Multidimensional, IntegraTed, rIsk assessment framework and dynamic, collaborative Risk ManaGement tools for critical information infrAstrucTurEs
General awareness of the need for cyber security and cyber risk management increases with each new incident. However, modern risk management methods for maritime environments focus only to a limited extent on cyber security. Motivated by these limitations, the MITIGATE project developed a novel risk management approach that promotes stakeholder collaboration in identifying, evaluating and mitigating risks associated with cyber security resources and supply chain processes. The overall concept is to build up a collaborative risk assessment system to provide insights into risk assessment and risk mitigation. ICT systems in ports are classified as Critical Information Infrastructures (CII) because ports are crucial for unrestricted supply, trade and the economy. Several initiatives and directives have recently been put into place to improve IT security in the maritime domain, e.g. by the EU, by the IMO (International Maritime Organization) and by the US government. MITIGATE addresses these requirements and offers a dynamic risk management system for actors in the maritime process chain to protect them from cybercrime activities.
The MITIGATE system
- detects weak points in the IT infrastructure,
- enables optimal security measures to be developed,
- uses social media to uncover new cyber threats, and
- enables cooperation with partners in the process chain.

The MITIGATE system builds on the comprehensive MITIGATE methodology, which is laid down in great detail in this report. The development of the MITIGATE methodology serves the purposes
- to assess the cyber risks for all business partners involved in a maritime supply chain service (SCS) and
- to build the basis for the creation of the MITIGATE software solution, the MITIGATE system.
The MITIGATE methodology conforms to the main port security standards, the ISPS Code (IT section), ISO 27001 and ISO 28001. The development of the MITIGATE system closely followed the full‐featured methodology. The MITIGATE system became a software prototype at TRL 7, designed for system experts, with which a risk assessment of your own environment or of processes within the supply chain is possible by linking
- Assets as CPE,
- Vulnerabilities as CVE,
- Sites,
- Networks

The approach to calculating cascading effects, however, requires the approval of the involved business partners.
MITIGATE has been presented at many different business and scientific occasions. It has been tested extensively, internally and externally, at five different port pilot sites in Europe, including the Ports of Bremen, Piraeus, Ravenna, Valencia and Livorno. These extensive user tests served to test the functionality and usability and to evaluate, together with the users, the results of the risk assessment.
In general, potential users acknowledge the usefulness of such tools and methods. However, especially in smaller ports and maritime logistics organisations, the effort of carrying out such useful analysis of vulnerabilities and threats was often regarded as too high. Cyber security awareness seems to be at only an early stage among many maritime stakeholders. MITIGATE went beyond the state‐of‐the‐art by introducing and validating an evidence‐driven Maritime Supply Chain Risk Assessment (g‐MSRA) methodology which is able to address and cover the distributed and interconnected nature of complex, interrelated cyber components, network and operating environments composing the ports’ Supply Chain Services.
- Partners: Fraunhofer Gesellschaft zur Forderung der Angewandten Forschung EV (Coordinator), AIT, UNIVERSITY OF PIRAEUS RESEARCH CENTER, MAGGIOLI SPA, SINGULARLOGIC ROMANIA COMPUTER APPLICATIONS SRL, UNIVERSITY OF BRIGHTON, PIRAEUS PORT AUTHORITY SA, FONDAZIONE ISTITUTO TECNICO SUPERIORE MOBILITA SOSTENIBILE NEI SETTORI TRASPORTI MARITTIMI E DELLA PESCA-ACCADEMIA ITALIANA DELLA MARINA MERC, FUNDACION DE LA COMUNIDAD VALENCIANA PARA LA INVESTIGACION, PROMOCION Y ESTUDIOS COMERCIALES DE VALENCIAPORT, dbh Logistics IT AG, AUTORITA DI SISTEMA PORTUALE DEL MARE ADRIATICO CENTRO-SETTENTRIONALE- PORTO DI RAVENNA, SINGULARLOGIC ANONYMI ETAIREIA PLIROFORIAKON SYSTIMATON KAI EFARMOGON PLIROFORIKIS
- Project duration: 09/2015-02/2018
- Funding: H2020-EU.3.7. - Secure societies - Protecting freedom and security of Europe and its citizens, DS-06-2014 - Risk management and assurance models