A System-Aware Cyber Security Method for

Shipboard Control Systems With a Method Described

to Evaluate Cyber Security Solutions
Guy L. Babineau

Rick A. Jones and Barry Horowitz

Northrop Grumman, Naval & Marine Systems Division

1580B West Nursery Rd., Suite 595
Linthicum, MD 21090
Guy.Babineau@ngc.com

University of Virginia
Department of Systems and Information Engineering
151 Engineer's Way, Charlottesville, VA, 22903
raj2u@virginia.edu, bh8e@virginia.edu
attacks and 19 hijackings [2]. To date, piracy may not include
cyber attacks, but just as cyber crime on land has increased,
there exists the potential for future shipboard piracy to employ
cyber attacks.

Abstract Current shipboard control systems contain significant

levels of automation to perform complex functions such as
navigation and propulsion control. The purpose for employing
automated systems has been to reduce costs and improve
performance. While automation offers great benefits, it also
introduces a set of corresponding cyber security related risks.
Current ships carry only limited cyber security systems. In order
to advance the level of cyber security in shipboard control
systems, this paper introduces novel security design methods
which are designed to be embedded within the control system
itself. This paper also outlines a potential method for evaluating
the cyber security value of such patterns in the context of
shipboard control systems.

B. Terrorism
Opportunities for terrorist attacks include obtaining control
of or grounding of vessels carrying hazardous cargo; e.g.
liquefied natural gas or petroleum. The energy stored in a
liquefied natural gas carrier is a potential terrorist target, if
one tank of the five on board were to spill and ignite, the
energy release would still equal more than 10 Hiroshima
bombs.[3] In 2010, the most serious environmental incident
involving ships was due to an unintentional grounding and not
the result of a cyber attack. In this case, the grounded vessel
spilled 800 tons of oil [4]. An Ultra Large Crude Container
(ULCC) carries hundreds of thousands of tons of oil. When one
considers the potential for larger spills, the great risk exposure
for environmental damage argues for vigilance.

Cyber Security; Control Systems; Shipboard

I.

INTRODUCTION

The purpose for employing automated systems on ships has

been to reduce costs through reduced crew sizes, to reduce
maintenance costs through automated and predictive
monitoring of machinery, and to achieve higher levels of
performance than could be achieved through human control. As
a result, automated systems are now common in commercial
and naval vessels, and are considered necessary for both
affordability and performance.

C. Cyber Warfare
The US Navy has increasing concerns regarding adversaries
employing cyber attacks as part of warfare. In 2010, the Navy
established a U.S. Fleet Cyber Command which coordinates
with other naval, coalition and joint task forces to execute the
full spectrum of cyber, electronic warfare, information
operations and signal intelligence capabilities and missions
across the cyber, electromagnetic and space domains. [5]
Preventing a naval vessel from performing its mission could be
part of a cyber warfare scenario.

While automation offers great benefits, it also introduces a

set of corresponding cyber security related risks. These risks
are exacerbated by the fact that significant cyber attacks on
physical systems have occurred that included the use of
insiders and infected equipment to accomplish their results.
Stuxnet is one such example [1]. In this paper we describe risks
for shipboard systems and how system-aware cyber security
can be used to address those risks.
II.

The motivation for preventing cyber attack on shipboard

control systems is clear. We will next discuss vulnerability.
III.

CYBER SECURITY RISKS FOR SHIPBOARD SYSTEMS

Ship control systems have evolved in similar ways to shore

based automation in the use of commercial off the shelf
(COTS) computing platforms. The greatly reduced acquisition
and development costs of COTS hardware and software has
lead to an evolution of ship control systems that rely upon
standard computing environments as used by shore based
control systems. This includes the use of standard operating
systems, standard network protocols, industry standard
Programmable Logic Controllers (PLC), and other highly

