Port Cybersecurity: Securing Critical Information Infrastructures and Supply Chains
5/5
()
About this ebook
Port Cybersecurity: Securing Critical Information Infrastructures and Supply Chains examines a paradigm shift in the way ports assess cyber risks and vulnerabilities, as well as relevant risk management methodologies, by focusing on initiatives and efforts that attempt to deal with the risks and vulnerabilities of port Critical Information Infrastructures (CII) ecosystems. Modern commercial shipping ports are highly dependent on the operation of complex, dynamic ICT systems and ICT-based maritime supply chains, making these central points in the maritime supply chain vulnerable to cybersecurity threats.
- Identifies barriers and gaps in existing port and supply chain security standards, policies, legislation and regulatory frameworks
- Identifies port threat scenarios and analyzes cascading effects in their supply chains
- Analyzes risk assessment methodologies and tools, identifying their open problems when applied to a port’s CIIs
Nineta Polemi
Nineta Polemi works for the European Comission and was previously an Associate Professor at the University of Piraeus in Piraeus, Greece, teaching cryptography, ICT system security, port security, and e-business and innovation. She has been a security project manager for organizations such as the National Security Agency, NATO, Greek Ministry of Defense, INFOSEC, TELEMATICS for Administrations, and the European Commission (E.C.) She has acted as an expert and evaluator in the E.C. and the European Network and Information Security Agency (ENISA). She is the director of the UPRC Department of Informatics security graduate program, and has participated in the national and European cyber security exercises in the last four years. Polemi has been published in more than one hundred publications, including the International Journal of Electronic Security and Digital Forensics, and International Journal of Electronic Security and Digital Forensics.
Related to Port Cybersecurity
Related ebooks
Applied Cyber Security and the Smart Grid: Implementing Security Controls into the Modern Power Infrastructure Rating: 5 out of 5 stars5/5Computer and Information Security Handbook Rating: 2 out of 5 stars2/5Transportation Security Rating: 0 out of 5 stars0 ratingsNIST Cybersecurity Framework: A pocket guide Rating: 0 out of 5 stars0 ratingsRisk Management Framework: A Lab-Based Approach to Securing Information Systems Rating: 2 out of 5 stars2/5Cyber-Physical Attacks: A Growing Invisible Threat Rating: 4 out of 5 stars4/5Implementing Digital Forensic Readiness: From Reactive to Proactive Process Rating: 0 out of 5 stars0 ratingsAdvances in Cyber Security: Technology, Operations, and Experiences Rating: 0 out of 5 stars0 ratingsDesigning and Building Security Operations Center Rating: 3 out of 5 stars3/5Industrial Network Security: Securing Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control Systems Rating: 0 out of 5 stars0 ratingsThe Cyber Security Handbook – Prepare for, respond to and recover from cyber attacks Rating: 0 out of 5 stars0 ratingsSecurity Controls Evaluation, Testing, and Assessment Handbook Rating: 5 out of 5 stars5/5Computer Incident Response and Forensics Team Management: Conducting a Successful Incident Response Rating: 4 out of 5 stars4/5The Cloud Security Ecosystem: Technical, Legal, Business and Management Issues Rating: 0 out of 5 stars0 ratingsIT Governance Critical Issues Series: Cyber Security Rating: 0 out of 5 stars0 ratingsCyber Security and Policy: A substantive dialogue Rating: 0 out of 5 stars0 ratingsManaging Cybersecurity Risk: Book 3 Rating: 0 out of 5 stars0 ratingsManaging Information Security Rating: 5 out of 5 stars5/5Wireless Operational Security Rating: 0 out of 5 stars0 ratingsBuilding an Effective Cybersecurity Program, 2nd Edition Rating: 0 out of 5 stars0 ratingsApplied Network Security Monitoring: Collection, Detection, and Analysis Rating: 3 out of 5 stars3/5Cyber Security Resilience Complete Self-Assessment Guide Rating: 0 out of 5 stars0 ratingsCyber Warfare: Techniques, Tactics and Tools for Security Practitioners Rating: 4 out of 5 stars4/5Maritime Security: An Introduction Rating: 5 out of 5 stars5/5How to Define and Build an Effective Cyber Threat Intelligence Capability Rating: 4 out of 5 stars4/5Managing Cybersecurity Risk: How Directors and Corporate Officers Can Protect their Businesses Rating: 5 out of 5 stars5/5Building a Practical Information Security Program Rating: 5 out of 5 stars5/5The Basics of Cyber Warfare: Understanding the Fundamentals of Cyber Warfare in Theory and Practice Rating: 4 out of 5 stars4/5Assessing Information Security: Strategies, Tactics, Logic and Framework Rating: 5 out of 5 stars5/5
