Collaborative Security Management Services for Port Information
Systems
Theodoros Ntouskas and Nineta Polemi
Department of Informatics, University of Piraeus, Karaoli & Dimitriou str 80, 18534 Piraeus, Greece
Keywords:
Security Management, Commercial Ports, Critical Infrastructures, Collaboration, S-Port project.
Abstract:
Ports Information and Communication Technology (PICT) systems offer critical services and host sensitive
data. However the current maritime legislation, standardization and technological efforts do not sufficiently
cover the PICT security. Identifying these needs, we propose the collaborative environment S-Port offering
security management services.
1 INTRODUCTION
Commercial ports play an important role in the Eu-
ropean trade and economy, since 52% of the Euro-
pean Union (EU) goods traffic in 2010 was carried by
maritime transport and the 90% of EU external trade
take place through maritime sector (ENISA, 2011).
Additionally, they are among the transportation criti-
cal infrastructures (Transportation Security Adminis-
tration, 2007), (Brunner and Suter, 2008) since they
are large-scale infrastructures that their degradation,
interruption or impairment of their ICT Systems has
serious consequences on national security, health,
safety, economy and welfare of citizens and nations
characterized with multiplicity of interdependencies
between them and the other entities in the maritime
environment.
The normal functionality of any critical infrastruc-
ture such as the commercial ports depends largely on
the proper operation of their ICT systems. The large
amount of critical and sensitive data, the information
and services that are managed on a daily basis, the
large number of entities called to be served, and the
interdependencies with the other infrastructures re-
quire effective security management.
However the current maritime legislation or stan-
dardization efforts do not sufficiently cover the ICT
security of the commercial ports. In particular the
commercial ports are not treated as independent criti-
cal infrastructures hosting critical ICT systems inter-
acting with many entities and their security is not as-
sessed or managed in a holistic, effectivemanner. The
fact that ports are critical infrastructures raises spe-
cific threats (e.g. strikes, terrorist attacks, weather co-
nditions etc), that their identifications and impacts
(e.g. in national economy, national security, disrup-
tion of public order) are ignored yielding to inaccurate
risk evaluations.
The existing maritime security standards, method-
ologies and tools concentrate only on the physical
security of the ports (safety) especially in the ac-
cess control of the ports’ infrastructures in relation
to the safety of the ships. For example: the Inter-
national Maritime Organization (IMO) (International
Maritime Organization, 2011) has published a series
of directives that fall in two categories: SOLAS and
MARPOL. The SOLAS directivesfor the safety of the
ships, passengers and cargo and the MARPOL direc-
tives for the environmental (sea) protection. The 2002
IMO directive ISPS (International Ships and Port Fa-
cilities Security Code) that all commercial ports need
to be complied with, address mostly safety require-
ments for the ports including: Secure access, Audit,
Secure handling of cargo, Availability of telecommu-
nication infrastructure, Incident reporting, Creation of
security team Risk Assessment and Training. ISPS
does not address either cyber threats or security mea-
sures for the PICT systems.
Targeted methodologies for risk assessment of
ports like MSRAM (Maritime Security Risk Analy-
sis Model) (U.S. Department of Energy, 2002), (Adler
and Fuller, 2007) address only physical security and
they are compatible with the ISPS. Similarly the avail-
able maritime risk assessment systems like MARISA
(Balmat et al., 2009) concentrate on the safe naviga-
tion of ships during their presence in the port. The risk
assessment system CMA (Kang et al., 2009) detects
abnormal behavior of ships and identifies respecting
305
Ntouskas T. and Polemi N..
Collaborative Security Management Services for Port Information Systems.
DOI: 10.5220/0004076503050308
In Proceedings of the International Conference on Data Communication Networking, e-Business and Optical Communication Systems (ICE-B-2012),
pages 305-308
ISBN: 978-989-8565-23-5
Copyright
c
2012 SCITEPRESS (Science and Technology Publications, Lda.)
threats.
To conclude, the available maritime security man-
agement directives, methodologies and systems only
consider safety (physical security) and not security.
A holistic approach to security management of
the Ports Information and Communication Technol-
ogy (PICT) systems that the authors propose is
the creation/enhancement of maritime targeted secu-
rity management methodologies which are compliant
with the: ISPS code, modified ICT and CCIP security
management standards.
