Managing Cyber Security Risks of the Cyber-Enabled Ship

One aspect of the digital transformation process in the shipping industry, a process often referred to as Shipping 4.0, is the increased digitization of on board systems that goes along with increased automation in and autonomy of the vessel. This is happening by integrating Information Technology with Operation Technology systems that results in Cyber Physical Systems on which the safe operations and sailing of contemporary and future vessels depend. Unavoidably, such highly interconnected and interdependent systems increase the exposure of the vessel’s digital infrastructure to cyber attacks and cyber security risks. In this paper, we leverage the STRIDE and DREAD methodologies to qualitatively and quantitatively assess the cyber risk of Cyber Physical Systems on board digitalized contemporary and future ships. Further, we propose appropriate cyber security baseline controls to mitigate such risks, by applying a systematic approach using a set of criteria that take into account the security requirements; the cyber risks; the possible attacks; and the possibly already existing controls, to select from the list of controls provided in the Industrial Control Systems (ICS) overlay of the NIST Guide to ICS Security. The results are expected to support the decision-making and the design of a security architecture for the cyber-enabled ship.


Introduction
Despite the fact that today almost all ships are to some extent digitalized, the shipping industry addresses the digital transformation challenge, including the emergence of crew-less vessels [1]. Such vessels come in two broad categories, namely the remotely operated vessel and the autonomous vessel; both kinds are referred to as cyber-enabled ships (C-ES) [2]. The C-ES is a cyber physical ecosystem which consists of the vessel itself, a Shore Control Center (SCC) that controls and handles the C-ES, the communication links between the vessel and the SCC, and other ships in the vicinity.
The integration of Information Technology (IT) and Operation Technology (OT) to form Cyber Physical Systems (CPS), which constitute a central element of the digital transformation process in many application domains, is unavoidably accompanied by an increase and a diversification of the cyber risks that the domain is facing. This is mainly due to the fact that whereas traditional operations were designed with no need for cyber security in mind, modern IT-enabled operations are allowed to be accessed and controlled by outward-facing information systems, through interfaces that are rarely adequately secure [3].
The C-ES is no exception. Although most of the C-ES CPSs are parts of today's conventional ships, their exposure to contemporary technologies, aiming to be controlled and monitored remotely, increases the attack surface and makes them more vulnerable to cyber-attacks. Indeed, research on the cyber security risks of autonomous and unmanned vessels [2,4] has revealed an increased attack surface and several vulnerable systems. Thus, ship-side cyber security incidents, such as, for example, the ones reported in Reference [5][6][7], have already occurred; in fact, such incidents have been increasing at an alarming rate over the last three years [8]. Such incidents may also impact the safety of humans, operations, and cargo.
In the light of these findings, of the increased financial value of the sector [9], and of the multitude of potential attackers, including such with advanced capabilities, the promotion of cyber security and safety of the C-ES ecosystem becomes very important [10]. The first step towards strengthening the cyber security posture of an ecosystem is to understand, analyze, and manage the cyber risks that it faces; this will eventually drive the design of a security architecture that includes appropriate cyber security controls that will mitigate the risks.
Risk is defined as "the effect of uncertainty on objectives" [11]. Cyber Security risk is associated with the potential that threats will exploit vulnerabilities of an asset or group of assets and thereby cause harm to an organization. Cyber risk is assessed in terms of the likelihood of a threat¹ occurring, the extent of the vulnerabilities² to the threat, and the magnitude of the impact³; these constitute the elements of cyber risk.
¹ A threat is the potential cause of an unwanted incident, which may result in harm to a system or organization [12].
² A vulnerability is a weakness of an asset or control that can be exploited by one or more threats [12].
³ Impact or consequence is the outcome of an event affecting objectives [12].
The risk management process as specified in ISO 31000 [13] comprises five sub-processes [11], as shown in Figure 1:
1. The external and internal context for cyber security risk management should be established, which involves setting the basic criteria necessary for cyber security risk management, defining the scope and boundaries, and establishing an appropriate organization operating the cyber security risk management.
2. Risks should be assessed, i.e., identified, quantified or qualitatively described, and prioritized against risk evaluation criteria and objectives relevant to the organization.
3. Controls to reduce, retain, avoid, or share the risks should be selected and a risk treatment plan defined.
4. Information about risk should be exchanged and/or shared between the decision-makers and other stakeholders.
5. Risks and their elements should be monitored and reviewed to identify any changes at an early stage and to maintain an overview of the complete risk picture.
This is why, as Figure 1 illustrates, the cyber security risk management process can be iterative for risk assessment and/or risk treatment activities.
In this paper, we focus on the risk assessment and the risk treatment sub-processes. Risk assessment methods are quantitative, qualitative, or semi-quantitative. Quantitative risk assessment is based on using mathematical methods and rules and assigns a numerical value, often in the [1-x] range to each risk. The results are less subjective than those of the other two types, and therefore drive the process of control selection more effectively, but they cannot be easily communicated to non-technically oriented decision-makers. In contrast, qualitative risk assessment is based on applying non-numerical methods and assigns a level value to each risk, such as low, medium, and high. This type of assessment has a limited number of results, but these are more comprehensible to decision-makers. Finally, semi-quantitative risk assessment combines rules and methods for evaluating the risk by combining numeric values and levels; for example, the [1-x] range can easily be converted into qualitative expressions that help risk communication to decision-makers.
STRIDE and DREAD have been selected for the work described herein. These methods can effectively analyze highly interconnected CPSs comprising heterogeneous components [14], and they are most appropriate for analyzing systems under development.
In such systems, the operational and functional requirements are not established yet. Alternative approaches need such requirements to produce valid results. In contrast, STRIDE and DREAD facilitate the analysis of conceptual systems by answering questions regarding the security objectives of the targeted ecosystem. Moreover, the combination of qualitative and quantitative methods to analyze the cyber risk provides a holistic view, not captured by other methods. Further, this hybrid approach facilitates the communication of the results to relevant stakeholders while allowing the representation of cyber risk in numeric form, thus facilitating the assessment of the effectiveness of controls at later stages of the risk treatment process. Finally, both STRIDE and DREAD are being widely used in both academia and industry [15].
Risk treatment is the process followed to modify risk [11]. A risk can be treated by:
• modifying its level, by introducing controls;
• retaining it, with no further action taken;
• avoiding it, by avoiding the activity or condition that gives rise to the particular risk;
• sharing it with other party or parties, for example, by means of insurance and/or risk financing.
The four options for risk treatment are not mutually exclusive. Sometimes a combination of options, such as modifying risks and sharing or retaining any residual risks, can be beneficial.
Individual elements of the cyber risk of, as well as attacks⁴ against individual CPSs in the C-ES, have been studied, and proposals for risk assessment approaches have appeared in the literature. However, to the best of our knowledge, a holistic assessment of the cyber risks of the whole CPS part of the C-ES ecosystem, comprising all of the aforementioned types of risk assessment methods, which leads to concrete proposals for cyber security controls and can also be used by non-technical decision-makers, has not been made available.
⁴ An attack is an attempt to destroy, expose, alter, disable, steal, or gain unauthorized access to or make unauthorized use of an asset [12]. An attack is a particular way of a threat to exploit one or more vulnerabilities.
In this paper:
• we extend our previous work in Reference [2] on qualitative risk assessment of CPSs on board the C-ES to all CPSs identified in Reference [16];
• we provide a quantitative risk assessment for all C-ES CPSs identified in Reference [16];
• we propose an approach for systematically selecting appropriate cyber security controls to mitigate the cyber risks; and
• we demonstrate the workings of the approach by applying it to select cyber security controls for the most vulnerable CPSs on board the C-ES.
The remainder of the paper is structured as follows: In Section 2, we review the relevant literature. In Section 3, we use the STRIDE method [17] as modified in Reference [2] to analyze the threats and the attack scenarios for the CPSs of the C-ES that have been identified in Reference [16] and to qualitatively assess the related risks. In Section 4, we turn our attention to quantitatively assessing the risks, by leveraging a variant of the DREAD method [18] adapted for use in CPSs. Our proposed approach for systematically selecting cyber security controls is presented in Section 5, where also its workings are demonstrated by means of applying it to select controls for the three most vulnerable on-board CPSs of the C-ES. Finally, Section 6 summarizes our conclusions and indicates directions for future research.

Related Work
A wealth of cyber risk assessment methods applicable to general purpose IT systems exists. Whilst these can be and have been applied to IT systems in the maritime domain, they cannot accurately assess cyber risks related to CPSs [19]. Cyber risk assessment methods for CPSs more often than not are domain specific, as they need to take into account safety as an impact factor additional to the "traditional" impact factors of confidentiality, integrity, and availability [3]. In the maritime domain, a review of cyber security risk assessment methods appeared in Reference [20]. Rødseth et al. in Reference [21] proposed a risk assessment method for the unmanned merchant ship. Although the method aims to identify both safety and security risks, particular focus is given on hazard identification and to the accordant risks, with cyber security left largely unaddressed. Tam et al. in Reference [4] proposed the MaCRA model-based framework for maritime cyber-risk assessment and applied it to a number of example scenarios [22]. However, the aim of MaCRA is not to assess the risks or flaws of specific systems, but rather to facilitate the understanding of cyber risks in the maritime domain. B. Svilicic et al. in Reference [23] proposed a framework for assessing cyber risks in ships and applied it to the case of the Electronic Chart Display and Information System (ECDIS).
Several works in the literature have analyzed security threats and risks for specific systems used in specific types of autonomous and remotely controlled vessels. Among these, Bolbot et al. in Reference [24] identified and analyzed safety related cyber-attacks in an autonomous inland ferry; their analysis covers safety aspects regarding the navigational and propulsion system of the ferry. Silverajan [29] presented a security evaluation of the Automatic Identification System (AIS), by introducing threats affecting both the implementation in online providers and the protocol specification. Lund et al. in Reference [30] described a proof-of-concept attack on an INS and its integrated ECDIS, and demonstrated the attack on a vessel. Kavallieratos et al. in Reference [2] identified potential cyber attack scenarios and qualitatively evaluated the accordant risks for a number of CPSs of the C-ES ecosystem, both on-board and in the SCC.
Systematic methods for selecting security controls for IT systems either view the problem of control selection as an investment problem and apply management tools and financial analysis to optimize the selection [31], or in the context of responding to an intrusion, i.e., when a specific attack has been already detected as taking place [32]. A combinatorial optimization model to efficiently select security controls was proposed in Reference [31]. However, security control selection is still largely performed empirically, particularly for CPSs. In the maritime domain, potential cyber security controls for systems on board autonomous and remote controlled vessels have also been proposed. Bothur et al. in Reference [33] discussed the security vulnerabilities that smart ships face, and described security countermeasures, particularly procedural and technical solutions, by following a defense in depth approach. Silverajan et al. in Reference [25] analyzed the main systems of an unmanned smart ship and proposed defense strategies against previously discussed cyber attacks and threats. Bolbot et al. in Reference [24] analyzed safety-related cyber attacks for the navigational and propulsion systems, evaluated the accordant risks and proposed general security recommendations. Sahay et al. in Reference [34] proposed an SDN framework to mitigate cyber attacks and improve the resilience in the smart ship's communication network. None of the above works followed a systematic, risk-based process for selecting the controls. Further, the aforementioned analyses focused on defense strategies and controls that are not system-specific.

STRIDE
STRIDE is an acronym formed by the initials of six security threats: Spoofing, Tampering, Repudiation, Information disclosure, Denial of Service, and Elevation of privileges. Spoofing is the capability of an adversary to pretend that they are someone or something else. Tampering is the alteration or disruption of an asset of the system, e.g., disk, network, or memory. Repudiation is someone's allegation that they did not do something which influences the system's operation or were not responsible for the results of their actions. Information disclosure reveals confidential information to unauthorized entities. Denial of Service reduces the availability of the system by, e.g., exhausting system resources. Elevation of Privilege is an adversary's ability to assume privileges that allow them to execute unauthorized actions.
The method was developed by Loren Kohnfelder and Praerit Garg in 1999 and is described in detail by A. Shostack in Reference [17]. Security threats are analyzed and attack scenarios are developed in light of the security objectives of Authenticity, Integrity, Non-repudiation, Confidentiality, Availability, and Authorization. STRIDE can be used to discover potential threats and vulnerabilities as early as the design phase. Therefore, it enables the analysis of systems that are under development, thus facilitating the requirements engineering elimination process and adherence to security-by-design principles [35]. STRIDE has been used in ecosystem environments similar to the C-ES, where CPSs are prominent [14,36,37].

STRIDE for the CPSs of the C-ES Ecosystem
STRIDE is a threat modeling method. In our previous work [2] we proposed a modified version of STRIDE and used it to model threats, to develop cyber attack scenarios, and to qualitatively assess the accordant risks for fourteen CPSs of the C-ES ecosystem, namely the Engine Automation System (EAS), the Bridge Automation System (BAS), the Shore Control Center (SCC), the Autonomous Engine Monitoring and Control System (AEMC), the Engine Efficiency System (EES), the Maintenance Interaction System (MIS), the Navigation Systems (NavS), the Autonomous Ship Controller (ASC), the Human-Machine Interface (HMI), the Remote Maneuvering Support System (RMSS), the Emergency Handling system (EmH), the Automatic Identification System (AIS), the Electronic Chart Display and Information System (ECDIS), and the Global Maritime Distress and Safety System (GMDSS). A reference architecture for the C-ES was proposed in Reference [16], in which five CPSs additional to those in the architecture proposed in Reference [2] were identified, namely the Collision Avoidance (C.A.), Radar, CCTV, Advanced Sensor Module (ASM), and Auto Pilot (AP) systems.
The results of the application of the modified STRIDE of Reference [2] to these systems, as well as to the Voyage Data Recorder (VDR), Cargo Management, and Engine Data Logger (EDL) systems that, due to space limitations, were not reported in Reference [2] are presented in Tables A1-A8 in the Appendix A. In these tables "I" stands for "Impact", "L" stands for "Likelihood" and "R" stands for "Risk". Three distinct values have been assigned to the impact and the risk: Low (L), Medium (M), and High (H). The possible values for the likelihood of a cyber attack are: Very Likely (VL), Moderate (M), and Rare (R). These values have been assigned by applying the criteria that are described in Tables 1 and 2, and in Figure 2 of Reference [2], and are summarized in Table 1. The values have been determined by both consulting the literature and by leveraging the authors' own expertise.

Impact Criteria
High: Significant financial damage to the shipping company; or physical damage to the infrastructure; or loss of human life.
Medium: Financial damage to the shipping company; or disruption of operations; or legal sanctions; or breach of the confidentiality, integrity or availability of information.
Low: Delay of non-critical operations; or breach of the confidentiality, integrity or availability of non-sensitive information.

Likelihood Criteria
Very Likely: Existence of highly motivated and capable attackers and no controls in place; or wide availability of exploits; or high exposure of the system to the internet.
Moderate: Existence of highly motivated and capable attackers and inadequate controls in place; or wide availability of exploits that require physical access; indirect exposure of the system to the internet.
Rare: Absence of highly motivated and capable attackers; or adequate controls in place; no exposure of the system to the internet.

DREAD
DREAD [18] stands for Damage, Reproducibility, Exploitability, Affected users/systems, and Discoverability. Damage represents the damage that a cyber attack may inflict on the system; along with the Affected Users/Systems, it represents the Impact of the attack. Reproducibility represents the ability of the attacker to reproduce the attack, whilst Exploitability represents their ability to exploit the system's vulnerabilities and to carry out the attack. Discoverability represents the capacity of the adversary to identify the system's vulnerabilities. The sum of Reproducibility, Exploitability, and Discoverability represents the Likelihood of the cyber attack.
STRIDE and DREAD are interrelated and provide a systematic analysis of novel systems to ensure the security of such systems early in the design phase. The former facilitates the qualitative security analysis of the system by considering six security threats that violate the corresponding security objectives. The latter quantifies the identified risks that result from the attack scenarios developed with STRIDE.

DREAD for the CPSs of the C-ES Ecosystem
Quantitative risk analysis aims to assign meaningful numbers to elements of risk analysis; impact and likelihood are such elements. Assessing the cyber risk by considering the probability of an attack occurring results in rating numbers and values that can cause confusion and disagreement among stakeholders in the risk management process [18]. DREAD aims to overcome such limitations by quantifying specific aspects (Damage potential, Reproducibility, Exploitability, Affected systems, and Discoverability) of security threats and attacks to assign meaningful numbers to the elements of risk by means of Formulas (1) and (2).
Building upon the analysis of the security threats and the corresponding attack scenarios for the CPSs of the C-ES as reported in Reference [2] and in Section 3.2 above, DREAD is used to produce quantitative estimates of the risks of the identified attack scenarios. The risk value is calculated by using the following formulas:
The values for the DREAD components are determined according to the criteria shown in Table 2, which have been adapted from Reference [18] so as to include CPSs aspects. These criteria are analyzed in Reference [38].

Table 2. DREAD (Damage, Reproducibility, Exploitability, Affected users/systems, and Discoverability) criteria [38].

D (Damage)
• The adversary is able to bypass security mechanisms; get administrator access; upload/modify the CPS content.
• Leakage of confidential information of the CPSs (functions/source code); cause partial malfunction/disruption of the system.
• Leaking non-sensitive information; the attack is not possible to extend to the other CPSs on-board.

R (Reproducibility)
• The cyber-attack can be reproduced anytime to the targeted CPS.
• The adversary is able to reproduce the attack but under specific risk conditions.
• Although the attacker knows the CPS's vulnerabilities/faults, s/he is unable to perform the cyber-attack.

E (Exploitability)
• The cyber-attack can be performed by a novice adversary in a short time.
• A skilled adversary may launch the attack.
• The attack requires an extremely skilled person and in-depth knowledge of the targeted CPS.

A (Affected users/systems)
• All CPSs are affected.
• Partial users/systems, non-default configuration.
• The attack affects only the targeted CPS.

D (Discoverability)
• The CPS's vulnerabilities are well known and the attacker is able to get access to the relevant information to exploit them.
• The CPS's vulnerabilities/faults are not well known and the adversary needs to get access to the CPS.
• The threat has been identified and the vulnerabilities have been patched.
Tables 3 and 4 depict the resulting risk value of each CPS for each STRIDE threat, calculated according to the Formulas (1)-(3), and by both consulting the literature, and by leveraging the authors' own expertise.

Discussion
As already mentioned in the introduction, a semi-quantitative risk assessment facilitates the communication of risks to non-technical decision-makers. In this case, expressing the results of the quantitative risk assessment in Section 4.2 in qualitative terms will also allow comparisons to be made between these and those of the qualitative risk assessment in Section 3.2. To this end, the risk values in Tables 3 and 4 can be converted to qualitative risk levels as follows:
Low: DREAD risk ≤ 1
Medium: 1 < DREAD risk ≤ 2
High: 2 < DREAD risk ≤ 3
Table 3 suggests that Spoofing and Denial of Service are the most critical threats both among the engine room and the SCC systems. Similarly, Table 4 suggests that the Spoofing, Tampering, and Denial of Service threats present the highest risk levels among the bridge systems of the C-ES. Tampering and Information disclosure are medium risk threats, and Repudiation and Elevation of privileges are low risk threats.
Moreover, a single risk value for each examined system can be assigned, equal to the largest among the risk values for the same system. Table 5 depicts these numerical values, as well as the results of the quantitative risk assessment converted to qualitative according to the rules above and those of the qualitative risk assessment. It can be noticed that none of the studied CPSs faces low risk, and that the risk levels determined by the qualitative and the quantitative risk assessment methods for most of these systems are similar; deviations should be attributed to the increased subjectivity of the qualitative risk assessment. Despite the deviations, both approaches suggest that the navigational systems are among the most vulnerable on-board CPSs of the C-ES.
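The conversion to qualitative levels and the per-system maximum described above, as an added example that is not code from the paper. It assumes each DREAD component is scored 1 to 3 and that impact, likelihood and risk are plain averages, because Formulas (1)-(3) are not reproduced on this page; the names `Dread`, `level`, `system_risk`, `deviations` and all sample scores are constructed for illustration.

```python
"""DREAD scoring for STRIDE attack scenarios (added example; all scores are constructed)."""
from dataclasses import dataclass, astuple
from fractions import Fraction


@dataclass(frozen=True)
class Dread:
    damage: int
    reproducibility: int
    exploitability: int
    affected: int
    discoverability: int

    def __post_init__(self):
        # Assumption: every component is rated 3 (high), 2 (medium) or 1 (low).
        if any(score not in (1, 2, 3) for score in astuple(self)):
            raise ValueError("each DREAD component must be 1, 2 or 3")

    @property
    def impact(self):
        # Damage together with Affected users/systems represents the Impact.
        return Fraction(self.damage + self.affected, 2)

    @property
    def likelihood(self):
        # Reproducibility, Exploitability and Discoverability represent the Likelihood.
        return Fraction(
            self.reproducibility + self.exploitability + self.discoverability, 3
        )

    @property
    def risk(self):
        # Assumption: risk is the mean of impact and likelihood, so it stays within 1..3.
        return (self.impact + self.likelihood) / 2


def level(risk):
    """Convert a numeric DREAD risk to the qualitative level used in the Discussion."""
    if not 0 <= risk <= 3:
        raise ValueError("DREAD risk outside the 0..3 range")
    if risk <= 1:
        return "Low"
    if risk <= 2:
        return "Medium"
    return "High"


def system_risk(scenarios):
    """Single risk value of a system: the largest risk among its threat scenarios."""
    threat, score = max(scenarios.items(), key=lambda item: item[1].risk)
    return threat, score.risk, level(score.risk)


def deviations(quantitative, qualitative):
    """Systems whose qualitative (STRIDE) level differs from the converted DREAD level."""
    differing = {}
    for system, scenarios in quantitative.items():
        converted = system_risk(scenarios)[2]
        if qualitative[system] != converted:
            differing[system] = (qualitative[system], converted)
    return differing


# Constructed sample scores in the order (D, R, E, A, Di); not the values of Tables 3-5.
SAMPLE = {
    "AIS": {
        "Spoofing": Dread(3, 3, 2, 3, 3),
        "Repudiation": Dread(1, 2, 1, 1, 2),
        "Denial of Service": Dread(3, 2, 2, 2, 3),
    },
    "VDR": {
        "Tampering": Dread(2, 2, 2, 1, 2),
        "Information disclosure": Dread(2, 1, 2, 1, 1),
    },
}
# Constructed qualitative levels standing in for a STRIDE assessment.
QUALITATIVE = {"AIS": "High", "VDR": "High"}

if __name__ == "__main__":
    for system, scenarios in SAMPLE.items():
        threat, risk, lvl = system_risk(scenarios)
        print(f"{system}: {float(risk):.2f} ({lvl}), driven by {threat}")
    print("deviations:", deviations(SAMPLE, QUALITATIVE))
```

Exact fractions are used so that a score landing on a threshold (for example a risk of exactly 2) is classified by the stated rule rather than by floating-point rounding.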
In previous work [16], we analyzed the interconnections and interdependencies among the CPSs of the C-ES. By leveraging these results along with the quantitative risks depicted in Tables 3 and 4, the propagation of risks among the CPSs can be examined. Note, for example, that the AIS is interconnected and interdependent with the ECDIS, the Radar, and the ASM, systems that also face the highest risk values. This is because systems which are interconnected and interdependent share similar security risks, because they inherit the vulnerabilities of the most vulnerable CPSs which can be used as intermediate stepping stones for launching attacks [38].

Cyber Risk Treatment
The ISO27005 risk management approach aims at identifying risk treatment strategies rather than designing the security architecture of the system under study. A necessary prerequisite for designing such an architecture for the C-ES is to select appropriate controls for each individual component, and to consolidate these into a coherent and consistent whole that will take into account not only the risks, but also the requirements stemming from the C-ES's environment. Accordingly, we propose an approach for managing the risks of the C-ES, as depicted in Figure 2, where six sub-processes are specified, along with their inputs and outputs. The Environmental Analysis sub-process for the C-ES has been carried out in Reference [16]; the Threat Analysis sub-process has been carried out in Reference [2]; and the Security Requirements Elicitation sub-process has been carried out in Reference [39]. In this work we focus on the Cyber Risk Assessment sub-process (Sections 3 and 4) and on the Control Selection sub-process (Section 5.1). The Security Architecture Design sub-process is the subject of future work.

Control Selection
This activity includes the initial selection of a set of minimum security controls to protect the system based on a set of criteria that take into account the security requirements; the cyber risks; the possible attacks; and the possibly already existing controls. This set will ensure baseline protection of the system; the baseline controls are the starting point for the design of the overall security architecture, which will derive from the application of tailoring to the set of security control baselines to account for peculiarities of the system and of the organization that owns or operates the system. In the sequel our approach for selecting the set of baseline controls is described.
A number of sources (e.g., Reference [40][41][42]) provide sets of security controls from which a selection can be made. All of these sources pertain to information systems rather than cyber-physical systems; hence their applicability in the case under study is limited. However, Appendix G of the NIST Guide to Industrial Control Systems (ICS) Security [43] provides the ICS overlay, which is a partial tailoring of the controls and control baselines in Reference [41,42], which adds supplementary guidance specific to ICS. We will be using this source to select controls from, according to the following set of criteria, adapted from Reference [44]:
C1: Kind of CPS that needs to be protected.
C2: Security aspects that need to be protected.
C3: Threats that need to be eliminated.
C4: Potential control alternatives.
C5: The value of the CPS to protect, according to its importance. This has been assessed within the process of attack path analysis, performed in Reference [38].
C6: The likelihood of threat occurrence. This derives from the threat analysis performed within the risk assessment process of Sections 3 and 4.
C7: Risk coverage provided by alternative controls.
As an example, the values of the control selection criteria for the spoofing threat against AIS are as follows:
C1: Navigational CPS.
C2: Integrity and availability. These are derived from the security requirements that have been established in Reference [39].
C3: Spoofing/Tampering/DoS. These derive from the threat analysis results performed in Reference [2] and in Sections 3 and 4.
C4: Encryption/Tamperproof hardware.
C5: High. This has been assessed within the process of attack path analysis, performed in Reference [38].
C6: Very likely. This derives from the threat analysis performed within the risk assessment process of Sections 3 and 4.
C7: Low. No alternative controls are already in place.
These values lead to selecting the IA-3 control category of Reference [43]. An example of a control that belongs to this category is the establishment and use of an authentication infrastructure for such devices, such as, e.g., the one proposed in Reference [45,46].

Application to the Case of the AIS, the ECDIS, and the GMDSS
The results of the application of the process described above to the three most vulnerable on-board systems of the C-ES are shown in Tables 6-8.

Repudiation High
The AIS should implement the security services in order to protect the system from loss of control or possession of information.

Possession and Control, Nonrepudiation
Voyage data, such as destination port or cargo related information, should be confidential to prevent potential leakage to adversaries.

Denial of Service Medium
The connectivity between system and external actors and between on board systems must be continuous.

High
The AIS must be able to implement lock mechanisms (e.g., lock HMI screen) upon request by the administrator or after a configurable time of idleness.

Authenticity, Non-repudiation
Internal System Connections (CA-9), Monitoring Physical Access (PE-6)

Table 7. Control selection for the Electronic Chart Display and Information System (ECDIS).

Risk Requirement Objective Control Category

Spoofing High
The use of ECDIS must be restricted only to authorized and well trained personnel.

Tampering Medium
The ECDIS must be able to control the flows of voyage-related data sent to other ships and to the SCC.

Repudiation Medium
The ECDIS should be able to audit sent and received data to external actors.

Denial of Service Medium
Safety signals transmitted through the GMDSS to other on board systems and external actors must be continuously available.

Elevation of privileges Medium
The ASC must be able to provide security, safety, and dynamic data to the GMDSS, when needed

Authenticity, Possession and Control
Device Identification and Authentication (IA-3)

Table 9 depicts the consolidated controls per studied CPS. Some of these controls are recommended for all systems (Device Identification and Authentication (IA-3), Cryptographic Protection (SC-13), Denial of Service Protection (SC-5), Physical Access Control (PE-3), Internal System Connections (CA-9)), whilst others are recommended for two or for only one of the studied systems. During the security architecture design phase, the controls identified for all systems will need to be re-considered, consolidated, checked for applicability in the specific environment, conformance to guidelines, compliance to standards etc.

Table 9. Baseline controls.

As is typical with risk treatment strategies, the application of security controls does modify (reduce) the risk but does not eradicate it. To complete the risk treatment process one needs to assess the effectiveness of the applied controls, to consider the residual risk within the specific environmental and organizational context and to possibly repeat the process until the residual risk falls below the accepted risk level. This process can be effectively performed when the whole security architecture of the C-ES has been determined; accordingly, this is an item for future work.
One of the distinctive characteristics of CPSs is their ability to interconnect dynamically, sometimes to address scope beyond the originally intended one. This often results in emergent, hence unpredictable, behavior. In order to effectively secure CPSs in such situations, dynamic assessment of cyber risk is recommended. The proposed methodology, as it now stands, cannot capture such behavior. However, it can be extended, along the lines followed in Reference [36].

Conclusions
We systematically analyzed the cyber security risks of the CPSs of the C-ES. Both a qualitative and a quantitative assessment of these risks was undertaken, by using the STRIDE and DREAD methods respectively. By leveraging the results of both assessments and applying a systematic structured approach, we identified appropriate baseline cyber security controls for each of the three more vulnerable on-board CPSs. As future work, we intend to build on these results to design the security architecture of instances of the C-ES.

Conflicts of Interest:
The authors declare no conflict of interest.

Table A1. Collision Avoidance-C.A.
An adversary may flood the systems with fake data, thus affecting its ability to share the valid data with the engine and navigational systems. The disruption of the system's operation may cause significant damage to the vessel and/or financial damage to the shipping company since the vessel's situational awareness capability will be adversely affected.

Appendix A. STRIDE
H M H E Due to the weak access control in the ASM, an adversary may gain system access with high administrative rights and disrupt the ASM operation and/or services.