This section highlights three domains of cyber security risk

related to shipboard control systems. These are piracy,
terrorism, and cyber warfare.
A. Piracy
Sea-based piracy continues to be a major problem.
Motivations for piracy include holding crew and cargo for
ransom. For the year 2012, as of June 25th, there have been 168

978-1-4673-2709-1/12/$31.00 2012 IEEE

VULNERABILITY TO CYBER ATTACK

99

commoditized devices. The shipboard control systems are

similar to industrial control systems which have been
successfully attacked.

programs, and the establishment of formal information

assurance plans. Insider attacks and equipment infections
continue to pose increasing risks, even to disconnected
systems. For example, the ability to attack systems has been
demonstrated via embedded instructions in USB devices. [1]

As indicated above, a well known example of an attack on

an industrial control system was Stuxnet, which involved an
attack on a PLC. Once the exploit was activated in the PLC, it
was able to cause damage to physical equipment. The use of
PLCs for shipboard control system is commonplace, so that it
is a plausible hypothesis that similar attacks could be made
against shipboard systems.

A. Addressing the Risk

Recognizing the security risks to ship control systems,
concepts have recently been developed for protecting systems
beyond the perimeter. [12] These techniquesidentified as
System-Aware security services because they depend on the
specifics of a systems designhave integrated fault-tolerant
technologies with cyber security technologies to deter, defend,
and restore systems from cyber attacks. Jones [12] describes
four security services:

The following examples illustrate attacks on industrial

control systems analogous to control systems aboard ships:
Environmental Control System - Environmental damage
was the objective of a cyber attack conducted in Australia in
2000. The attack targeted an industrial control sewage
treatment system and caused 800,000 liters of raw sewage
to spill out into local parks, rivers and even the grounds of a
Hyatt Regency hotel. [6]

1. Diversity. The concept of diversity, which is well

established in the reliability field, employs redundant but
diverse system elements. This reduces the chance that both
elements could have the same vulnerability to attack or the
same failure mode. This increases the effort and complexity of
attacking a system which could serve as a deterrent.

Pressure Control System - In another example, A gas

pipe in Siberia explodes after its computer control system
malfunctions. ... The resulting blast and fire could be seen from
space [7]

2. Configuration Hopping. Configuration hopping is a

technique which changes (hops) between diverse
configurations on a randomized basis. Configuration hopping
reduces vulnerability by making it more difficult for an attacker
to know exactly the configuration being attacked.

Power Control System Power systems on ships are

similar to land based power systems. An unsuccessful attack
occurred in 2010 when an unidentified computer intruder tried
to penetrate the Lower Colorado River Authority's power
generation network with 4,800 high-speed log-in attempts that
originated at an Internet address in China [8].

3. Data continuity checking. Data continuity checking

compares data at different points in the system to ensure
integrity. In the field of reliable systems, data continuity
checking has been combined with majority voting for
determining the correct system state and for fault isolation.

Attacks on shipboard control systems are less well known.

However, there are events that have occurred that serve as
indicators of potential vulnerability. For example, an accidental
operator entry caused a US Naval vessel to be unable to operate
for over two hours in 1998. [9] One can hypothesize that a
cyber attacker could purposefully create the same scenario.

4. Tactical Forensics. Tactical forensics are used to

distinguish between faults induced by cyber attack and faults
induced through system failure.
In section V, we will address how System-Aware security
services can be applied to a high risk system vulnerability that
commonly exists as part of a ship control systems design.

Over the last few years new forms of cyber attack have
become more prevalent, including insider and supply chain
injected infections. It has been recognized that much of the
commercial technology referred to above are produced by
industries that are potential sources of such attacks.[10] As a
result new solutions are called for in order to protect against
these types of attacks on ships with modern commercial control
equipment. In addition, the number of ships that connect their
systems to the Internet is increasing. This is because shipboard
connection to the Internet serves a variety of purposes ranging
from providing the crew with Internet access for personal use,
to providing access for the remote control and monitoring of
engines. For example, Wartsila is a well known company
which provides remote engine monitoring. [11]

IV.

