Port Cybersecurity

Safety Management: A Restricting Approach

Traditionally, targeted methodologies for risk assessment of ports like MSRAM (Maritime Security Risk Analysis Model) and its extended version MSRAM-PLUS/FORETELL address only physical security, and they are only compatible with the ISPS. Similarly, the available maritime risk assessment systems like MARISA concentrate on the safe navigation of ships during their presence in the port. The risk assessment system CMA detects abnormal behavior of ships and identifies respecting physical threats.

The ILO Port Health and Safety systems recognize that risk assessment is an essential part of safety management. It provides a sound basis for the improvement of safety. It covers tasks and physical hazards in the workplace and allows hazards to be assessed to see how harmful they are. But cybersecurity threats are not covered in the ILO code.

The World Bank Group, together with the International Finance Corporation, released in 2007 a document called "Environmental, Health, and Safety Guidelines for Ports, Harbours, and Terminals." The Environmental, Health, and Safety Guidelines are technical reference documents with general and industry-specific examples of Good International Industry Practice concentrating on physical hazards.

Various research efforts concentrate on physical threats, ignoring the cyber risks. Some examples follow.

Safety4Sea is a dedicated Maritime Safety and Environmental portal, a PRO BONO project to promote maritime safety and environmental aware-ness, operational safety, and environmental excellence. Safety4Sea's mission is to make practical safety and environmental excellence easy to understand for everyone in the industry, promote best practices, and improve people perception by promoting safety and environmental awareness in a wide range of maritime aspects.

FLAGSHIP is a partially EU-funded project, focusing on improvement of safety, environmental friendliness, and competitiveness of European maritime transport. The project contributes to a further increase in the capacity and reliability of freight and passenger services and to a reduction of negative impact from accidents and emissions. The emphasis of the project is on onboard systems and procedures, ship management systems on shore, impact of new technology on present ship owner and operator organizations, effective and efficient communication interfaces, and impact of standards and regulations. FLAGSHIP aimed to create the mechanism by which the expertise of all the required actors can be brought together in real time, independently of their location, and given to the right people, in the right format, at the right time, and incorporating the highest level of knowledge, so they can better manage all the questions that confront a ship operator: issues relating to the ship itself and its equipment (e.g., hull monitoring, equipment diagnostics, maintenance planning), its day-to-day operation (e.g., navigation, cargo, rule compliance), as well as emergencies and other exceptional situations (collision, fire, etc.).

The SafePort was a collaborative project under the EU Seventh Framework Programme. Many European ports will reach full capacity in the next few years. SafePort takes its cue from the aviation industry, which has addressed safety issues created by increased traffic through increasing automation and the use of sophisticated traffic management systems. SafePort developed and demonstrated an active vessel traffic management and information system (A-VTMIS) to manage vessel movement within its jurisdiction. This will ensure that vessels follow safe paths without conflicting with other vessels and improve the efficiency of port operations.

Several Preparatory Action on Security Research and EU FP7 Security Research programs initiated over the last decade addressing issues relating to strengthening the safety of ports and/or their ports' CI systems. Most of these projects have fallen in three main categories, as follows:

Improved maritime surveillance systems: by enhancing the interoperability of local and national surveillance systems through the pooling of cross-sectoral surveillance information and its fusion into a central database. Representative examples are the following:

• The Autonomous Maritime Surveillance System (AMASS) project focused on strengthening maritime surveillance and on better integrating information and data between relevant agencies. The focus was on developing a cutting-edge early warning system that provides maritime authorities and law enforcement agencies with information about attempts at illegal immigration and other criminal activities at sea.
• The Underwater Coastal Sea Surveyor project is a cost-effective response to new terrorism attacks especially against underwater improvised explosive device threats. It provides a fundamental technology for the global issue of maritime surveillance and port/naval infrastructure protection.
• The Surveillance of Borders, Coastlines and Harbors project attempted to combine and maximize the use of existing surveillance technologies to model the most effective operational procedures for enhancing the surveillance of borders, coastlines, and harbors.
• The Sea Border Surveillance (SEABILLA) project aims to define the architecture for cost-effective European sea border surveillance systems, integrating space, land, sea, and air assets, including legacy systems. The project is applying advanced technological solutions to improve the performance of surveillance functions.

Interoperability of ports' CI systems: by enhancing the capability to collect and merge maritime-related data into a common and comprehensive picture to be shared among relevant organizations. Projects of this category are the following:

• The InterOPERAble Approach to European Union MARitime Security Management (OPERAMAR) project attempted to solve the issue of fragmentation between member states caused by the persistence of nation-specific procedures, legislations, and systems that hamper interop-erability, greater information sharing, and improved coordination.
• The SECure CONtainer Data Device (SECCONDD) project was designed to initiate the international standardization of the technical interface between a secure container or vehicle and a data reader at a port or border crossing. The interface should enable law enforcement and trade officials to read security data, including stored information from internal security and location sensors.

Protection of critical maritime infrastructure: by mitigating the risks of maritime safety (physical) incidents. A notable number of projects are the following:

• The Security System for Maritime Infrastructure, Ports, and Coastal Zones (SECTRONIC) project attempted to improve the safety of civilian ships (passenger and cargo carriers), energy platforms and facilities, and ports through advanced information, sensor, and response technologies. It aimed to develop an integrated security system combining surveillance, intrusion detection, and response to events and incidents.
• The Security Upgrade for Ports (SUPPORT) project aims to raise the current level of port safety by integrating legacy port systems with new surveillance and information management systems. Furthermore, the SUPPORT project has a special focus on border control, aiming to secure uninterrupted flows of cargos and passengers while allowing for the effective elimination of illegal immigration and trafficking.

