The following is an excerpt from Port Cybersecurity by author Nineta Polemi and published by Syngress. This section from chapter 3 explores the Security of Ports' Critical Information Infrastructures.
The main concern of all organizations is to be able to identify their threats and estimate their risks, which is the main goal of risk management, i.e., to protect business assets (physical and cyber) and to minimize costs in case of failures. Security management represents a core duty of successful corporate governance. Hence, risk management represents a key tool for security within organizations, and it is essentially based on the experience and knowledge of best practice methods. These methods consist of an estimation of the risk situation based on the business process models and the infrastructure within the organization. In this context, these models support the identification of potential risks and the development of appropriate protective measures. The major focus lies on the organizations (e.g., port authorities) for the identification, analysis, and evaluation of threats to the respective corporate values.
The outcome of a risk analysis is in most cases a list of risks or threats to a system, together with the corresponding probabilities. International standards in the field of risk management are used to support the identification of these risks or threats as well as to assess their respective probabilities. These standards range from general considerations and guidelines for risk management processes to specific guidelines for the IT sector, all the way to highly specific frameworks such as those in the maritime sector. Most of these standards specify framework conditions for the risk management process but rarely go into detail on specific methods for risk analysis or risk assessment. This is one reason why differences in risk assessment often arise within specific areas of application, making a direct comparison of the results difficult. Furthermore, the aforementioned efforts are not sector specific; as a result, they are too generic and difficult to apply in the complex maritime sector.
In principle, choosing the right method and the right tool for risk analysis and risk evaluation proves to be complicated. In the maritime sector, security and risk management place heavy emphasis on physical security. The International Ship and Port Facility Security (ISPS) Code (as well as the respective EU regulation) defines a set of measures to enhance the security of port facilities and ships. Additionally, several methodologies and tools exist aimed at strengthening the safety level of the ports' infrastructures (physical risk assessment). Nevertheless, due to the increased interaction and exchange of ports' information with other critical infrastructures in the maritime ecosystem (e.g., port authorities, ministries, maritime companies, ship industry, etc.), the sole focus on physical security is not sufficient anymore. In the same way, the security of the ports' ICT and physical-related components, elements, and systems becomes equally important.
By security management, we mean the effective implementation, establishment, assessment, monitoring, improvement, and auditing of the security of the ICT system (all assets in the six layers of the ports' ICT systems). Managing security requires a continuous and systematic process of identifying, analyzing, mitigating, reporting, and monitoring technical, operational, and other types of security risks (risk management), as well as implementing appropriate security measures and controls. Although various efforts and processes can be found in the security management of ports' critical infrastructures (CIs), none of them address the security management of all layers of ports' CIs. They treat only physical security, and they deal only with the safety management of port systems.
Safety Management: A Restricting Approach
Traditionally, targeted methodologies for the risk assessment of ports, like MSRAM (Maritime Security Risk Analysis Model) and its extended version MSRAM-PLUS/FORETELL, address only physical security, and they are compatible only with the ISPS Code. Similarly, the available maritime risk assessment systems like MARISA concentrate on the safe navigation of ships during their presence in the port. The risk assessment system CMA detects abnormal behavior of ships and identifies the corresponding physical threats.
The ILO Port Health and Safety systems recognize that risk assessment is an essential part of safety management. It provides a sound basis for the improvement of safety. It covers tasks and physical hazards in the workplace and allows hazards to be assessed to see how harmful they are. Cybersecurity threats, however, are not covered by the ILO code.
The World Bank Group, together with the International Finance Corporation, released in 2007 a document called "Environmental, Health, and Safety Guidelines for Ports, Harbours, and Terminals." The Environmental, Health, and Safety Guidelines are technical reference documents with general and industry-specific examples of Good International Industry Practice concentrating on physical hazards.
Various research efforts concentrate on physical threats, ignoring the cyber risks. Some examples follow.
Safety4Sea is a dedicated Maritime Safety and Environmental portal, a PRO BONO project to promote maritime safety and environmental awareness, operational safety, and environmental excellence. Safety4Sea's mission is to make practical safety and environmental excellence easy to understand for everyone in the industry, promote best practices, and improve people's perception by promoting safety and environmental awareness in a wide range of maritime aspects.
FLAGSHIP is a partially EU-funded project, focusing on improvement of safety, environmental friendliness, and competitiveness of European maritime transport. The project contributes to a further increase in the capacity and reliability of freight and passenger services and to a reduction of negative impact from accidents and emissions. The emphasis of the project is on onboard systems and procedures, ship management systems on shore, impact of new technology on present ship owner and operator organizations, effective and efficient communication interfaces, and impact of standards and regulations. FLAGSHIP aimed to create the mechanism by which the expertise of all the required actors can be brought together in real time, independently of their location, and given to the right people, in the right format, at the right time, and incorporating the highest level of knowledge, so they can better manage all the questions that confront a ship operator: issues relating to the ship itself and its equipment (e.g., hull monitoring, equipment diagnostics, maintenance planning), its day-to-day operation (e.g., navigation, cargo, rule compliance), as well as emergencies and other exceptional situations (collision, fire, etc.).