COMMUNICATIONS NETWORK FOR CONTROL SYSTEMS

For a substantial number of ships, a communications

network switch is central to the ship control system design.
Networks offer the ability to easily distribute feedback
measurements and control signals among diverse elements of
the overall system.
The use of networks has created a potential vulnerability
associated with automated control systems. For example, a
denial of service attack on the network could result in the
inability to control the engine or rudder, endangering the vessel
and preventing mission essential functions. Such denial of
service attacks are frequently levied against other systems. [13]

Ship operators have recognized these risks by taking certain

actions to ameliorate them. These include (1) adding perimeter
security to remote access of ship networks; (2) extending
perimeter security for control systems via firewalls, password
protection and operating system configuration; and (3)
employing a variety of other security measures such as
personnel training, control of physical access to control
systems, cyber related penetration testing and evaluation

Based on these factors, one can identify the embedded

network as a high value component for attackers. Shipboard
control systems can manage numerous, sometimes redundant,
sub-systems. These include Navigation, Steering, Propulsion,
Electrical Power Distribution,
Fire Detection, and Fire
Suppression all critical subsystems which could create
problems if attacked.

100

to be compatible with the pre-existing system design. For the

purposes of this example, diverse redundancy drawn from the
fault-tolerant system design community and configuration
hopping drawn from the moving target cyber security
community are the suggested solutions.

A. Potential Cyber Attacks Against Control Networks

As a preamble to discussing specific cyber attack scenarios,
a simplified representation of a ship control system, including
its embedded network, is introduced. Consider a system
consisting of two operator control stations, two network
switches, two propulsion controllers, and two engines under
control. This simplified control system representation consists
of eight components and is illustrated in Fig 1.
Operator
Interface
1

Operator
Interface
2

Network
Switch 1

Network
Switch 2

Propulsion
Controller 1

Propulsion
Controller 2

A. Augmenting the System with System-Aware Security

A diversely redundant solution is introduced by substituting
an alternate implementation for Network Switch 2. In Fig. 2,
we show different model switches. This configuration requires
an attacker to develop separate exploits to accomplish the same
result as discussed earlier.

Engine
1

Engine
2

Figure 1. Simplified Control System the Baseline

In this system, the propulsion controller provides local

control of each engine. It acts upon commands from the
network switch to change speed or perform other high level
functions such as start or stop. Once the controller receives a
command from the network, it performs the detailed control of
the engine to achieve the command.

Network
Switch 1
Model A

Propulsion
Controller
1

Engine
1

Operator
Interface
2

Network
Switch 2
Model B

Propulsion
Controller
2

Engine
2

Hopper

Figure 2.

For this example, it is assumed that Network Switch 2 will

assume the roles of Network Switch 1 in the event of a failure
to that switch. Redundancy is a common design method for
critical system functions to avoid the consequences of a single
point of failure leading to catastrophic results.

Simplified diagram with configuration hopping

In addition to diverse redundancy, a moving target solution

is introduced into the security design through the
implementation of a supervisory process which causes the
active communication switch to be dynamically hopped
between Network Switch Model A to Network Switch Model
B. The frequency of hopping is a balance between the
overhead and dropped messages from hopping too frequently
and the risk exposure to not hopping fast enough.

Now consider that the network switch has been subjected to

a cyber attack, disabling the ability to communicate control
requests for changes to engine speed. Since the system has
been designed with a second switch, Network Switch 2, if
uncompromised, would take over, thereby avoiding immediate
adverse impacts to system performance.

The block diagram of Fig. 2 has the advantage that if a

switch were disabled by cyber attack the other switch would be
able to process information. In a more sophisticated attack
where the switch was compromised to pass false messages, but
not disabled, a third switch with a voting mechanism would be
needed to determine which switch is in error.

An additional scenario is when one switch has been

compromised in such a way that the operator is unaware of the
failure. The result to the ship might be increased uncertainty
and result in a longer time to address the issue, putting the ship
at greater risk. We address this in our discussion of Voting.

