53 research outputs found

    Cyber-physical security for ports infrastructure

    Taking advantage of the benefits associated with digital means has become a main priority for ports globally. The effective and smooth integration of Information Technology (IT) applications and those systems that support the conduct of operations (Operational Technology (OT) systems), along with the accurate “adjustment” of the human factor elements should be viewed as a very critical pillar for optimized safe and efficient operations in ports. The aforementioned assimilation characterizes cyber-physical systems and entails an extended number of IT and OT modules, systems and tasks involving various data transmission routes that are advancing in a technological and operational level alongside plausible cybersecurity threats. These cybersecurity risks, threats and vulnerabilities are depicted in this article to emphasize the progression of cyber-physical systems in the wider maritime industry and port domains, along with their rising cybersecurity vulnerabilities. Existing and applicable industry and government standards and mandates associated with cybersecurity attempt to impose regulatory compliance and increase asset cybersecurity integrity with reduced emphasis however, in the existing OT (Operational Technology) components and systems. The use of security risk assessment tools and processes that are used in other industrial sectors, such as the Security Risk Assessment (SRA) and the Bow Tie Analysis methods, can support the evaluation of IT/OT infrastructure for cyber-physical security susceptibilities and then assign suitable reactive measures. The implementation of cybersecurity safeguards that arise through the implementation of the MITRE ATT&CK Threat Model can enhance the cybersecurity posture of those assets that support the logistics chain, assuming that they are intermittently adapted following evaluations for their effectiveness and suitability. Finally, the improvement of stakeholder communication and cyber-awareness along with the increase in cyber-physical security resiliency can further be aided by the effective convergence of the segregated cyber and physical security elements of waterside or landside-based IT/OT infrastructure

    sec-certs: Examining the security certification practice for better vulnerability mitigation

    Products certified under security certification frameworks such as Common Criteria undergo significant scrutiny during the costly certification process. Yet, critical vulnerabilities, including private key recovery (ROCA, Minerva, TPM-Fail...), get discovered in certified products with high assurance levels. Furthermore, assessing which certified products are impacted by such vulnerabilities is complicated due to the large amount of unstructured certification-related data and unclear relationships between the certificates. To address these problems, we conducted a large-scale automated analysis of Common Criteria and FIPS 140 certificates. We trained unsupervised models to learn which vulnerabilities from NIST's National Vulnerability Database impact existing certified products and how certified products reference each other. Our tooling automates the analysis of tens of thousands of certification-related documents, extracting machine-readable features where manual analysis is unattainable. Further, we identify the security requirements that are associated with products being affected by fewer and less severe vulnerabilities (on average). This indicates which aspects of certification correlate with higher security. We demonstrate how our tool can be used for better vulnerability mitigation on four case studies of known, high-profile vulnerabilities. All tools and continuously updated results are available at https://seccerts.org

    Current established risk assessment methodologies and tools

    The technology behind information systems evolves at an exponential rate, while at the same time becoming more and more ubiquitous. This brings with it an implicit rise in the average complexity of systems as well as the number of external interactions. In order to allow a proper assessment of the security of such (sub)systems, a whole arsenal of methodologies, methods and tools have been developed in recent years. However, most security auditors commonly use a very small subset of this collection, that best suits their needs. This thesis aims at uncovering the differences and limitations of the most common Risk Assessment frameworks, the conceptual models that support them, as well as the tools that implement them. This is done in order to gain a better understanding of the applicability of each method and/or tool and suggest guidelines to picking the most suitable one

    Data driven decision support systems as a critical success factor for IT-Governance: an application in the financial sector

    IT-Governance has a major impact not only on IT management but also and foremost in the Enterprise's performance and control. Business uses IT agility, flexibility and innovation to pursue its objectives and to sustain its strategy. However being it more critical to the business, compliance forces IT on the opposite way of predictability, stability and regulations. Adding the current economical environment and the fact that most of the times IT departments are considered cost centres, IT-Governance decisions become more important and critical. Current IT-Governance research and practise is mainly based on management techniques and principles, leaving a gap for the contribution of information systems to IT-Governance enhancement. This research intends to provide an answer to IT-Governance requirements using Data Driven Decision Support Systems based on dimensional models. This seems a key factor to improve the IT-Governance decision making process. To address this research opportunity we have considered IT-Governance research (Peter Weill), best practises (ITIL), Body of Knowledge (PMBOK) and frameworks (COBIT). Key IT-Governance processes (Change Management, Incident Management, Project Development and Service Desk Management) were studied and key process stakeholders were interviewed. Based on the facts gathered, dimensional models (data marts) were modelled and developed to answer to key improvement requirements on each IT-Governance process. A Unified Dimensional Model (IT-Governance Data warehouse) was materialized. To assess the Unified Dimensional Model, the model was applied in a bank in real working conditions. The resulting model implementation was then assessed against Peter Weill's Governance IT Principles. Assessment results revealed that the model satisfies all the IT-Governance Principles. The research project enables to conclude that the success of IT-Governance implementation may be fostered by Data Driven Decision Support Systems implemented using Unified Dimensional Model concepts and based on best practises, frameworks and body of knowledge that enable process oriented, data driven decision support

