Port Cybersecurity: Securing Critical Information Infrastructures and Supply Chains

By Nineta Polemi

Port Cybersecurity: Securing Critical Information Infrastructures and Supply Chains examines a paradigm shift in the way ports assess cyber risks and vulnerabilities, as well as relevant risk management methodologies, by focusing on initiatives and efforts that attempt to deal with the risks and vulnerabilities of port Critical Information Infrastructures (CII) ecosystems. Modern commercial shipping ports are highly dependent on the operation of complex, dynamic ICT systems and ICT-based maritime supply chains, making these central points in the maritime supply chain vulnerable to cybersecurity threats.

• Identifies barriers and gaps in existing port and supply chain security standards, policies, legislation and regulatory frameworks
• Identifies port threat scenarios and analyzes cascading effects in their supply chains
• Analyzes risk assessment methodologies and tools, identifying their open problems when applied to a port’s CIIs

• Language: English
• Publisher: Elsevier Science
• Release date: Oct 30, 2017
• ISBN: 9780128118191

Nineta Polemi

Nineta Polemi works for the European Comission and was previously an Associate Professor at the University of Piraeus in Piraeus, Greece, teaching cryptography, ICT system security, port security, and e-business and innovation. She has been a security project manager for organizations such as the National Security Agency, NATO, Greek Ministry of Defense, INFOSEC, TELEMATICS for Administrations, and the European Commission (E.C.) She has acted as an expert and evaluator in the E.C. and the European Network and Information Security Agency (ENISA). She is the director of the UPRC Department of Informatics security graduate program, and has participated in the national and European cyber security exercises in the last four years. Polemi has been published in more than one hundred publications, including the International Journal of Electronic Security and Digital Forensics, and International Journal of Electronic Security and Digital Forensics.

Book preview

Port Cybersecurity

Securing Critical Information Infrastructures and Supply Chains

Nineta Polemi

European Comission, Brussels, Belgium

Table of Contents

Cover image

Title page

Copyright

List of Figures

List of Tables

Acknowledgments

General Security Glossary

Maritime Glossary

Executive Summary

Chapter 1. Introduction

Chapter 2. Ports’ Critical Infrastructures

Maritime Environment: The Role of Commercial Ports

Layers of the Ports’ ICT System

Security and Safety: Two Interrelated Concepts

Maritime Security Organizations

Security of Port Services

Chapter 3. Security of Ports’ Critical Information Infrastructures

Safety Management: A Restricting Approach

Cybersecurity Regulations and Standards

Security Management: A Holistic Approach

CIIP Methodologies

CYSM Risk Assessment Tool as a Best Practice

Chapter 4. Maritime Supply Chain Risk Assessment (at Entity Level)

Supply Chain Graph Models

Medusa: A Maritime SCS Risk Assessment Methodology

The Medusa SCS Risk Assessment System

Validation Scenarios

Chapter 5. Maritime Supply Chain Risk Assessment (at Asset Level)

Standards and Methods

MITIGATE Risk Assessment SCS Methodology at Asset Level

Chapter 6. Conclusions and the Way Forward

Bibliography

Appendix A. CYSM Questionnaire for Ports’ Security Awareness

Appendix B. Threat Analysis: An Example

Appendix C. Supply Chain Controls and Vulnerabilities

Index

Copyright

Elsevier

Radarweg 29, PO Box 211, 1000 AE Amsterdam, Netherlands

The Boulevard, Langford Lane, Kidlington, Oxford OX5 1GB, United Kingdom

50 Hampshire Street, 5th Floor, Cambridge, MA 02139, United States

Copyright © 2018 Elsevier Inc. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher’s permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.

This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).

Notices

Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods, professional practices, or medical treatment may become necessary.

Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information, methods, compounds, or experiments described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.

To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.

Library of Congress Cataloging-in-Publication Data

A catalog record for this book is available from the Library of Congress

British Library Cataloguing-in-Publication Data

A catalogue record for this book is available from the British Library

ISBN: 978-0-12-811818-4

For information on all Elsevier Publishing visit our website at https://www.elsevier.com/books-and-journals

Publishing Director: Joe Hayton

Acquisition Editor: Tom Stover

Editorial Project Manager: Andrae Akeh

Production Project Manager: Punithavathy Govindaradjane

Cover Designer: Mark Rogers

Typeset by TNQ Books and Journals

List of Figures

Figure 1.1   Maritime logistics and supply chains.   4

Figure 2.1   Maritime environment.   8

Figure 2.2   Security (cybersecurity) and safety.   10

Figure 2.3   Vehicles transport service.   17

Figure 2.4   Vessel arrival and vehicles uploading process.   19

Figure 2.5   Execution steps of the vehicles robbery attack during vessels unloading.   24

Figure 2.6   Left image: mapping SCADA vulnerabilities with BPMN events. Right image: vulnerabilities of SCADA asset.   25

Figure 3.1   Collaborative cyber/physical security management (CYSM) system.   55