2 S- PORT: A NATIONAL
PROJECT
In the national S-PORT project (S-PORT Project,
2011) we have identified the above mentioned issues,
searched the previously mentioned efforts, identified
the PICT-security management needs with the guid-
ance of the involved national ports (Piraeus Port Au-
thority, Thessaloniki Port Authority, Municipal Port
Fund of Mykonos). S-PORT views the ports as
critical infrastructures and addresses the following
two main security management needs: The develop-
ment of a targeted security management collaborative
methodology for the PICT-systems based on IT se-
curity management standards and the ISPS code in-
volving all PICT users viewing the port infrastruc-
tures as critical infrastructures; The promotion of col-
laboration and interaction among PICT users in the
security management of the PICT-systems in an auto-
mated used friendly approach.
2.1 S-PORT Risk Management
Methodology for the PICT Systems
S-PORT-RM is the proposed Risk Management
methodology which is based on STORM-RM
(Ntouskas and Polemi, 2012), (Ntouskas et al.,
2011a). STORM-RM combines the Analytic Hierar-
chy Process (AHP) (Saaty, 2008) and security man-
agement standards ISO27001 (ISO/IEC 27001, 2005)
and AS/NZS 4360 (AS/NZS 4360, 1999) and has
been modified in order to address the specific needs
of PICT and the requirements of the ISPS code. The
basic goal of S-PORT-RM methodology is the col-
lection of knowledge and experience from all port’s
users (i.e. managers, administrators, security team,
local users, cooperate users) in order to evaluate the
impacts, threats, vulnerabilities and risks more accu-
rately.
In order to have the S-PORT-RM methodology
as service that will be provided by the S-PORT col-
laborative environment, each Phase of S-PORT-RM
methodology has been implemented as a distinct
module in the S-PORT environment.
2.2 S-PORT Collaborative Security
Management Environment
S-PORT environment is a parameterization of
the STORM security management environment
(Ntouskas et al., 2011b) addressing the specific needs
of PICT and involving all PICT users in the security
management procedures.
The overall architecture of the S-PORT collab-
orative environment is depicted in the above figure
(Fig. 1) and consists of four (4) main entities: the
S-PORT main Platform, the Middleware System, the
Identity & Access Management System (IAM) and the
Business Process Management System (BPM). The S-
PORT entities and their functionalities are described
in detail in the following paragraphs.
Figure 1: S-PORT collaborative environment - architecture.
More specifically, the S-PORT main Platform
consists of:
• The Web Interactive Tier which is based on Web
2.0 technologies and open source solutions (i.e.
Ajax forms, popup help menus, charts etc.), is re-
sponsible for the graphical and user-friendly rep-
resentation and also the provision of collabora-
tion among the S-PORT users. It is enriched
with the Collaboration Module (enhanced with
Forum, Wiki, Blog and Chat room) in order to
achieve the communication between all users and
also with the Presentation Module responsible for
the collection and representation of the assets and
the results of S-PORT-RM procedures with user-
friendly manner.
ICE-B2012-InternationalConferenceone-Business
306
• The Enterprise Tier which is composed by eight
(8) modules, is responsible for creating and han-
dling all S-PORT primary assets (e.g. cartogra-
phy assets, risk assessment assets, risk manage-
ment assets, S-PORT growing documents). The
first module is the Content Management Module
which is responsible for creating, edit-ing, updat-
ing and publishing all S-PORT primary and pro-
cessed content in a consistent and structured way.
The main modules (Cartography, Risk Assess-
ment, Penetration Testing and Risk Management
modules) are responsible for the implementation
of the S-PORT-RM methodology and they handle
and calculate all the basic entities and results of
risk management procedures (i.e. impact / threat
/ vulnerability/risk values of all ICT assets). The
DR-BC Module communicates with Risk Assess-
ment and Risk Management modules in order to
provide the required functionality for the design,
creation and maintenance of Business Continuity
(BC) and Disaster Recovery (DR) plans, accord-
ing to the SPORT-RM results. The Security Mod-
ule provides the essential communicationbetween
the S-PORT main Platform and the Middleware
System in order to ensure the secure access of the
S-PORT content. Finally the Data Layer Module
contains all the necessary functionalities and re-
quired mechanisms in order to achieve the com-
munication and inter-connection among all the
modules of the Enterprise Tier with the Database
Tier.
