by Sandra König (AIT Austrian Institute of Technology)
Attacks on maritime ports have become more sophisticated since modern ports turned into cyber-physical systems. Simulation models can help with the vital task of detecting such attacks and understanding their impacts.
Digitalisation introduces new challenges to the protection of modern critical infrastructures, such as maritime ports. While control systems ensure smooth physical operations, they are also accompanied by new threats. Complex attacks such as advanced persistent threats (APTs) or drug smuggling [L1] make explicit use of the interconnection between cyber and physical systems of a port. Their stealth makes them difficult to detect and their potential impacts can only be estimated. Impact estimations in this context should be based on a formal analysis of the system. During the course of the European Commission’s project SAURON [L2] a model has been developed that simulates the aftermath of a security incident in a port in order to understand the impact on the port as well as the local population.
The simulation model represents the maritime port as a graph where nodes describe relevant assets, and edges describe a dependency between two assets. Assets can be physical (crane, gate, truck or camera), cyber (server, working laptop or a database), but also represent processes (identification of employees, registration of a container). Once the dependency graph is known, the internal dynamics of each asset are modelled. Its functionality is described on a three-tier scale, where states can be interpreted as “working properly” (state 1), “partially affected” (state 2) or “not working” (state 3). The state of the asset changes depending on notifications about events that have happened. Due to the complexity of the considered attacks, the state changes are assumed to happen with a certain likelihood. Once these likelihoods are determined, it is possible to mimic how an attack spreads through the entire system. A formal description of the model is given in  and the idea is illustrated in Figure 1.
Figure 1: Simulation model for impact estimation.
A practical application of the formal model to a concrete problem follows these steps:
- Identification of relevant assets. This step answers the question “Which components are important for smooth operation?” and the answer is a list of assets containing, for example, server, computer, camera, truck etc. If the number of assets is high, it is beneficial to classify them to reduce the modelling effort later by labelling classes instead of individual assets.
- Identification of dependencies. This step answers the question “How do the identified assets depend on one another?” and the answer is a list of pairs (u,v) where v depends on u. There are many ways that dependencies may occur, ranging from physical proximity to required services (e.g. identification of employees requires a properly working database). A dependency graph illustrates the identified relationships nicely.
- Identification of relevant alarms. This step answers the question “What threatens the system?” and the answer is a list of alarms. Not every alarm is dangerous for each asset (e.g. a malware attack only affects cyber assets) but the list is a collection of all incidents that reduce functionality of even a part of the port. Each alarm carries information on its kind (e.g., fire, malware, …) and criticality (measured on a fixed scale). During simulation, it is also important to attach a timestamp indicating when the incident happened.
- Description of internal dynamics. This step answers the question “How do we describe each asset’s behaviour?” and the answer is a set of states (e.g., ranging from 1 to 3) and for each asset a matrix of transition likelihoods that describe the change between the states. If enough data is available, machine learning techniques such as logistic regression can be applied to learn these probabilities from expert opinions.
After performing all these steps, the consequences of a concrete incident can be simulated. The considered incident may affect a single asset (e.g., in case of a malware that is activated on a single laptop) or several assets simultaneously (e.g., hackers may switch off cameras). An online tool [L3] is available to perform the significant number of simulation runs required for statistical analysis.
The simulation allows the impact on assets to be statistically analysed. It is possible, for instance, to estimate how often a specific asset is not working properly (state 2 or 3) or not working (state 3). Further, the average state of each asset can be computed and the corresponding nodes in the dependency graphs can be coloured accordingly (using green, orange and red to indicate the average level of functionality). The resulting graph gives a quick overview of which assets are threatened the most. Another important result of the analysis is that it allows the cause of failure of a specific asset to be identified by following back the chain of infection that led to the failure. Such information is particularly useful when investigating ways to protect the system – an asset that causes problems should be replaced or protected to increase the security of the entire system.
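The modelling steps and the statistical analysis described above can be sketched in a few lines of Python. This is an added example, not code from the SAURON project or its online tool. The asset names, the dependency list, the transition likelihoods, the colour thresholds and the rule that states only degrade within one run are all assumptions made for illustration.

```python
import random
from collections import deque

# Constructed example port: a pair (u, v) means asset v depends on asset u.
DEPENDENCIES = [("server", "database"), ("server", "camera"),
                ("database", "employee_id"), ("employee_id", "gate"),
                ("gate", "truck"), ("crane", "truck")]

# Assumed likelihoods (illustrative, not SAURON values): key = state of the
# provider that raised the notification, value = probability that the
# dependent asset ends up in state 1, 2 or 3.
TRANSITIONS = {2: (0.6, 0.3, 0.1), 3: (0.2, 0.4, 0.4)}

def simulate_once(incident, rng):
    """One run. incident maps the initially hit assets to state 2 or 3."""
    state = {a: 1 for edge in DEPENDENCIES for a in edge}
    state.update(incident)
    cause, queue = {}, deque(incident)
    while queue:
        u = queue.popleft()
        for provider, v in DEPENDENCIES:
            if provider != u:
                continue
            new = rng.choices((1, 2, 3), weights=TRANSITIONS[state[u]])[0]
            if new > state[v]:  # simplification: no recovery within a run
                state[v], cause[v] = new, u
                queue.append(v)
    return state, cause

def trace_back(asset, cause):
    """Follow the chain of infection from an asset back to the incident."""
    chain = [asset]
    while chain[-1] in cause and cause[chain[-1]] not in chain:
        chain.append(cause[chain[-1]])
    return chain

def analyse(incident, runs=2000, seed=1):
    """Repeat the simulation and summarise each asset's states."""
    rng = random.Random(seed)
    stats = {}
    for _ in range(runs):
        state, _ = simulate_once(incident, rng)
        for a, s in state.items():
            t = stats.setdefault(a, [0, 0, 0])
            t[0] += s
            t[1] += s >= 2
            t[2] += s == 3
    return {a: {"mean_state": t[0] / runs, "p_degraded": t[1] / runs,
                "p_failed": t[2] / runs} for a, t in stats.items()}

if __name__ == "__main__":
    for asset, r in sorted(analyse({"server": 3}).items()):
        m = r["mean_state"]  # colour thresholds below are assumed
        print(asset, "green" if m < 1.5 else "orange" if m < 2.5 else "red", r)
```

Running the script prints one line per asset with its colour and statistics for an incident that takes the server to state 3; passing the `cause` mapping of a single run to `trace_back` returns the chain of assets that led to a given failure.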
This work was supported by the European Commission’s Project SAURON (Scalable multidimensional situation awareness solution for protecting European ports) under the HORIZON 2020 Framework (Grant No. 740477).
S. König, S. Rass, B. Rainer and S. Schauer, “Hybrid Dependencies Between Cyber and Physical Systems”, in Advances in Intelligent Systems and Computing, Proceedings of the 2019 Computing Conference, Volume 2, London, UK, July 16-17, 2019, K. Arai Ed. Cham: Springer, 2019. pp. 550-565.
S. König, A. Gouglidis, S. Rass, N. Adams, P. Smith and D. Hutchison, “Analysing Disaster-Induced Cascading Effects in Hybrid Critical Infrastructures: A Practical Approach”, in Guide to Disaster-Resilient Communication Networks, J. Rak, D. Hutchison, Eds. Cham: Springer, 2020. pp. 769-789.
AIT Austrian Institute of Technology, Austria