B. Impact of hopping on the performance of the network

To determine the feasibility of our security implementation,
we developed a test to address whether the hopping between
switches would be an adverse impact on system performance.
System performance would be adversely impacted if the
control functions were disrupted to the point that they were
compromised. We identified the following criteria to establish
whether control functions were compromised, including; (1)
critical messages could not be lost, (2) information critical for
control functions could not be delayed beyond the point that the
control function was adversely impacted (<25ms), (3) message
loss be limited (<1%), and (4), information critical for review
by an operator could not be delayed beyond the point that the
operator would lose confidence in the control system
(<1000ms).

In redundant designs the replicated components usually

have the same design, implementation, and supplier. This
provides economic advantages for the purchase and integration
of a control system, and also results in reduced spares and
training for maintenance personnel. In this example, it becomes
possible for both switches to be successfully attacked with a
single exploit, resulting in a situation where the control system
would be disabled and no further control actions could be
performed.
V.

Operator
Interface
1

A SYSTEM-AWARE CYBER SECURITY SOLUTION

To address this class of vulnerabilities, a System-Aware

Cyber Security solution is suggested, integrating techniques
developed for fault-tolerant systems with techniques suggested
for cyber security. [12] The System-Aware security concept
augments traditional perimeter level security by embedding
cyber security within the control system itself, and is designed

Furthermore, in order to provide additional security to the

system it is desirable that configuration hopping be as fast as
possible while sustaining control over the system.

101

To ensure that critical messages are not lost, one can

consider the fact that message loss can occur even in a
configuration where no hopping is occurring due to normal
network activity such as message collision. For this reason,
control systems are designed to ensure that critical messages
are retransmitted. Therefore, we considered that the first
criteria would not be impacted by hopping unless the messages
were also delayed, which would be tested by our second
criteria.

Emulation was used to analyze the performance of

diversely redundant network switches while simulation was
used to model the traffic generated by the automated control
subsystems and operator messages. The network switches were
emulated to capture all of the possible effects due to a vendors
design choices. Simulation was used to generate the network
traffic as it was not necessary to either accurately model the
specific information sent in each packet or emulate the actual
control actions taken by the automated control systems or
operator interfaces.

To address the second criteria, one can consider the types of

systems to be controlled over the network and the typical rates
at which they operate. Consider the example of a ships heading
which is used in a closed loop control by the autopilot to
control the rudder for steering. The commercial specification
for ships heading only requires heading to be updated at 1-10
HZ for large vessels and 40 HZ for a high speed craft [14].
Thus, in the worst case (High Speed Craft) messages could not
be delayed beyond 25ms.

For this experiment, a typical traffic load for an automated

ship control system operating under normal conditions was
generated. This involved the simulation of 100 separate
channels of information, each generating traffic at a rate of 250
Kbps and sending data packets of 1KB in size; i.e., a total
traffic load of ~25 Mbps. In addition, approximately one third
of the traffic is TCP and two thirds of the traffic load is UDP.
Thus, 33 of the 100 channels sent their information using the
TCP, and 67 of the 100 channels sent their information using
the UDP. This traffic load of ~25 Mbps was sent over two
diversely redundant gigabit network switches for one hour (i.e.,
network switch one had a load of ~25 Mbps and network
switch two had a load of ~25 Mbps). It is noted that these
switches are over specified for the traffic load; however, this is
typically the case for automated ship control systems. Over the
course of the hour the sending and receiving time of every
packet was recorded. This information was then used to
estimate the number of packets that would have been lost if
various configuration hopping rates had been applied.

To address the third criteria, one can consider that systems

are designed to handle loss of messages. For non-critical
messages such as those containing information about
continuous measurements, such as temperature, the loss of a
single message is not critical. In fact, implementations often
use a non-guaranteed method of delivery for these types of
messages such as Universal Datagram Protocol (UDP). For
messages like temperature measurement, using something
similar to UDP, we considered losses up to 1% to be
acceptable. For the messages requiring ensured receipt, such as
offered by Transmission Control Protocol (TCP), any message
loss will be automatically handled by the transmission protocol
and resent.