• the Database Tier hosts all S-PORT assets (such
as ICT assets, impact categories, possible threats,
vulnerabilities etc.) with their attributes and spe-
cific characteristics.
The second S-PORT entity is the Business Pro-
cess Management System (BPMS), which undertakes
the accountability to identify and depict the business
procedures of critical e-services of PICT, in order to
have graphical representation of them and their pri-
mary assets. BPMS communicates through Middle-
ware System with the Cartography module in order
to have the asset identification and asset interconnec-
tions reporting.
The IAM System is responsible for the identity
and access management, incorporates security mech-
anisms and policies that enhance the S-PORT envi-
ronment with proper authentication and authorization
properties enclosing end-user’s preferences and re-
quirements. Based on the above security procedures,
different S-PORT user roles (i.e. administrators, man-
agers, security team, internal, external users of ports)
have access to specific S-PORT services according to
their business role and requirements.
The final S-PORT entity is the Middleware Sys-
tem (an enterprise service bus - ESB) which is a
lightweight messaging framework, ensuring that the
different S-PORT entities, Main Platform, IAM Sys-
tem and BPM System, communicate through a com-
mon channel and the information exchanged is accu-
rate and in standardised format. Additionally, the use
of the Middleware System enables upgrading / expan-
sion or interconnection to any external entity (service
or system) if deemed necessary by future upgrades of
the environment S-PORT.
S-PORT environment offers a bundle of targeted
services to the PICT users in order to guide them to
securely manage their PICT, according to the PDCA
model (i.e. Plan -establish the ISMS, Do - implement
and operate the ISMS, Check - monitor and review
the ISMS, Act - maintain and improve the ISMS) of
the ISO27001 security standard for the design, im-
plementation and monitoring an Information Security
Management System (ISMS).
Specifically the Risk Assessment Services which
consist of the S-PORT-RM Phases responsible for the
Risk Assessment (i.e. Cartography, Impact Assess-
ment, Threat Assessment, Vulnerability Assessment,
Risk Evaluation Phases) will help PICT users to iden-
tify and evaluate the impacts, threats and vulnerabili-
ties of their IT assets. Each of the above Risk Assess-
ment service are conformed with the ISO27001and
guide PICT users to: identify the values of assets and
their owners, identify users and responsibilities, iden-
tify the threats and vulnerabilities to the IT assets,
evaluate business impacts taking into account the con-
sequences in case of loss of Confidentiality, Integrity
or Availability, estimate the risk level, assess the like-
lihood of a threat, esti-mate the risks level of each It
asset, define the criteria accepting risks.
In addition with these services the Practical Vul-
nerability Assessment Service will help them to iden-
tify the practical vulnerabilities with the use of appro-
priate tools. There exists a pool of different penetra-
tion testing tools appropriate for each asset in order to
find their vulnerabilities.
Furthermore the PICT users will be able to select
the appropriate control / countermeasure according to
the S-PORT-RM algorithm in order to protect their IT
assets (with the use of the Risk Management Service)
ensuring that all security requirements are met.
More specifically with the use of the Security Pol-
icy / BCP Service, the PICT users will be able to de-
sign and keep updated the security policy, business
continuity plan and all the necessary documented pro-
cedures (i.e. control of documents, control of records,
internal audits, corrective actions, preventive actions)
of their Information System.
CollaborativeSecurityManagementServicesforPortInformationSystems
307
Finally, the Collaborative Services (Forum, wiki,
Chat Rooms, Blog, Document Library) are responsi-
ble for the communication of the users in order to find
details about the risk assessment/management proce-
dures, discuss about security issues, find solutions
about daily IT problems, report a security incident,
provide training and awareness programmes in order
to all PICT user are aware of the Security policy and
procedures.