Figure 3.2   CYSM Administration module.   56

Figure 3.3   CYSM Management module.   58

Figure 3.4   CYSM Risk Assessment module.   58

Figure 3.5   CYSM Risk Assessment Results module.   59

Figure 3.6   CYSM Security Policy Reporting module.   60

Figure 3.7   CYSM Risk Assessment Toolkit architecture.   61

Figure 4.1   An example of an SC-directed graph.   69

Figure 4.2   The components and layers of the Medusa system.   87

Figure 4.3   Using the control implementation level, as provided in the Security Declaration Statement, to assess the vulnerability level for each threat in the Medusa system.   89

Figure 4.4   Assessment of each threat scenario that is relevant to the vehicle transport SCS in the Medusa system.   90

Figure 4.5   The risk assessment phase of the Vehicle Transport SCS in the Medusa system.   90

Figure 4.6   The cascading dependency risk assessment phase by the Medusa system.   91

Figure 4.7   An SCG based on the dependencies of the Purchase and Shipment SC.   92

Figure 5.1   MITIGATE high-level architecture.   122

Figure 5.2   MITIGATE dashboard overview.   123

List of Tables

Table 2.1     Vehicles transport supply chain service   18

Table 2.2     Threat analysis of the SCS Vehicles’ Transport   21

Table 3.1     Assessment of Security Management Methods and criteria   42

Table 3.2     CIIP methodologies short description   47

Table 3.3     Assessment of suitable CIIP methods   50

Table 4.1     Part of a security declaration statement   70

Table 4.2     Security vulnerabilities and the corresponding security controls   71

Table 4.3     Assigning threat scenarios to threat categories   73

Table 4.4     Assigning security vulnerabilities and security controls to threat categories and their related threat scenarios   75

Table 4.5     Threat scale   76

Table 4.6     A likelihood scale   77

Table 4.7     A consequence scale   78

Table 4.8     A risk scale   79

Table 4.9     Product of likelihood values calculation   85

Table 4.10   An example of input values for the calculation of cascading risk   85

Table 4.11   Validation scenario 1: implementation of different security controls and related risk levels   94

Table 4.12   Validation scenario 2: variation of the expected consequences and related risk levels   96

Table 4.13   Validation scenario 3: variation of the probability of occurrence of the threat scenarios and related risk levels   98

Table 4.14   Validation scenario 4: cascading risks   100

Table 4.15   Dependency chains with the port authority as the destination for the threat scenario TS1.1   101

Table 5.1     Mapping between SCRA main blocks and substeps   109

Table 5.2     Mapping of the CVSS metrics on the MITIGATE vulnerability level   114

Table 5.3     Mapping of the attacker’s capability and the IVL onto the likelihood of exploitation   114

Table 5.4     Description of the probability scale in MITIGATE   115

Table 5.5     Mapping of the CVSS metrics on the MITIGATE impact level   118

Table 5.6     Mapping of the impact level and the ICVL onto the individual chain impact level   118

Table C.1    Medusa’s security declaration statement   176

Table C.2    Security vulnerabilities and related security controls related with supply chain security   180

Acknowledgments

The author is grateful to the European Commission (Horizon 2020 programme) for funding the maritime cybersecurity projects CYSM (CIPS 2012), MEDUSA (CIPS 2014), and MITIGATE (Horizon 2020); this book is based upon the main findings of these projects of which the author served as project/technical manager. The author also thanks all partners involved in these projects, namely:

• Port Institute for Studies and Co-Operation in the Valencian Region, FEPORTS

• University of Piraeus, Research Center

• SingularLogic

• Port Authority of Pireaus

• Università degli Studi di Genova (DITEN)

• Fundación Valencia Port

• Europhar

• Austrian Institute of Technology

• University of Cyprus

• Fraunhofer CML

• Maggioli Group

• University of Brighton

The author is also thankful to the European Union Agency for Network and Information Security (ENISA) that allowed her to contribute in the first study on maritime cybersecurity issues in 2011 entitled Cyber Security Aspects in the Maritime Sector. Finally, the author would like to express her acknowledgment to the University of Piraeus, Research Center.

(To my beloved mother and daughter for all their support in my life)

General Security Glossary

Maritime Glossary

Executive Summary

The maritime ecosystem is complex and involves many entities that interact with each other. Examples of these entities are ports, ships, port authorities, maritime and insurance companies, customs, the ship industry, banks, ministries, other commercial providers, and other infrastructures (e.g., railroads, airports). All these interactions are supported by complex and heterogeneous information and communication technology (ICT) systems.

Commercial ports are among the transportation critical infrastructures since they are large-scale infrastructures of which the degradation, interruption, or impairment of their physical or cyber (ICT) systems has serious consequences on national security, health, safety, economy, and welfare of citizens and nations, and they are characterized by multiplicity of interdependencies with other entities in the maritime ecosystem.

The normal functionality of the commercial ports depends largely on the proper operation of both their physical and cyber systems. The large amount of critical and sensitive data, the information and services that are managed daily, the large number of entities called to be served, and the interdependencies with the other infrastructures require effective security management.

This book explores the existing picture in the security of the commercial ports’ critical information infrastructures (CIIs) and their supply chains and goes a step