Social Science For You
My Secret Garden: Women's Sexual Fantasies Rating: 4 out of 5 stars4/5The Art of Witty Banter: Be Clever, Quick, & Magnetic Rating: 4 out of 5 stars4/5Becoming Cliterate: Why Orgasm Equality Matters--And How to Get It Rating: 4 out of 5 stars4/5King, Warrior, Magician, Lover: Rediscovering the Archetypes of the Mature Masculine Rating: 4 out of 5 stars4/5Verbal Judo, Second Edition: The Gentle Art of Persuasion Rating: 4 out of 5 stars4/5A People's History of the United States Rating: 4 out of 5 stars4/5Fervent: A Woman's Battle Plan to Serious, Specific, and Strategic Prayer Rating: 5 out of 5 stars5/5The Sun Does Shine: How I Found Life and Freedom on Death Row (Oprah's Book Club Selection) Rating: 4 out of 5 stars4/5The Like Switch: An Ex-FBI Agent's Guide to Influencing, Attracting, and Winning People Over Rating: 4 out of 5 stars4/5Ghosts of the Tsunami: Death and Life in Japan's Disaster Zone Rating: 4 out of 5 stars4/5All About Love: New Visions Rating: 4 out of 5 stars4/5Come As You Are: Revised and Updated: The Surprising New Science That Will Transform Your Sex Life Rating: 4 out of 5 stars4/5Dreamland: The True Tale of America's Opiate Epidemic Rating: 4 out of 5 stars4/5100 Amazing Facts About the Negro with Complete Proof Rating: 4 out of 5 stars4/5You're Not Listening: What You're Missing and Why It Matters Rating: 4 out of 5 stars4/5Women Don't Owe You Pretty Rating: 4 out of 5 stars4/5The Human Condition Rating: 4 out of 5 stars4/5Prisoners of Geography: Ten Maps That Explain Everything About the World Rating: 4 out of 5 stars4/5Just Mercy: a story of justice and redemption Rating: 5 out of 5 stars5/5The Denial of Death Rating: 4 out of 5 stars4/5The Song of the Cell: An Exploration of Medicine and the New Human Rating: 4 out of 5 stars4/5Homicide: A Year on the Killing Streets Rating: 4 out of 5 stars4/5
Reviews for Port Cybersecurity
1 rating0 reviews
Book preview
Port Cybersecurity - Nineta Polemi
Port Cybersecurity
Securing Critical Information Infrastructures and Supply Chains
Nineta Polemi
European Comission, Brussels, Belgium
Table of Contents
Cover image
Title page
Copyright
List of Figures
List of Tables
Acknowledgments
General Security Glossary
Maritime Glossary
Executive Summary
Chapter 1. Introduction
Chapter 2. Ports’ Critical Infrastructures
Maritime Environment: The Role of Commercial Ports
Layers of the Ports’ ICT System
Security and Safety: Two Interrelated Concepts
Maritime Security Organizations
Security of Port Services
Chapter 3. Security of Ports’ Critical Information Infrastructures
Safety Management: A Restricting Approach
Cybersecurity Regulations and Standards
Security Management: A Holistic Approach
CIIP Methodologies
CYSM Risk Assessment Tool as a Best Practice
Chapter 4. Maritime Supply Chain Risk Assessment (at Entity Level)
Supply Chain Graph Models
Medusa: A Maritime SCS Risk Assessment Methodology
The Medusa SCS Risk Assessment System
Validation Scenarios
Chapter 5. Maritime Supply Chain Risk Assessment (at Asset Level)
Standards and Methods
MITIGATE Risk Assessment SCS Methodology at Asset Level
Chapter 6. Conclusions and the Way Forward
Bibliography
Appendix A. CYSM Questionnaire for Ports’ Security Awareness
Appendix B. Threat Analysis: An Example
Appendix C. Supply Chain Controls and Vulnerabilities
Index
Copyright
Elsevier
Radarweg 29, PO Box 211, 1000 AE Amsterdam, Netherlands
The Boulevard, Langford Lane, Kidlington, Oxford OX5 1GB, United Kingdom
50 Hampshire Street, 5th Floor, Cambridge, MA 02139, United States
Copyright © 2018 Elsevier Inc. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher’s permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.
This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).
Notices
Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods, professional practices, or medical treatment may become necessary.
Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information, methods, compounds, or experiments described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.
To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.
