 7, 8, 9]. The great reward for this is the recognition of academy graduates on the world labor market, their competitiveness and demand by leading crewing companies. But such a level must be constantly confirmed by updating and modernizing both the material and technical base and the sailors’ training programs. First of all, this means that the academy bears full responsibility for the level of knowledge, skills and abilities that the graduate received during his studies, taking into account all the latest trends and requirements of international crewing.

2. Relevance of research and problem statement

There are enough articles devoted to the problems of cybersecurity in maritime transport, methods of analysis and forecasting of cybercrimes, the authors of which are, as a rule, experienced sailors who have encountered the problem of protecting and preserving information in practice. Thus, Lahno [10] emphasized that in order to increase the information security of transport systems, it is necessary to conduct research aimed at the further development of methods and models for recognizing cyber threats to the transport information and communication environment (ICT) and making decisions with vaguely specified input information. The author also offers methods of intelligent recognition of threats on a wide class of tasks of quantitative and qualitative recognition of cyberattacks.
As Captain Emil Muccin [11] noted, the US executive branch stated that the cyber threat is one of the most serious problems in the field of economy and national security. Unauthorized access by cybercriminals leads to a new area of potential threats that go far beyond physical piracy. This definitely needs to be recognized and appropriate action taken to assist ship owners and operators in maintaining ship information systems, which also includes an understanding of cyberattack analysis and forecasting techniques. Vilskyi [12] and Semenov [13] paid a lot of attention to cybersecurity in maritime transport in their works. Chiappetta [14] provides an overview of the main implications associated with cyber threats and shipping. Bateman [15] examined security threats and vulnerabilities in the modern shipping industry. In this context, various types of cyberattacks that ships face, as well as real incidents, were discussed. Possible countermeasures that can mitigate potential cyberattacks and make the shipping industry more cyber-secure were also considered, such as implementing a new security standard that reduces the number and scale of cyberattacks.

The media also pay a lot of attention to the issue of cybersecurity. For example, the head of the European Crime Agency warned of the growing risk of cyberattacks being used by organized crime groups to enable them to trade drugs [16]. The media reported that in February 2017, hackers took control of the navigation systems of a German-owned 8.250 TEU container ship en route from Cyprus to Djibouti for 10 hours [17]. One of the fundamental studies is the book by Foote [18], which explores cybersecurity in marine transportation. The article by Coq [19] is devoted to modeling the cybersecurity system in maritime transport.

There are general provisions and standard requirements for the organization of cybersecurity on a ship.
But it is the shipping companies that are responsible for ensuring the security of the information system. Therefore, the search and implementation of an effective ship cybersecurity system is an important and urgent task.

The purpose of this work is to describe, develop, and implement a ship cybersecurity model into the educational process of the Kherson Maritime Academy.

3. Results and discussion

3.1. Description of the ship’s information security system

Today, cybersecurity is one of the priorities in the national security system of Ukraine and the whole world [20, 21, 22]. Operators of ships and port facilities use computers and cyber-dependent technologies for navigation, communication, design, transportation of cargo, ballast, security, environmental control and many other purposes, so the share of cyber risks in the total volume of vulnerabilities faced by the maritime transport system is constantly increasing. This certainly indicates the need for training maritime industry specialists in this direction. Therefore, the list of disciplines of the training program for future sailors includes the course “Cybersecurity of shipboard computer systems and networks”, the purpose of which is a comprehensive analysis of the sources of cyber threats, the goals of cyberattacks, methods of forecasting and protection against possible manifestations of danger, as well as improving the safety of sailors, the surrounding environment, ship and cargo.

Cybersecurity issues, including in maritime transport, are dealt with by specialized companies, as ignoring or underestimating these issues can lead to loss of trust of potential customers, financial losses, as well as such consequences as physical damage to the ship’s security system, loss of confidential information, including commercial or proprietary data, and generally criminal activity, installation of ransomware and much more.
In order to better systematize cases of cyberattacks in the maritime industry, we propose to use a mathematical apparatus that will allow, on the basis of research and mathematical calculations, to determine the state of the ship’s information security based on a probabilistic approach to modeling the occurrence of cyber threats taking into account their types.

First, we need to decide which of the system modules that can be attacked we will investigate. Therefore, we will structure cybersecurity according to the degree of its consequences, the goals of cyberattacks, and their sources. At the same time, an important element in this process is the human factor, since most incidents are initiated by the actions of the ship’s personnel. But it must be emphasized that the adjustment of the ship’s control systems, its Internet networks, and monitoring of cyberattacks of any direction are handled by special services, highly qualified specialists who have access to all systems and the appropriate authorization for actions aimed at preventing cyberattacks or eliminating their consequences. The aim of the specified course “Cybersecurity of ship computer systems and networks” is to teach future sailors elementary rules of conduct related to the use of Internet networks on ships, interfaces of cargo management systems, bridge systems, ship traffic management systems, as well as the operation of ship communication systems vulnerable to external cyberattacks.

The International Maritime Organization lists the following cyber-vulnerable ship systems [3]:
• running bridge systems;
• cargo handling and management systems;
• engine, machine and power supply control systems;
• access control systems;
• passenger service and management systems;
• ship’s public Internet networks intended for use by passengers;
• administrative systems and networks;
• communication systems.
That is, the fact of the ship’s great vulnerability to a planned attack is obvious.

First of all, let’s list the most common cyber vulnerabilities that can be identified on board both existing and some new ships:
• outdated and non-updated operating systems;
• outdated or completely missing anti-virus software and anti-malware software;
• ineffective network management and use of administrator accounts and passwords;
• shipboard computer networks that do not have means of border protection and network segmentation;
• danger from safety-critical equipment or systems connected to shore systems;
• lack or incomplete access control for third parties, including contractors and service providers.

But the global threat is defined by cyberattack vectors through or in the maritime environment. We emphasize that the indicated problem belongs to the field of activity of MTS specialists, that is, the maritime transport system, but the management of each sea vessel and its crew must have a clear idea of all sources and channels of cybersecurity. This area includes:
• work with ships, which is provided by operational networks of ship management, cargo, navigation and communication systems, other specific functions;
• ensuring the operation of external and internal networks, such as company websites, portals for customers and partners, reservation systems and other commercial operations;
• personnel management, work and maintenance schedules, legal support and much more;
• a huge range of port operations, such as management of ships entering or leaving the port; control of the work of customs services, immigration, logistics and inventory services;
• management of the flow of ships in ports, canals, systems for determining the location of the ship, navigation and time and many other functions that ensure the safe and efficient movement of ships, cargo, passengers.
Each of the listed points is potentially dangerous from the point of view of the probability of cyberattacks. For example, if a ship carrying a dangerous cargo such as oil or liquefied gas falls under the control of cybercriminals, the consequences can be irreversible. This means that if the ship’s management or one of the crew members notices some inconsistencies in the operation of the ship’s system or the surrounding ship traffic, it is necessary to immediately inform the management about the incident.

Recall that cybersecurity can be defined as a certain superposition of security concepts, policies, management principles, risk management, actions, training, technology, practices, that is, everything that can be used to protect the cyber environment in which the system exists, taking into account the interest of the organization and the preservation of its assets. A well-planned and implemented cyber defense protects not only the organization’s own systems, but also all systems with which the organization’s data comes into contact.

The motivation of a cyberattack on a ship system can be schematically presented as follows (figure 1).

[Figure 1: Motivation of a cyberattack on a ship system. Attack motivators shown: organized crime, including blackmail; terrorism; cyber abuse; espionage (including industrial espionage); warfare; activist groups (called hacktivism).]

Let’s focus on such a widespread and most frequently occurring phenomenon as the misuse of cyberspace, that is, cyber abuse, which includes low-level criminal activities, including vandalism, disruption of systems, damage to websites and unauthorized access to the system. Such actions can be carried out both by not very experienced specialists and by insiders, i.e.
employees who have the right to access confidential information of this organization, or by staff or contractors who are dissatisfied for some reason; researchers may also get access to the information system without the sanction of the system manager. Such actions may not always carry any malicious intent and may result from a lack of necessary legal knowledge or ordinary curiosity, but according to the law they are considered a criminal offense.

It should be noted that cyberattacks, as a rule, are carried out in stages. The preparation of a cyberattack takes some time, which is determined by the attacker’s goal, the reliability of technical means of cyber risk control, and the degree of updating of the software of the ship’s systems. An experienced, trained specialist, who is not a professional system administrator, is nevertheless able to detect criminal attempts, track the most vulnerable key positions and, based on the analysis of the received information, draw conclusions about some criminal interest in the cybersecurity of the ship and its support systems. This makes it possible to predict more serious cyberattacks in advance and save time and costs for updating the system.

So, let’s assume that the specialist responsible for the cybersecurity of the ship monitors several positions, the analysis of which makes it possible to identify attempts to carry out cyberattacks on the ship. First, the specialist can detect the presence of an email from an unknown sender. Such an email may contain malicious files or links to malicious websites. Secondly, an experienced specialist will never use the ship’s or their own computer to communicate on social networks, technical forums, etc., but team members can ignore the ban and open suspicious sites, so it is necessary to track which sites were opened on board the ship with any device.
Third, the specialist periodically monitors fake or malicious sites that force or encourage personnel to disclose confidential information. The specialist responsible for cybersecurity also carries out control of external media that can be used to update the software of the onboard system, as well as a mandatory check of the actual data arriving on the ship or transmitted from the ship to the shore.

If an attacker gains access to the system in one way or another, he will try to exploit the entire system in stages. This will lead to an attempt to download scripts, exploits, network scans. In turn, he can install persistent tools or a system access logger.

3.2. Security model of the ship’s information system

From the point of view of the theory of random processes, a cyberattack (in any form) is a continuous random variable, because it can happen at any moment. But control by the CySO (Cybersecurity officer) is carried out periodically according to the established schedule, that is, discretely, which indicates the discreteness of the monitoring results. Of course, for a certain period, statistical information is accumulated about all cases of cyberattacks that were detected and tracked. Analysis of this information will help to predict the appearance of the next cyberattack and, if possible, to take measures to prevent it.

A careful analysis of the sources of cyberattacks, which occur most often, allows us to assume that this is a random process that obeys the laws that are called Markov processes in the theory of probabilities (or, more precisely, stochastic processes) [23].
By definition, a Markov process is a random process for which the “future” depends only on “today” and does not depend on “yesterday”, i.e., a random process is called a Markov process (or a process without an aftereffect) if for each moment of time $t$ the probability of any state of the system in the future depends only on its state at the present time and does not depend on how the system came to this state. So-called Markov chains are robust and widely known stochastic modeling tools that can be useful to expert analysts.

A random variable $X$ is a variable determined as the result of a random phenomenon. In our case, the result of the event may be detection of interference in the information system, loss of data (full or partial), failure of the system or its elements. In general, the space of possible results of the implementation of a random variable can be discrete or continuous; depending on this, its behavior corresponds to one or another distribution law, for example, normal (continuous random variable) or Poisson (discrete random variable).

A random process, which is otherwise called stochastic, is defined as a set of random variables that can be represented in the form of an indexed one-dimensional array $T$, the elements of which are the time moments of the occurrence of an event. If this array is the set of natural numbers, then we have a discrete-time random process, otherwise it will be a continuous-time random process.

Random variables may or may not be dependent on each other at different points in time. For example, cyberattacks can be carried out by completely different criminals, both individually and by organized, highly qualified groups. But it is also possible that someone carried out a cyberattack, but was not detected and punished for this crime, so this person will carry out such attacks in the future, each time improving the methods of attack and expanding their goals.

In the theory of random processes, various types of models have been studied and are widely used: Gaussian, Poisson, auto-regression, Markov chains, and many others. The choice of the model necessarily corresponds to the essence of the phenomenon under study, an in-depth analysis of its characteristic features, and statistical analysis of numerical results. The built model allows you to study the process in more detail, perform analysis and forecast the development of the event, and make a management decision on further constructive actions in a timely manner.

A careful analysis of cybersecurity problems on sea vessels allowed us to assume that the results of observations are subject to the properties of discrete Markov processes. This means that in order to determine the forecast regarding the behavior of the process in the future, information about the current state of this process is enough, that is, data on its behavior in the past will in no way affect the forecast of the future. It can also be noted that in order to determine the forecast and understand the trend, it is not necessary to have any information about the past. This is also called the “memoryless” property.

Thus, discrete-time homogeneous Markov chains, or simply Markov chains, are Markov processes with discrete time and discrete state space. In other words, a Markov chain is a discrete sequence of states, each of which is obtained from a discrete state space, which can be finite or infinite, and satisfies the corresponding properties. Mathematically, we define a Markov chain as follows:

$$X = (X_n) = (X_0, X_1, X_2, \ldots, X_n), \quad n \in \mathbb{N},$$

where at each moment of time the process takes a value from a discrete set $E$ such that

$$X_i \in E, \quad \forall i \in \mathbb{N}.$$
Then the sequence of states can be determined by the following relation:

$$P(X_{n+1} = s_{n+1} \mid X_n = s_n, X_{n-1} = s_{n-1}, \ldots) = P(X_{n+1} = s_{n+1} \mid X_n = s_n).$$

That is, such a mathematical description reflects the basic essence of the Markov process: the probability distribution of the next state of the system depends only on its current state, but does not depend on the past states.

Of course, at this stage of research, we believe that the process under consideration is a simple homogeneous Markov chain with discrete time. In the course of future research, we will add additional characteristics of the system that more fully describe it, thereby expanding the probabilistic description of the model.

Thus, it is possible to characterize the probability dynamics of the Markov chain. For this, we define only two aspects: the initial probability distribution, that is, the probability distribution at the time $n = 0$, namely,

$$P(X_0 = s) = q_0(s), \quad \forall s \in E,$$

and the transition probability matrix, which provides information about which following states are possible and can be defined as

$$P(X_{n+1} = s_{n+1} \mid X_n = s_n) = p(s_n, s_{n+1}), \quad \forall (s_{n+1}, s_n) \in E \times E.$$

Such a description allows you to determine the full dynamics of the entire process, which, in fact, is cyclical.

In our case, we will investigate four positions of possible cyberattacks on the system that can be detected during system monitoring. According to the model, it is necessary to determine the probability that the system takes the following states: $s_0, s_1, s_2, s_3$. Then the formal description of the state will have the following form:

$$P(X_0 = s_0, X_1 = s_1, X_2 = s_2, X_3 = s_3),$$

that is, the result will be the probability of a system’s cybersecurity based on an analysis of its previous state.

From the probability theory course, it is known that the formula for the full probability of obtaining the states $s_0, s_1, s_2, s_3$ takes into account the probability of the next state occurring, provided that the previous state was realized. But the assumption that the process can be defined as a Markov chain greatly simplifies mathematical calculations, without violating the main trends of the development of events. Then the probabilistic dynamics of the process has the form:

$$P(X_0 = s_0, X_1 = s_1, X_2 = s_2, X_3 = s_3) = P(X_0 = s_0)\,P(X_1 = s_1 \mid X_0 = s_0)\,P(X_2 = s_2 \mid X_1 = s_1)\,P(X_3 = s_3 \mid X_2 = s_2) = q_0(s_0)\,p(s_0, s_1)\,p(s_1, s_2)\,p(s_2, s_3).$$

In this way, it is possible to obtain the full probabilistic dynamics of the process only on the basis of the initial probability distribution $q_0$ and the transition probability matrix $P$, that is, the probability distribution at time $n + 1$ relative to the probability distribution at time $n$:

$$q_{n+1}(s_{n+1}) = P(X_{n+1} = s_{n+1}) = \sum_{s \in E} P(X_n = s)\,P(X_{n+1} = s_{n+1} \mid X_n = s) = \sum_{s \in E} q_n(s)\,p(s, s_{n+1}).$$

Markov chains obey all the rules of actions with matrix forms. If the finite set of $N$ possible states of the system is represented as a row vector $E = (e_1, e_2, \ldots, e_N)$, then the transition probabilities can be represented by an $N \times N$ matrix, so that

$$(q_0)_i = q_0(e_i) = P(X_0 = e_i), \qquad p_{i,j} = p(e_i, e_j) = P(X_{n+1} = e_j \mid X_n = e_i).$$

In other words, with such a description of the process, to obtain relationships between the current and next state of the system, you can use ordinary matrix forms and, accordingly, ordinary actions on matrices, for example, in our case, the rule

$$q_{n+1} = q_n p, \quad q_{n+2} = q_{n+1} p = (q_n p) p = q_n p^2, \quad \ldots, \quad q_{n+m} = q_n p^m.$$

Obviously, such a representation greatly simplifies the process of forecasting the situation, that is, cyberattacks on the ship’s information system based on probabilistic data analysis at the present time. For clarity, you can represent the connection in the form of a normalized directed graph, where each node defines a state, and the transition from state $i$ to state $j$ characterizes the probability $P_{ij}$ of the occurrence of such an event (figure 2).
Figure 2: Example graph of the transition from state $i$ to state $j$.

Consider the generally accepted 4 states of the ship’s cybersecurity system $E = (s_0, s_1, s_2, s_3)$, where state $s_0$ is safe (green zone), state $s_1$ is the existence of a cyber-threat or cyber vulnerability (yellow zone), state $s_2$ is the existence of a risk of a cyberattack (orange zone), and state $s_3$ is the presence of a cyberattack (red zone). In accordance with the state of the ship’s cybersecurity, the procedure for ensuring it, as well as interaction with the shipping company, is regulated.

Let’s consider the states of the ship’s cybersecurity system regulated by the Guide on cybersecurity on board ships [13]:

1. Threats. In general, there are two categories of cyber threats that can affect companies and ships:
   • untargeted attacks, in which the company or ship systems and data are one of many potential targets,
   • targeted attacks, when the intended target or one of several targets is the company or the ship’s systems and data.
   Untargeted attacks will most likely use tools and methods available on the Internet that can be used to detect and exploit widespread vulnerabilities that may also exist in the company and on board the ship. Targeted attacks can be more sophisticated and use tools and methods specially designed to attack a specific company or ship.
2. Vulnerabilities. The following are common cyber vulnerabilities that can be found aboard existing ships and some new ships:
   • outdated and unsupported operating systems,
   • uncorrected or unlicensed system software,
   • outdated or missing anti-virus software and anti-malware software,
   • inadequate security settings, including inefficient network management and careless use of accounts and passwords,
   • safety-critical equipment or systems connected to the shore,
   • insufficient control of access to cyber assets, networks, etc. for third parties, including contractors and service providers.
3. Risks. Risk assessment of the presence of cyber threats and vulnerabilities can be carried out both by IT specialists on the ship and by the company that owns the ship. At the same time, it is possible to include penetration tests of critical IT infrastructure to determine whether the actual level of protection corresponds to the desired level specified in the company's cybersecurity strategy.

4. Attacks. A cyberattack is an attempt to disable an information system or steal information through a vulnerability in the device or software. There are several types of cyberattacks:
• phishing,
• installation of malicious software,
• the use of encryption viruses,
• DDoS and others.

The safety model of the ship's information system using Markov chains is presented in figure 3. Here, the states of the system $E = (s_0, s_1, s_2, s_3)$ are connected to each other by the transition probabilities $P_{ij}$, where $i = 0, 1, 2, 3$, $j = 0, 1, 2, 3$. The transition probabilities $P_{ij}$ are given parameters of the model. If the shipping company does not define the values of the transition probabilities $P_{ij}$ of the matrix, then an expert method can be used to determine them [24].

Figure 3: Security model of the ship's information system.

3.3. An example of cyberattack analysis and forecasting

So, according to the proposed model, consider the state space of the ship's cybersecurity system as a row vector $E = (s_0, s_1, s_2, s_3)$. Suppose that the system is in the yellow zone and that the current information about the events, that is, the probability distribution vector, has the form (based on the previous analysis) $q_0 = (0.3, 0.5, 0.1, 0.1)$. That is, with a probability of 0.3 a return to the green zone was detected, with a probability of 0.5 the system was recorded as remaining in the yellow zone, with a probability of 0.1 a transition of the system to the orange zone was detected, and with a probability of 0.1 cyberattacks on the ship's information security system were expected. The transition matrix provides information about the probabilities of changing the state of cybersecurity:

$$
p = \begin{pmatrix}
0.6 & 0.2 & 0.1 & 0.1 \\
0.4 & 0.4 & 0.1 & 0.1 \\
0.2 & 0.3 & 0.3 & 0.2 \\
0.2 & 0.3 & 0.3 & 0.2
\end{pmatrix}
$$

Recall that each row of the matrix lists the probabilities of the possible events for the investigated states, and the sum of the values in each row is equal to one, that is, the probability of a certain event. Then, according to the rules of matrix operations, we determine the probability of each state $E = (s_0, s_1, s_2, s_3)$ for the next day:

$$
q_1 = q_0 p = (0.3, 0.5, 0.1, 0.1)
\begin{pmatrix}
0.6 & 0.2 & 0.1 & 0.1 \\
0.4 & 0.4 & 0.1 & 0.1 \\
0.2 & 0.3 & 0.3 & 0.2 \\
0.2 & 0.3 & 0.3 & 0.2
\end{pmatrix}
= (0.42, 0.32, 0.14, 0.12)
$$

i.e. with a probability of 0.42 you can expect the system to return to the green zone, with a probability of 0.32 the system remains in the yellow zone, with a probability of 0.14 the system will move to the orange zone, and with a probability of 0.12 you should expect a cyberattack on the ship's information security system. Thus, a return to the green zone is the most likely outcome. The probability of remaining in the yellow zone is significant. Let's pay attention to the fact that the sum of the values of the result row is equal to 1, that is, the probabilistic laws are indeed subject to the laws of matrix algebra.

The obtained result makes it possible to predict cases of cyberattacks at the next moment in time, to carry out appropriate work in advance and to warn of possible interventions by intruders. Let's present the transition matrix graphically, which makes it possible to visually assess the probability of a change in the state of the ship's cybersecurity system (figure 4).
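The one-day forecast $q_1 = q_0 p$ worked above, as an added Python example that is not part of the paper: it goes beyond the single step by validating the matrix rows, forecasting several days ahead, and iterating the same product to the chain's long-run distribution and mean return times. The matrix and $q_0$ are the paper's values; the function names are assumptions of this example.

```python
# Added example (not from the paper): the page's four-state chain, states s0..s3.
P = [[0.6, 0.2, 0.1, 0.1],   # from s0 (green)
     [0.4, 0.4, 0.1, 0.1],   # from s1 (yellow)
     [0.2, 0.3, 0.3, 0.2],   # from s2 (orange)
     [0.2, 0.3, 0.3, 0.2]]   # from s3 (red)
Q0 = [0.3, 0.5, 0.1, 0.1]    # current distribution q0 from the page

def check_distribution(v, tol=1e-9):
    """A probability vector: no negative entries, entries sum to 1."""
    if any(x < 0 for x in v) or abs(sum(v) - 1.0) > tol:
        raise ValueError(f"not a probability distribution: {v}")

def check_stochastic(p):
    """Every row of a square transition matrix must be a distribution."""
    for row in p:
        if len(row) != len(p):
            raise ValueError("transition matrix must be square")
        check_distribution(row)

def step(q, p):
    """One day ahead: row vector times matrix, q_next[j] = sum_i q[i] * p[i][j]."""
    return [sum(q[i] * p[i][j] for i in range(len(q))) for j in range(len(p))]

def forecast(q, p, days):
    """Distribution after `days` transitions, q_days = q0 * p^days."""
    check_stochastic(p)
    check_distribution(q)
    for _ in range(days):
        q = step(q, p)
    return q

def stationary(p, tol=1e-12, max_iter=10_000):
    """Iterate q -> q*p from the uniform vector until it stops changing."""
    check_stochastic(p)
    q = [1.0 / len(p)] * len(p)
    for _ in range(max_iter):
        nxt = step(q, p)
        if max(abs(a - b) for a, b in zip(q, nxt)) < tol:
            return nxt
        q = nxt
    raise RuntimeError("no convergence (a periodic chain, for example, never settles)")

def mean_return_days(p):
    """Mean recurrence time of state i is 1 / pi_i for an irreducible chain."""
    return [1.0 / x for x in stationary(p)]

if __name__ == "__main__":
    print("q1 =", [round(x, 4) for x in forecast(Q0, P, 1)])
    print("pi =", [round(x, 4) for x in stationary(P)])
    print("mean return (days) =", [round(x, 2) for x in mean_return_days(P)])
```

For this matrix the iteration settles at approximately (0.4286, 0.2857, 0.1571, 0.1286), so in the long run the red zone is occupied about 13% of the time regardless of the starting distribution.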
Figure 4: Graphic representation of the transition matrix.

Using the properties of Markov chains, it is possible to reveal interesting and useful results of process research. Thus, it is easy to prove that in our example the chain is aperiodic, irreducible (it does not decompose), and all its states are positive recurrent. This makes it possible to calculate the return period to the current state; that is, for any initial state, the process reaches a stationary distribution.

4. Introduction of ship cybersecurity methods and technologies into the educational process

The provided model is implemented in the lecture part of the distance course "Cybersecurity of ship computer systems and networks" [25].

Understanding the importance of ensuring the cybersecurity of the maritime industry, the leading teachers of the Department of Innovative Technologies and Technical Devices of Navigation offered master's students in shipping topics for qualification works that are specifically related to the provision of cybersecurity in maritime transport. Master's students, especially part-time students who are professional sailors and already have sufficient experience working on sea vessels, deliberately chose scientific topics that are currently relevant for those who apply for a leadership position in this field. But for the researchers, the participation of active sailors and shipmasters is also an important factor, as it provides an opportunity to analyze the state of cybersecurity of the ship's information systems directly based on the experience of shipmasters, to understand in detail the most vulnerable objects on the ship from the point of view of cyberattacks, and to prepare students of higher education as well as possible to work as an officer in the ship's crew.

It must be noted that, according to the plan for the preparation of the diploma thesis, the master's student, while on a voyage, i.e. on a ship, must conduct an experiment, the results of which either confirm a scientific hypothesis or refute it. In this work, the hypothesis is that it is possible to mathematically predict the occurrence of an event related to a cyberattack on a ship system.

In particular, several master's students, with the permission of the ship's management, were asked to survey crew members about their awareness of possible cyberattacks and methods of countering such phenomena (figure 5). The results of surveys conducted on different ships with different crews make it possible to systematize the main mistakes in the use of innovative technologies from the standpoint of their cybersecurity, and to correct the influence of the human factor on the part of the crew to improve the quality of protection against cyber threats during the voyage.

Figure 5: Fragment of the questionnaire for testing the ability of crew members to protect against external cyber attacks.

5. Conclusions

The authors of the paper proposed a new approach to the mathematical modeling of the cybersecurity management system on the ship, namely, the use of the theory of Markov chains. Cybersecurity was structured according to the degree of its consequences, the goals of cyberattacks, and their sources. Cases of cyberattacks in the maritime industry have been systematized, based on the analysis of which it is possible to assert the types of attempts to carry out cyberattacks on the ship. It is also determined that in the process of carrying out cyberattacks on a ship, the human factor is an important element, since most incidents are initiated by the actions of the ship's personnel. A mathematical method was used, which made it possible, based on research and mathematical calculations, to determine the state of information security of the ship based on a probabilistic approach to modeling the occurrence of cyber threats, taking into account their types.
The cybersecurity system of the ship is described and a model of the cybersecurity of the ship information system is built based on homogeneous Markov chains in discrete time. Four ship cybersecurity states are proposed. Connections between the states of the ship's cybersecurity system were investigated using an expert method. The model is illustrated by an example of a concrete implementation.

The proposed model is implemented in the educational process of the Kherson State Maritime Academy. The distance course "Cybersecurity of ship computer systems and networks" has been developed.

At the next stage, it is planned to expand the range of sources of cyber threats, which will make it possible to improve the regulatory actions of crew members in accordance with the state of the ship's cybersecurity system, as well as to conduct a full analytical study of the possibility of creating a cybersecurity space on board the ship.

References

[1] O. Y. Burov, O. P. Pinchuk, A meta-analysis of the most influential factors of the virtual reality in education for the health and efficiency of students' activity, Educational Technology Quarterly 2023 (2023) 58–68. doi:10.55056/etq.435.
[2] A. I. Jony, A. K. B. Arnob, A long short-term memory based approach for detecting cyber attacks in IoT using CIC-IoT2023 dataset, Journal of Edge Computing (2024). doi:10.55056/jec.648.
[3] IMO, Maritime cyber risk management in Safety Management Systems, 2017. URL: https://wwwcdn.imo.org/localresources/en/OurWork/Security/Documents/Resolution%20MSC.428(98).pdf.
[4] M. K. Fraende, Industry publishes new and improved cyber security guidelines, 2020. URL: https://www.bimco.org/news/priority-news/20201223-new-cyber-security-guidelines.
[5] O. O. Dobroshtan, Introduction of cloud computing technologies into the educational process of higher maritime educational institutions, CTE Workshop Proceedings 1 (2013) 125–126. doi:10.55056/cte.162.
[6] M. S. Lvov, H. V. Popova, Simulation technologies of virtual reality usage in the training of future ship navigators, Educational Dimension 1 (2019) 159–180. doi:10.31812/educdim.v53i1.3840.
[7] M. Sherman, A. Yurzhenko, Experimental research on the formation of future ship engineers' communicative competence based on gamification approach, Educational Dimension 3 (2020) 251–266. doi:10.31812/educdim.v55i0.3939.
[8] S. A. Voloshynov, I. M. Riabukha, O. O. Dobroshtan, H. V. Popova, T. S. Spychak, Adaptive learning environment design in the system of future maritime specialists' training, Educational Dimension 5 (2021) 126–143. doi:10.31812/educdim.4722.
[9] L. V. Kravtsova, T. V. Zaytseva, O. M. Bezbakh, H. M. Kravtsov, N. H. Kaminska, The optimum assessment of the information systems of shipboard hardware reliability in cloud services, CTE Workshop Proceedings 9 (2022) 200–215. doi:10.55056/cte.115.
[10] V. Lahno, Ensuring of information processes' reliability and security in critical application data processing systems, MEST Journal 2 (2014) 71–79. doi:10.12709/mest.02.02.01.07.
[11] E. Muccin, Combatting Maritime Cyber Security Threats, 2015. URL: https://www.marinelink.com/news/combatting-maritime393435.
[12] G. B. Vilskyi, Informational risks of navigation, Scientific Bulletin of KhDMA 1 (2012).
[13] S. Semenov, Cybersecurity in the fleet, Maritime security service 1 (2018).
[14] A. Chiappetta, Hybrid ports: the role of IoT and cyber security in the next decade, Journal of Sustainable Development of Transport and Logistics 2 (2017) 47–56. doi:10.14254/jsdtl.2017.2-2.4.
[15] T. Bateman, Police warning after drug traffickers' cyberattack, 2013. URL: https://www.bbc.com/news/world-europe-24539417.
[16] F. Akpan, G. Bendiab, S. Shiaeles, S. Karamperidis, M. Michaloliakos, Cybersecurity challenges in the maritime sector, Network 2 (2022) 123–138. URL: https://www.mdpi.com/2673-8732/2/1/9.
[17] T. Blake, Hackers took 'full control' of container ship's navigation systems for 10 hours – IHS Fairplay, 2017. URL: https://rntfnd.org/2017/11/25/hackers-took-full-control-of-container-ships-navigation-systems-for-10-hours-ihs-fairplay.
[18] R. Foote, Cybersecurity in the Marine Transportation Sector: Protecting Intellectual Property to Keep Our Ports, Facilities, and Vessels Safe from Cyber Threats, Cybaris® 8 (2017) 3. URL: https://open.mitchellhamline.edu/cgi/viewcontent.cgi?article=1073&context=cybaris.
[19] T. Coq, Cybersecurity by design, 2018. URL: https://www.dnv.com/maritime/publications/paper-security-by-design-complex-vessels/.
[20] D. V. Stolbov, Features of development software for teaching secondary school students the internet security, CTE Workshop Proceedings 3 (2015) 131–134. doi:10.55056/cte.255.
[21] T. Vakaliuk, I. Pilkevych, D. Fedorchuk, V. Osadchyi, A. Tokar, O. Naumchak, Methodology of monitoring negative psychological influences in online media, Educational Technology Quarterly 2022 (2022) 143–151. doi:10.55056/etq.1.
[22] N. M. Lobanchykova, I. A. Pilkevych, O. Korchenko, Analysis and protection of IoT systems: Edge computing and decentralized decision-making, Journal of Edge Computing 1 (2022) 55–67. doi:10.55056/jec.573.
[23] R. Serfozo, Basics of Applied Stochastic Processes, Probability and Its Applications, Springer, Berlin, Heidelberg, 2009. doi:10.1007/978-3-540-89332-5.
[24] M. G. Kendall, Rank correlation methods, Griffin, 1948. URL: https://psycnet.apa.org/record/1948-15040-000.
[25] Distance learning course "Cybersecurity of ship computer systems and networks", 2023. URL: https://mdl.ksma.ks.ua/course/view.php?id=4029.