SafePort was a collaborative project under the EU Seventh Framework Programme. Many European ports will reach full capacity in the next few years. SafePort takes its cue from the aviation industry, which has addressed safety issues created by increased traffic through increasing automation and the use of sophisticated traffic management systems. SafePort developed and demonstrated an active vessel traffic management and information system (A-VTMIS) to manage vessel movement within its jurisdiction. This ensures that vessels follow safe paths without conflicting with other vessels and improves the efficiency of port operations.
Several Preparatory Action on Security Research and EU FP7 Security Research programs were initiated over the last decade to address issues relating to strengthening the safety of ports and/or their CI systems. Most of these projects fall into three main categories, as follows:
Improved maritime surveillance systems: by enhancing the interoperability of local and national surveillance systems through the pooling of cross-sectoral surveillance information and its fusion into a central database. Representative examples are the following:
- The Autonomous Maritime Surveillance System (AMASS) project focused on strengthening maritime surveillance and on better integrating information and data between relevant agencies. The focus was on developing a cutting-edge early warning system that provides maritime authorities and law enforcement agencies with information about attempts at illegal immigration and other criminal activities at sea.
- The Underwater Coastal Sea Surveyor project is a cost-effective response to new terrorist attacks, especially the threat of underwater improvised explosive devices. It provides a fundamental technology for the global issue of maritime surveillance and port/naval infrastructure protection.
- The Surveillance of Borders, Coastlines and Harbors project attempted to combine and maximize the use of existing surveillance technologies to model the most effective operational procedures for enhancing the surveillance of borders, coastlines, and harbors.
- The Sea Border Surveillance (SEABILLA) project aims to define the architecture for cost-effective European sea border surveillance systems, integrating space, land, sea, and air assets, including legacy systems. The project is applying advanced technological solutions to improve the performance of surveillance functions.
Interoperability of ports' CI systems: by enhancing the capability to collect and merge maritime-related data into a common and comprehensive picture to be shared among relevant organizations. Projects of this category are the following:
- The InterOPERAble Approach to European Union MARitime Security Management (OPERAMAR) project attempted to solve the issue of fragmentation between member states caused by the persistence of nation-specific procedures, legislations, and systems that hamper interoperability, greater information sharing, and improved coordination.
- The SECure CONtainer Data Device (SECCONDD) project was designed to initiate the international standardization of the technical interface between a secure container or vehicle and a data reader at a port or border crossing. The interface should enable law enforcement and trade officials to read security data, including stored information from internal security and location sensors.
Protection of critical maritime infrastructure: by mitigating the risks of maritime safety (physical) incidents. A notable number of projects are the following:
- The Security System for Maritime Infrastructure, Ports, and Coastal Zones (SECTRONIC) project attempted to improve the safety of civilian ships (passenger and cargo carriers), energy platforms and facilities, and ports through advanced information, sensor, and response technologies. It aimed to develop an integrated security system combining surveillance, intrusion detection, and response to events and incidents.
- The Security Upgrade for Ports (SUPPORT) project aims to raise the current level of port safety by integrating legacy port systems with new surveillance and information management systems. Furthermore, the SUPPORT project has a special focus on border control, aiming to secure uninterrupted flows of cargo and passengers while allowing for the effective elimination of illegal immigration and trafficking.
Cybersecurity Regulations and Standards
Most ports are compliant with the ISPS Code; however, this compliance does not imply secure ports, since the ISPS Code addresses only organizational and safety issues. The most recent regulations and directives, by contrast, are cybersecurity focused, and their implementation at the EU and international level will help the port authorities to secure their ICT systems and to better mitigate existing and upcoming cyber risks. In the upcoming years, the ports will need to implement the following new regulatory framework:
- CIIP Directive (2012), critical information infrastructure protection: toward global cybersecurity;
- The Cybersecurity Strategy for the European Union (2013) and the European Agenda on Security (2015) provide the overall strategic framework for the EU initiatives on cybersecurity and cybercrime;
- eIDAS Regulation (2014) on electronic identification and trust services for electronic transactions in the internal market;
- European Parliament (2015) concerning measures to ensure a high common level of network and information security across the union;
- NIS Directive (2016) applies only to those public administrations that are identified as operators of essential services;
- cPPP Initiative (2015) ensures that Europe will have a dynamic, efficient, and effective market in cybersecurity products and services;
- Enhanced Privacy Directive (2016), mandatory reporting of security breaches;
- USA H.R. 3878, House of Representatives, "Strengthening Cybersecurity Information Sharing and Coordination in Our Ports Act of 2015."
