Abstract— Port services and maritime supply chain processes depend upon complex interrelated ICT systems hosted in the ports' Critical Information Infrastructures (CIIs). Current research efforts for securing the dual nature (cyber-physical) of the ports and their supply chain partners are presented here.

Keywords - physical/cyber security, risk assessment, supply chain

I. INTRODUCTION

Critical Infrastructures (CIs) have become dependent on ICT technologies (such as networking, telecommunications, cloud, sensor and SCADA technologies), thereby rendering Critical Information Infrastructures (CIIs) a vital element of their functioning. This is very prominent in the case of modern port infrastructures, which tend to be highly dependent on the operation of complex, dynamic ICT-based maritime supply chains. Ports and their supply chains are becoming a target for hackers [35], who are increasingly launching cyber-attacks on ports' systems, including vessels, global navigation systems, ports' physical systems and cargo management systems. Such attacks can disable a vessel, hijack, divert or steal cargo, while also compromising sensitive customer or corporate data. Likewise, attacks on the ports' Industrial Control Systems (ICSs) (e.g. supervisory control, SCADA, distributed control systems and programmable logic controllers) may cause disruption or damage of critical port mechanical devices (e.g. container cranes, safety and mechanical systems that operate locks and dams) and, even worse, may cause loss of life, theft of cargo and destruction of ships. According to the US ICS-CERT report, from 2006 to 2012 the number of cyber incidents in SCADA systems increased by 782%. An attack on a container terminal management system could disrupt intermodal container services involving maritime, rail and truck transportation. Older port legacy ICS have long service lives and often operate in independent modes with inadequate password policies and security administration, no data protection mechanisms, and protocols that are prone to snooping, interruption and interception, which may cause the disruption of various critical port and supply chain (SC) operations and services.

The emerging landscape of ICT-empowered ports' CIIs requires a paradigm shift in the way risks and vulnerabilities are assessed, as well as in the relevant risk management methodologies. For over a decade significant efforts have been allocated to the introduction of risk management and assurance methodologies for CIs [1]. Most of these risk management methodologies focus on the identification and classification of threats, the identification of the various vulnerabilities and ultimately the evaluation of the potential impact of threats and vulnerabilities (e.g., [2], [3]). These methodologies feature differences in terms of the stakeholders that they address (e.g., policy makers, decision makers, asset managers, CI operators, solution integrators), but also in terms of the assets that they support and the level of accuracy that they can handle. However, they are not appropriate for dealing with contemporary ICT-based port CIIs and dynamic maritime supply chains, due to the following limitations:

- They are overly focused on physical-security aspects and pay limited attention to CIIs. At the same time they tend to ignore the complex nature of the ICT systems and assets used in the maritime sector (e.g., SCADA), along with their interrelationships. This is for example the case with several international standards and legislation (e.g., the International Ship and Port Facility Security Code (ISPS), the International Safety Management Code, EC Regulation No 725/2004 on enhancing ship and port facility security, and EC Directive 2005/65 on enhancing port security), as well as with related risk assessment methodologies, e.g. MSRAM (Maritime Security Risk Analysis Model) and MARISA (MAritime RISk Assessment) [4].

- They do not adequately take into account the security processes associated with international supply chains, which are nowadays ICT-enabled and therefore severely exposed to intentional and unintentional compromise of CIIs. This is reflected in the fact that to date we have seen only limited/partial implementations of relevant standards (such as ISO 28000).

The above listed limitations are also acknowledged in reports, standards and regulations produced by prominent security stakeholders. For example, the first ENISA (European Union Agency for Network and Information Security) report
on cyber maritime security (2011) [5] concludes that awareness of cyber security needs in the maritime sector is currently low to non-existent and highlights the challenges of managing the interdependencies between ICT systems and other port assets. As a result, most of the actors involved in port CIIs and the maritime supply chain use varied and non-standard practices to guarantee the credibility and the effectiveness of the full system development life cycle, including design/development, acquisition of custom or commercial off-the-shelf (COTS) products, delivery, integration, operations, and disposal/retirement. Most of the adopted components present significant vulnerabilities and weaknesses and might be flawed or counterfeit, or might contain malicious elements, thereby jeopardizing the operation of the whole maritime supply chain. In this context, the lack of visibility and traceability in the often opaque processes and practices used to develop and acquire ICT-related products and services from each maritime actor increases the risk of not being able to detect and remedy intentional and unintentional compromises that may be introduced through a variety of means, including counterfeit materials and malicious software.

Enhanced, global risk assessment frameworks that can deal with ports' ICT risks, the cascading effects of port risks on their supply chain, and the threats and vulnerabilities of the ICT-based maritime supply chain are needed. This paper presents the escalating results from three related projects: CYSM (http://www.cysm.eu/index.php/en/), Medusa (medusa.cs.unipi.gr) and Mitigate (www.mitigateproject.eu), and concludes with various open issues for further research.

II. CII RISK ASSESSMENT: THE CYSM APPROACH

A. State of the Art

The main goal of risk management is (in general) to protect business assets and minimize costs in case of failures, and thus it represents a core duty of successful port management. Hence, risk management is a key tool for security within organizations and it is essentially based on the experience and knowledge of best-practice methods. These methods consist of an estimation of the risk situation based on the business process models and the infrastructure within the organization. In this context, these models support the identification of potential risks and the development of appropriate protective measures. The major focus lies on the companies and the identification, analysis and evaluation of threats to the respective corporate values.

The outcome of a risk analysis is in most cases a list of risks or threats to a system, together with the corresponding probabilities. International standards in the field of risk management are used to support the identification of these risks or threats as well as to assess their respective probabilities. These standards range from general considerations and guidelines for risk management processes (e.g. [16], [17], [15]) to specific guidelines for the IT sector (e.g. [14], [12], [13], [11], [10], [9]) all the way to highly specific frameworks as, for example, in the maritime sector (e.g., [8], [7], [6], [18]). Most of these standards specify framework conditions for the risk management process, but rarely go into detail on specific methods for the risk analysis or risk assessment. This is one reason why differences in the risk assessment often arise within the specific areas of application, making a direct comparison of the results difficult.

In principle, choosing the right method and the right tool for risk analysis and risk evaluation proves to be complicated. In recent years, a number of concepts, algorithms and tools have evolved from research, specially designed to protect the ICT infrastructure and related systems. Since their historical background is settled in a business context, in these methods a quantitative risk assessment is usually performed based on monetary costs (see [19], [20], the EBIOS method and the aforementioned ISO/IEC 27005:2013 standard [13]). In this context, most of the methods and tools (see [21] for a comprehensive list) just use the commonly known rule of thumb "risk = probability x potential damage" [22]. Depending on the applied method, the terms and scales for the assessment of the probabilities as well as of the potential damage are predefined (such as in the NIST policy [24] or in the Mehari method [23]). In practice, the selection of a specific risk-assessment tool is based on practical considerations, and depends on how well the present terminology of the application can be mapped onto the predefined specific terminology of the risk assessment methodology.

In order to structure the process of risk assessment, there are various attempts to develop ontologies for general risk assessments [25], [26]. For example, the AURUM system [27] provides a graphical tool for ontology-based modeling. In addition, it uses a Bayesian approach for determining threat probabilities (which is also done by the method proposed in [28]). The OCTAVE method [29] is based on subjectively estimated probabilities and thus can be understood as an a priori distribution with regard to the Bayesian approach. The OCTAVE method uses UML as a modeling language and represents a comprehensive collection of tools and best-practice methods for risk management. The CORAS method [30] allows the integration of several different risk assessment processes, whereas the identification of the probability of an attack is not done automatically but a priori to any risk assessment.

In contrast to the aforementioned general and IT-specific guidelines for risk management, in the security and risk management of the maritime sector a huge emphasis is laid on physical and object security. In particular, the International Ship and Port Facility Security (ISPS) Code [6] (as well as the respective EU regulation [8]) defines a set of measures to enhance the security of port facilities and ships. Therein, methodologies to perform security assessments and to detect security threats are described, and a guideline for the implementation of the respective security measures is given. Additionally, roles and responsibilities concerning maritime security at national and international level are defined. Nevertheless, due to the increased interaction and exchange of information of ports with other critical infrastructures in the maritime eco-system (e.g. port authorities, ministries, maritime companies, the ship industry, etc.), the sole focus on physical security is not sufficient any more. Moreover, the security of the port's cyber-physical systems becomes equally important.
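As an added illustration (not code from the paper or from the projects it describes) of the "risk = probability x potential damage" rule under two predefined scales, the following Python scores three constructed port-CII scenarios once with an ordinal three-level scheme loosely modelled on the NIST guide [24] and once with a monetary scheme, and shows that the two rankings disagree, which is exactly why results from different methods are hard to compare directly. Scenario names, ratings, event rates and loss figures are constructed, and the ordinal weights and thresholds are assumptions rather than values quoted from any standard.

```python
"""Risk = probability x potential damage under two predefined scales.

Added example, not code from the paper or from the CYSM, MEDUSA or
MITIGATE projects. The scenarios, ratings, event rates and loss figures
are constructed; the ordinal weights only loosely imitate the three-level
likelihood/impact matrix of the NIST guide [24] and are not quoted from it.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    likelihood: str         # port's own wording: "rare" | "possible" | "likely"
    impact: str             # port's own wording: "minor" | "serious" | "severe"
    events_per_year: float  # estimated annual rate of occurrence
    loss_per_event: float   # estimated loss per event, in EUR


# Step 1: map the application's terminology onto the method's predefined terms.
LIKELIHOOD_MAP = {"rare": "Low", "possible": "Medium", "likely": "High"}
IMPACT_MAP = {"minor": "Low", "serious": "Medium", "severe": "High"}

# Qualitative scheme: ordinal levels carry fixed integer weights (assumed values).
LIKELIHOOD_WEIGHT = {"Low": 1, "Medium": 5, "High": 10}
IMPACT_WEIGHT = {"Low": 1, "Medium": 5, "High": 10}


def qualitative_risk(s):
    """Score = likelihood weight x impact weight, then bucketed into a level."""
    score = (LIKELIHOOD_WEIGHT[LIKELIHOOD_MAP[s.likelihood]]
             * IMPACT_WEIGHT[IMPACT_MAP[s.impact]])
    level = "High" if score >= 50 else "Medium" if score >= 10 else "Low"
    return score, level


def monetary_risk(s):
    """Quantitative scheme: annual loss expectancy = rate x loss per event."""
    return s.events_per_year * s.loss_per_event


def rank(scenarios, scorer):
    """Scenario names ordered from highest to lowest risk under `scorer`."""
    return [s.name for s in sorted(scenarios, key=scorer, reverse=True)]


# Constructed port-CII scenarios (names and figures are illustrative only).
SCENARIOS = [
    Scenario("ransomware on terminal operating system", "likely", "serious", 0.5, 800_000),
    Scenario("unauthorized write to crane PLC", "rare", "severe", 0.05, 20_000_000),
    Scenario("credential stuffing on port community portal", "likely", "minor", 6.0, 30_000),
]


def compare(scenarios=SCENARIOS):
    """Rank the same scenarios under both schemes. The orders differ: the
    ordinal scheme rates the rare-but-catastrophic PLC case only Medium,
    while the monetary scheme puts it first."""
    return {
        "qualitative": rank(scenarios, lambda s: qualitative_risk(s)[0]),
        "monetary": rank(scenarios, monetary_risk),
    }


if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s.name}: {qualitative_risk(s)} / {monetary_risk(s):,.0f} EUR per year")
    print(compare())
```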
c) Risk analysis in MITIGATE for the ports' supply chain is based on a more rigorous, rational approach that produces high-quality scientific and experimental proofs and findings (e.g. simulation results, indicators, recommendations).

7) Computational model:

a) In CYSM a multi-criteria group decision making model has been developed and adopted in order to calculate the actual risk factor. The proposed model takes into consideration a set of criteria and parameters as well as the opinions of various user groups with different viewpoints.

b) MEDUSA adopts an approach based on game theory and graph theory techniques to minimize the consequences of cascading effects in multi-sector, cross-border port security scenarios.

c) MITIGATE leverages simulation models (based on game theory and graph theory techniques) combined with a multi-criteria group decision making approach in order to produce timely, accurate, objective, reliable, relevant and high-quality evidence, information, indicators, factors and parameters, based on which the multi-dimensional risks will be assessed.

8) Standards compliance:

a) CYSM is in line with the requirements, rules and obligations imposed by security- and safety-related standards (ISO27001, 27005, ISPS) that focus on the protection of the ports' facilities.

b) MEDUSA's emphasis on the supply chain is reflected in the provision of support for ISO28000.

c) MITIGATE leverages and implements existing security standards (such as ISO27001, 27005, ISPS, ISO28000, ISO28001) associated with the protection of the ICT-based maritime supply chain.

9) Predictive and forecasting capabilities:

a) CYSM evaluates a predefined list of threats associated with ports' ICT and physical infrastructures.

b) MEDUSA evaluates a predefined list of threats associated with the ports' supply chain.

c) MITIGATE leverages appropriate simulation models and processes for the representation and prediction of possible attack/threat paths and patterns. These models will be used to measure their effectiveness and applicability, as well as to determine the exploitation, resilience and reliability level of ports' supply chains.

10) Risk Assessment (RA) tool:

a) The CYSM RA tool is based on a set of interactive and collaborative technologies.

b) The MEDUSA tool is based on a set of visualization tools and techniques to model and simulate port supply chain scenarios.

c) The MITIGATE tool adapts and integrates a number of risk management components, modules and sub-systems developed in CYSM and MEDUSA and also incorporates a set of ICT technologies, including semantic web technologies (for ontology management, context management and profiling), cloud computing, and BigData and crowd-sourcing technologies (i.e. in order to collect and analyze open information from public resources).

VI. CONCLUSIONS AND FURTHER RESEARCH

The security of global maritime supply chains remains an open, multi-dimensional problem requiring technological interoperability, maritime policy harmonization, and a common legal framework respecting security, privacy and accountability principles at international level. The security of the EU commercial ports requires the facilitation and implementation of an EU Maritime Security Policy acknowledging the dual nature of the ports (physical and cyber) and their importance as Critical Information Infrastructures to the EU and the global digital economy. Finally, a series of maritime governance issues seek solutions:

- Harmonisation of critical maritime practices (e.g. border control, container authentication, logistics);
- Strengthening the compatibility of the security approaches adopted by the EU countries with international standards and EU legislation;
- Establishment of trust chains of maritime entities at national, regional and European level, the lack of which is considered the most important obstacle in the way they manage security processes in the e-maritime world;
- Development of the local and regional business and manufacturing sector facilitating the effective and efficient transport of bulk cargos and manufactured goods.

ACKNOWLEDGMENT

The author is grateful to the European Commission ("Prevention, Preparedness and Consequence Management of Terrorism and other Security related Risks for the Period 2007-2013" and Digital Security: CyberSecurity, Privacy and Trust (H2020-DS-2014-1) Programme) for funding the projects CYSM, MEDUSA and MITIGATE. Special thanks to the consortium members of these projects for their work in achieving the above mentioned results. Finally, the author acknowledges the contribution of the Research Center of the University of Piraeus (UPRC).

REFERENCES

[1] G. Giannopoulos, R. Filippini, M. Schimmer, "Risk assessment methodologies for Critical Infrastructure Protection. Part I: A state of the art", Joint Research Centre Publication, JRC 70046, EUR 25286 EN, ISBN 978-92-79-23839-0, ISSN 1831-9424, doi: 10.2788/22260, Luxembourg: Publications Office of the European Union, 2012.

[2] J. P. G. Sterbenz, D. Hutchison, E. K. Çetinkaya, A. Jabbar, J. P. Rohrer, M. Schöller et al., "Resilience and survivability in communication networks: Strategies, principles, and survey of disciplines", Computer Networks, Vol. 54, pp. 1245-1265, 2010.

[3] E. Chuvieco, I. Aguado, M. Yebra, H. Nieto, J. Salas, P. Martín, L. Vilar, J. Martínez, S. Martín, P. Ibarra, J. de la Riva, J. Baeza, F. Rodríguez,
J. R. Molina, M. A. Herrera, R. Zamora, "Development of a framework for fire risk assessment using remote sensing and geographic information system technologies", Ecological Modelling, Vol. 221, pp. 46-58, 2010.

[4] J.-F. Balmat, F. Lafont, R. Maifret, N. Pessel, "MAritime RISk Assessment (MARISA), a fuzzy approach to define an individual ship risk factor", Ocean Engineering, Vol. 36, No. 15, pp. 1278-1286, 2009, doi: 10.1016/j.oceaneng.2009.07.003.

[5] European Network and Information Security Agency, "Analysis of Cyber Security Aspects in the Maritime Sector", November 2011.

[6] International Maritime Organisation, "International Ship and Port Facility Security Code", London, United Kingdom, 2004.

[7] International Standardization Organization, "Ships and marine technology – Maritime port facility security assessments and security plan development", Geneva, Switzerland, 2007.

[8] European Commission, "Regulation (EC) No 725/2004 of the European Parliament and of the Council of 31 March 2004 on enhancing ship and port facility security", Official Journal of the European Union, L 129/6, pp. 6-91, 2004.

[9] Common Criteria Working Group, "Common Methodology for Information Technology Security Evaluation - Evaluation methodology", CCMB-2007-09-004, http://www.commoncriteriaportal.org, 2007.

[10] The Stationery Office (TSO), "Continual Service Improvement", ITIL V3, 2007.

[11] Bundesamt für Sicherheit in der Informationstechnik, "IT-Grundschutz Kataloge", 2013. [Online]. Available: https://www.bsi.bund.de/DE/Themen/ITGrundschutz/itgrundschutz_node.html (Access Date: 27 November, 2015).

[12] International Standardization Organization, "ISO 27001: Information Security Management System Requirements", Geneva, Switzerland, 2013.

[13] International Standardization Organization, "ISO 27005: Information security risk management", Geneva, Switzerland, 2011.

[14] International Standardization Organization, "ISO 20000: Information Technology Service Management", Geneva, Switzerland, 2005.

[15] Austrian Standards Institute, "ONR 49000: Risikomanagement für Organisationen und Systeme: Begriffe und Grundlagen", Vienna, Austria, 2004.

[16] International Standardization Organization, "ISO 31000: Risk Management – Principles and Guidelines", Geneva, Switzerland, 2009.

[17] International Standardization Organization, "ISO 31010: Risk management – Risk assessment techniques", Geneva, Switzerland, 2009.

[18] International Standardization Organization, "ISO 20858: Ships and marine technology – Maritime port facility security assessments and security plan development", Geneva, Switzerland, 2009.

[19] T. R. Peltier, "Information security risk analysis", Auerbach Publications, 2001.

[20] S. E. Schechter, "Computer security strength and risk: a quantitative approach", Harvard University, 2004.

[21] European Network and Information Security Agency, "Inventory of Risk Management / Risk Assessment Methods", 2010. [Online]. Available: https://www.enisa.europa.eu/activities/risk-management/current-risk/risk-management-inventory (Access Date: 27 November, 2015).

[22] CCRA Working Group, "Common Criteria for Information Technology Security Evaluation", CCRA. [Online]. Available: www.commoncriteriaportal.org (Access Date: 27 November, 2015).

[23] Clusif Methods Commission, "MEHARI V3 Risk Analysis Guide", 2004.

[24] G. Stoneburner, A. Goguen and A. Feringa, "Special Publication 800-30: Risk Management Guide for Information Technology Systems", National Institute of Standards and Technology, 2002.

[25] S. Kollarits, N. Wergles, H. Siegel et al., "MONITOR - An ontological basis for risk management", 2008. [Online]. Available: http://www.monitor-cadses.org/documents/MONITOR_BaseOntology_Report_1_0.pdf (Access Date: 27 November, 2015).

[26] T. J. Chiang, J. S. Kouh and R. I. Chang, "Ontology-based Risk Control for the Incident Management", International Journal of Computer Science and Network Security, Vol. 9, No. 11, p. 181, 2009.

[27] A. Ekelhart, S. Fenz and T. Neubauer, "Automated Risk and Utility Management", in Proceedings of the Sixth International Conference on Information Technology: New Generations, IEEE Computer Society, 2009, pp. 393-398.

[28] F. Foroughi, "Information Security Risk Assessment by Using Bayesian Learning Technique", in Proceedings of the World Congress on Engineering, Vol. 1, International Association of Engineers, 2008, pp. 2-6.

[29] C. J. Alberts and A. Dorofee, "Managing Information Security Risks: The Octave Approach", Addison-Wesley Longman Publishing Co., Inc., 2002.

[30] K. Stolen, F. D. Braber, S. Lund and J. Aagedal, "Model-based risk assessment – the CORAS approach", 2002. [Online]. Available: https://heim.ifi.uio.no/massl/publications/nik02-coras.pdf (Access Date: 27 November, 2015).

[31] G. Makridimitris, D. Polemi, C. Douligeris, "Security Risk Assessment Challenges in Port Information Technology Systems", Communications in Computer and Information Science, Vol. 441, 2014.

[32] S. Papastergiou, D. Polemi and A. Karantjias, "CYSM: An innovative physical/cyber security management system for ports", Special Session on "Innovative Risk Management Methodologies and Tools for Critical Information Infrastructures (CII)" within the 6th International Conference on Digital Human Modeling and Applications in Health, Safety, Ergonomics and Risk Management (HCI International 2015), 2-7 August 2015, Los Angeles, CA, USA.

[33] N. Polemi, P. Kotzanikolaou, "Medusa: A Supply Chain Risk Assessment Methodology", CSP Forum "Cyber Security and Privacy Innovation Forum", 28-29 April 2015, https://www.cspforum.eu/2015, Lecture Notes, Springer Verlag, 2015.

[34] S. Papastergiou, D. Polemi and I. Papagiannopoulos, "Business and threat analysis of Ports' Supply Chain Services", Special Session on "Innovative Risk Management Methodologies and Tools for Critical Information Infrastructures (CII)" within the 6th International Conference on Digital Human Modeling and Applications in Health, Safety, Ergonomics and Risk Management (HCI International 2015), 2-7 August 2015, Los Angeles, CA, USA.

[35] Allianz Global Corporate & Specialty SE (AGCS), "Safety and Shipping Review 2015: An annual review of trends and developments in shipping losses and safety", third annual review, available at http://www.agcs.allianz.com/assets/PDFs/Reports/Shipping-Review-2015.pdf (Access Date: 27 November, 2015).
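The following Python is an added example, not code from the paper or from CYSM, MEDUSA or MITIGATE, illustrating the computational models summarised under item 7 above: a weighted multi-criteria aggregation of ratings from several user groups into a per-asset risk factor (the CYSM-style group decision model), followed by a graph-based propagation of that risk along supply chain dependencies to capture cascading effects (the graph-theoretic concern of MEDUSA and MITIGATE). Assets, dependency probabilities, criteria and group weights and all ratings are constructed, and the propagation rule (independent compromise events, iterated to a fixed point) is an assumed simplification rather than any project's actual algorithm.

```python
"""Group multi-criteria risk factor with cascading-effect propagation.

Added example, not code from the paper or from CYSM, MEDUSA or MITIGATE.
Assets, dependency probabilities, criteria and group weights and all ratings
are constructed; the aggregation and propagation rules are assumed
simplifications of the approaches summarised under item 7 of the paper.
"""

ASSETS = ["tos", "crane_scada", "customs_gw", "carrier_edi"]

# Criteria (in rating-tuple order) and their weights, summing to 1.
CRITERIA = ("threat_likelihood", "vulnerability", "impact")
CRITERIA_W = (0.35, 0.25, 0.40)

# User groups with different viewpoints and their weights, summing to 1.
GROUP_W = {"port_operator": 0.4, "security_officer": 0.4, "sc_partner": 0.2}

# Each group rates every asset on the three criteria, 1 (low) .. 5 (high).
RATINGS = {
    "port_operator":    {"tos": (2, 2, 5), "crane_scada": (2, 4, 5),
                         "customs_gw": (3, 2, 3), "carrier_edi": (4, 3, 3)},
    "security_officer": {"tos": (3, 2, 5), "crane_scada": (3, 5, 5),
                         "customs_gw": (3, 3, 4), "carrier_edi": (4, 4, 2)},
    "sc_partner":       {"tos": (2, 2, 4), "crane_scada": (2, 3, 3),
                         "customs_gw": (4, 3, 5), "carrier_edi": (5, 4, 4)},
}

# Dependency graph: asset -> {upstream asset: probability that a compromise
# of the upstream asset cascades into this one} (constructed values).
DEPENDS_ON = {
    "tos": {"carrier_edi": 0.6, "customs_gw": 0.4},  # TOS ingests partner data
    "crane_scada": {"tos": 0.7},                     # cranes take orders from TOS
    "customs_gw": {},
    "carrier_edi": {},
}


def group_risk_factor(asset):
    """Weighted mean of the groups' criteria-weighted ratings, scaled to [0, 1]."""
    total = 0.0
    for group, gw in GROUP_W.items():
        scores = RATINGS[group][asset]
        total += gw * sum(cw * s for cw, s in zip(CRITERIA_W, scores))
    return (total - 1) / 4  # 1..5 -> 0..1


def cascaded_risk(intrinsic, depends_on, tol=1e-9, max_iter=100):
    """Fixed-point propagation: an asset is at risk if compromised directly
    or through any upstream dependency, treated as independent events."""
    risk = dict(intrinsic)
    for _ in range(max_iter):
        new = {}
        for asset, r0 in intrinsic.items():
            safe = 1.0 - r0
            for upstream, p in depends_on[asset].items():
                safe *= 1.0 - p * risk[upstream]
            new[asset] = 1.0 - safe
        if max(abs(new[a] - risk[a]) for a in risk) < tol:
            return new
        risk = new
    return risk


def assess(assets=ASSETS, depends_on=DEPENDS_ON):
    """Return intrinsic factors, cascaded factors and the cascaded ranking."""
    intrinsic = {a: group_risk_factor(a) for a in assets}
    cascaded = cascaded_risk(intrinsic, depends_on)
    ranking = sorted(assets, key=cascaded.get, reverse=True)
    return intrinsic, cascaded, ranking


if __name__ == "__main__":
    intrinsic, cascaded, ranking = assess()
    for a in ranking:  # the TOS climbs from last to second once cascades count
        print(f"{a:12s} intrinsic={intrinsic[a]:.3f} cascaded={cascaded[a]:.3f}")
```

The terminal operating system scores lowest on its own ratings but second highest once the dependencies on its partners' feeds are propagated, which is the kind of cascading effect a per-asset assessment misses.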