Multidimensional, IntegraTed, rIsk assessment framework and dynamic, collaborative Risk ManaGement tools for critical information infrAstrucTurEs

State-of-the-art Critical Infrastructures (CIs) are gradually becoming more and more dependent on ICT technologies (such as networking, telecommunications, cloud, IoT, sensor and SCADA technologies), thereby rendering Critical Information Infrastructures (CIIs) a vital element of their functioning. This is very prominent in the case of modern port infrastructures, which are not only heavily dependent on the operation of complex ICT systems, but are also interconnected in order to provide complex supply chain services (e.g. container/cargo management) establishing dynamic ICT-based maritime supply chains. For example port infrastructures, interconnect with port authorities, ministries, maritime companies, ship industries, customs agencies, maritime/ insurance companies, other transport CIs (e.g. airports), people, processes, services, products, and more.
Thus, new risk assessment and security management tools are required in order to ensure the resilience and protection of the current and (even smarter) future interconnected ports’ Critical Information Infrastructures as well as their ICT- empowered supply chains.
In this vain, the MITIGATE project (www.mitigateproject.eu/) targets to contribute to the effective protection of the ICT-based ports supply chains that arises from the ICT interconnections and interdependencies of a set of maritime entities. The main goal of MITIGATE is to realize a radical shift in risk management methodologies for the maritime sector towards a collaborative evidence-driven Maritime Supply Chain Risk Assessment (g-MSRA) approach that alleviates the limitations of state-of-the-art risk management frameworks. In addition, the project has developed an effective, collaborative, standards-based risk management (RM) system that enables the involvement and participation of all stakeholders (e.g. port security operators, port facility operators, and supply chain participants) in the cyber-security management.

The project’s work started with the analysis of the requirements for the MITIGATE system. These requirements concerned both the MITIGATE methodology for risk management and the accompanying software system that supports the methodology. To this end, a questionnaire was developed and distributed to stakeholders, such as port authorities and port security operators. To develop the MITIGATE system, a thorough review and selection of mathematical instruments and risk models that could be integrated followed. Concluding this step, the MITIGATE methodology was formulated, along with the architecture of the MITIGATE software system.
The next step in the project’s development was the detailed specification of concepts, data structures, components and communication between the single modules. The technical specifications defined in this step build the ground of the MITIGATE system, including innovative concepts such as the use of game theory elements.
Integration and implementation of the MITIGATE system took place in the second half of 2016. Result is a risk management system specifically designed for the special needs of users of critical information infrastructures in the maritime supply chain. To achieve this goal, the chosen background components, modules and sub-systems were adapted, integrated and enhanced. The cloud-based infrastructure, which supports the MITIGATE governance model, including the roles of the various stakeholders and their interactions with the system, was established. Furthermore, the Open Intelligence & BigData Analytics module in order to realize the risk prediction and forecasting functionalities was implemented.
To ensure proper tests and a thorough evaluation of the MITIGATE system, five pilot sites were chosen. In the project consortium there are five ports represented which act as pilot sites: Bremen/ Bremerhaven, Livorno, Ravenna, Piraeus and Valencia. In the preparation phase, the representatives from these ports have been taught to use the MITIGATE system. Furthermore, the ports and their dedicated supporting partners from the consortium have developed plans to present the MITIGATE system to their business partners. Later on, pilot operations spread from internal to external users. Overall, more than 70 events took place, involving around 680 persons from the port and maritime community. From these events, valuable feedback was gathered to improve the system in accordance with the users’ requirements.
Not least, an intense evaluation methodology has been developed to ensure the use of the MITIGATE system from a stakeholder’s perspective. Overall, the MITIGATE project reached the goals set. The work carried corresponds mostly to the planning, related to both budget and content. Timelines were also mostly kept and the results clearly show that the aims of the project have been ambitious, but could be realised.
The three Key Exploitable Results include: the MITIGATE platform, the MITIGATE risk assessment methodology and the MITIGATE training program. The MITIGATE platform serves as a single entry point to a wide range of services, including the following aspects: innovative asset mapping and visualization, advanced simulation and visualization of cyber-attacks, collaborative risk assessment and an open intelligence and BigData analysis that allows users retrieve near real-time information.
The MITIGATE risk assessment methodology is the basis of the MITIGATE platform and the key asset to be exploited by the academic partners. And the MITIGATE training program enables participants to understand the basics of cyber threats and take precautions against them in one course, and teach the use of the MITIGATE system in a second one.

MTIGATE went beyond the state-of-the-art by introducing and validating an evidence-driven Maritime Supply Chain Risk Assessment (g-MSRA) methodology which is able to address and cover the distributed and interconnected nature of complex, interrelated cyber components, network and operating environments composing the ports’ Supply Chain Services. The proposed framework aims to facilitate and accelerate the process of the estimation and forecasting of all ports’ Supply Chain Services’ cyber risks. The ground-breaking nature of the project’s objectives is based on:
The introduction of an innovative risk assessment approach that: (a) promotes the identification and measurement all cyber threats within a Supply Chain (SC) service; (b) enables the evaluation of the individual, cumulative and propagated vulnerabilities; (c) stimulates the prediction of all possible attacks/ threats paths and patterns within the SC cyber system (which consists of cross-partners’ cyber assets); (d) allows the assessessment of the possible impacts; (e) enhnaces the calcualtion and prioritization of the corresponding cyber risks of the SC cyber assets; and (f) empowers the formulation of a proper mitigation strategy.