cysm.eucysm.eu/.../private/Workpackage2/Activity+21/D2.1_PP… · Web viewcysm.eu


"PREVENTION, PREPAREDNESS AND CONSEQUENCE MANAGEMENT OF TERRORISM AND OTHER SECURITY-

RELATED RISKS"

HOME/2012/CIPS/AG

Call identifier: CIPS/ISEC 2012

Project acronym: CYSM

Project full title: Collaborative Cyber/Physical Security Management System

Grant agreement no.:

D2.1 Desk Research and State-of-the-Art

Deliverable Id : D2.1

Deliverable Name : Desk Research and State-of-the-Art

Due date of deliverable : M2

Actual submission date : M2

Work Package : WP2

Organisation name of lead contractor for this deliverable: PPA

Author(s): N. Polemi, C. Douligeris, I. Koliousis, G. Papagianopoulos and members of WP2

Partner(s) contributing :

Abstract

The deliverable provides a desk research assessment of the available maritime safety (physical) and security assessment and management standards, methodologies, best practices, tools and frameworks, as well as an analysis of the existing national and European legal and regulatory regime. In addition, the deliverable captures the security awareness level of the ports and describes their critical ICT infrastructure (physical infrastructure, telco infrastructure, equipment, software, services, users etc.).

Copyright by CYSM

History

Version  Date  Modification reason  Modified by

CYSM Page 2 of 68


Table of contents

1. INTRODUCTION (PPA).........................................................................9

1.1. THE IMPACT OF CYBER-ATTACK IN THE GLOBAL SUPPLY CHAIN....................................9

1.2. LIST OF IT THREATS RELATED TO PORT SECURITY...................................................10

1.2.1. THREATS RELATED TO VIOLATION OF CONFIDENTIALITY........................................10

1.2.2. THREATS RELATED TO THE VIOLATION OF INTEGRITY............................................12

1.2.3. THREATS RELATED TO THE VIOLATION OF AVAILABILITY........................................13

1.3. DESCRIPTIONS OF THREAT ACTORS RELEVANT FOR IT THREATS..................................13

1.3.1. NORMAL USER.............................................................................................13

1.3.2. PRIVILEGED USER.........................................................................................14

1.3.3. INFORMATION EXCHANGE PARTNER..................................................................14

1.3.4. SERVICE PROVIDER.......................................................................................14

1.3.5. SERVICE CONSUMER.....................................................................................14

1.3.6. BYSTANDER................................................................................................14

1.3.7. PHYSICAL INTRUDER.....................................................................................14

2. MARITIME SAFETY APPROACHES (FEPORTS).......................................15

2.1. STANDARDS AND STANDARDIZATION BODIES.........................................................15

2.2. SAFETY MANAGEMENT APPROACHES.....................................................................15

2.3. RESEARCH INITIATIVES......................................................................................15

2.4. EUROPEAN LEGAL AND REGULATORY REGIME........................................................15

2.5. OPEN ISSUES..................................................................................................15

3. ICT SECURITY APPROACHES (UPRC)...................................................16

3.1. SECURITY MANAGEMENT STANDARDS...................................................................17

3.1.1. ISO FAMILY OF STANDARDS...........................................................................17

3.1.1.1. ISO/IEC 27005:2008 INFORMATION TECHNOLOGY-SECURITY TECHNIQUES-INFORMATION SECURITY RISK MANAGEMENT......................................................................17

3.1.1.2. ISO/IEC 27001:2005 INFORMATION TECHNOLOGY — SECURITY TECHNIQUES — INFORMATION SECURITY MANAGEMENT SYSTEMS — REQUIREMENTS.......................................19


3.1.1.3. ISO/IEC 27002:2005 INFORMATION TECHNOLOGY — SECURITY TECHNIQUES — CODE OF PRACTICE FOR INFORMATION SECURITY MANAGEMENT.............................................20

3.2. SECURITY MANAGEMENT METHODOLOGIES............................................................21

3.2.1 NIST 800-30 METHODOLOGY..............................................................................21

3.2.1. OPERATIONALLY CRITICAL THREAT, ASSET, AND VULNERABILITY EVALUATION (OCTAVE) METHOD...................................................................................................22

3.2.2. CCTA RISK ASSESSMENT AND MANAGEMENT METHODOLOGY (CRAMM)................23

3.2.3. EBIOS........................................................................................................25

3.2.4. IT-GRUNDSCHUTZ........................................................................................26

3.2.5. MAGERIT..................................................................................................27

3.2.6. MEHARI....................................................................................................29

3.2.7. INFORMATION SECURITY ASSESSMENT & MONITORING METHOD (ISAMM)..............30

3.2.8. THE STORM METHODOLOGY..........................................................................30

3.2.9. EVALUATION OF SECURITY MANAGEMENT APPROACHES........................................31

3.3. CRITICAL INFORMATION INFRASTRUCTURES (CII) SECURITY MANAGEMENT APPROACHES.39

3.3.1. CRITICAL INFORMATION INFRASTRUCTURES PROTECTION (CIIP) METHODOLOGIES.....39

3.3.2. EVALUATION OF CIIP APPROACHES..................................................................42

3.4. RESEARCH INITIATIVES......................................................................................45

3.5. EUROPEAN LEGAL AND REGULATORY REGIME........................................................46

3.6. OPEN ISSUES..................................................................................................48

4. CAPTURING PORTS SECURITY AND SAFETY PRACTICES AND FRAMEWORKS........................................................................................50

4.1. PIRAEUS PORT CASE (PPA)...............................................................................50

4.1.1. ORGANIZATIONAL STRUCTURE..................................................................................50

4.1.2. STRATEGY - VISION...................................................................................................51

4.1.3. PIRAEUS, INTERNATIONAL HUB.................................................................................52

4.1.4. PIRAEUS PORT COMPETITIVE ADVANTAGES.............................................................52

4.1.5. SOCIAL RESPONSIBILITY............................................................................................52

4.1.6. PORT SERVICES..........................................................................................................54


4.1.6.1 SERVICES TO SHIPS................................................................................................54

4.1.6.2 CONTAINER TERMINAL..........................................................................................54

4.1.6.3 CAR TERMINAL (HTTP://OLP.GR/EN/SERVICES/CAR-TERMINAL)............................55

4.1.6.4 CONVENTIONAL CARGO (HTTP://OLP.GR/EN/SERVICES/CONVENTIONAL-CARGO). 56

4.1.6.5 LAND AREA DEVELOPMENT (HTTP://OLP.GR/EN/SERVICES/UTILIZATION-OF-LAND-AREAS)..........56

4.1.6.6 CRUISE SERVICES..................................................................................................57

4.1.6.7 COASTAL SHIPPING SERVICES (HTTP://OLP.GR/EN/COASTAL-SHIPPING/COASTING)..........59

4.1.7. SECURITY AWARENESS REPORT................................................................................60

4.2. VALENCIA PORT CASE (VPF)..............................................................................60

4.2.1. ORGANIZATIONAL STRUCTURE..................................................................................60

4.2.2. PORT SERVICES..........................................................................................................60

4.2.3. SECURITY AWARENESS REPORT................................................................................60

4.3. PORT OF MYKONOS CASE (SILO/PORT OF MYKONOS).............................................60

4.3.1. ORGANIZATIONAL STRUCTURE..................................................................................60

4.3.2. PORT SERVICES..........................................................................................................60

4.3.3. SECURITY AWARENESS REPORT................................................................................61

4.4. PORT OF GENOA CASE (DITEN- UNIGE).............................................................61

4.4.1. ORGANIZATIONAL STRUCTURE..................................................................................61

4.4.2. PORT SERVICES..........................................................................................................61

4.4.3. SECURITY AWARENESS REPORT................................................................................61

5. CONCLUSIONS (PPA).........................................................................62

GLOSSARY..............................................................................................63

REFERENCES...........................................................................................64

A. APPENDIX A – “QUESTIONNAIRE FOR THE INVOLVED COMMERCIAL PORTS ON SECURITY AWARENESS” (UPRC)...............................................68

List of figures

List of tables


Executive summary (PPA)


1. Introduction (PPA)

[This section will introduce the main concepts of the Deliverable in a very high-level description]

1.1. The impact of cyber-attack in the Global Supply Chain

Commercial ports are among the key transportation Critical Information Infrastructures (CII). The degradation, interruption or impairment of ports’ ICT Systems has serious impacts on economy, national security, health, safety, and the welfare of citizens and nations. Therefore, there is a pressing need for ports to deal with the growing number of cyber threats and attacks (e.g., masquerading identities, network traffic monitoring, theft or modification of personal/cargo/ship data).

Unlike other transport CIIs (e.g. railroads, airports), ports’ CIIs are characterized by multiple, divergent interdependencies with other entities (e.g. ships, port authorities, maritime/insurance companies, customs, the ship industry) and with other CII infrastructures (e.g. railroads, airports), and therefore risk propagating cyber-threats across those interdependencies. Furthermore, ports’ CIIs have a dual “cyber”/“physical” nature: their physical nature relates to the establishments of the port (e.g. buildings, platforms, gates, marinas, data centres, personnel and users), while their cyber nature relates to their ICT infrastructure, systems and services.

The next figure shows the global supply chain from the beginning of transportation until delivery to the end customer.


It also shows the different transportation segments that goods pass through before they reach the port, which illustrates the consequences of a cyber-attack at any single point of the supply chain.

1.2. List of IT threats related to Port Security

The following is a description of the most common IT threats, divided into three groups according to the type of information compromise. In the literature, the three tenets of data security are Confidentiality, Integrity and Availability of information; if one of these is violated, information is compromised. Their definitions are as follows:

- Confidentiality: The property that information is not made available or disclosed to unauthorised individuals, entities or processes (ISO/IEC 13335-1:2004)

- Integrity: The property of safeguarding the accuracy and completeness of Assets (in this case Information). This may include the ability to prove an action or event has taken place, such that it cannot be repudiated later.

- Availability: The property of being accessible and usable upon demand by an authorised entity.

Information Compromise, therefore, is the violation of one of the above concepts.

The list is followed by a section with more detailed descriptions of the different threat actors.

1.2.1. Threats related to violation of Confidentiality

1. A member of staff, cleaner or visitor finds or steals a user password, or observes a user entering it, and uses the password to gain access to confidential information about cargo contents, cargo location, security arrangements, financial and contractual information, passenger lists, route information, operational information or anything else stored on port IT systems. This information is leaked to criminal actors.

2. A member of staff, cleaner or visitor installs a hardware key logger, locally or remotely, to intercept a password and leak information about cargo contents, cargo location, security arrangements, financial and contractual information, passenger lists, route information, operational information or anything else stored on port IT systems to criminal actors, terrorists, mafia etc.

A more concrete example of the above: malicious code, disguised as an acceptable file type, is installed by a member of staff; it logs keyboard input and returns personal details to the sender.


3. A member of staff, cleaner or visitor cracks or guesses a user password remotely (or on location) and leaks information about cargo contents, cargo location, security arrangements, financial and contractual information, passenger lists, route information, operational information or anything else stored on port IT systems to criminal actors, terrorists, mafia etc.

4. A known virus, worm or Trojan Horse is sent by an information exchange partner through an infected website (or arrives through business data, email, questionable material downloaded by staff, or a phishing attack) and creates an invisible leak that continues to disclose confidential information without the knowledge of operators.

5. An unknown virus, worm or Trojan Horse in an email leads to an invisible leak of confidential information, which continues without the knowledge of operators.

6. A virus, worm or Trojan Horse is planted in the information system that allows sporadic access to confidential information, making detection of the information leak more difficult.

7. A criminal actor obtains a password from a user by social engineering (e.g. the user is persuaded to reveal it over the phone by an attacker impersonating a system administrator) and gains access to confidential information that criminal actors or terrorists use for follow-on attacks.

8. A service provider copies the data physically and releases sensitive information about the consumer, or simply changes the permissions on the website to let criminal actors access sensitive information about the consumer.

9. An information exchange partner releases information by making physical copies of it and selling them to the highest bidder.

10. A cleaner, visitor or staff member attaches a laptop to the network and obtains confidential information about cargo contents or cargo location, which is leaked to criminal actors planning a large-scale theft of the contents.

11. Using a man-in-the-middle attack, a criminal actor either observes trusted communications between staff or pretends to be a trusted partner:

- Physical attack: by observing Wi-Fi traffic, by plugging into the network lines, or through a virus giving full control

- Non-physical attack: by faking a trusted web server, pretending to be a trusted person, or otherwise convincing the victim that the attacker should be privy to restricted information

12. A person within emanation range uses HERF (High Energy Radio Frequency) methods to obtain information from port information systems.


1.2.2. Threats related to the violation of Integrity

1. A known or unknown virus, worm or Trojan Horse is planted in the information system and attacks business data by overwriting it with ‘junk’ data or, more seriously, adds fake but legitimate-looking data, resulting in unreliable data, financial loss and, potentially, unpredictable behaviour of any connected hardware. Integrity violation may also be aimed at hiding evidence of theft or other tampering.

2. A user deliberately overwrites another user’s data or makes inappropriate changes to data, thus compromising its integrity.

3. A member of staff, cleaner or visitor finds or steals a user password, or observes a user entering it (directly or through a key logger), and uses the password to change confidential information. Security passwords may be corrupted or changed, leaving port staff without access or control.

4. A bystander tampers with equipment to launch a network attack that corrupts information with the aim of hiding evidence of a theft.

5. A privileged user changes and corrupts information about certain passengers or cargo contents with the aim of helping criminals to smuggle people or cargo.

6. An information exchange partner provides misleading or false information about dangerous cargo contents with the aim of damaging the reputation of the port. The false information makes the port treat the cargo inappropriately, which may later lead to litigation against the port.

7. A bystander steals a legitimate user’s password and substitutes or deletes information about cargo contents and cargo location to create chaos in the port, resulting in several days of disruption of port activity while everything is sorted out.

8. A service consumer launches a network attack that changes the information about other consumers in order to disrupt port activity and cause economic damage through a breakdown of information exchange (and thus follow-on costs through missed deliveries, etc.), or to achieve a rerouting of information to criminal consumers.

9. A member of staff, cleaner or visitor installs a hardware key logger (locally or remotely) to intercept a password and deletes or destroys information, resulting in several hours of downtime and unresponsiveness.

10. A person within emanation range carries out a HERF attack to corrupt data, which leads to a damaged information system and disruption of port activity.


1.2.3. Threats related to the violation of Availability

1. A known or unknown virus, worm or Trojan Horse is inserted through the exchange of business data. The virus damages the operating system, crashing the port systems and leaving the port unresponsive.

2. A privileged user enters wrong data into the information system, which results in a crash and subsequently the unavailability of the system for some time.

3. A bystander steals part or all of the critical computer system equipment, leading to widespread disruption and unavailability of any service or information.

4. A person within emanation range carries out a HERF jamming attack to deny availability of Wi-Fi networks and to reduce or completely deny availability of any other information held in port information systems.

5. A hacker group launches a Denial-of-Service attack on the port systems, leading to several hours of downtime and system unavailability.

6. The service provider deletes the DNS/URL address details of the port systems, thus removing the port systems’ availability.

7. The service provider changes the access permissions of the port’s IT systems, thus removing access to them.

8. The service provider deletes the port systems from the web server, leading to hours or days of chaos until the systems are restored.

1.3. Descriptions of threat actors relevant for IT threats

1.3.1. Normal User

A registered user/account holder who uses the applications, services and equipment to handle, process, store and/or exchange information in support of Enterprise business objectives. In some cases, this may include the general public and use of systems may be anonymous.

1.3.2. Privileged User

A registered user/account holder who manages the applications, services, equipment and security defences of the IT systems. A Threat Actor of this type usually cannot be constrained in the same way as a Normal User.


1.3.3. Information Exchange Partner

Someone who needs to exchange information with the Normal or Privileged Users, whether through direct or indirect electronic connection or media exchange. The person will be an originator and/or recipient of information in support of normal business.

1.3.4. Service Provider

Someone who provides services, including but not limited to communications, shared databases, internet access or web-site hosting, resource sharing, archive services or intrusion detection services.

It could be subdivided according to the type of service provided, such as Communication Service Provider, Website Provider, Monitoring Service Provider

1.3.5. Service Consumer

Someone who is an authorised user of the services provided but who is not a registered user or account holder who manages the equipment.

1.3.6. Bystander

Someone with authorised access to a place where the equipment is located and/or account holders work, but with no business need to access the system. This will usually include cleaners and visitors but could also include the general public.

1.3.7. Physical Intruder

Someone who does not have authorised access to the rooms/buildings/sites/vehicles etc. that contain the equipment.


2. Maritime Safety Approaches (FEPORTS)

2.1. Standards and Standardization Bodies

[Overview of the national and international standards and the effort of the standardization bodies in the safety of maritime sector]

2.2. Safety management approaches

[Overview of the Safety management methodologies, frameworks, tools and best practices etc.]

2.3. Research Initiatives

[Objectives and outline of the existing researcher initiatives]

2.4. European Legal and Regulatory Regime

[Analysis of the European legal and regulatory framework]

2.5. Open Issues


3. ICT Security Approaches (UPRC)

The Ports’ Information and Communication Technologies (PICT) systems consist (as all ICT systems do) of the following successive layers [1], [2]:

1. Physical infrastructure (e.g. buildings, platforms, gates, marinas, data centers)

2. ICT infrastructure (e.g. networks, equipment, satellites, servers, relay stations, tributary stations);

3. Systems and software (e.g. communications networks, transmission systems, data identification, maritime navigation, Enterprise Resource Planning –ERPs-, ticketing, GIS, port resilience systems);

4. Information and electronic data (e.g. marine and coastal data, trade data);

5. Services (e.g. invoicing, navigation, luggage/cargo/ vessel management, logistics, e-health);

6. Users: a. internal users (e.g. administrators, personnel); b. external users (e.g. port authorities, maritime companies, customs, insurance companies, IT and commercial providers); c. objects (e.g. ships, crew, cargo, luggage, vehicles).

7. Other equipment (e.g. fire alarm systems, CCTV)

A PICT system is secure if all assets in the above seven (7) layers satisfy all four dimensions of security, i.e. confidentiality, integrity, availability and authenticity/access control. By safety (or physical security) we mean the satisfaction of two of these components, namely access control and availability, for the assets in the first (1st) and seventh (7th) layers. Safety is therefore a subset of PICT security, as illustrated in Figure 1.

[Figure 1: Security and Safety (diagram showing Safety as a subset of Security)]


However, the existing maritime security standards, methodologies and tools concentrate only on the physical security of the ports (safety) [3]. This usually includes access control measures for risk management, while the goal is to guarantee ship safety. The various maritime standardization bodies (e.g. IMO, EMSA, EASA, TEN-T EA) do not refer to IT/cyber security in their memoranda [2]. ICT systems security is only assessed in relation to port and ship safety. The relevant guidelines and standards do not describe the security controls that need to be applied to the ICT systems of the port in order for the port to gain compliance with regulations or standards. Finally, ports are not considered Critical Information Infrastructures, and they do not use the standards and legislation appropriate for their protection (CIIP standards).

European ports need to follow ICT security and CIIP standards and directives, as well as common security methodologies and practices, in order to build a trusted, interoperable and secure E.U. maritime environment. The adoption of ad-hoc, generic or even commercially driven security practices provides an ambiguous level of ports’ ICT security management. Managing ICT security requires a continuous and systematic process of identifying, analyzing, mitigating, reporting and monitoring technical, operational and other types of security risks (risk management), as well as implementing appropriate security measures and controls. This process should take into account the particularities, needs and constraints of the ports’ ICT (PICT) infrastructure.

This section assesses the security and critical infrastructure protection (CIP) management standards and methodologies with respect to their suitability for Ports’ ICT (PICT) systems. Gaps, open issues and constraints are identified.

3.1. Security Management Standards

In this section we provide an overview of ICT security management standards and methodologies and examine their suitability for PICT systems.

3.1.1. ISO Family of Standards

3.1.1.1. ISO/IEC 27005:2008 Information technology-Security techniques-Information security risk management

ISO/IEC 27005:2008 [4], a recent commercial standard from the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), describes the risk management process and its activities for information security, provides guidelines for information security risk management, and supports the general concepts specified in ISO/IEC 27001:2005 as well as the main principles and rules described in ISO/IEC 27002:2005. It is applicable to all types of organizations (e.g. governmental agencies, large companies, small and medium size enterprises) which intend to manage risks that could compromise the organization's information security. Essentially, the ISO information security risk management process can be applied to the organization as a whole; to any discrete part of the organization (e.g. a department, a physical location, a service); to any information system; and to any existing, planned or particular aspect of control (e.g. business continuity planning).

The information security risk management process consists of:

- Context Establishment: defines the boundary of the risk management exercise.

- Risk Analysis (Risk Identification and Risk Estimation phases): determines the level of each risk.

- Risk Assessment (Risk Analysis and Risk Evaluation phases): compares the estimated risks with the evaluation criteria so that decisions can be made in light of the objectives of the organization.

- Risk Treatment (Risk Treatment and Risk Acceptance phases): reduces, retains, avoids or transfers the risks.

- Risk Communication: achieves agreement on how to manage risks by exchanging and/or sharing information about risk between the decision makers and other stakeholders.

- Risk Monitoring and Review: detects any changes in the context of the organization at an early stage and maintains an overview of the complete risk picture.

However, it should be noted that the objective of this standard is not to constitute a risk management method but rather to fix a minimal framework and to describe requirements for the risk assessment process itself and for the identification of the threats and vulnerabilities, so that the risks and their level can be estimated and an effective treatment plan defined. ISO 27005 proposes the use of both quantitative and qualitative methods for the calculation of the risk level, but it does not prescribe any specific technique for this purpose or any computational method to analyze and combine the assessment information. The generic nature of the standard does not include aspects that promote collaboration among the users.

CYSM Page 18 of 68


In this context, more integrated risk management methodologies such as EBIOS, MAGERIT and MEHARI comply with the rules and obligations defined by this standard.

3.1.1.2. ISO/IEC 27001:2005 Information technology — Security techniques — Information security management systems — Requirements

ISO/IEC 27001 [5] is a commercial standard that specifies requirements for the establishment, implementation, monitoring and review, maintenance and improvement of an Information Security Management System (ISMS). The ISMS is an overall management and control framework for managing an organization's information security risks. ISO/IEC 27001 does not mandate specific information security controls but stops at the management and operational level. Usually, a group of analysts with high ICT expertise and experience verifies the compliance of the organization with the defined requirements. Although the compliance process requires the involvement of multiple users, the collaborative abilities of the standard are limited owing to its inherent complexity.

The standard covers mostly large scale organizations (e.g. governmental agencies and large companies) while it is considered too heavy for micro, small and medium size businesses.

Bringing information security under management control is a prerequisite for sustainable, directed and continuous improvement.  The ISO/IEC 27001 ISMS therefore incorporates several Plan-Do-Check-Act (PDCA) cycles: for example, information security controls are not merely specified and implemented as a one-off activity but are continually reviewed and adjusted to take account of changes in the security threats, vulnerabilities and impacts of information security failures, using review and improvement activities specified within the management system.

It should be noted that ISO/IEC 27001 is not actually a risk management method but rather a compliance standard, listing controls for good security practice and the requisites that an existing method must have to be standard-compliant. Specifically, it provides the generic requirement that risk analysis and management be carried out through a recognized method, without prescribing a specific one.

Currently, there exist a variety of freeware (e.g. EBIOS, developed by the Central Information Systems Security Division (France)) and commercial software (e.g. CRAMM, developed by Insight Consulting) that verify the compliance of the organization with ISO/IEC 27001.


3.1.1.3. ISO/IEC 27002:2005 Information technology — Security techniques — Code of practice for information security management

ISO/IEC 27002:2005 [6] comprises ISO/IEC 17799:2005 [7] and ISO/IEC 17799:2005/Cor.1:2007. ISO/IEC 27002:2005 is a commercial standard that establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. It provides specifications with guidance for implementation of the ‘Information Security Management System’ (ISMS) in the organization. This can be used by internal and external analysts with high ICT expertise and experience, to assess an organization’s ability to meet its own requirements, as well as any customers or regulatory demands.

The standard provides a list of 11 main control clauses (security policy; organization of information security; asset management; human resources security; physical and environmental security; communications and operations management; access control; information systems acquisition, development and maintenance; information security incident management; business continuity management; compliance) comprising 39 control objectives and 133 controls, which are used for the assessment. (The earlier ISO/IEC 17799:2000 edition had 10 domains, 36 control objectives and 127 controls.) The standard promotes the adoption of a process approach for establishing, implementing, operating, monitoring and improving the effectiveness of an organization's ISMS.

It should be noted that ISO/IEC 27002 is not actually a method for risk analysis and management but rather a compliance standard, listing controls for good security practice and the requisites that an existing method must have to be standard-compliant. Although it is neither a method for the evaluation nor for the management of risks, it does include specific risk handling aspects such as the identification of risk and the creation of an initial risk treatment plan.

The standard is able to cover all types of organizations (e.g. governmental agencies) and all sizes from micro to medium and large size businesses.

Various applications exist that implement ISO/IEC 27002:2005. The most representative examples are the freeware standalone tool EBIOS, developed by the Central Information Systems Security Division (France), and the commercial standalone software RiskWatch.


3.2. Security Management Methodologies

3.2.1 NIST 800-30 Methodology

NIST 800-30 [8] is a free guide that provides a foundation for the development of an effective risk management program, containing both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems. The ultimate goal is to help mostly large scale organizations (such as governmental agencies and large companies) to better manage IT-related mission risks.

The risk management methodology described by this guide encompasses the following three processes:

Risk assessment, includes identification and evaluation of risks and risk impacts, and recommendation of risk-reducing measures. The risk assessment process incorporates nine primary steps:

o Step 1 - System Characterization

o Step 2 - Threat Identification

o Step 3 - Vulnerability Identification

o Step 4 - Control Analysis

o Step 5 - Likelihood Determination

o Step 6 - Impact Analysis

o Step 7 - Risk Determination

o Step 8 - Control Recommendations

o Step 9 - Results Documentation

According to NIST 800-30, risk is a function of the likelihood of a given threat-source's exercising a particular potential vulnerability and the resulting impact of that adverse event on the organization. The final determination of mission risk (Low, Medium, High) is based on a primitive calculation: the ratings assigned for threat likelihood (High, Medium, Low) and threat impact (High, Medium, Low) are multiplied and the product is mapped onto the three-level risk scale.

Risk mitigation, involves prioritizing, evaluating, and implementing the appropriate risk-reducing controls recommended from the risk assessment process.


Evaluation and assessment, provides guidelines of an effective and efficient ongoing risk evaluation and assessment and describes the factors that will lead to a successful risk management program.

It should be noted that the use of a primitive method for the calculation of the risk level, combined with the lack of an effective computational technique to analyze and correlate the knowledge located in a corporate environment, limits the ability of NIST 800-30 to support a more integrated approach. In addition, although the method uses extensive technical and operational questionnaires that require the involvement of a variety of users, collaboration in the determination of the overall results and the formulation of the final treatment plan is limited. The risk analysis and management process defined in NIST 800-30 is usually executed by a dedicated group of ICT experts.

The method is compliant with the ISO/IEC 27001:2005 addressing all the requirements for the establishment and implementation of an Information Security Management System (ISMS). Currently NIST 800-30 is not supported by any freeware or commercial application.
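The risk determination just described can be written out as a small calculation. The following Python code is an added illustration for this deliverable and is not part of NIST SP 800-30 or of any tool; the text above only says that a High/Medium/Low likelihood rating is multiplied with a High/Medium/Low impact rating. The numeric weights used here for the two ratings, and the bands that map the product onto Low/Medium/High, are those printed in the 2002 edition of the guide (Table 3-6) and are not stated on this page. The asset register it ranks is a constructed sample.

```python
"""NIST SP 800-30 style risk determination.

Added illustration, not code from the CYSM deliverable or from NIST. The
numeric weights and the Low/Medium/High bands are the ones given in the 2002
edition of NIST SP 800-30 (Table 3-6); the register at the bottom is constructed.
"""
from dataclasses import dataclass
from fractions import Fraction

# Likelihood weights from NIST SP 800-30 (2002), Table 3-6.
LIKELIHOOD = {"High": Fraction(1), "Medium": Fraction(1, 2), "Low": Fraction(1, 10)}
# Impact weights from the same table.
IMPACT = {"High": 100, "Medium": 50, "Low": 10}


def risk_score(likelihood: str, impact: str) -> Fraction:
    """Step 7 (Risk Determination): product of the two ratings, in [1, 100].
    Fractions keep the band boundaries (10 and 50) exact."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: Fraction) -> str:
    """Map the product onto the guide's risk scale:
    Low = 1 to 10, Medium = above 10 to 50, High = above 50 to 100."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def risk_matrix() -> dict:
    """The full 3x3 matrix, keyed (likelihood, impact) -> (score, level)."""
    return {(lk, im): (risk_score(lk, im), risk_level(risk_score(lk, im)))
            for lk in LIKELIHOOD for im in IMPACT}


@dataclass(frozen=True)
class ThreatVulnPair:
    """One row of the risk register: a threat-source/vulnerability pair on an
    asset with the analyst's likelihood (Step 5) and impact (Step 6) ratings."""
    asset: str
    threat_source: str
    vulnerability: str
    likelihood: str
    impact: str

    def score(self) -> Fraction:
        return risk_score(self.likelihood, self.impact)

    def level(self) -> str:
        return risk_level(self.score())


def rank_register(pairs):
    """Order the register by descending score so that control recommendations
    (Step 8) start from the highest-risk items."""
    return sorted(pairs, key=lambda p: p.score(), reverse=True)


# Constructed sample register for a port ICT environment (hypothetical assets).
SAMPLE_REGISTER = [
    ThreatVulnPair("Vessel traffic server", "Remote attacker",
                   "Unpatched service reachable from the internet", "High", "High"),
    ThreatVulnPair("Gate access controller", "Insider",
                   "Shared administrator password", "Medium", "High"),
    ThreatVulnPair("HR file share", "Malware",
                   "No offline backup", "Low", "Medium"),
]

if __name__ == "__main__":
    for (lk, im), (score, level) in risk_matrix().items():
        print(f"likelihood={lk:6} impact={im:6} score={float(score):6.1f} -> {level}")
    for p in rank_register(SAMPLE_REGISTER):
        print(f"{p.asset:24} {p.likelihood}/{p.impact} -> {p.level()}")
```

Running the block prints the nine cells of the matrix and then the ranked register. Note how coarse the scale is: a Low likelihood against a High impact lands in the same Low band as a High likelihood against a Low impact, which is the point the text makes about the calculation being primitive.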

3.2.1. Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Method

OCTAVE [9] is a free of charge approach to information security risk evaluations that is comprehensive, systematic, context-driven, and self-directed. The approach is embodied in a set of criteria that define the essential elements of an asset-driven information security risk evaluation [10]. Initially, it was designed with larger organizations in mind; however, a targeted method for small organizations has been developed.

The OCTAVE Method uses a three-phase approach to examine organizational and technology issues, assembling a comprehensive picture of the organization’s information security needs. The method uses workshops to encourage open discussion and exchange of information about assets, security practices, and strategies. In this context, the corporate users participate actively in several parts of the evaluation process. This indicates that the method incorporates specific collaborative abilities.

Each phase consists of several processes and each process has one or more workshops led or conducted by the analysis team. Some preparation activities are also necessary to establish a good foundation for successfully completing the evaluation.


These three phases and their processes are described below.

Phase 1: Build Asset-Based Threat Profiles. The processes of Phase 1 are:

o Process 1: Identify Senior Management Knowledge.

o Process 2: Identify Operational Area Management Knowledge.

o Process 3: Identify Staff Knowledge.

o Process 4: Create Threat Profiles.

Phase 2: Identify Infrastructure Vulnerabilities. The processes of Phase 2 are:

o Process 5: Identify Key Components.

o Process 6: Evaluate Selected Components.

Phase 3: Develop Security Strategy and Plans. The processes of Phase 3 are:

o Process 7: Conduct Risk Analysis.

o Process 8: Develop Protection Strategy.

It should be noted that OCTAVE uses a primitive approach to risk analysis based on a qualitative scale (high, medium, low). In addition, the method does not integrate an advanced technique for the analysis and combination of the knowledge located in the corporate environment, so the collected information passes through an insufficient process for the determination of the overall results.

Finally, the OCTAVE Method is supported by commercial standalone software, the OCTAVE Automated Tool, implemented by the Advanced Technology Institute (ATI). The tool assists the user during the data collection phase, organizes the collected information and finally produces the study reports.

3.2.2. CCTA Risk Assessment and Management Methodology (CRAMM)

CRAMM [11] is a method developed to assist mostly the large sized organizations (such as governmental agencies and large companies) to undertake a risk analysis of information systems and networks, to identify security requirements and possible solutions, and to detect contingency requirements and possible solutions. The method is applicable to all types of information systems and networks and can be applied at all stages in the information system lifecycle, from planning and feasibility, through development and implementation, to live operation.

CRAMM consists of three main phases:

Identification and valuation of assets:


o Scope Definition: preparing a functional description of the system or project;

o Asset Identification: identifying the data, software and physical assets;

o Impact Analysis: valuing data assets in terms of the business impacts.

Risk Analysis:

o Threat identification: identifying the threats that require investigation in relation to particular assets;

o Threat assessment: assessing the level of each threat (the likelihood of it occurring);

o Vulnerability Assessment: assessing the extent of vulnerability to each threat (the likelihood of damage or loss combined with the impact that this would cause);

o Risk Estimation: calculating the risks to the organization caused by the threats to the system or network (based on the asset valuation, threat assessment and vulnerability assessment).

Risk Management:

o Countermeasure Identification: identifying countermeasures to address the estimated risks;

o Treatment plan creation: developing recommendations on suitable countermeasures for the system or network.

In this method, an analyst or a group of analysts undertakes the responsibility of evaluating the security and risk level of the organization by analyzing and combining the diverse knowledge distributed across the corporate environment. The computational method and technique adopted by CRAMM for correlating the inputs and determining the results is quite primitive and is based on a qualitative approach. In addition, the involvement of the organization's users in the actual assessment can be considered low, so the collaborative capabilities of the method are characterized as limited. In order to use and execute all the phases of the method (identification and valuation of assets, risk analysis and risk management), the analysts should have a high level of skill and experience in gathering and analyzing information to identify threats and vulnerabilities, to infer the risks and to define the most appropriate countermeasures that fit the needs of the organization.


As a method, CRAMM is detailed enough to cover an extensive range of features at the management, operational and technical levels. CRAMM also complies with the rules and obligations imposed by the ISO/IEC 17799 standard. It is supported by a commercial standalone tool, developed by Insight Consulting, that provides a way to implement the proposed method.

3.2.3. Ebios

EBIOS [12] is a risk management approach created under the French General Secretariat of National Defence. It proposes a methodology and supporting software for assessing and treating risks in the field of information systems security.

The EBIOS approach consists of a cycle of five phases:

Phase 1 deals with context analysis in terms of the global business process dependency on the information system (contribution to global stakes, accurate perimeter definition, relevant decomposition into information flows and functions).

Phases 2 and 3 conduct the security needs analysis and the threat analysis respectively, kept in a strong dichotomy, yielding an objective vision of their conflicting nature.

Phases 4 and 5 arbitrate this conflict through a traceable reasoning, yielding an objective diagnostic on risks.

The EBIOS methodology is easy to understand and deploy, so it can be applied by organizations ranging from governmental agencies and large companies to small and medium size enterprises. Its overall philosophy is straightforward and intuitive and follows a natural sequence: it consists of formalizing the sensitivities and threats and determining the associated risks for the organization. Any user can grasp the method and adapt its approach to the subjects studied. The methodology possesses collaborative abilities since it gathers and combines the corporate knowledge in a smooth and efficient manner based on a qualitative approach. However, the lack of an advanced computational scheme for the correlation and determination of the results can be considered a main disadvantage.

EBIOS has been applied both to basic systems and to complex systems (e.g. a human resources management system interconnecting several elements), at the pre-design stage or on existing systems, to complete information systems or to subsystems. It should be noted, however, that the level of detail of the method is limited to management and operational issues and characteristics.


EBIOS is able to cover all the requirements, steps and processes defined by a variety of IT standards such as ISO/IEC 27001:2005, ISO/IEC 27002:2005 and ISO/IEC 27005:2008. The method is supported by an open source tool developed by the Central Information Systems Security Division (France), a standalone application based on Java and XML technologies. The tool integrates all the risk analysis and management steps defined by the five EBIOS phases, assisting users with low IT expertise and experience to evaluate and mitigate the corporate risks.

3.2.4. IT-Grundschutz

IT-Grundschutz [13], [14], and [15] has been developed by the Federal Office for Information Security (BSI) in Germany. IT-Grundschutz provides a structured approach for establishing integrated and effective IT security management. The proposed IT security process incorporates the following steps:

Initialization of the process:

o Definition of IT security goals and business environment

o Establishment of an organizational structure for IT security

o Provision of necessary resources

Creation of the IT Security Concept:

o IT-Structure Analysis

o Assessment of protection requirements

o Modeling

o IT Security Check

o Supplementary Security Analysis

o Implementation planning and fulfillment

o Maintenance, monitoring and improvement of the process

o IT-Grundschutz Certification (optional)

Before starting the risk analysis, the method performs a basic security check to verify the security measures already implemented. The risk assessment then identifies the threats that are not covered by those measures (the residual threats), which can be eliminated by additional security measures. In this way, risk is reduced to an acceptable level.

IT-Grundschutz has been designed to apply to organizations with complex underlying infrastructure, such as governmental agencies and large companies, as well as to small and medium size businesses with basic systems. The method can be deployed by users with standard IT-related expertise and experience who undertake the responsibility of executing the evaluation process. However, the collaborative abilities of the method can be considered low, since the corporate users are involved only in specific steps of the risk assessment.

IT-Grundschutz incorporates a qualitative risk analysis approach associated with a primitive computational technique for the analysis and correlation of the assessment information. The method is compliant with ISO/IEC 27001:2005, addressing the defined requirements, and is suitable for the implementation of the ISMS process described by ISO/IEC 27002:2005. In this context, IT-Grundschutz aims at assisting all users with managerial, operational and technical responsibilities in their efforts to manage the security of information and IT resources and to reduce the associated risks.

The method is supported by commercial software, GSTOOL, developed by the Federal Office for Information Security (BSI). GSTOOL is a standalone application with database support.

3.2.5. MAGERIT

Magerit [16] is an open methodology for risk analysis and management, developed by the Spanish Higher Council for Electronic Government and offered as a framework and guide to the public administration. It responds to the increasing dependency of public and private organizations on information technologies to fulfil their mission and reach their business objectives. The purpose of Magerit is directly related to the generalized use of IT systems, communications and electronic media, which bring evident benefits for the users but are also subject to certain risks that must be kept under control by means of security countermeasures that generate confidence in the use of these media.

Organizations that possess complex IT infrastructure (governmental agencies and large companies) as well as basic systems (small and medium size enterprises) are able to apply this method in order to identify and mitigate their security risks. Magerit can be used and maintained only by users with high ICT expertise and experience. These users undertake the responsibility of running the risk analysis process via workshops and interviews with specific representatives of the organization, who participate only in specific phases of the assessment process. In this context, the method does not support sufficient collaborative capabilities and features.

The latest version of Magerit consists of three main guides:


Methodology: describes the core steps and basic tasks of the design and implementation of the risk analysis and management process. The analysis steps are Step 1: Assets, Step 2: Threats, Step 3: Safeguards, Step 4: Determination of the impact and Step 5: Determination of the risk; impact and risk are first determined without the safeguards, and Steps 4 and 5 are then revised to obtain the residual impact and the residual risk once the safeguards are taken into account. The evaluation of the risk may be quantitative (a value obtained with a primitive function) or qualitative (on a scale of levels: very low, low, medium, high, very high). Two parameters are taken into account for the calculation of the risk: the impact on an asset arising from a threat and the frequency of the threat. It should also be noted that the computational technique implemented in Magerit is not adequate, since the analysis and correlation of the assessment information is based on primitive functions.

Catalogue of elements. It provides standard elements and criteria for information systems and risk modeling; it also describes the reports containing the findings and conclusions.

Practical techniques. It describes techniques frequently used to carry out risk analysis and management projects such as: tabular and algorithmic analysis; threat trees, cost-benefit analysis etc.

Magerit complies with a set of IT standards. Specifically, it addresses all the rules and obligations imposed by the risk analysis and management standard ISO/IEC 27005:2008, covers all the requirements defined by ISO/IEC 27001:2005 and conforms with the code of practice for implementing an ISMS specified by ISO/IEC 27002:2005.

Commercial software that implements and expands the Magerit methodology is EAR / PILAR, a standalone application (based on Java and XML technologies) developed by A.L.H. J. Mañas and designed to support and execute the defined risk management process.

3.2.6. MEHARI

MEHARI [17], [18], and [19] is a free of charge qualitative risk analysis and management method developed by CLUSIF (Club de la Sécurité de l'Information Français, the French information security club). MEHARI provides a consistent methodology, with appropriate knowledge bases (e.g. manuals and guides that describe the different modules: stakes, risks, vulnerabilities), designed to assist the people involved in security management (CISOs, risk managers, auditors, CIOs) in their different tasks and actions. Specifically, it is targeted at users with managerial, operational as well as more technical responsibilities. The methodology is suitable for the implementation of the ISMS process described by ISO/IEC 27001:2005.

MEHARI's main objective is to provide a risk analysis method (Step 1: Context establishment, Step 2: Stakes analysis and asset classification, Step 3: Risk identification, Step 4: Risk analysis, Step 5: Risk evaluation) and a risk management method (Step 1: Risk assessment, Step 2: Risk treatment, Step 3: Risk acceptance, Step 4: Risk communication), specifically in the domain of information security, compliant with the ISO/IEC 27005:2008 requirements and providing the set of tools and elements required for its implementation.

The fundamental aspects of the method are summarized as follows:

Its risk model;

the consideration of the efficiency of the security measures in place or planned;

the capability to evaluate and simulate the residual risk level resulting from additional measures.

MEHARI is most appropriate for medium to large scale organizations such as governmental agencies and medium and large size companies. The corporate users are able to participate only in specific phases of the methodology, related to the identification of assets and vulnerabilities. In this context, the collaborative capabilities of the method can be considered limited, since the users are not involved directly in the risk calculation or in the formulation of the risk treatment plan. In addition, the method uses a primitive computational method to analyze and combine the diverse information in order to deduce the final results.

MEHARI is supported by two standalone toolkits. The first one is commercial software managed by the company Risicare and the second is a freeware application, MEHARI 2010 - basic tool, developed by CLUSIF.

3.2.7. Information Security Assessment & Monitoring Method (ISAMM)

ISAMM [20] is a quantitative risk management methodology that can be applied by various organizations such as governmental agencies, large companies and small and medium size enterprises. ISAMM risk assessment contains three main parts:

scoping;

assessment: compliance and threats;

result: calculation and reporting.

In this method, the assessed risks are expressed in monetary units through their Annual Loss Expectancy (ALE), the annual expected loss or cost should a threat or a group of threats materialise:

Annual Loss Expectancy (ALE) = [probability] x [average impact]

This forms the basis for the Return On Investment (ROI) based approach and the economic justification capabilities of ISAMM with respect to the risk treatment plan. ISAMM makes it possible to show and simulate the reduction of the risk ALE achieved by each improvement control and to compare it with the control's implementation cost.
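The ALE relation above and the cost comparison it supports can be made concrete in code. The following Python block is an added example written for this review; it is not ISAMM's tool or any part of the method. The threats, probabilities, impacts, controls, reduction factors and costs are constructed sample values, and the greedy selection of controls against a budget is a simple illustration of the ROI argument rather than the procedure ISAMM itself prescribes.

```python
"""Annual Loss Expectancy and control justification.

Added illustration, not ISAMM's own tool or code. It applies the relation
ALE = probability x average impact to a list of threats and credits each
candidate control with the ALE it removes, so that the saving can be compared
with the control's annualised cost. All figures are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    probability: float      # expected occurrences per year
    average_impact: float   # average loss per occurrence, in EUR

    def ale(self) -> float:
        """Annual Loss Expectancy of this threat."""
        return self.probability * self.average_impact


@dataclass
class Control:
    name: str
    annual_cost: float      # implementation cost spread over a year, in EUR
    reduction: dict         # threat name -> fraction of its ALE removed (0..1)


def total_ale(threats) -> float:
    return sum(t.ale() for t in threats)


def residual_ale(threats, controls) -> float:
    """ALE remaining once the given controls are applied. Reductions that hit
    the same threat are combined multiplicatively (assumed independent)."""
    total = 0.0
    for t in threats:
        remaining = 1.0
        for c in controls:
            remaining *= 1.0 - c.reduction.get(t.name, 0.0)
        total += t.ale() * remaining
    return total


def evaluate_control(threats, control) -> dict:
    """Saving and return on investment of one control taken on its own."""
    saving = total_ale(threats) - residual_ale(threats, [control])
    return {
        "control": control.name,
        "saving": saving,
        "cost": control.annual_cost,
        "roi": (saving - control.annual_cost) / control.annual_cost,
        "justified": saving > control.annual_cost,
    }


def treatment_plan(threats, controls, budget):
    """Greedy plan: repeatedly pick the affordable control with the largest net
    annual benefit given what is already chosen, stopping when nothing pays for
    itself or fits the remaining budget. Re-evaluating after each pick avoids
    double-counting controls that reduce the same threat."""
    chosen, candidates, spent = [], list(controls), 0.0
    while True:
        affordable = [c for c in candidates if spent + c.annual_cost <= budget]
        if not affordable:
            break
        base = residual_ale(threats, chosen)
        scored = [(base - residual_ale(threats, chosen + [c]) - c.annual_cost, c)
                  for c in affordable]
        net, best = max(scored, key=lambda s: s[0])
        if net <= 0:
            break
        chosen.append(best)
        candidates.remove(best)
        spent += best.annual_cost
    return chosen


# Constructed sample values for a port operator (hypothetical).
THREATS = [
    Threat("Ransomware on the terminal operating system", 0.2, 500_000.0),  # ALE 100 000
    Threat("Phishing of finance staff", 2.0, 15_000.0),                     # ALE  30 000
    Threat("Flooding of the server room", 0.05, 400_000.0),                 # ALE  20 000
]
CONTROLS = [
    Control("Offline backups with tested restore", 20_000.0,
            {"Ransomware on the terminal operating system": 0.7}),
    Control("Phishing-resistant MFA for finance staff", 8_000.0,
            {"Phishing of finance staff": 0.8,
             "Ransomware on the terminal operating system": 0.2}),
    Control("Raised floor and water sensors", 25_000.0,
            {"Flooding of the server room": 0.6}),
]

if __name__ == "__main__":
    print(f"Total ALE: {total_ale(THREATS):,.0f} EUR")
    for c in CONTROLS:
        r = evaluate_control(THREATS, c)
        print(f"{r['control']:42} saving={r['saving']:>9,.0f} cost={r['cost']:>7,.0f} "
              f"ROI={r['roi']:5.2f} justified={r['justified']}")
    plan = treatment_plan(THREATS, CONTROLS, budget=30_000.0)
    print("Plan:", [c.name for c in plan], f"residual ALE={residual_ale(THREATS, plan):,.0f} EUR")
```

With the sample values the flood control is rejected (its annual saving is below its cost), and the plan selected under a 30 000 EUR budget is the backup control followed by MFA; the MFA control's contribution is recomputed after the backups are chosen, since both act on the ransomware threat.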

ISAMM is compliant with ISO/IEC 27002 and provides maximal support for the ISO/IEC 27001 ISMS standard. It is supported by a freeware tool, the ISAMM Consultant tool, and a commercial application, the ISAMM Client tool.

3.2.8. The STORM methodology

The STORM-RM methodology [21], [22], and [23] is a collaborative and multicriteria risk management methodology allowing all organization users to participate in the various risk assessment and treatment phases. More specifically, STORM-RM takes into account the requirements of the ISO/IEC 27001 security standard, is based on the ISO/IEC 27005 risk management standard, and combines the AHP (Analytic Hierarchy Process) algorithm in the risk calculation process. STORM-RM treats risk management as a complex multicriteria and group decision problem, enabling different users (e.g. administrators, business owners, managers, security team, end users) to provide input for the impact assessment, threat/vulnerability identification and assessment, risk identification and evaluation, and the selection of appropriate countermeasures.
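The AHP step mentioned above is the part of STORM-RM that turns several users' judgements into one priority ordering. The following Python code is an added illustration of the standard AHP mechanics (Saaty's 1-9 comparison scale, geometric-mean aggregation of individual judgements, row-geometric-mean priorities and the consistency ratio); it is not STORM-RM's own procedure or code, and the countermeasures, participants and pairwise judgements are constructed.

```python
"""Group AHP priorities for countermeasure selection.

Added illustration of the AHP (Analytic Hierarchy Process) mechanics that the
STORM-RM description refers to; not STORM-RM's own procedure or code. Each
participant supplies a pairwise-comparison matrix on Saaty's 1-9 scale, the
group's judgements are aggregated by element-wise geometric mean, priorities
are estimated as normalised row geometric means, and the consistency ratio
rejects contradictory input. Criteria, participants and judgements are constructed.
"""
import math

# Saaty's random-consistency index for n = 1..6, used for the consistency ratio.
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24}


def from_upper(n, upper):
    """Build a reciprocal comparison matrix from the judgements above the
    diagonal, given as {(i, j): value} with i < j (a_ji = 1 / a_ij)."""
    m = [[1.0] * n for _ in range(n)]
    for (i, j), v in upper.items():
        m[i][j] = float(v)
        m[j][i] = 1.0 / float(v)
    return m


def aggregate(matrices):
    """Element-wise geometric mean of the participants' matrices (aggregation
    of individual judgements); the result is again reciprocal."""
    n, k = len(matrices[0]), len(matrices)
    return [[math.prod(m[i][j] for m in matrices) ** (1.0 / k)
             for j in range(n)] for i in range(n)]


def priorities(matrix):
    """Normalised row geometric means, a standard estimate of the principal
    eigenvector of a pairwise-comparison matrix."""
    n = len(matrix)
    gm = [math.prod(row) ** (1.0 / n) for row in matrix]
    total = sum(gm)
    return [g / total for g in gm]


def consistency_ratio(matrix):
    """CR = CI / RI, with CI = (lambda_max - n) / (n - 1) and lambda_max
    estimated as the mean of (A w)_i / w_i. A CR above about 0.10 means the
    judgements contradict each other too much to be used."""
    n = len(matrix)
    if n <= 2:
        return 0.0
    w = priorities(matrix)
    aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / w[i] for i in range(n)) / n
    return ((lambda_max - n) / (n - 1)) / RANDOM_INDEX[n]


def rank(criteria, matrices, max_cr=0.10):
    """Aggregate the group's judgements, reject an inconsistent result, and
    return (criteria ordered by priority, consistency ratio)."""
    group = aggregate(matrices)
    cr = consistency_ratio(group)
    if cr > max_cr:
        raise ValueError(f"inconsistent group judgements: CR={cr:.3f}")
    ranking = sorted(zip(criteria, priorities(group)), key=lambda p: p[1], reverse=True)
    return ranking, cr


# Constructed example: three countermeasures compared on expected risk
# reduction by two participants with different roles.
COUNTERMEASURES = ["Network segmentation", "MFA for remote access", "Awareness training"]
SECURITY_OFFICER = from_upper(3, {(0, 1): 3, (0, 2): 9, (1, 2): 3})
OPERATIONS_MANAGER = from_upper(3, {(0, 1): 1, (0, 2): 5, (1, 2): 5})

if __name__ == "__main__":
    ranking, cr = rank(COUNTERMEASURES, [SECURITY_OFFICER, OPERATIONS_MANAGER])
    print(f"group consistency ratio = {cr:.3f}")
    for name, weight in ranking:
        print(f"{name:24} {weight:.3f}")
```

The two participants disagree on how much segmentation outranks MFA, yet the geometric-mean aggregation yields a consistent group matrix and a single ordering. A circular set of judgements (A over B, B over C, C over A, all strongly) fails the consistency check, which is the safeguard a group process needs before the weights are fed into a risk calculation.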

3.2.9. Evaluation of Security Management Approaches

This section describes the results of the evaluation of the security management approaches described above. The overall assessment is presented in Table 1 and aims to identify gaps and barriers. In this context, the following assessment criteria, proposed in the literature [24], [25], have been applied:

C1. Scope: the applicability of the method. The following types have been identified:

o General-purpose method: covering generic ICT requirements only, without sector-specific characteristics.

o Targeted-purpose method: covering specific sectoral characteristics, particularities, needs and requirements.


C2. Target group: the most appropriate type of organisations the method aims at.

C3. RA/RM support: the phases that the method supports (risk analysis or/and risk management).

C4. Evaluation scale: the approach (quantitative or qualitative) used in the methods to evaluate the risk level.

C5. Impact evaluation: the approach adopted in the methods to determine the impact level. Each method uses specific scenarios, factors, parameters, and guidelines to define the impact of an event.

C6. Risk evaluation: the approach used in the methods to calculate the risk level. According to the survey [25] the following approaches have been identified:

o Type 1: Risk(Threat, Asset) = Likelihood(Threat) ⊗ Vulnerability(Threat, Asset) ⊗ Impact (Threat, Asset)

The concept of the risk is related to a threat and an asset (or a group of assets) and it comprises the likelihood of the threat, the vulnerability level of the asset(s) to the threat and the impact of the threat on the asset(s).

o Type 2: Risk(Threat, Asset, Needs) = Impact (Threat, Needs) ⊗ Vulnerability(Threat, Asset)

The concept of the risk is related to a threat, an asset and specific security needs. It comprises the vulnerability of the asset and the impact of the threat on the security needs.

o Type 3: Risk(Threat, Asset) = ALE(Threat, Asset) = Probability(Threat, Asset) ⊗ Average Loss(Threat, Asset)

The concept of the risk (defined as Annual Loss Expectancy (ALE)) is related to a threat and an asset, and it comprises the probability of the threat affecting the asset and the average loss of the resulting incident.

o Type 4: Risk(Threat, Critical Asset) = Impact (Threat, Critical Asset) ⊗ Vulnerability(Critical Asset)

The concept of the risk is related to a threat and a critical asset, and it comprises the impact of the threat on the critical asset and the vulnerability of the asset.

o Type 5: Risk(Incident, Asset) = Likelihood(Incident) ⊗ Consequences(Incident, Asset)


The concept of the risk is related to an incident (i.e., a threat exploiting vulnerability) and an asset, and it comprises the likelihood of the incident and the consequences of the incident itself.

C7. Collaboration capabilities: the capacity of the methods to promote the collaboration of the users in the evaluation process.

C8. Computational capabilities: the capacity of the methods to analyze and combine diverse and distributed corporate knowledge.

C9. Required skills: the level of skills needed to use and maintain the method.

C10. Cost: the licensing schema available for the method.

C11. Automated Tools: availability of tools that support the method.

C12. Compliant with standards: compliance with national or international standards.


Columns C1 to C12 are the criteria defined above: C1 Scope, C2 Target group, C3 RA/RM support, C4 Evaluation scale, C5 Impact evaluation, C6 Risk evaluation, C7 Collaboration capabilities, C8 Computational capabilities, C9 Required skills, C10 Cost, C11 Automated tools, C12 Compliant with standards.

Method | C1 | C2 | C3 | C4 | C5 | C6 | C7 | C8 | C9 | C10 | C11 | C12
ISO/IEC 27005:2008 | General-purpose | Government agencies, large companies, SMEs | RA/RM | Quantitative / Qualitative | Based on the business harm | N/A | Low | Low | Standard | Commercial | No | ISO/IEC 27001:2005, ISO/IEC 27002:2005
NIST 800-30 | General-purpose | Government agencies, large companies | RA/RM | Qualitative | Based on open damage scenarios | Type 1 | Low | Low | ICT experts | Free | No | ISO/IEC 27001:2005
OCTAVE | General-purpose | Government agencies, large companies, SMEs | RA/RM | Qualitative | Based on critical assets | Type 4 | Medium | Low | Standard | Free | Yes / Commercial | -
CRAMM | General-purpose | Government agencies, large companies | RA/RM | Qualitative | Based on open damage scenarios | Type 1 | Low | Low | ICT experts | Commercial | Yes / Commercial | ISO/IEC 27002:2005
EBIOS | General-purpose | Government agencies, large companies, SMEs | RA/RM | Qualitative | Based on security needs | Type 2 | Medium | Low | Standard | Free | Yes / Free | ISO/IEC 27001:2005, ISO/IEC 27002:2005, ISO/IEC 27005:2008
IT-Grundschutz | General-purpose | Government agencies, large companies, SMEs | RA/RM | Qualitative | Based on open damage scenarios | Type 5 | Low | Low | Standard | Free | Yes / Commercial | ISO/IEC 27001:2005, ISO/IEC 27002:2005
MAGERIT | General-purpose | Government agencies, large companies, SMEs | RA/RM | Quantitative / Qualitative | Based on open damage scenarios | Type 5 | Low | Low | ICT experts | Free | Yes / Commercial | ISO/IEC 27001:2005, ISO/IEC 27002:2005, ISO/IEC 27005:2008
MEHARI | General-purpose | Government agencies, medium to large companies | RA/RM | Qualitative | Based on fixed damage scenarios | Type 1 | Low | Low | ICT experts | Commercial | Yes / Commercial / Free | ISO/IEC 27001:2005, ISO/IEC 27005:2008
ISAMM | General-purpose | Government agencies, large companies, SMEs | RA/RM | Quantitative | Based on monetary loss | Type 3 | Low | Low | Standard | N/A | Yes / Commercial / Free | ISO/IEC 27002:2005
STORM-RM | | SMEs, ports | RA/RM | Qualitative | Based on open damage scenarios | Type 1 | High | Low | Low | Open | Free | ISO/IEC 27002:2005

Table 1: Evaluation of main security management approaches


All the methodologies and methods presented describe specific implementation steps for evaluating the security level of organizations. Apart from ISO 27001 and ISO 27002, which provide generic requirements for risk assessment and do not include specific risk handling aspects, all the other approaches provide well-defined actions and steps for the execution of the risk analysis and risk management processes. Also, most of the methods are meant to be used with qualitative measurements, which confirms that most risk assessments today are carried out in a qualitative way, mainly due to a lack of reliable quantitative data or to time constraints.

We have identified the following pitfalls of the above described methodologies:

Only some of them are supported by software tools (in some cases freeware). The general characteristics of these tools are:

o not easy to use without high security expertise;

o monolithic and standalone thus failing to address advanced requirements of the modern information systems;

o the use of advanced and interactive Web-based graphical user interfaces and the collaboration aspect are two notable requirements that the existing tools and applications do not satisfy. For this reason, these solutions fail to facilitate the distribution and sharing of information, experience and expertise within an enterprise, and fail to encourage users to work jointly on the implementation of the phases of risk analysis and risk management in an effective and smooth manner.

Regarding impact level evaluation [25], ISO 27005 and ISO 27002 require that the impact of a security event be assessed in terms of the business harm caused to the organisation. In MEHARI, the analysts involved in the risk analysis process measure the impact level based on a "fixed" impact scenario. On the other hand, CRAMM, IT-Grundschutz, NIST SP 800-30 and MAGERIT give the analysts the opportunity to specify different impact scenarios (e.g., from Catastrophic to Marginal) that depict the negative effects of an event (e.g. threat, attack) on the organization; in this context, these approaches adopt the concept of damage scenarios. OCTAVE measures impact based on how "hard" a security event affects a critical asset. In EBIOS, the impact level of an event is measured taking into account the security needs that the specific event violates. Similarly, in ISAMM the impact is assessed in terms of the financial losses the organization has suffered as a result of an event. The impact level evaluation approach needs to be standardised in order to achieve uniform evaluations across the E.U. ports.


They fail to capture the complexity of infrastructure interconnections, cross-sector impacts, dependencies on other systems or infrastructures, and cascading effects within a sector or across sectors. Therefore various modifications are required before they can be applied to the security management of the ports' ICT systems, since these systems interact with many external maritime entities (interdependency analysis).

The methodologies try to cover the obligations imposed by the ISO family of standards (ISO/IEC 27001:2005, ISO/IEC 27002:2005, ISO/IEC 27005:2008). However, only Ebios and MAGERIT achieve full compliance with their rules and procedures. CRAMM, ISAMM and IT-Grundschutz follow the code of practice for implementing an ISMS as described by ISO/IEC 27002:2005, while NIST 800-30, IT-Grundschutz and MEHARI satisfy the requirements defined by ISO/IEC 27001:2005. They are very generic, failing to provide targeted technical solutions that address specific sectoral (e.g. maritime) problems and threats, e.g. interdependent threats arising from associated entities, sector-specific threats (e.g. weather conditions, strikes) and sector-specific legislation (e.g. ISPS in the maritime environment). Nevertheless, these methods and standards provide an insight for the security management of the ports' ICT systems.

All the methods rely on interviews and workshops to aggregate and accumulate the information for the security assessment. However, most of them (except STORM) present limited collaborative capabilities, since they do not promote extensive and efficient collaboration among the involved stakeholders, effective discussion and exchange of information, ideas and thoughts, or the active involvement of the corporate representatives. This is a major drawback if we want to apply them to the ports' ICT systems, since there are many users and the required face-to-face interviews will demand time, effort and resources. Only OCTAVE and Ebios provide basic collaboration abilities, containing specific features that allow the users to participate actively in several parts of the evaluation process.

Regarding risk level evaluation, the following conclusions can be drawn. CRAMM, MEHARI and NIST SP 800-30 share the same view of risk, i.e., they all consider risk as a combination of the likelihood and the impact of a threat hitting a group of assets and the vulnerability level of that group of assets. Similarly, IT-Grundschutz and MAGERIT consider risk as the combination of the likelihood of an incident (i.e., a threat exploiting some vulnerabilities) and the consequences (positive or negative) of this incident happening. On the other hand, the Type 2, Type 3 and Type 4 profiles are intrinsically tied to a particular approach to risk analysis, since Type 2 and Type 4 rely on qualitative concepts for defining risk (e.g., critical assets, security needs) and Type 3 relies on the quantitative concepts of probability and average monetary loss. Finally, the methods of the ISO family do not adopt any risk analysis profile. This is because ISO 27005 is a very general guideline for setting up a risk management framework, while ISO 27002 and ISO 27001 are not actually risk management methods but compliance standards, providing respectively a list of controls for good security practices and the requisites that an existing method should have to be standard-compliant.

Another important drawback of the risk analysis approaches is the lack of efficient and advanced computational techniques. They usually rely on primitive methods to evaluate, determine and mitigate the corporate risks and use ineffective procedures and techniques to analyze and combine the diverse knowledge distributed across the organization. The adoption of more advanced approaches (using new techniques, e.g. fuzzy logic, graph theory, group decision making) that enhance the inherent capabilities of the risk analysis solutions will increase the accuracy of their conclusions.
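The interdependency and cascading-effect gap identified earlier in this section, and the graph-theoretic techniques suggested as a remedy, can be illustrated with a small dependency graph of port ICT services. The following Python code is an added example, not code from the CYSM deliverable or from any of the reviewed methods; the service names, the dependency edges and the "is needed by" propagation rule are constructed assumptions chosen for illustration.

```python
"""Dependency-graph illustration of cascading effects across interconnected
port ICT services (added example; not code from the CYSM deliverable).

Assets are nodes, "A depends on B" is an edge, and the loss of one asset is
propagated to everything that transitively depends on it. The service names
and edges below are constructed sample data, not a description of any port.
"""
from collections import deque

# Constructed example: service -> set of services it needs in order to operate.
DEPENDS_ON = {
    "cargo-management": {"port-lan", "customs-gateway"},
    "vessel-management": {"port-lan", "ais-feed"},
    "inland-logistics": {"cargo-management"},
    "customs-gateway": {"port-lan"},
    "ais-feed": set(),
    "port-lan": set(),
}


def reverse(graph):
    """Invert 'depends on' into 'is needed by' so a failure can be followed downstream."""
    needed_by = {node: set() for node in graph}
    for dependent, needs in graph.items():
        for dep in needs:
            needed_by.setdefault(dep, set()).add(dependent)
    return needed_by


def cascade(graph, failed):
    """Return every asset lost, directly or transitively, when `failed` goes down.

    The value is the hop distance: 0 for the failed asset itself, 1 for assets
    that depend on it directly, 2 for assets that depend on those, and so on.
    Breadth-first search records the shortest dependency path to each victim.
    """
    needed_by = reverse(graph)
    lost = {failed: 0}
    queue = deque([failed])
    while queue:
        node = queue.popleft()
        for dependent in needed_by.get(node, ()):
            if dependent not in lost:
                lost[dependent] = lost[node] + 1
                queue.append(dependent)
    return lost


def criticality(graph):
    """Rank assets by how many other assets fail when they do.

    A single-asset risk profile never sees this ordering; it only emerges
    when the interconnections are modelled explicitly.
    """
    return sorted(((len(cascade(graph, n)) - 1, n) for n in graph), reverse=True)


if __name__ == "__main__":
    for victim, hops in sorted(cascade(DEPENDS_ON, "port-lan").items(), key=lambda kv: kv[1]):
        print(f"port-lan failure reaches {victim} after {hops} hop(s)")
    for dependents, asset in criticality(DEPENDS_ON):
        print(f"{asset}: {dependents} dependent service(s) lost on failure")
```

In the sample graph the port LAN takes down every other service, and the customs gateway silently takes down inland logistics two hops away even though no edge connects them directly; an assessment that scores each asset in isolation would miss both effects, which is exactly the cascading behaviour the deliverable says the reviewed methods do not capture.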

3.3. Critical Information Infrastructures (CII) Security Management Approaches

In the current era, commercial ports should be considered transport Critical Information Infrastructures (CII), since they host ICT systems in order to offer a set of e/m-services (such as vessel management, cargo management and inland logistics services) and to implement their business processes. Because of their interaction with various entities involved in the maritime environment (e.g. ships (with passengers, crew, cargo), port authorities, maritime and insurance companies, customs, the ship industry, banks, ministries, other commercial providers; see Figure 2), the disruption or destruction of their services may have a significant impact on various aspects of the economy, commerce, national safety etc. [26].

Figure 2: Maritime Environment

This Section provides an overview and evaluation of the existing CII approaches.

3.3.1. Critical Information Infrastructures Protection (CIIP) Methodologies

A number of standards and methodologies exist that emphasize critical information infrastructure protection (CIIP). Most of them contain procedures, definitions and explanations of the techniques used to collect and analyze information in CIIP. A short description of these CIIP methodologies is given in the following table:

| CIIP methodologies | Nature | Description |
|---|---|---|
| ATHENA | Software tool | Provides a model for vulnerability analysis of interdependent infrastructure networks. |
| Critical infrastructures interdependencies Integrator (CI3) | Software tool | Estimates a service's restoration time and cost. |
| Critical infrastructure protection decision support system (CIP/DSS) | Software tool | Provides decision support for CIIP by comparing the effectiveness of strategies to reduce the probability of a risk. |
| Critical infrastructure protection modeling and analysis (CIPMA) | Software tool | Evaluates the effects of the disruption of CII services within and across sectors. |
| Agent-based simulation model of the U.S. economy (COMM-ASPEN) | Software tool | Simulates the effects of both market decisions and interruptions of the telecom infrastructure on the economy, based on an agent-based approach. |
| DUTCH NRA | Working methodology | Provides a multi-criteria decision making approach for risk evaluation considering political and societal issues. |
| Procedimiento informático-lógico para el análisis de riesgos (EAR-PILAR) | Software tool | Supports a comprehensive risk analysis method. |
| Electricity market complex adaptive system (EMCAS) | Software tool | Provides an in-depth investigation of the operational and economic impacts on the electrical system, as affected by various external events, based on an agent-simulation approach. |
| Fast analysis infrastructure tool (FAIT) | Software tool | Provides a framework for conducting economic impact assessment across multiple sectors. |
| Financial system infrastructure (FINSIM) | Software tool | Applies to crisis scenarios affecting the banking payment system, the use of plastic money, the federal funds market and the interactions between these entities. |
| Failure modes and effects analysis (FMEA-FMECA) | Working methodology | Provides a procedural approach for identifying and analysing possible failures in the design, development and maintenance of a system, based upon the severity or the effect of system failures. |
| FORT-FUTURE | Software tool | Provides a framework that enables decision-makers to virtually test potential solutions by running multiple dynamic simulations. |
| Fault tree analysis (FTA) | Working methodology | Provides a method for failure analysis, identifying the causes leading to the manifestation of a risk within a system. |
| GIS Interoperability | Working methodology | Uses Geographic Information Systems in emergency coordination and support for decision making. |
| GORAF | Software tool | Provides a framework for the identification and analysis of the most critical resources within an infrastructure. |
| Hazardous operations (HAZOP) | Working methodology | Supports a range of techniques for the identification of potentially hazardous conditions and risks based on assumptions. |
| Inoperability input-output model (IIM) | Software tool | Provides a comprehensive framework based on analytical models to identify and address the risks that come from the intra- and inter-connectedness of economic sectors. |
| INTEPOINT VU | Software tool | Adopts a decision support model to analyze planning responses to intentional and unintentional events. |
| LUND | Working methodology | Provides a method for the representation of a system of interconnected road or rail transport infrastructure. |
| Metodología de análisis y gestión de riesgos de los sistemas de información (MAGERIT) | Working methodology | Provides an approach that emphasises the protection of the ICT infrastructure. |
| Methodology for interdependencies assessment (MIA) | Working methodology | Aims to identify and evaluate the interdependencies among critical ICT components. |
| Multi-layer infrastructure (MIN) | Software tool | Provides a dynamic game-theoretic model to analyze multilayer infrastructure networks. |
| Multi-network interdependent critical infrastructure programme for analysis of lifelines (MUNICIPAL) | Software tool | Provides a framework for identifying, analyzing and responding to events that affect the interdependence of civil infrastructure. |
| National agent-based laboratory for economics (N-ABLE) | Software tool | Identifies and analyzes economic factors, feedbacks, and downstream effects of road transport infrastructure and electricity markets. |
| Net-centric effects-based operations model (NEMO) | Software tool | Provides an environment to support decision making in the area of planning an infrastructure system. |
| Network security risk assessment model (NSRAM) | Software tool | Analyses interconnected multi-infrastructure networks in order to determine the system behavior under various kinds of negative events. |
| Risk maps | Working methodology | Supports a method for identifying and recording risks in a systematic and effective manner. |
| Transportation routing analysis geographic information system (TRAGIS) | Software tool | Provides a method for the optimization of transportation routes. |
| Urban infrastructure suite (UIS) | Software tool | Provides a simulation-based approach to represent urban infrastructures and populations. |
| Virtual Interacting Network Community (VINCI) | Working methodology | Provides virtualization of the network architecture for critical infrastructures. |

Table 2: CIIP Methodologies Short Description

3.3.2. Evaluation of CIIP Approaches

The CIIP methodologies and standards described in the previous Section have been evaluated [27] according to the following criteria:

availability: availability of supported applications (under research (R) and/or development (D), or already available for use by the general public with commercial purposes (C) or by a limited or restricted group, normally the military (L));

CI affected: the critical infrastructure (CI) sectors that are covered, based on NIPP (2009) [28] and Directive 114/08 [29]: electricity (1); natural gas (2); oil and pipelines (3); drinking water (4); sewage and wastewater (5); industrial control (6); telecommunications (7); computer networks and information systems (8); railways (9); highways and roads (10); human activities including services and emergency evacuation (11); banking and finance (12); and policies and regulations (13);

stage: the functionality provided in each of the stages of risk management programmes: identification of assets (a); risk assessment (b); prioritisation of actions (c); implementation programs (d) and effectiveness measurement (e).

| CIIP methodologies | Availability | CI sector | Stage |
|---|---|---|---|
| ATHENA | L | 1,2,3,4,5,6,7,8,9,10,11,12,13 | b |
| CI3 | L | 1,2,4,5,6,7 | c |
| CIP/DSS | L | 1,2,3,4,5,6,7,9,10,11,12,13 | a,c,d,e |
| CIPMA | L | 1,2,3,7,8,12,13 | d,e |
| DUTCH NRA | L | 1,3,4,10,11,13 | a,b,c |
| EAR/PILAR | C | 8,11,13 | a,b,c,d |
| EMCAS | C | 1,7,12 | a,b,c |
| FAIT | L | 1,2,5,9 | a,b |
| FINSIM | R | 7,12 | a,b |
| FMEA/FMECA | C | 6,7,11,12 | a,b,c |
| FORT-FUTURE | L | 1,2,3,4,5,6,7,9,10,11,12,13 | a,b,c,e |
| FTA | C | 6,7,11,12 | a,b,c |
| GIS Interoperability | R | 9,10 | c,e |
| GoRAF | R | 1,4,6,8,11 | b,c,d |
| HAZOP | C | 1,2,3,7,11,13 | a,b,c |
| IIM | R | 1,4,7,8,10,13 | a,c,d |
| INTEPOINT VU | C | 1,7,9,10,11 | c |
| LUND | R | 1,9,10 | a,b |
| MAGERIT V2 | C | 8,11,12,13 | a,b,d |
| MIA | R | 7,8,13 | a,b |
| MIN | R | 10,11 | a |
| MUNICIPAL | R | 1,7,8 | a,c |
| N-ABLE | L | 1,9,12 | a,c,d,e |
| NEMO | L | 1,2,4,9,13 | c,d,e |
| NSRAM | R | 1,7 | c,d,e |
| Risk Maps | R | 1,2,3,4,5,6,7,9,10,11,12,13 | a |
| TRAGIS | L | 9,10 | a |
| UIS | L | 4,5,7,10,11 | a,b,c,d |
| VINCI | R | 8 | d |

Table 3: Assessment of suitable CIIP methods

The overall results of the evaluation are presented in Table 3. According to them, the CIP methodologies mostly address safety threats; over two thirds of them are implemented in software tools and the rest are analytical and generic methodologies. About half of the applications have resulted in the development of computer platforms, whether commercial or of restricted use, e.g. corporate, institutional, private or military. One quarter of the applications have limited availability and are mostly addressed to military and governmental segments. This can be explained by the leadership taken by some US laboratories, which in turn are sponsored by both the Department of Homeland Security and the Department of Energy. Another quarter of the applications have commercial purposes (computer platform licensing, consulting, etc.). These are extensively used in the energy sector, in cyber-security and in the definition of emergency response strategies.

Regarding the critical infrastructure sector addressed, nearly one quarter of the applications are concerned with energy infrastructure (electricity, natural gas, oil and pipelines). Other infrastructures receiving attention are those related to information technologies, communication and control systems (21%), water (13%), transportation (10%) and banking (8%). About 11% of the methodologies relate to human activities around critical infrastructure, i.e. the responses of the system's human users under emergencies, industrial security, and policy recommendations on the protection of assets and/or human life. Finally, the implementation of policies and regulations has attracted special consideration in 12% of the reviewed platforms.

Regarding the risk stage, over two thirds of the approaches cover the first three steps of a complete risk management process. These steps concern the identification of the corporate assets by developing an inventory, the risk assessment process focusing on the evaluation of the security level, and the prioritization of actions, establishing priorities for risk assessments in order to identify where risk reduction is most compelling and then to determine the protective measures that need to be taken. Nearly half of the solutions implement a protection program that includes the deployment of specific protection measures, while only a limited number of the applications apply the stage of measuring effectiveness, establishing indicators that provide information on the achievement of specific security goals.

Most CIP standards and methodologies come from the energy sector and more specifically from the U.S. Department of Energy and the North American Reliability Corporation (NERC) [30]. Of its eighty-three (83) standards, a specific group (CIP-002-3 and CIP-003-3) addresses the protection of critical infrastructures, but only for electrical energy systems and in a very abstract manner. However, since they are very generic, they can provide an insight for the ports. Various national risk assessment methodologies for critical infrastructures exist that use various ways of estimating the criticality of an infrastructure, even at national level (e.g. in the Netherlands we find [31] and [32]). There is no standardized way of examining the criticality of an infrastructure and/or of addressing cyber threats.

3.4. Research Initiatives

Currently, there exists only a limited number of research initiatives relating to strengthening the security of PICT systems. Notable examples of research activities that deal with the cyber elements of the ports' infrastructure are the following:

o The Port ISAC (Information Sharing and Analysis Centre) initiative recently launched by CPNI.NL (http://www.cpni.nl/informatieknooppunt/werkwijze-isacs), which focuses on the establishment of trust relationships among the public and private entities involved in the maritime sector in order to facilitate and foster information sharing regarding cyber security incidents within the maritime context. The main objective of the activity is to provide appropriate means that allow a secure exchange of views and experiences on cyber security issues and good practices.

o The S-Port project [33] is a national effort to develop a collaborative security management environment for PICT systems, based on a number of security-related approaches (e.g. ISO 27001). The project has been developed at three Greek ports (Piraeus, Thessaloniki and the Municipal Port Fund of Mykonos) by a consortium of private companies and the academic sector.

o The SafeSeaNet initiative [34] has been implemented under the supervision of the European Maritime Safety Agency (EMSA, http://www.emsa.europa.eu/). This activity aims to implement Directive 2010/65/EU of the European Parliament on Reporting Formalities [35] via the establishment of a centralised European platform that offers secure data exchange services among the main maritime stakeholders across Europe. More specifically, it enables the Member States, Norway and Iceland to provide and receive information on ships, ship movements and hazardous freight.


3.5. European Legal and Regulatory Regime

This Section outlines some notable aspects of the European legal and regulatory regime related to maritime security and critical infrastructure protection. The European Commission has acknowledged that Critical Infrastructures (CI) are vulnerable to a number of activities and acts related to terrorism, natural disasters, negligence, accidents, computer hacking, criminal activity and malicious behaviour. Any disruption or destruction of CI may have significant consequences for the welfare of the Member States (MS), their citizens and the European Union.

In this context, the European Commission adopted on 20 October 2004 a Communication [36] on the protection of Critical Infrastructure that aims to develop an integrated approach combining prevention of and response to terrorist threats and attacks. Taking into account the conclusions of that Communication, the European Council released a green paper [37] in 2005 proposing a European Programme for Critical Infrastructure Protection (EPCIP). Responding to this, the Commission adopted a Communication [38] that sets out the principles and instruments needed to implement the EPCIP, aimed at both European and national infrastructure. Also, in 2008, the Commission announced a Directive on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection. This Directive establishes a European process for identifying and designating European critical infrastructures (ECIs), and sets out an approach for assessing the need to improve their protection. In its first stage, the Directive focuses on the transport and energy sectors.

In 2009, the Commission adopted a Communication [39] that defines a concrete action plan to enhance the security and resilience of Critical Information Infrastructures (CIIs). This plan aims to establish the appropriate framework that will equip the involved stakeholders with the necessary preparedness, security and resilience capabilities to deal with large-scale cyber-attacks and disruptions.

In addition, in 2010 the Digital Agenda for Europe [40] was released, with the main objective of delivering sustainable economic and social benefits from a digital single market. Trust and security have been highlighted as key aspects of this environment. The Agenda emphasized the need for all stakeholders to work jointly in order to deal with cyber and security threats and risks in an effective manner: only the cooperation of all actors and the sharing of information on cyber security practices ensure the efficient security and resilience of the ICT infrastructures. It also defined a specific plan of actions that concentrate on the development of appropriate mechanisms to respond to advanced and pervasive cyber attacks and threats. In this context, the European Network and Information Security Agency (ENISA) plays an important role, establishing various security-related initiatives.

In particular, in December 2011 ENISA published an initial study in the area of cyber security in the maritime sector [1], identifying the importance of considering and acting upon the ICT security aspects of the maritime sector. This report presented the results of the ENISA workshop on this topic (http://www.enisa.europa.eu/act/res/workshops-1/2011/cyber-security-aspects-in-the-maritime-sector), concentrating on ICT port security and specifically on the security management of Ports Information and Communication Technology (PICT) systems. ENISA has also facilitated the process of planning, conducting and evaluating pan-European cyber security exercises (Cyber Europe 2010, Cyber Europe 2012). Specific emphasis has been given to the protection of Critical Information Infrastructures.

The most recent Communication on Critical Information Infrastructure Protection (CIIP) was announced in 2011. It focused on the growth in the number, scope, nature, sophistication and potential impact of threats to European Critical Information Infrastructures. Its objectives are to take stock of the results achieved since the 2009 CIIP action plan, to build on existing policy initiatives (in particular the Digital Agenda for Europe, the Stockholm Action Plan and the Internal Security Strategy) and to highlight next steps at European and international level, focussing first on the energy and transport sectors.

Finally, in 2013, the Commission announced a European Cybersecurity Strategy [41] in order to establish an open, safe and secure cyberspace. The objectives of the Strategy are the following:

o to foster cooperation among the public and private authorities;

o to improve preparedness and engagement of the private sector;

o to set up coordinated prevention, detection, mitigation and response mechanisms, enabling information sharing and mutual assistance amongst the national competent authorities;

o to stimulate efforts to improve the security of products, networks and services; and

o to ensure a strong EU response to cybercrime.

3.6. Open Issues

The management of information security risk is a major concern of organizations worldwide and especially for CIIs. Although there are many security management methodologies available, none of them targets the needs of the current complex ports' ICT systems (which are distributed, interconnected with other ICT systems, and handle a plethora of data and services).

The current maritime legislation and the existing ICT and CIIP standardization efforts (security management methodologies, standards, frameworks and tools) do not sufficiently cover the ICT security of commercial ports. They are very generic, failing to treat commercial ports as independent critical infrastructures that host critical ICT systems, and do not provide a holistic approach to assess and manage the security level of their ICT infrastructure in an effective manner.

In particular, there are no targeted technical solutions that address specific maritime problems and threats, e.g. interdependent threats arising from associated entities, sector-specific threats (e.g. weather conditions, strikes, terrorist attacks) as well as multilevel impacts (e.g. on the national economy, national security, disruption of public order). Most existing approaches present limited collaborative capabilities, since they do not promote extensive and efficient collaboration among the involved stakeholders, effective discussion and exchange of information, ideas and thoughts, or the active involvement of the corporate representatives. Finally, they rely on primitive methods to accumulate, analyze and combine the security-related knowledge distributed across a maritime environment, yielding inaccurate risk evaluations.

In CYSM we will develop a methodology for risk assessment of PICT systems and the ports infrastructure using the twelve (12) criteria (C1-C12) used in assessing the risk management methodologies combining the ISO, CIIP and ISPS standards.


4. Capturing Ports Security and Safety Practices and Frameworks

[This section will describe the physical and security picture and the practices of the involved commercial ports]

4.1. Piraeus Port Case (PPA)

4.1.1. Organizational Structure

[Description of the organizational structure]

The organizational structure of PPA is published in the GOVERNMENT GAZETTE of THE GREEK REPUBLIC, issue no. 89 of February 2, 2010 (in Greek), available at:

http://olp.gr/GR_PDF/FEK%2089-NEOS%20KEOL-OLP-2010-02.pdf

The organizational diagram of PPA follows; it includes all the Directorates and Departments.

[Organizational diagram: Personnel Analysis by Sector and Education, and the New Regulation on Internal Organization and Operation]

According to the Human Resources Directorate, the employees' education is as follows:

Breakdown by Sector, Personnel Training, 31/12/2012

| CATEGORY | Personnel |
|---|---|
| HE (Higher Education) | 122 |
| TE (Technology Education) | 45 |
| SE (Secondary Education) | 627 |
| CE (Compulsory Education) | 40 |
| Staff port workers | 341 |
| Dockers, fixed term | 8 |
| Staff on mission command | 13 |
| GRAND TOTAL | 1196 |

4.1.2. Strategy - Vision

Piraeus, the largest port in Greece and one of the largest ports in the Mediterranean, plays a crucial role in the development of international trade as well as the local and national economy.

With a history dating from 1924 when major civil works started taking place, Piraeus Port today has a range of activities concerning the Commercial and Central Ports, ship services and real estate development.

Piraeus Port connects continental Greece with the islands, is an international cruise center and a commercial hub for the Mediterranean, providing services to ships of any type and size.

Today P.P.A. S.A. employs 1.196 people and annually provides services to more than 24.000 ships. P.P.A. S.A. contributes towards local and national economic growth and is further developed by upgrading both its infrastructure and the services provided.

P.P.A. is developing into a modern and dynamic company that provides high quality services, keeps investors satisfied, ensures long-term employment and serves commercial transactions in Greece in favor of the national economy and the consumers in the most efficient way and within the context of the global port industry.

4.1.3. Piraeus, International Hub

Piraeus Port offers unique advantages because of its strategic position and infrastructure. Situated at the outskirts of Athens and only 10 km away from the city center, it acts as the main gate for Hellenic imports and exports.

Situated close to the international trade routes, the port is a hub of international trade being the only European port in the East Mediterranean with the necessary infrastructure for the accommodation of transhipment cargo.


4.1.4. Piraeus Port Competitive Advantages

The PPA SA competitive advantages are:

Strategic geographical position at the crossroads of Asia - Africa - Europe

Infrastructure and natural depths for the accommodation of even the largest modern container ships

Operation under a free zone type II status

24 hour - 365 day operation of the Container and Car Terminals

Scale of tariffs based on the volume of transhipment containers and cars

Competitive storage fees

Extended feeder services connecting the port with almost all main ports in the Mediterranean

Integrated information system supporting port operations

Operational and safety standards according to international regulations

4.1.5. Social Responsibility

Respecting the environment and reducing the impact of port activities are key priorities in the development policy of the PPA. The granting of the island of Psitalia for the installation of the EYDAP sewage treatment centre, the constant measurement of gaseous pollutants in the Central Harbour, the construction of noise barriers and the implementation of all national and EU regulations on environmental protection fall under this policy.

Similarly, the PPA, contributing to efforts to preserve historical memory, has highlighted the archaeological finds from the time of Themistocles and Pericles and has supported by grants:

humanitarian and cultural activities

nonprofit organizations that promote health and support vulnerable social groups.

For more than 70 years the PPA has been a pole of economic development, and today it continues its economic contribution to the local and national economy with a social and environmental strategy commensurate with its history.


Nature Protection

Waste management:

Disposal and management of ship waste

Reception of ship sewage in the network and transfer to the biological waste treatment plant (Psyttalia)

Collection and management of waste lubricating oil produced by the machinery of PPA

Water Quality:

Collaboration with the University of Piraeus to monitor the water quality of the Port, highlight areas in need of improvement and assess the environmental situation

Collaboration with the National Technical University on a new management plan for hazardous contaminated sediments

Noise and Air Quality:

Collaboration with the University to implement programs for monitoring the quality of the acoustic environment and the air

4.1.6. Port Services

[Description of the provided services]

Today the PPA SA offers the following services:

Services to Ships

Container Terminal

Car Terminal

Conventional Cargo

Land Area Development

Cruise Services

Coastal Shipping Services

4.1.6.1 Services to Ships

Four departments from different directorates are engaged in these services:

Drydock Department (http://olp.gr/en/services/79/174-programme-dexamenes)

Ship Repair Zone (http://olp.gr/en/services/79/175-nafp-zwni)

Container Terminal (SEMPO) (http://olp.gr/en/services/79/176-2011-02-17-11-21-17)

Car Terminal (http://olp.gr/en/services/79/177-car-terminal)

Cruise Terminal (http://olp.gr/en/cruise-greece/cruise-arrivals)

4.1.6.2 Container Terminal

The Container Terminal of the Piraeus Port Authority (http://olp.gr/en/services/79/158-2011-02-19-08-31-58) began its operation in June 2010. With a projected annual capacity of 1.000.000 TEUs, it constitutes the main pier for freight activities of PPA SA. The personnel of the Station have experience and expertise of more than twenty years, thus ensuring the provision of high quality port services. Both the technical staff and administrative staff are highly trained with expertise in both the operation of container terminals and the demands and peculiarities of the Greek market scene.


Organizational Chart

The Container Terminal has facilities and equipment of high standards and is able to offer advanced services in loading and offloading containers. The mechanical equipment is of the latest technology, comprising eight cranes (4 SPP) and eight RMGs. There are two platforms: the East one, of 500m length and 18m depth, and the West one, of 320m length and 12m depth.

Next to the station, the new waterside railway station of the Hellenic Railways Organization will operate, whose main railway line will link the length of the freight port of N. Konya with the new Freight Station of Intermodal Transport in Athens at Thriassio of Eleusina.

4.1.6.3 Car Terminal (http://olp.gr/en/services/car-terminal)

The operation of the car terminal in Piraeus was launched in 1995, in Drapetsona under G1 management, along with the introduction of other conventional cargo in the warehouse of the region. With the demolition of the warehouse (2002), the entire area of 69.000m2 was granted for the movement and storage of cars alone, providing a storage capacity of 4.500 cars. From 1999, at N. Ikonio, under G2 management, the first Car Carriers are served and the first cars are stored in 2.300 slots, in an area of 17.150m2. In 2005 the new Car Terminal, with an area of 74.000m2, begins operation, which resulted from sand-filling the port area of Karvounoskala. In 2009 the complex G8, 9 and 10 is demolished and the space is reserved for the Car Terminal. During the first half of 2011, with the modern requirements imposed by the international standards of car terminals, a new space of approximately 20.000m2 is created for the movement and storage of cars.


The demand for transit vehicles in the Eastern Mediterranean, the Black Sea and North Africa places Piraeus at the center of developments. The list of port customers now includes most of the major companies of the car industry. The completed expansion of terminal G2 in Keratsini, its connection with the railway line in 2012 and the future expansions of the Car Terminal - according to the 5-year investment plan of PPA SA - combined with the use of information at all stages through the implementation of an integrated management system, ensure that the port of Piraeus is able to function as a central transhipment gateway for the wider Mediterranean region and Eastern Europe.

4.1.6.4 Conventional Cargo (http://olp.gr/en/services/conventional-cargo)

Handling and storage of conventional cargo is primarily done through the facilities of PPA in Schisto and secondarily through the Port of Hercules. The mechanical equipment used for loading and unloading conventional cargo consists of cranes, forklifts and tractors of various types. For the storage of conventional cargo, the Port has suitable warehouses.

The area is strictly guarded 24 hours a day. It is secured by staff and electronic means, while providing parking and waiting areas for cars.

4.1.6.5 Land Area Development (http://olp.gr/en/services/utilization-of-land-areas)

The Company operates a number of premises which are under its authority. Specifically, it concedes upon economic return, the use of these sites (outdoor and indoor) to third parties for the operation of shipbuilding units (at the repair base of Perama and Kynosoura), various industrial complexes, canteens, cafes, food storages and offices for agencies.

The economic development and upgrading of the area adjacent to the harbor is a constant pursuit of PPA SA and it concerns the benefit of the local communities and the national economy.

In this context, the construction of a new ultra-modern exhibition centre in the Palataki region (70.000m2) will decisively contribute to the development of the City and will make the port of Piraeus an international exhibition and events centre.


4.1.6.6 Cruise Services

The Port of Piraeus is an important destination for cruise ships in the Mediterranean Sea. It has 11 places for the simultaneous berthing of vessels and can accommodate even the largest cruise ships.

For the purpose of servicing cruise passengers, the Port operates Passenger Terminals which host duty free shops, the Tourist Police, a Customs office and other essential services for the passengers.

Nearby there is an open parking area for tourist coaches, while the transportation of passengers from the anchoring areas to the Passenger Terminal is provided by P.P.A SA transportation means.


The objective of P.P.A. SA is to attract a larger market share in the cruise field, in order to yield considerable benefits for the National Economy by creating new employment posts and increasing the income from tourist foreign exchange.

11 berthing places

2 passenger terminals

60 slots for coaches

1 helipad

CRUISE PASSENGER TERMINALS

CRUISE PASSENGER TERMINAL A

Refreshment Room - Tourist and customer service - Air-conditioned hall - Luggage storage area (lockers) - Coast Guard - Duty free shops - Tourist Police - Customs


CRUISE PASSENGER TERMINAL B

Air-conditioned hall - Duty free shops

4.1.6.7 Coastal Shipping Services (http://olp.gr/en/coastal-shipping/coasting)

Piraeus is the largest port in Europe and one of the largest in the world concerning passenger traffic. It has a throughput volume of about 20 million passengers per annum (including the ferry traffic Salamis – Perama, which has a throughput volume of about 8 million passengers per year). It is the main link between the mainland and the Aegean islands and Crete, while also being the main sea gate of the European Union at its south eastern edge. The boundaries of the Main Port are the piers of Themistocles and Krakari.

The Passenger Port is divided into areas that serve coastal shipping and cruising.

The anthropocentric nature of the services of the central port is a basic choice of PPA SA. In this context, an attempt is made to continuously upgrade services:

Digital information displays for passengers, indoors and outdoors

Pedestrian bridge

Electric signs and free transport service within the port

Improvement of passenger terminals - renovation of the passenger terminal at Tzelepis coast (approved)

Construction of 2 WCs which also include WCs for the disabled

Construction of waiting areas with air conditioning and water coolers

Renovation of 6 canteens

3 km path for the disabled

Reconstruction of a 350m2 area at Kononos street

130 parking spaces

13 taxi stations

2 vehicle control points

Alignment and boundary settings for traffic control

Free Wi-Fi service

24 hour telephone service at 14541

4.1.7. Security Awareness Report

[The port will provide the complete questionnaire, the template of which can be found in appendix A]

4.2. Valencia Port Case (VPF)

4.2.1. Organizational Structure

[Description of the organizational structure]

4.2.2. Port Services

[Description of the provided services]

4.2.3. Security Awareness Report

[The port will provide the complete questionnaire, the template of which can be found in appendix A]

4.3. Port of Mykonos Case (SiLo/Port of Mykonos)

4.3.1. Organizational Structure

[Description of the organizational structure]

4.3.2. Port Services

[Description of the provided services]

4.3.3. Security Awareness Report

[The port will provide the complete questionnaire, the template of which can be found in appendix A]


4.4. Port of Genoa Case (DITEN- UNIGE)

4.4.1. Organizational Structure

[Description of the organizational structure]

4.4.2. Port Services

[Description of the provided services]

4.4.3. Security Awareness Report

[The port will provide the complete questionnaire, the template of which can be found in appendix A]


5. Conclusions (PPA)

[This section will draw conclusions]


Glossary

Term Definition



A. Appendix A – “Questionnaire for the involved commercial ports on security awareness” (UPRC)
