As regards the issues at stake, port IT security faces the following critical areas, as highlighted in the 2011 ENISA report:
poor awareness of and attention to maritime IT security, which translates into inadequate preparation to deal with IT risks;
complexity of ICT systems in the maritime context, which also include very specific elements; the rapid overall technological development has in some cases reduced attention to the vulnerabilities arising from missing updates. Furthermore, there is no standardization of good practices to ensure adequate protection of ICT systems: security guidelines often refer only to basic measures and either do not match the complexity of ICT tools or do not cover all the relevant technology;
fragmentation of maritime authorities: there are different levels of governance in the maritime sector with respect to IT security and related risks. The lack of coordination between these organizations and those existing at European and national level leads to a disjointed approach to maritime security;
low visibility of IT security in maritime regulation: the current regulatory environment pays great attention to the safety and physical security of port areas, but leaves out almost every aspect of computer security and the prevention of possible cyber attacks carried out through illegal acts;
absence of a uniform approach to IT risks: maritime authorities manage IT security considering only a part of the actual risks, neglecting relevant aspects of the protection of critical maritime infrastructure and of the identification of the measures necessary to prevent and manage all types of IT incidents;
lack of economic incentives for the implementation of IT security;
need for initiatives aimed at collaboration, the exchange of information and the sharing of experiences between the actors involved, since there are very few collaborative initiatives in the sector.
These aspects represented the starting point against which to consider a cross-border action plan to strengthen port security through the use of ICT solutions and dedicated procedures, to be introduced through individual pilot actions assigned to the ports involved.
Cyber security pilot actions
The cyber security pilot actions concerned the ports of Koper and Trieste, respectively for the execution of:
penetration test [7];
single data management platform [8];
GDPR compliance actions [9].
The pilot penetration test action implemented at the Port of Luka Koper was aimed at verifying and subsequently preventing cyber attacks on the port system and all systems connected to it, by verifying their vulnerabilities and updating the database.
In particular, the following tests were performed:
a security check according to the black box principle, including checks on the possibility of unauthorized access to data and their modification;
verification of the adequacy of data retention at local workstations, to avoid further abuse of the system;
assumption of the identity of existing users in the system;
changes to user privileges;
functionality evaluation;
OS security checks of servers running MS Windows Server;
provision of a new test to verify the completion of the corrective actions identified following the initial test.
Penetration tests in port ICT systems
The penetration test implemented in the Port of Koper (and in particular the provision of a subsequent verification test) can reasonably be considered an exception within the overall framework of protection of the port ICT systems analyzed in the SECNET project [10].
This critical aspect, which emerged thanks to the study indicated, could represent an opportunity if included in the framework of the periodic exercises envisaged pursuant to Section A/18.3 and Paragraph 18.4 [11] et seq. of Part B of the ISPS Code (respectively, Annexes II and III of Regulation (EC) No. 725/2004).
In this sense, Paragraph 18.5 of Part B, on the subject of exercises (so-called drills), states that "To ensure effective application of the provisions of the port facility security plan (understood as security), it is necessary to carry out exercises at least once every three months ... The exercise should serve to test the individual elements of the security plan, in particular those relating to the security threats listed in paragraph 15.11".
The quarterly exercises made mandatory by the PFSO and the Port Security Authority [12] therefore cover the threat scenarios codified (originally for the purpose of the security assessment of the port facility) in Paragraph 15.11, which relate to typical risk scenarios concerning physical security.
In particular, risk scenario 4 (Paragraph 15.11.4) assumes importance by its breadth, since it contemplates the hypothesis of "Access (to the port facility) or unauthorized use, including the presence of illegal immigrants".
It is clear that the scenario indicated refers to the hypothesis of material or physical entry into the port facility by persons and vehicles lacking authorization, or remaining in it against the will of the facility's managers; however, this scenario could also cover cyber security.
Now, consider that each PFSP must contain in its structure at least the items referred to in Section A/16.3, and in particular point 2, indicating "measures to prevent unauthorized access to the port facility ... and to restricted areas of the facility itself".
In particular, the restricted access areas of the port facility, pursuant to Paragraph 16.25 et seq., may include places where sensitive security information is stored, as well as places housing radio and telecommunications systems [13] and other utilities.
Restricted access areas subject to security measures governing regulated access can therefore include, for example, the places where the servers that make up the network infrastructure are housed: in particular the web server, any servers dedicated to providing specific services for professional and private operators, backup servers and any other peripheral element serving the protected network infrastructure.
These elements therefore fit fully into the organization of the security arrangements, and should be correctly identified in the PFSP as infrastructure to be protected, with an indication of the related countermeasures, once the specific risk scenarios have been evaluated within the PFSA [14].