13 September 16

The need for risk assessment, user requirements and the MITIGATE approach

The increasing digitization of more and more business processes leads to access and exchange opportunities for digital information along the maritime transport chain.

It is recognized that risk management in the maritime sector has traditionally focused on physical security (e.g. IMO ISPS, EC 725/2004 regulation). This leaves a gap between sector-specific risk management approaches and the need to protect an increasingly important maritime cyber infrastructure. According to surveys [1], cyber risks rank among the most important risks for business interruption and supply chain disruption of companies and are expected to become the most important risk in the future.

In the MITIGATE project, the partners examine the data security of maritime supply chains, e.g. of liquefied natural gas, container and bulk goods, as well as vehicle transport chains.

A first (non-representative) survey has revealed that nearly two thirds of the respondents do not carry out a risk assessment of their IT infrastructures so far. From the perspective of the respondents, the most important cyber assets are corporate networks (between 50 and 60%) as well as databases and operational applications (65 to 75% respectively). In addition, conformance to national and international regulations and standards was confirmed as a top requirement.

To build a thorough basis for the MITIGATE system, relevant security management standards were identified in the first months of the project, and the requirements associated with the MITIGATE framework are now being validated. To analyze and develop security requirements, attention had to be paid to how these capture and refine security goals. Processes and methodologies to model such requirements, goals, problems or threats are numerous, e.g. KAOS, Secure Tropos, UMLsec and Trust Modelling. For MITIGATE purposes, the project partners decided to use Secure Tropos. This tool proved its power and suitability in earlier projects concerning risk analyses in the maritime supply chain.

But the analysis of an IT system, its cyber assets and software applications is not enough, considering the complex cross-linked digital relations among the elements a transport chain consists of. It is not realistic to expect a thorough defense against all possible cyber attacks. Thus, and in order to provide a concrete background for the MITIGATE toolset, a review of the state of the art in mathematical approaches to supply chain risk assessment was also conducted. Tools such as queuing theory, game theory, simulations, fuzzy and nonlinear programming have already been employed to solve problems in supply chain systems, transportation systems and logistic systems, but as they were not conceived to specifically address cyber security issues in the supply chain, novel approaches need to be explored by the project. The chosen approach involves the use of Big Data analysis to exploit diverse sources of information on threats, such as logs, social media and crowd sourcing.

For more info, please visit the web site of MITIGATE

Please download here the MITIGATE project newsletter "Protecting maritime supply chain IT infrastructure – NL #1 – September 2016"