Cybersecurity Regulations and Standards

Most ports are compliant with ISPS code; however, this compliance does not imply secure ports since ISPS only addresses organizational and safety issues. However, the most recent regulations and directives are cybersecurity focused, and their implementation at the EU and international level will help the port authorities to secure their ICT systems and to better mitigate existing and upcoming cyber risks. In the upcoming years, the ports will need to implement the following new regulatory framework:

• CIIP Directive (2012), critical information infrastructure protection: toward global cybersecurity;
• The Cybersecurity Strategy for the European Union (2013) and the European Agenda on Security (2015) provide the overall strategic framework for the EU initiatives on cybersecurity and cybercrime;
• eIDAS Regulation (2014) on electronic identification and trust services for electronic transactions in the internal market;
• European Parliament (2015) concerning measures to ensure a high common level of network and information security across the union;
• NIS Directive (2016) applies only to those public administrations that are identified as operators of essential services;
• cPPP Initiative (2015) ensures that Europe will have a dynamic, efficient, and effective market in cybersecurity products and services;
• Enhanced Privacy Directive (2016), mandatory reporting of security breaches;
• USA H.R. 3878, House of Representatives, "Strengthening Cybersecurity Information Sharing and Coordination in Our Ports Act of 2015."

Besides the new upcoming regulatory framework, standards and best practices embrace the effort for better ICT security management. An over-view of ICT security management standards is presented in this section. It should be noted that these standards do not constitute risk management methods, but rather, they fix a minimal framework and describe requirements, for the risk assessment process itself, for the identification of the threats and vulnerabilities allowing to estimate the risks, their level, and then to be able to define an effective treatment plan.

The most well-known cybersecurity standards are these:

ISO/IEC 27001 36 is a commercial standard that specifies requirements for the establishment, implementation, monitoring and review, maintenance, and improvement of an information security management system (ISMS). The ISMS is an overall management and control framework for managing an organization's information security risks. The ISO/IEC 27001 does not mandate specific information security controls but stops at the management and operational level. Usually, a group of analysts with high ICT expertise and experience verifies the compliance of the organization with the defined requirements. However, although the compliance process requires the involvement of multiple users, the collaborative abilities of the standard are limited due to its inherent complexity. The standard covers mostly large-scale organizations (e.g., governmental agencies and large companies), while it is considered too heavy for micro, small, and medium size businesses.

The ISO/IEC 27001 ISMS incorporates several Plan-Do-Check-Act cycles: for example, information security controls are not merely specified and implemented as a one-off activity but are continually reviewed and adjusted to take account of changes in the security threats, vulnerabilities, and impacts of information security failures, using review and improvement activities specified within the management system. There exist a variety of freeware (e.g., EBIOS developed by Central Information Systems Security Division [France]) and commercial software (e.g., CRAMM developed by Insight Consulting) that verify the compliance of the organization with the ISO/IEC 27001.

ISO/IEC 27005:2008 38, a commercial standard from the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), describes the risk management process and its activities for information security and provides guidelines for information security risk management and supports the general concepts specified in ISO/IEC 27001:2005 as well as the main principles and rules described in ISO/IEC 27002:2005. It is applicable to all types of organizations (e.g., governmental agencies, large companies, small and medium size enterprises) that intend to manage cyber risks that could compromise the organization's information security. Essentially, the ISO information security risk management process can be applied to the whole organization; any discrete part of the organization (e.g., a department, a physical location, a service); any ICT system; and any existing, planned, or aspect of control (e.g., business continuity planning).

ISO 27005 proposes the use of both quantitative and qualitative methods for the calculation of the risk level; however, it does not support any specific technique for this purpose or any computational method to analyze and combine the assessment information. The generic nature of the standard does not include aspects that promote the collaboration among the users.

In this context, more integrated risk management methodologies and methods such as EBIOS, MAGERIT, and MEHARI comply with the rules and obligations defined by the specific standard.

ISO/IEC 27002:2005 is a commercial standard that establishes guide-lines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. It provides specifications with guidance for implementation of the ISMS in the organization. This can be used by internal and external analysts with high ICT expertise and experience, to assess an organization's ability to meet its own requirements, as well as any customer or regulatory demands.

The standard provides a list of 10 main control domains (organization of information security; asset management; human resources security; physical and environmental security; communications and operations management; access control; information systems acquisition, development, and maintenance; information security incident management; business continuity management; compliance) comprising 36 control objectives and 127 controls, which are used for the assessment. The standard promotes the adoption of a process approach for establishing, implementing, operating, monitoring, and improving the effectiveness of an organization's ISMS.

It should be noted that ISO/IEC 27002 is not a real method for risk analysis and management, but rather compliance standards, reporting a list of controls for good security practices and the requisites that an existing method should have to be standard compliant. However, although it is neither a method for evaluation nor for management of risks, it includes specific risk handling aspects such as the identification of risk and the creation of an initial risk treatment plan. The standard can cover all types of organizations (e.g., governmental agencies) and all sizes from micro to medium and large size businesses.

About the author:

Nineta Polemi works for the European Commission and was previously an Associate Professor at the University of Piraeus in Piraeus, Greece, teaching cryptography, ICT system security, port security, and e-business and innovation. She has been a security project manager for organizations such as the National Security Agency, NATO, Greek Ministry of Defense, INFOSEC, TELEMATICS for Administrations, and the European Commission (E.C.) She has acted as an expert and evaluator in the E.C. and the European Network and Information Security Agency (ENISA). She is the director of the UPRC Department of Informatics security graduate program and has participated in the national and European cyber security exercises in the last four years. Polemi has been published in more than one hundred publications, including the International Journal of Electronic Security and Digital Forensics, and International Journal of Electronic Security and Digital Forensics.

Reprinted with permission from Elsevier, Copyright © 2018