State-of-the-art Critical Infrastructures (CIs) are becoming increasingly dependent on information and communication technology (ICT), such as networking, telecommunications, cloud, sensor and Supervisory Control and Data Acquisition (SCADA) technologies, thereby rendering Critical Information Infrastructures (CIIs) a vital element of their functioning. Modern port infrastructures tend to be highly dependent on the operation of complex, dynamic ICT-based maritime supply chains. This emerging landscape of ICT-empowered, CII-based critical infrastructures requires a paradigm shift in the way risks and vulnerabilities are assessed, as well as in the relevant risk management methodologies. In the recent past, significant effort has gone into introducing risk management and assurance methodologies for CIs.
Unfortunately, these efforts are not appropriate for dealing with contemporary dynamic ICT-based maritime supply chains, due to the following limitations:
- They are overly focused on physical-security aspects and pay limited attention to CIIs.
- They tend to have an insufficient consideration of the complex nature of the ICT systems and assets used in the maritime sector (e.g. SCADA), along with their interrelationships.
- They do not adequately take into account security processes associated with international supply chains, which are nowadays ICT-enabled and therefore severely exposed to intentional and unintentional compromise of CIIs.
ENISA: Awareness on cyber security needs in the maritime sector is currently low
The limitations listed above are also acknowledged in reports, standards and regulations produced by prominent security stakeholders. For example, the first ENISA (European Union Agency for Network and Information Security) report on cyber maritime security (2011) concludes that awareness of cyber security needs in the maritime sector is currently low to non-existent, and highlights the challenges of managing the interdependencies between ICT systems and other port assets.
Overall, there is a clear need to rethink risk management in the maritime sector so that it properly addresses the role of port CIIs and their impact on maritime supply chains. To this end, sophisticated global risk assessment frameworks are needed that can deal with the cascading effects of risks, threats and vulnerabilities across ICT-based maritime supply chains.
In this direction, a notional set of Maritime Supply Chain Risk Assessment assurance methods and practices should be developed based on:
- Regulations and directives that apply to the maritime sector
- Widely adopted or international standards on supply chain practices (e.g. ISO 28000)
- Practices for sharing ICT-related threat information across supply chain participants