Fig. 3 shows the number of UDP packets lost per 10,000 for
a series of ten separate experimental runs for configuration
hopping at rates of five, ten and twenty seconds. A
reconfiguration rate of five seconds was chosen as being
sufficiently fast enough to detect the erroneous behavior of a
network switch before permanent damage could be caused to
the ships systems. Ten and twenty second reconfiguration rates
were selected to assess the relationship between performance
impact of reconfiguration and its impact on performance.

To address the fourth criteria one can consider that in

multiple systems, the operator interface is only updated at a 1
HZ rate. Therefore information for the operator cannot be
delayed more than 1 second. This is a relatively slow rate for
the systems controlling ships and is not a major factor since the
automatic control requires much smaller delays.
C. Experimental Results
To explore the relationships between hopping, lost data,
and delayed data, we conducted a laboratory experiment using
a combination of emulation and simulation to model a simple
ship control system. This allowed us to assess the possible
impacts of configuration hopping to the model when applied to
a diversely redundant set of network switches. The decision to
focus on the messages of the automated control functions and
operator messages was due to the use of UDP to transmit
information. As explained above, the UDP protocol does not
ensure delivery, and thus carries the potential for packet loss. In
addition, the vendors of network switches can employ a variety
of hardware, software, and configuration settings to optimize
the performance of their product offerings. This can possibly
result in different rates of forwarding packets. Thus, when the
system dynamically reconfigures from one switch to another,
this can result in packets being dropped and information being
lost. This can possibly lead to negative impacts on the
performance of the automated control systems and operator
interfaces as messages are lost, which, in turn, can lead to
updated status information being delayed.

Figure 3. UDP packets lost per 10,000 sent due to configuration hopping for
a set of 10 experiments. The packet losses for each experiment are shown for
reconfiguration rates of five, ten, and twenty seconds.

As seen in Fig. 3 the number of packets lost due to

configuration hopping is minimal. Thus, the impact of packet
loss on operator messages and its corresponding affect on the

102

delay of automated control system messages is minimal. In

addition, it can be observed that the number of packets
decreases approximately linearly as the rate of reconfiguration
increases. This linear relationship is expected, as the rate of
reconfiguration is relatively large compared to the rate at which
information is being generated, and the traffic load is low
compared to the network switch capacity. As a result, each
instance in which the system reconfigures can be considered
independent of the last. Finally, it is noted that the average
packet delay is ~10ms across all experiments.

Operator
Interface
2

Network
Switch 1
Model A

Propulsion
Controller
1

Network
Switch 2
Model B

Propulsion
Controller
2

Network
Switch 2
Model C

Network
Switch 2
Model B

Operator
Interface
2

Network
Switch 2
Model C
Hopper

D. Voting
In the example shown in Fig. 2, there are two network
switches. If a problem is detected, one may not know which of
the network switches had been compromised. As discussed
previously, a mechanism is needed to isolate the network
switch producing the erroneous results. One such mechanism is
voting. Voting would require a third switch and a method to
assign the correct answer as that coming from two of the three
switches. Voting can also be compromised but again, the
difficulty is increased. Fig. 4 illustrates a revised system with a
third network switch and a voter added.
Operator
Interface
1

Network
Switch 1
Model A

Operator
Interface
1

Propulsion
Controller
1

Engine
1

Propulsion
Controller
2

Engine
2

Voter

Figure 5. System with Hopping andVoting

VI.

AN EVALUATION OF CYBER SECURITY SOLUTIONS

While system-aware security methods are new techniques,

there are recommended methods for protecting control systems.
The National Institute of Standards and Technology has
updated its recommendations for Information Systems to
include Control Systems [15]. This special publication outlines
policy and procedures but does not offer a method for
evaluating the merits of different Cyber Security methods
which may address the same risk but do not have a formally
provable level of benefit. Other methods employ security audits
which increase security but may not address all risks fully.