    A Security Assessment of Mobikey for Remote Access

    Today, it is very common for employees to need to work when outside of the office. For various reasons, it's important that they be able to work anytime and anywhere. However, this raises security concerns about how this is accomplished. There are many options, such as virtual private networks (VPNs) and remote desktop solutions, but each comes with its own risks. A newer option is the MobiKEY from Route1, which allows users to connect to their work resources from anywhere. Route1 touts the MobiKEY, powered by MobiNET, as a much more secure method of remote access. How does it stack up against other solutions? This paper examines the advantages of MobiKEY from a security perspective as contrasted with other options. The author performed a risk assessment of the device based upon guidelines from the National Institute of Technology (NIST) and obtained a MobiKEY from Route1 for the purposes of testing. This paper documents those findings

    The future of Cybersecurity in Italy: Strategic focus area

    This volume has been created as a continuation of the previous one, with the aim of outlining a set of focus areas and actions that the Italian Nation research community considers essential. The book touches many aspects of cyber security, ranging from the definition of the infrastructure and controls needed to organize cyberdefence to the actions and technologies to be developed to be better protected, from the identification of the main technologies to be defended to the proposal of a set of horizontal actions for training, awareness raising, and risk management

    ENDPOINT PROTECTION SECURITY SYSTEM FOR AN ENTERPRISE

    The thesis subscriber was Metso Shared Services Ltd. The objective was to find out if Microsoft Forefront Endpoint Protection 2010 (FEP) would be a secure and cost-effective enough system to fulfill the requirements of the company’s endpoint protection security system. Microsoft FEP was compared and benchmarked with some other most significant endpoint protection products based on the requirements and definitions of the subscriber. The comparison and evaluation were based on investigation and data gathering of public sources, user’s own experiences of the compared products and analysis of results found during the project. As a conclusion it can be stated that Microsoft's FEP is good, however, it falls short of the integrated technical, security and management capabilities of the endpoint protection market leaders. Microsoft's security offerings are not the leading ones, nevertheless, they are reasonably priced and good enough for Microsoft-centric, cost-driven enterprises. If a company is Windows-centric, licensed under Core CAL or ECAL or has deployed and is using Microsoft System Center Configuration Manager (SCCM), FEP must at least be considered as an endpoint protection solution for Windows based endpoints. Although this thesis has been assigned by Metso Corporation, the results of the investigations can be used for any company which considers Microsoft Forefront Endpoint Protection as protection software for their endpoint devices. The thesis was commissioned by Metso Shared Services Oy. The objective of the thesis was to determine whether Microsoft Forefront Endpoint Protection 2010 (FEP) is a sufficiently secure and cost-effective software product to serve as the company's endpoint security software. During the work, the Microsoft FEP product was compared with and evaluated against other significant endpoint security software products based on the commissioner's requirements. Symantec Endpoint Protection (SEP) software was included in the written report as the product for comparison. The comparison and evaluation were based on gathering and studying information available from public sources, on the author's own experience of the features of the products in question, and on analysis of the results obtained. The results showed that Microsoft FEP is a sufficiently good product technically, but it does not match the market-leading products in its technical features with regard to security and manageability. Microsoft's security products are not among the best in terms of features, but they are nevertheless reasonably priced and are well enough suited to Microsoft-centric and cost-conscious companies. If a company has many Windows endpoints, has a Core CAL or ECAL agreement, and has deployed the Microsoft System Center Configuration Manager (SCCM) product, FEP 2010 software is worth considering as the company's endpoint security software. The work was carried out for the Metso group, but the results of the development work can also be used in other companies that are considering deploying Microsoft Forefront Endpoint Protection as the security software for their endpoints

    Emerging Informatics

    The book on emerging informatics brings together the new concepts and applications that will help define and outline problem solving methods and features in designing business and human systems. It covers international aspects of information systems design in which many relevant technologies are introduced for the welfare of human and business systems. This initiative can be viewed as an emergent area of informatics that helps better conceptualise and design new world-class solutions. The book provides four flexible sections that accommodate a total of fourteen chapters. The section specifies learning contexts in emerging fields. Each chapter presents a clear basis through the problem conception and its applicable technological solutions. I hope this will help further exploration of knowledge in the informatics discipline