Library of Congress Cataloging-in-Publication Data
A catalog record for this book is available from the Library of Congress
British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library
ISBN: 978-0-12-811818-4
For information on all Elsevier Publishing visit our website at https://www.elsevier.com/books-and-journals
Publishing Director: Joe Hayton
Acquisition Editor: Tom Stover
Editorial Project Manager: Andrae Akeh
Production Project Manager: Punithavathy Govindaradjane
Cover Designer: Mark Rogers
Typeset by TNQ Books and Journals
List of Figures
Figure 1.1 Maritime logistics and supply chains. 4
Figure 2.1 Maritime environment. 8
Figure 2.2 Security (cybersecurity) and safety. 10
Figure 2.3 Vehicles transport service. 17
Figure 2.4 Vessel arrival and vehicles uploading process. 19
Figure 2.5 Execution steps of the vehicles robbery
attack during vessels unloading. 24
Figure 2.6 Left image: mapping SCADA vulnerabilities with BPMN events. Right image: vulnerabilities of SCADA asset. 25
Figure 3.1 Collaborative cyber/physical security management (CYSM) system. 55
Figure 3.2 CYSM Administration module. 56
Figure 3.3 CYSM Management module. 58
Figure 3.4 CYSM Risk Assessment module. 58
Figure 3.5 CYSM Risk Assessment Results module. 59
Figure 3.6 CYSM Security Policy Reporting module. 60
Figure 3.7 CYSM Risk Assessment Toolkit architecture. 61
Figure 4.1 An example of an SC-directed graph. 69
Figure 4.2 The components and layers of the Medusa system. 87
Figure 4.3 Using the control implementation level, as provided in the Security Declaration Statement, to assess the vulnerability level for each threat in the Medusa system. 89
Figure 4.4 Assessment of each threat scenario that is relevant to the vehicle transport SCS in the Medusa system. 90
Figure 4.5 The risk assessment phase of the Vehicle Transport SCS in the Medusa system. 90
Figure 4.6 The cascading dependency risk assessment phase by the Medusa system. 91
Figure 4.7 An SCG based on the dependencies of the Purchase and Shipment SC. 92
Figure 5.1 MITIGATE high-level architecture. 122
Figure 5.2 MITIGATE dashboard overview. 123
List of Tables
Table 2.1 Vehicles transport supply chain service 18
Table 2.2 Threat analysis of the SCS Vehicles’ Transport
21
Table 3.1 Assessment of Security Management Methods and criteria 42
Table 3.2 CIIP methodologies short description 47
Table 3.3 Assessment of suitable CIIP methods 50
Table 4.1 Part of a security declaration statement 70
Table 4.2 Security vulnerabilities and the corresponding security controls 71
Table 4.3 Assigning threat scenarios to threat categories 73
Table 4.4 Assigning security vulnerabilities and security controls to threat categories and their related threat scenarios 75
Table 4.5 Threat scale 76
Table 4.6 A likelihood scale 77
Table 4.7 A consequence scale 78
Table 4.8 A risk scale 79
Table 4.9 Product of likelihood values calculation 85
Table 4.10 An example of input values for the calculation of cascading risk 85
Table 4.11 Validation scenario 1: implementation of different security controls and related risk levels 94
Table 4.12 Validation scenario 2: variation of the expected consequences and related risk levels 96
Table 4.13 Validation scenario 3: variation of the probability of occurrence of the threat scenarios and related risk levels 98
Table 4.14 Validation scenario 4: cascading risks 100
Table 4.15 Dependency chains with the port authority as the destination for the threat scenario TS1.1 101
Table 5.1 Mapping between SCRA main blocks and substeps 109
Table 5.2 Mapping of the CVSS metrics on the MITIGATE vulnerability level 114
Table 5.3 Mapping of the attacker’s capability and the IVL onto the likelihood of exploitation 114
Table 5.4 Description of the probability scale in MITIGATE 115
Table 5.5 Mapping of the CVSS metrics on the MITIGATE impact level 118
Table 5.6 Mapping of the impact level and the ICVL onto the individual chain impact level 118
Table C.1 Medusa’s security declaration statement 176
Table C.2 Security vulnerabilities and related security controls related with supply chain security 180
Acknowledgments
The author is grateful to the European Commission (Horizon 2020 programme) for funding the maritime cybersecurity projects CYSM (CIPS 2012), MEDUSA (CIPS 2014), and MITIGATE (Horizon 2020); this book is based upon the main findings of these projects of which the author served as project/technical manager. The author also thanks all partners involved in these projects, namely:
• Port Institute for Studies and Co-Operation in the Valencian Region, FEPORTS
• University of Piraeus, Research Center
• SingularLogic
• Port Authority of Pireaus
• Università degli Studi di Genova (DITEN)
• Fundación Valencia Port
• Europhar
• Austrian Institute of Technology
• University of Cyprus
• Fraunhofer CML
• Maggioli Group
• University of Brighton
The author is also thankful to the European Union Agency for Network and Information Security (ENISA) that allowed her to contribute in the first study on maritime cybersecurity issues in 2011 entitled Cyber Security Aspects in the Maritime Sector.
Finally, the author would like to express her acknowledgment to the University of Piraeus, Research Center.
(To my beloved mother and daughter for all their support in my life)
General Security Glossary
Maritime Glossary
Executive Summary
The maritime ecosystem is complex and involves many entities that interact with each other. Examples of these entities are ports, ships, port authorities, maritime and insurance companies, customs, the ship industry, banks, ministries, other commercial providers, and other infrastructures (e.g., railroads, airports). All these interactions are supported by complex and heterogeneous information and communication technology (ICT) systems.
Commercial ports are among the transportation critical infrastructures since they are large-scale infrastructures of which the degradation, interruption, or impairment of their physical or cyber (ICT) systems has serious consequences on national security, health, safety, economy, and welfare of citizens and nations, and they are characterized by multiplicity of interdependencies with other entities in the maritime ecosystem.
The normal functionality of the commercial ports depends largely on the proper operation of both their physical and cyber systems. The large amount of critical and sensitive data, the information and services that are managed daily, the large number of entities called to be served, and the interdependencies with the other infrastructures require effective security management.
This book explores the existing picture in the security of the commercial ports’ critical information infrastructures (CIIs) and their supply chains and goes a step