Monday, July 6, 2020

From pilot initiative to periodic ISPS exercise

Given these premises, the protection of the network infrastructure of an ISPS port facility must not only be subject to security procedures that protect the assets physically, against tampering or sabotage and against anyone acting directly on the system hardware, but must also be the subject of reaction procedures [15] linked to unauthorized-access scenarios (e.g. unauthorized access to the computer system over the network, by telematic means).

In this sense, the regulatory reference is Art. 615 ter of the Italian Criminal Code, titled Unauthorized access to a computer or telematic system, which punishes anyone who unlawfully enters a computer or telematic system protected by security measures, or remains in it against the express or tacit will of those entitled to exclude them.

This article, placed systematically in Section IV of the Code (Crimes against the inviolability of the home), introduces the concept of the so-called IT domicile, understood here as a protected and identified legal interest, "... as an ideal space containing the computer data pertaining to the person, extending the protection of the confidentiality of the individual sphere as a constitutionally protected interest", thus drawing a parallel with the physical home [16].

This line of analysis, pending specific additions to the legislation, could allow the PFSOs of port facilities to schedule a penetration test of their ICT systems within the quarterly exercises (drills), to be repeated in the same quarter of the following year. In this way, what originates as a pilot action carried out only by a few virtuous ports could consolidate over time into a distinctive and repeatable exercise scenario.

The proposed initiative could also be a useful option for reducing the risk of resorting to the often repetitive and/or insufficiently realistic scenarios evidenced by the recent inspection activity carried out by the General Command of the Port Authorities in national ports and port facilities [17].

Finally, including penetration tests in the quarterly drills would mean creating new synergies with the corporate ICT functions, contributing to the development of an internal group capable of jointly developing and improving practices and prevention measures suitable for inclusion in the Port Facility Security Plan.

NOTES
See General Command of the Port Authorities, Security Title Circular no. 40 of 29/03/2018, Maritime cyber risk management.
See Recital 10, Directive (EU) 2016/1148 of 6/07/2016.
ENISA publication: "The European economy is therefore critically dependent upon the maritime movement of cargo and passengers. On the other hand, the maritime activity increasingly relies on Information Communication and Technology (ICT) to optimize its operations, like in all other sectors. ICT is used to enable essential maritime operations, from navigation to propulsion, from freight management to traffic control communications, etc."
The Cooperation Programme approved by the European Commission with decision C(2017) 6247 of 14/09/2017.
In the Italian part of the Programme area, the ports of Venice (2,000,000 m²) and Trieste (1,725,000 m²) have the largest areas dedicated to goods storage. In addition, the port of Venice in particular has seen a considerable increase in cruise traffic, which undoubtedly stimulates the tourist activities of the ports in question. The port of Koper (Capodistria) is one of the main logistics and distribution centres and plays a leading role, holding the largest market share in the Upper Adriatic since 2010.
This aspect is important because additional and uncoordinated security measures often result in slower management of port operations and therefore in a less attractive port.
According to ENISA, "Penetration testing is the assessment of the security of a system against different types of attacks performed by an authorized security expert. The tester attempts to identify and exploit the system's vulnerabilities. The difference between a penetration test and an actual attack is that the former is done by a tester who has permission to assess the security of the system and expose its security weaknesses. In addition the tester is given certain boundaries to operate and perform this task."
As regards the Port of Trieste, a first pilot action concerns the implementation of a console for managing data from two distinct IT systems, which together offer a large and complex data set whose analysis would make it possible to maximise control of presence in the port, also with a view to supporting management decisions and handling emergencies.
The second pilot action, placed in charge of the ADSP MAO of Trieste, focused on so-called Security & Compliance Consulting services and in particular aimed at ensuring the adaptation of the IT infrastructure of the Port of Trieste to the provisions of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data (the GDPR) and of Legislative Decree no. 196/2003 (the Privacy Code), in particular as regards the provision on monitoring access by system administrators. Thanks to the SECNET project, an important assessment document was drawn up, the "Port of Trieste Security Assessment - Cyber Risk Management", which records the current state of the Port of Trieste.
See Annex 6.1, Study of best practices in ICT systems used for port security, pp. 38 et seq. As highlighted there, most of the ports surveyed have adopted a cyber security plan, accessible to all employees and regulating the responsibilities and obligations of individuals. Behavioural procedures for cyber incidents, which include recognising intrusion attempts in the system and transmitting alarms to the reaction team, have also been introduced in the ports of Valencia, Varna, Burgas and Koper. Only two ports (Koper and Burgas) analyse attacks systematically. The data collected indicate that fewer than half of the ports surveyed regularly carry out a cyber security risk assessment. Only a few ports include software and hardware vendors in the security assessment.
See par. 18.4: "The exercises and trainings aim to ensure that the staff of the port facility is able to perform the security tasks entrusted to them at all security levels and to identify any gaps in the security system that need remedy."
See Art. 8, paragraph 6 of Legislative Decree no. 203/2007.
Significant extension of security obligations to all operations, including radio and telecommunication systems, IT systems and networks, for ports and port facilities. See Recital 10, Directive (EU) 2016/1148 (the NIS Directive).
See Section A/15.5 of the ISPS Code and Security Title Circular no. 40 of 29/03/2018.
The implementation of which is mainly entrusted to the ICT staff and, as possible support, to the staff of the PFSO office where present.
See Criminal Cassation, Joint Sections (Sezioni Unite), no. 17325 of 26/03/2015. Furthermore, the offence under Art. 615 ter provides for an aggravated form where the conduct is carried out to the detriment of IT systems of public interest (paragraph 3). This is also relevant to the definition of "operator of essential services" in the NIS Directive.