3 CONCLUSIONS
The fact that commercial ports are critical infrastruc-
tures and their Information Systems offer critical ser-
vices and host sensitive data, makes security manage-
ment a necessary concern for their business continuity
and productivity. A holistic approach to security man-
agement of the PICT systems that the authors pro-
pose is the creation/enhancementof maritime targeted
security management methodologies, compliant with
the: ISPS code, modified ICT and CCIP security man-
agement standards.
In this context, S-Port environment is expected to
become a prototype of the next generation, collabo-
rative, Security Managements Systems, being capa-
ble of providing high levels of confidentiality, relia-
bility, interactivity and interoperability, for the crit-
ical infrastructures of the commercial ports imple-
menting a targeted security management methodol-
ogy compliant with the ISPS and ISO27001. In ad-
dition, S-Port services hosted in the S-PORT envi-
ronment guide PICT users to identify impacts, threats
and vulnerabilities, find the appropriate countermea-
sures and maximize ports’ operations efficiency and
productivity.
ACKNOWLEDGEMENTS
The authors would like to thank the GSRT (General
Secretariat for Research and Technology Develop-
ment Department) for funding the S-Port project and
the S-Port partners for their contribution. Also the
authors would like to thank ENISA for organising the
Workshop on Cyber Security Aspects in the Maritime
Sector.
REFERENCES
Adler, R. and Fuller, J. (2007). An integrated framework
for assessing and mitigating risks to maritime critical
infrastructure. In IEEE Conference on Technologies
for Homeland Security, pages 252–257.
AS/NZS 4360 (1999). Risk management standards aus-
tralia.
Balmat, J., Lafont, F., Maifret, R., and Pessel, N. (2009).
MAritime RISk Assessment (MARISA), a fuzzy ap-
proach to define an individual ship risk factor. In
Ocean Engineering, volume 36, pages 1278–1286.
Brunner, E. and Suter, M. (2008). International CIIP Hand-
book 2008/2009: An Inventory of 25 National and
7 International Critical Infrastructure Protection Poli-
cies. Technical report, Center for Security Studies,
ETH Zurich, Switzerland.
ENISA (2011). workshop on cyber security as-
pects in the maritime sector. available at
http://www.enisa.europa.eu/act/res/workshops-
1/2011/cyber-security-aspects-in-the-maritime-sector.
International Maritime Organization (Accessed
at 7 December 2011). available at
http://www.imo.org/Pages/home.aspx.
ISO/IEC 27001 (2005). Information technology - security
techniques - information security management system
- requirements. http://www.iso.org.
Kang, M., Li, M., Montrose, B., Khashnobish, A., Elliott,
S., Bell, M., and Pieper, S. (2009). Overview of the
security architecture of the comprehensive maritime
awareness system. In Military Communications Con-
ference (MILCOM 2009), pages 1–7. IEEE.
Ntouskas, T., Kotzanikolaou, P., and Polemi, N. (2011a).
Impact Assessment through Collaborative Asset Mod-
eling: The STORM-RM approach. In 1st Interna-
tional Symposium & 10th Balkan Conference on Op-
erational Research (to appear), Thessaloniki, Greece.
Ntouskas, T., Pentafronimos, G., and Papastergiou, S.
(2011b). Storm - collaborative security management
environment. In Ardagna, C. and Zhou, J., editors,
WISTP 2011, pages 320–335. LNCS 6633.
Ntouskas, T. and Polemi, N. (2012). STORM-RM: A col-
laborative and multicriteria risk management method-
ology. In Int. J. Multicriteria Decision Making (IJM-
CDM). Inderscience Publishers (to appear).
S-PORT Project (2011). available at http://s-port.unipi.gr/.
Saaty, T. L. (2008). Decision making with the analytic hi-
erarchy process. In Int. J. Service Sciences, volume 1,
pages 83–98.
Transportation Security Administration (2007). Critical in-
frastructure and key resources sector-specifc plan as
input to the national infrastructure protection plan.
Technical report, Dept. of Homeland Security, USA.
U.S. Department of Energy (2002). Resource Hand-
book on DOE Transportation Risk Assessment. Re-
port DOE/EM/NTP/HB-01. Technical report, Na-
tional Transportation Program, Office of Environmen-
tal Management, USA.
ICE-B2012-InternationalConferenceone-Business
308