Engine
1

Given the affordability challenge of addressing all potential

Cyber Security threats, it is important to have a mechanism
which allows methods to be compared in a repeatable way.

Engine
2

In the context of an acquisition, a system owner provides

the system context, a risk analysis and scoring guidelines. A
prospective implementer of a solution provides a description of
the security method and an estimate of the mitigation of risk
when employed along with the costs associated with the
method. The system owner may then compare potential
solutions against each other.

Voter

Figure 4. System with Voting Added

There are some considerations critical to the design of the

voter. Our initial conclusion was that a very simple voter
implemented in a simple hardware gate logic circuit, for
example, would be the best solution because it could not be
compromised itself (without physical access) and it would be
both fast enough to perform the voting and inexpensive enough
not to add too much cost. However, such a voter would be very
limited in the information which it checked. A more complex
voter would be able to check multiple values and thereby
prevent more types of attack. A more complex voter, however,
would be more expensive and possibly developed in
programmable firmware or software which would be more
readily compromised than hardware.

We use following weighted factors to score the solutions.

1) Security Score factors:
Deterrence: The mitigation of risk based on the mere
implementation of such a system. For example, a hard
target may be less likely to be attacked because it is
known as hard.
Real Time Defense: The mitigation of risk based on the
systems ability to prevent an attack underway.
Restoration: A score representing the systems ability to
restore itself after an attack. For example a system
could be designed either to simply halt, or to be able to
detect, and eliminate the source of attack in-stride.

A further refinement of the method is to combine hopping

and voting as shown in Fig. 5. This provides the benefits of
both techniques at a cost of increased complexity.

2) Cost Score Factors:

Collateral System Impacts: A score representing the
impact to the system in performance, weight, size, or
other technical performance measures.
Implementation Cost: A score representing the cost to
implement the solution

103

have also outlined a set of possible security solutions using the

techniques of the System-Aware Cyber Security method.
Furthermore, we have provided an initial assessment to
evaluate the potential security afforded by the proposed
solution. We believe that providing the motivation for
enhanced security, providing System-Aware Cyber Security
techniques, and providing an initial evaluation of the potential
solutions will be a benefit to the maritime community.

Life Cycle Cost: A score representing the operational

cost of the solution. For example, a solution might
require the operation of a monitoring facility.
B. An evaluation of the methods proposed
We evaluated the security methods described above:
Baseline No additional security (Fig. 1), Hopping Only (Fig.
2), Voting Only (Fig. 4), and Hopping and Voting (Fig. 5)
The results of this evaluation are summarized in Fig. 6. For
each of the four options a score between 1 and 10 was assigned
for each of the six factors. The security and cost scores were
the weighted sum of their respective factors. We assigned
representative weights and scores based on a hypothetical
customer and our background in costs for similar systems.
Higher cost scores represent lower (better) costs and higher
security scores represent higher (better) security.

REFERENCES
[1]

[2]

Security Factors

Cost Factors
Collateral
Life
Real Time
System
Implement. Cycle Security Cost
Deterrence Defense Restoration Impacts
Costs
Costs Score
Score
weight
0.4
0.4
0.2
0.5
0.25
0.25
1
1
Baseline
1
1
1
10
10
10
1
10
Hopping
Only
5
4
1
4
4
4
3.8
4
Voting
Only
4
5
8
8
6
6
5.2
7
Hopping
With
Voting
8
7
8
4
3
3
7.6
3.5

[3]

[4]
[5]

[6]

Figure 6. Evaluation of Security Options-Example

The individual options are plotted by security and cost

scores in Fig. 7. This graphically demonstrates the best choices
among the security options. As an example, hopping has a
relatively low (poor) cost score for a relatively low (poor)
security score.