Besides the new upcoming regulatory framework, standards and best practices support the effort for better ICT security management. An overview of ICT security management standards is presented in this section. It should be noted that these standards do not constitute risk management methods; rather, they fix a minimal framework and describe requirements for the risk assessment process itself, i.e., for the identification of the threats and vulnerabilities that allows the risks and their level to be estimated, so that an effective treatment plan can then be defined.
The most well-known cybersecurity standards are these:
ISO/IEC 27001 is a commercial standard that specifies requirements for the establishment, implementation, monitoring and review, maintenance, and improvement of an information security management system (ISMS). The ISMS is an overall management and control framework for managing an organization's information security risks. ISO/IEC 27001 does not mandate specific information security controls but stops at the management and operational level. Usually, a group of analysts with high ICT expertise and experience verifies the compliance of the organization with the defined requirements. However, although the compliance process requires the involvement of multiple users, the collaborative abilities of the standard are limited due to its inherent complexity. The standard covers mostly large-scale organizations (e.g., governmental agencies and large companies), while it is considered too heavy for micro, small, and medium size businesses.
The ISO/IEC 27001 ISMS incorporates several Plan-Do-Check-Act cycles: for example, information security controls are not merely specified and implemented as a one-off activity but are continually reviewed and adjusted to take account of changes in the security threats, vulnerabilities, and impacts of information security failures, using review and improvement activities specified within the management system. A variety of free tools (e.g., EBIOS, developed by the Central Information Systems Security Division [France]) and commercial tools (e.g., CRAMM, developed by Insight Consulting) exist that verify the compliance of the organization with ISO/IEC 27001.
ISO/IEC 27005:2008, a commercial standard from the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), describes the risk management process and its activities for information security. It provides guidelines for information security risk management, supports the general concepts specified in ISO/IEC 27001:2005, and follows the main principles and rules described in ISO/IEC 27002:2005. It is applicable to all types of organizations (e.g., governmental agencies, large companies, small and medium size enterprises) that intend to manage cyber risks that could compromise the organization's information security. Essentially, the ISO information security risk management process can be applied to the whole organization; to any discrete part of the organization (e.g., a department, a physical location, a service); to any ICT system; and to any existing or planned aspect of control (e.g., business continuity planning).
ISO 27005 proposes the use of both quantitative and qualitative methods for the calculation of the risk level; however, it does not prescribe any specific technique for this purpose or any computational method to analyze and combine the assessment information. The generic nature of the standard also means that it does not include aspects that promote collaboration among the users.
In this context, more integrated risk management methodologies and methods such as EBIOS, MAGERIT, and MEHARI comply with the rules and obligations defined by this standard.
ISO/IEC 27002:2005 is a commercial standard that establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. It provides specifications with guidance for implementation of the ISMS in the organization. This can be used by internal and external analysts with high ICT expertise and experience, to assess an organization's ability to meet its own requirements, as well as any customer or regulatory demands.
The standard provides a list of 10 main control domains (organization of information security; asset management; human resources security; physical and environmental security; communications and operations management; access control; information systems acquisition, development, and maintenance; information security incident management; business continuity management; compliance) comprising 36 control objectives and 127 controls, which are used for the assessment. The standard promotes the adoption of a process approach for establishing, implementing, operating, monitoring, and improving the effectiveness of an organization's ISMS.
It should be noted that ISO/IEC 27002 is not a real method for risk analysis and management, but rather a compliance standard, reporting a list of controls for good security practices and the requisites that an existing method should have to be standard compliant. However, although it is neither a method for the evaluation nor for the management of risks, it includes specific risk handling aspects such as the identification of risk and the creation of an initial risk treatment plan. The standard can cover all types of organizations (e.g., governmental agencies) and all sizes from micro to medium and large size businesses.
About the author:
Nineta Polemi works for the European Commission and was previously an Associate Professor at the University of Piraeus in Piraeus, Greece, teaching cryptography, ICT system security, port security, and e-business and innovation. She has been a security project manager for organizations such as the National Security Agency, NATO, Greek Ministry of Defense, INFOSEC, TELEMATICS for Administrations, and the European Commission (E.C.). She has acted as an expert and evaluator in the E.C. and the European Network and Information Security Agency (ENISA). She is the director of the UPRC Department of Informatics security graduate program and has participated in the national and European cyber security exercises in the last four years. Polemi has been published in more than one hundred publications, including the International Journal of Electronic Security and Digital Forensics.
Reprinted with permission from Elsevier, Copyright © 2018