MITIGATE: a dynamic supply chain cyber risk assessment methodology

Modern port infrastructures have become highly dependent on the operation of complex, dynamic ICT-based maritime supply chains. This makes them open and vulnerable to the rapidly changing ICT threat landscape, and many ports are not yet fully prepared for it. Furthermore, these supply chains form a highly interrelated cyber ecosystem in which a plethora of distributed ICT systems belonging to various business partners interact with each other. Because of these interrelations, isolated threats and vulnerabilities within the system of a single business partner may propagate and have cascading effects on multiple other systems, resulting in a large-scale impact on the whole supply chain. In this context, this article proposes a novel evidence-driven risk assessment methodology, the MITIGATE methodology, to analyze the risk level of the whole maritime supply chain. The methodology builds upon publicly available information, well-defined mathematical approaches and best practices to automatically identify and assess vulnerabilities and potential threats to the involved cyber assets. As a major benefit, it provides a constantly updated risk evaluation not only of all cyber assets within each business partner in the supply chain but also of the cyber interconnections among those business partners. Additionally, the whole process is based on qualitative risk scales, which makes both the assessment and its results more intuitive. The main goal of the MITIGATE methodology is to support the port authorities as well as the risk officers of all involved business partners.