[7]

[8]

[9]

[10]

[11]
[12]

[13]
Figure 7. Evaluation of Security Options

This method gives the system owner and system designer a

tool for comparison of security methods and a rational
approach to demonstrating relative merit of different options.

[14]

VII. CONCLUSION

[15]

We have provided motivation for consideration of Cyber

Security for Shipboard Control System and shown a
correspondence to vulnerability of shore based systems. We

104

Falliere, N. O. (2011, February). W32.Stuxnet Dossier. Retrieved

October
7,
2011,
from
symante.com:
http://www.symantec.com/content/en/us/enterprise/media/security_respo
nse/whitepapers/w32_stuxnet_dossier.pdf
International Crime Services of the International Maritime Board. (n.d.).
ICC International Crime Services. Retrieved July 5, 2012, from
www.icc-ccs.org:
http://www.icc-ccs.org/piracy-reportingcentre/piracynewsafigures
Husik, L. A. (2005, March 21). Planning a Sea-borne Terrorist Attack.
Retrieved
August
30,
2011,
from
fpri.org:
http://www.fpri.org/enotes/20050321.americawar.husickgale.seaborneter
roristattack.html
IHS Fairplay. (2010). 2010 World Casualty Statistics. London, UK: IHS
Fairplay.
Fleet Cyber Command/U.S. 10th Fleet Public Affairs. (2011, October 6).
U.S. Fleet Cyber Command/U.S. 10th Fleet Holds Change of Command.
Retrieved
October
7,
2011,
from
www.navy.mil:
http://www.navy.mil/search/display.asp?story_id=63080
Abrams, M. a. (2008, July 23). Malicious Control System Cyber
Security Attack Case StudyMaroochy Water Services, Australia.
Retrieved
August
30,
2011,
from
nist.gov:
http://csrc.nist.gov/groups/SMA/fisma/ics/documents/Maroochy-WaterServices-Case-Study_report.pdf
Diep, F. (2011, June 20). When Hackers Knocked the Lights Out [Slide
Show]. Retrieved August 30, 2011, from ScientificAmerican.com:
http://www.scientificamerican.com/slideshow.cfm?id=lights-out-whenhackers-knocked-out-lights
Behr, P. (2011, April 19). Smart Grid Exposes Utilities to Smart
Computer
Hackers.
Retrieved
August
30,
2011,
from
SicentificAmerican.com:
http://www.scientificamerican.com/article.cfm?id=smart-grid-exposesutilities-computer-hackers
Slabodkin, G. (1998, July 13). Software glitches leave Navy Smart Ship
dead in the water. Retrieved August 30, 2011, from GCN.com:
http://gcn.com/Articles/1998/07/13/Software-glitches-leave-NavySmart-Ship-dead-in-the-water.aspx
Wartsila Corporation. (2011). Wrtsil's new PCMS collects invaluable
data on how propulsion solutions perform. Retrieved October 7, 2011,
from wartsila.com: http://www.wartsila.com/en/twentyfour7-pcms
Defense Science Board, High performance microchip supply,
Department of Defense, Washington, DC, 2005.
Jones, R. A. (2011). System-Aware Cyber Security. 2011 Eighth
International Conference on Information Technology: New Generations,
(pp. 914-917).
Lennon, M. (2011, February 1). DDoS Attacks Exceed 100 Gbps, Attack
Surface Continues to Expand. Retrieved October 7, 2011, from
securityweek.com: http://www.securityweek.com/ddos-attacks-exceed100-gbps-attack-surface-continues-expand
International Maritime Organization. (1995). Resolution A.821(19)
Performance Standards for Gyro-Compasses for High-Speed Craft ISO
16328. London, United Kingdom: United Nations International
Maritime Organization.
NIST, Computer Security Division. (2009). Recommended Security
Controls for Federal Information Systems and Organizatons.
Gaithersburg, MD: National Institute of Standards and Technology.