A Novel Risk Assessment Methodology for SCADA Maritime Logistics Environments

In recent years, maritime logistics infrastructures have become the global links among societies and economies. This challenges adversaries to intrude on the cyber-dependent ICTs by performing high-level intelligent techniques. A potential cyber-attack on such infrastructures can cause tremendous damage, starting from supply chain service disruption and ending up with threatening the whole human welfare. Current risk management policies embed significant limitations in terms of capturing the specific security requirements of ICTs and control/monitoring devices, such as IoT platforms, satellites and time installations, which function primarily for the provision of Maritime Logistics and Supply Chain (MLoSC) services. This work presents a novel risk assessment methodology capable of addressing the security particularities and specificities of the complex nature of SCADA infrastructures and Cyber-Physical Systems (CPSs) of the Maritime Logistics Industry. The methodology identifies asset vulnerabilities and threats to estimate the cyber-risks and their cascading effects within the supply chain, introducing a set of subsequent security assessment services. The utilization of these services is demonstrated via a critical, real-life SCADA scenario indicating how they can facilitate supply chain operators in comprehending the threat landscape of their infrastructures and guide them in adopting optimal mitigation strategies to counter or eliminate their cyber-risks.


Introduction
In the modern era, Maritime Logistics and Supply Chains (MLoSCs) are the blood veins of global trade and economy where cross-border Critical Infrastructures (CI), such as ports, maritime authorities, airports, railways, energy providers, banks, maritime logistics and transport companies, collaborate in offering critical complex services, such as container management, vehicle transport, Liquefied Natural Gas (LNG) transport and cruising. The CIs that operate within their MLoSCs have physical and cyber multi-interdependencies, interacting with all sectors of the economy and therefore, their malfunctioning or disruption could have cascading effects on several other infrastructures or services depending on them throughout the global supply chain.
MLoSC services embed physical processes, such as vehicles and cargo stevedoring, ports Plant power supply procedures, pipeline management during LNG transport, which are monitored and controlled by composite and heterogeneous Industrial Control Systems (ICS) including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS) and ISO27001 [10], ISO27005 [10] and ISO28001 [11]. Furthermore, there is a compelling need for more targeted Risk Assessment (RA) approaches dealing with the distributed and interconnected nature of the dynamic, ICT-based MLoSC environments.
The current study aims to present a novel evidence-based risk assessment methodology and illustrate the utilization of its generated sophisticated RA system, which has been developed under the EU H2020 Research Project "MITIGATE" [12]. The proposed methodology addresses the specificities and particularities of MLoSC cyber-assets, such as composite SCADA-based infrastructures, and evaluates their evolving risk landscape by identifying asset interdependencies regarding the associated threats and cascading effects. To illustrate the level of disruption and damage that a potential sophisticated cyber-attack can cause to the MLoSC performance and underscore the necessity of protecting complex maritime logistics infrastructures, such as SCADA systems, we present three real-life SCADA cyber-attack scenarios on critical services of the MLoSC. Furthermore, to demonstrate how cybersecurity risks of SCADA installations pertaining to the MLoSC can be captured, assessed and evaluated, we implement the MITIGATE effective, collaborative, standards-based security assessment services on a relevant SCADA supply chain scenario. To this purpose, all threats arising from the global supply chain will be considered, including those related to port CIs interdependencies and associated cascading effects. Section 2 presents related works. In Section 3 security challenges on Industrial Control Systems (ICS) are addressed. Section 4 describes the MITIGATE evidence-driven risk assessment methodology and analyzes its security assessment services. Section 5 presents SCADA real-life cyber-attack scenarios on maritime logistics critical services. Section 6 refers to the utilization of the MITIGATE system security assessment services on SCADA systems. Section 7 states the evaluation process and findings of the MITIGATE risk assessment methodology; it presents the limitations of existing RA methods, highlights corresponding MITIGATE advantages and reports the evaluation findings. Finally, Section 8 integrates conclusion and discussion topics.

Risk Assessment Methodologies on Contemporary Maritime Logistics Infrastructures
A systemic review has been carried out to identify relevant existing literature on topics of supply chain security requirements engineering, risk management and supply chain security management standards of the Maritime Logistics Industry, to adumbrate cutting-edge issues and elicit important challenges.
Risk Assessment (RA) practices for CPSs have been developed over the past 40 years and they are still searching for methods to comprehend and facilitate the monitoring of risks [13]. The underlying principles of RA are captured in the National Academy of Science (Red Book) [14], where assessment and decision-making are distinguished [15].
With respect to SCADA systems, risk is assumed "a function of the likelihood of a given threat-source exploiting a potential vulnerability and the resulting impact of a successful exploitation of the vulnerability" (7). According to ISO/IEC 13335-1:2004 definitions [16], security goals are traditionally categorized into (i) Confidentiality (information is not made available or disclosed to unauthorized entities); (ii) Integrity (safeguarding the accuracy and completeness of assets) and (iii) Availability (being accessible and usable upon demand by an authorized entity).
RAs are generally categorized into qualitative, quantitative and hybrid methods, which are a combination of the first two. Remarkable examples of semi-quantitative RA approaches for maritime logistics assets are found in the literature, such as the Fault Tree Events Analysis which estimates the frequency of event occurrence in an undesired (top/root) logical scale [17]. The OBEST object-based event scenario tree illustrates combined features of event tree analysis and Monte-Carlo discrete event simulation along with concepts of object-oriented analysis for RA [18]. Schneier [19] introduced the attack trees as a method to formalize the security of systems and subsystems regarding varying attacks. A probabilistic-based RA Tool provides a foundation for the estimation of risk reduction when applied to SCADA security [20]. Augmented vulnerability trees and two new indices for quantifying

• A structured body of cybersecurity knowledge using Knowledge Management practices to organize the knowledge [13,55].
• Adoption of business modeling and simulation techniques to carry out different real-life cyber-attack scenarios and experiment with the results [7,55].
• Taking into account rational decision-making techniques for probabilistic RAs of complex cyber-attack scenarios.
• Identify common or cross-border scenarios throughout national and regional limits [7].
• Involvement of all CI operators, including entities of both public and private sector participating, in order to have a clear and detailed view of SCADA cyber-risks at the asset-individual level and to identify the overall cyberdependencies across SCADA Networks and hence detecting the impact at the system level [55].
• Be compliant with regulations and directives or international standards applying to the supply chain (e.g., IMO practices and ISO standards).
• Introduce collaborative practices to facilitate the sharing and transfer of risk-related information across supply chain operators.
Moreover, there is the need for new risk and resilience assessment approaches that may assess and demonstrate the ability to develop and implement effective RA strategies and ensure SCADA systems resilience against aftermath cyber-incidents. The MITIGATE security assurance services are capable of responding to these requirements. The current work aims to raise MLoSCs operators' awareness of ICS security and assist them in learning how to recognize and react to an ICS cybersecurity SCADA incident.

The MITIGATE Supply Chain Risk Assessment Methodology
MITIGATE is the product of a research project [12], co-funded by the European Commission under its biggest Research and Innovation program Horizon 2020. The acronym "MITIGATE" stands for multidimensional, integrated, risk assessment framework and dynamic, collaborative Risk Management tools for critical information infrastructures.

An Evidence-Driven Holistic Approach
The MITIGATE methodology is a dynamic, collaborative, standards-based risk management methodology for all maritime logistics actors of the global supply chain protecting CIs from cyber-criminal activities [56]. This RA approach deals with MLoSC infrastructures and can be respectively applied to SCADA systems to assess their cyber-risks.
Its dynamic and collaborative notion derives from an evidence-driven Maritime Supply Chain Risk Assessment (MSCRA) holistic approach [56][57][58], which is implemented towards a step-by-step risk management methodology providing a holistic view of maritime logistics infrastructures and their supply chains, enabling cooperation and risk-handling transparency among supply chain stakeholders and generating unique evidence about risk assessment and mitigation. This is achieved by an open simulation environment that allows the business partners to simulate risks and evaluate risk mitigation actions. To estimate the cascading and escalating effects of risks, threats and vulnerabilities of the ICT-based supply chains, the MITIGATE methodology uses specialized metrics and measurements. The identification and analysis of composite interdependencies between supply chain entities and their cyber-assets drive the process of assessing the propagation of incidents through multiple ICT networks. An application of game-theoretic algorithms yields the recognition of optimal mitigation actions, capturing a worst-case scenario damage for the defender, based on the game-theoretic risk management approach described in Reference [59], the mathematical module for uncertain payoffs described in Reference [60] and potential attack strategies presented in References [57,58,61]. In this context, the MITIGATE methodology focuses on the following objectives:

• To assess a given supply chain service at the asset individual level
• To promote a rigorous, rational approach that gathers, critically appraises and uses high-quality research information (produced either by well-defined simulation experiments or available online repositories and social media)
• To formulate a proper mitigation strategy.
The methodology of design is compliant with a range of international standards (e.g., ISO27k and ISO28k families and ISPS code), capitalizing on them and other well-known and proven guidelines and good practices [15] and following standardized notations. Beyond the aforementioned standards and guidelines, the MITIGATE approach has taken into consideration, additionally, concepts coming from past projects and existing tools: The MEDUSA supply chain risk assessment methodology [38], Secure Tropos (e.g., the security modeling) [62] and AECID (e.g., informational interdependency types) [63].

A Novel Integrated Risk Management System and Services
Despite the importance of CIs and dynamic ICT-based assets for port operations, according to the literature, risk management methodologies for maritime logistics environments pay limited attention to the cyber-security nature of their infrastructures and do not adequately address the security requirements of the business processes associated with global supply chains. Motivated by these limitations, MITIGATE introduces, integrates, validates and commercializes a novel Risk Management (RM) system [64], which empowers stakeholders' collaboration for the identification, assessment and mitigation of risks associated with cybersecurity assets and supply chain processes. The MITIGATE RA approach can be utilized on SCADA infrastructures to assess their cyber-risks. This is demonstrated via an indicative example presented in Section 6. The MITIGATE system achieves its objectives through a bouquet of subsequent security assessment services, which integrate a number of activities ranging from asset identification, impact and threat analysis to the specification of the existing controls and the disclosure, evaluation and treatment of the inherent and interdependent risks. Thereby, the MITIGATE system supports the following flexible and configurable self-driven security assessment services:
The MITIGATE methodology addresses the cybersecurity requirements of the business processes encompassing the MLoSC performance through the modeling of the MLoSC services. This is achieved by adopting knowledge management practices, which analyze in-depth inter-organizational and cross-organizational key-concepts of MLoSC critical services: Key-management processes, participating business partners and operating CPSs. The aforementioned approach implements a combined technique of process-centric and asset-centric views analyzed in Reference [55]. The process-centric view, depicted in Figure 1, defines the business processes and business partners' participation and collaboration in the provision of the supply chain service whereas the cyber-asset view, shown in Figure 2, identifies the cyber-assets operation and their interrelation within the supply chain service.
Consequently, this security assessment service delivers a cyber-asset inventory including all computing (desktops, notebooks, servers) and networking related devices (switches, routers, etc.), printers, appliances (network attached storage, network capable cameras, etc.), applications and IT systems in general owned, managed, or otherwise used by the maritime logistics operators. Such devices are vessel traffic monitoring systems, intermodal maritime-based logistics, SCADA components, such as Human Machine Interface (HMI), Master Terminal Unit (MTU), Programmable Logic Controllers (PLCs), Supervisory stations, Remote Terminal Units (RTUs), sensor systems for controlling stevedoring equipment, such as gantry cranes, trailers and forklifts [54].
The modeling of supply chain services elicits information about the main cyberdependencies that exist among assets. A cyberdependency of assets is considered a pair cyber-asset (node) interrelation and/or interconnection (edge) aiming to fulfil an electronic service/operation across communication networks [55,59]. The MITIGATE methodology assumes a twofold dependency concept: (i) The dependency type and (ii) the dependency access vector. The dependency type identifies the manner in which a cyber-asset pair is interdependent in a supply chain service: 1. Hosting; 2. Exchange data/information; 3. Storing; 4. Controlling; 5. Processing; 6. Accessing; 7. Installing; 8. Trusted; 9. Connecting. The cyber-asset pair consists of a source cyber-asset and a destination cyber-asset. The dependency access vector defines the location the two cyber-assets are able to interact through a communication network within the supply chain: Adjacent Network (A), Local (L), Network (N) [34,55,56]. This allows the MLoSC operators to understand how these assets are used and cooperate. Additionally, the MITIGATE service provides a visualization of the entire infrastructure, which expands the cyber-assets knowledge and improves the data sharing of the spectrum [55].

Vulnerabilities Management and Open Intelligence (SAS-2)
Organizations involved in the MLoSC should be aware of the vulnerabilities associated with the cyber-assets of their IT infrastructures. This service acts as a central repository for all known and unknown/undisclosed vulnerabilities. It makes use of open data sources, such as the CVE Details portal [65] where these vulnerabilities have been disclosed, replicating all the confirmed and known vulnerabilities and associating them with the affected assets via synchronization and knowledge management mechanisms. Unknown/undisclosed vulnerabilities can be, additionally, declared and treated by business partners. To quantify vulnerabilities, a set of metrics is taken into account as listed below [65]:

• The access vector showing how a vulnerability can be exploited.
• The attack complexity illustrating how easy or difficult it is to exploit the discovered vulnerability.
• The authentication describing the number of times that an attacker must authenticate to a target to exploit it.
• The confidentiality outlining the impact on the confidentiality of data processed by the asset.
• The availability describing the impact on the availability of the target asset.
• The integrity describing the impact on the integrity of the exploited asset.

Threats/Controls Management and Open Intelligence (SAS-3)
The digital era presses supply chain operators and organizations involved in the MLoSC to be highly knowledgeable about the threat landscape their IT infrastructure is exposed to. Hence, they should be armed with the appropriate tools and solutions that could help them familiarize themselves with the threats that may affect their organizations and the security controls that can be either deployed or applied in order to mitigate the risks and confront the defined threats and weaknesses. In this context, the MITIGATE system acts as a knowledge base of identified threats indicating corresponding mitigation controls that can be used to counter such cybersecurity issues.
This service adopts the CAPEC classification of MITRE [66], which synchronizes the MITRE attack identifiers and associates the identified vulnerabilities with one or more weakness identifiers. Custom threats can be declared by supply chain business partners. Furthermore, the service supports the creation and customization of security controls, which are categorized into two types: "Mitigates Threats" and "Mitigates Vulnerabilities".

Threat Scenarios Specification (SAS-4)
The interconnectivity and heterogeneity of ICT systems foster the frequent emergence of new, complex threats and vulnerabilities. As cybercriminals continue to do the unexpected by discovering new ways to break into ICT processes and SCADA operations, the nature of cyber-attacks within the MLoSC is becoming even more targeted, sophisticated and ingenious. Against this background, the MITIGATE system offers threat scenario specification to help MLoSC operators realize the consequences deriving from the identified threats and vulnerabilities on their cyber-assets. A threat scenario is assumed to be a use case in which a threat can compromise an asset by exploiting vulnerabilities and weaknesses as well as taking advantage of the lack of adequate security controls. The MITIGATE service provides the capability to declare statically the mapping of threats and vulnerabilities with assets to increase the cybersecurity awareness of MLoSC operators. Figure 3 illustrates the threat scenarios declaration in the MITIGATE system.
This MITIGATE service provides guidance to the MLoSC operators to assess and organize the cybersecurity issues associated with the supply chain services in which they are involved. Moreover, the MITIGATE system encompasses and executes an evaluation process that implements the main steps of the proposed MSCRA approach [56][57][58][61]. Furthermore, MLoSC operators, such as Port employees, SCADA operators, forwarders, Port Authorities, shipping and carrier agencies, can use this service to identify and measure all relevant cyber threats, vulnerabilities, assess the possible impacts and derive and prioritize the corresponding risks. In particular, the MITIGATE MSCRA approach estimates the cyber-assets' risk exposure concerning the following three main types of risks: (i) the individual risk, which represents how dangerous a threat is to a specific cyber-asset within a supply chain service; (ii) the cumulative risk, which estimates the risk exposure of the successful exploitation of multiple vulnerabilities, in order to reach a specific cyber-asset within the supply chain service starting from different entry points and (iii) the propagated risk, which shows how deep into the supply chain service an attacker may penetrate in case he successfully exploits vulnerabilities found in asset entry points dealing with threats.
Risk Assessment is initiated on the cyber-assets declared on the supply chain processes pertaining to the MLoSC services, identified during the execution of the supply chain service modeling. MLoSC operators are able to assess the risks on their cyber-assets operating in supply chain processes, which are either directly defined from them or realized by other business partners in which they have been invited and accepted to participate via the MITIGATE system collaborative environment.
The Supply Chain Risk Analysis service supports two types of risk assessment: "Real" and "Simulation". The key difference is that simulation allows MLoSC operators to further customize their cyber-assets by changing the security information on them; disregard certain vulnerabilities and threats, amend the threat probability indicators and add more or replace security controls while the "Real" risk assessment type does not permit such alterations. Furthermore, the simulation mode offers a virtual playground where asset cartography has been cloned and thus it permits to run dynamically different mitigation strategies without affecting the status of the real asset inventory.
The security assessment service delivers a detailed summary of the calculated risks at asset individual level, as presented in Figure 4. Cyber-assets operating in the selected supply chain process are presented in a lexicographical order. For each asset, the operator can see the individual risk level, defined previously, which is calculated per vulnerability along with the associated threat category. Moreover, the mapping of attacker's capability with respect to the asset-vulnerability combination provides the likelihood that an attacker may be able to exploit a specific vulnerability. This estimation relies on a qualitative nature of a five-tier nominal scale, which is thoroughly analyzed in References [56][57][58]: (i) "Very High" (VH) risk is expected to occur within the assets of the business partner with very high probability and an incident has been realized more than once in the last year (12 month period); (ii) "High" (H) risk is expected to occur within the assets of the business partner with high probability and an incident has been realized once in the last 1 year (12 month period); (iii) "Moderate" (M) risk is expected to occur within the assets of the business partner with moderate probability, where more than one incident has been realized over the last 2 years; (iv) "Low" (L) risk is expected to occur within the assets of the business partner with low probability, where at most one incident has been realized over the last 2 years; (v) "Very Low" (VL) risk is expected to occur within the assets of the business partner with very low probability, where at most one incident or no incident has been realized over the last 3 years.  To classify the asset's risk, the worst-case scenario of the vulnerability risks per asset is used to introduce the "Dominant Individual Risk Level", which is additionally visualized by a Risk Analysis Diagram.
Besides, the operator can see for each asset the threat's dominant risk level, which is the maximum risk of all vulnerabilities under a particular threat. The "Threat Analysis" diagram illustrates a count of different threats that contribute to the asset's risk level classification.
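The per-asset summary and the "Real" versus "Simulation" distinction described above can be sketched as follows. This is an added example, not code from the MITIGATE system: the inventory, the placeholder vulnerability and threat identifiers and the function names are constructed, and the simulation mode is reduced to disregarding vulnerabilities or threats on a cloned inventory.

```python
import copy

# Five-tier nominal scale from the text, lowest to highest.
SCALE = ["VL", "L", "M", "H", "VH"]
RANK = {level: i for i, level in enumerate(SCALE)}


def summarize(inventory):
    """Per-asset summary, assets in lexicographical order.

    inventory maps asset name -> list of findings, each a dict with
    "vuln", "threat" and "risk" (the individual risk level per vulnerability).
    """
    report = {}
    for asset in sorted(inventory):
        per_threat = {}
        for finding in inventory[asset]:
            best = per_threat.get(finding["threat"])
            if best is None or RANK[finding["risk"]] > RANK[best]:
                per_threat[finding["threat"]] = finding["risk"]
        report[asset] = {
            # Worst case over all vulnerability risks of the asset.
            "dominant_individual_risk": max(
                per_threat.values(), key=RANK.get, default=None),
            # Maximum risk of all vulnerabilities under each threat.
            "threat_dominant_risk": per_threat,
            # Number of different threats contributing to the classification.
            "threat_count": len(per_threat),
        }
    return report


def simulate(inventory, disregard_vulns=(), disregard_threats=()):
    """Simulation-type assessment: alter a clone, never the real inventory."""
    clone = copy.deepcopy(inventory)
    for asset, findings in clone.items():
        clone[asset] = [f for f in findings
                        if f["vuln"] not in disregard_vulns
                        and f["threat"] not in disregard_threats]
    return summarize(clone)


# Constructed sample inventory; identifiers are placeholders, not real ids.
REAL_INVENTORY = {
    "PLC": [{"vuln": "VULN-PLC-1", "threat": "THREAT-A", "risk": "H"},
            {"vuln": "VULN-PLC-2", "threat": "THREAT-B", "risk": "M"}],
    "HMI": [{"vuln": "VULN-HMI-1", "threat": "THREAT-A", "risk": "VH"},
            {"vuln": "VULN-HMI-2", "threat": "THREAT-A", "risk": "L"},
            {"vuln": "VULN-HMI-3", "threat": "THREAT-C", "risk": "M"}],
    "MTU": [{"vuln": "VULN-MTU-1", "threat": "THREAT-B", "risk": "VL"}],
}

if __name__ == "__main__":
    for name, row in summarize(REAL_INVENTORY).items():
        print("real      ", name, row)
    for name, row in simulate(REAL_INVENTORY, {"VULN-HMI-1"}).items():
        print("simulation", name, row)
```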

Attack Paths Simulation (SAS-6)
MLoSC interdependent assets can be increasingly affected by multi-stage targeted cyber-attacks (such as Stuxnet, Duqu, and Flame) using this cross-organizational dependency as a stepping stone to reach the actual target. MITIGATE implements an attack-path discovery method [57,58,61] that relies on unique characteristics, such as the attacker's location, the attacker's capability, asset interdependencies and the entry and target points, in order to return all attack paths that exist in the examined supply chains. The service supports the calculation and rendering of all the relevant attack graphs representing the different paths a cyber-attacker can follow to reach and harm a target asset. The operator can see all the potentially affected assets and their individual relationships.
This attack path generation and visualization (Figure 5) is carried out by the execution of rule-based reasoning mechanisms that develop all alternative chains of sequential vulnerabilities on the examined cyber-assets following an attack-path discovery method. It is a logic rule-based reasoning approach, which basically consists of the attacker profile, the attacker location and the association rules that are executed to build the attack graph and generate the paths. In addition, it relies on two components: (i) the knowledge base component and (ii) the path construction component. A further description of the approach is presented in References [57,58,61].

The vulnerabilities trees, produced during the Attack Path Simulation Service, expose the risks embedded in the individual cyber-assets and in the entire supply chain. Thereupon, the MLoSC business partners require guidelines recommending the selection of the most appropriate security controls and indicating optimization practices, to minimize the expected damage. In this vein, the MITIGATE assures an acceptable risk level for the collaborative business partners and the overall MLoSC. In particular, the proposed system provides the necessary defensive capabilities and supports a rational decision-making to determine which security controls must be implemented and which partners need to implement them to encounter the identified security issues and cyber-risks. Since all defence strategies and the corresponding payoffs have been determined, the game-theoretic algorithm implementation, which is analytically presented in References [59,60], delivers an optimal way of selecting actions both of the attacker and defender. This equilibrium has a twofold notion: (i) To protect the assets by adopting the proper proposed security measures that eliminate the damage; (ii) to identify the highest damage an adversary may cause to the business partner and indicate the defense strategy that deviates the attacker from this optimal solution providing the minimum business partner's loss. To this end, the worst case scenario of damage within the supply chain service is described. Summarizing, MITIGATE recommends to maritime logistics organizations the performance of the following activities, in order to manage the MLoSC's cyber-risks:

• Review the risk assessment results and focus on assets with high individual risk; highlight the responsible vulnerabilities and the applicable security controls.
• Run attack path analysis scenarios setting (i) high-risk assets as entry points (e.g., GIS web services, malware SCADA supervisory workstations, etc.) (ii) cyberdependencies as targets. Then, explore the paths and the vulnerabilities that contribute more to the cumulative risk on the cyberdependencies. Mitigating these will limit the potential impact imposed on the collaborating business partners. In addition, attack path analysis can be carried out setting cyberdependencies as entry points and study the propagated sub-graph.
• Mitigation Strategy Selection. Select the security controls of choice and build different defensive strategies. The game theoretic module will evaluate them and return the optimal results.

Social Engineering and Open Intelligence (SAS-8)
The World Wide Web is full of cybersecurity-related content. Social media like Twitter and Reddit, as well as security blogs, RSS feeds and general-purpose websites, contain invaluable information about disclosed vulnerabilities, cyber-threats, exploitation methods and security controls. The Open Intelligence service captures information from various sources and repositories, analyzes and correlates their content with cybersecurity concepts and stores the results for further browsing and processing.
These Social Engineering and Open Intelligence procedures can be managed by adding, editing or deleting sources, specifying the media source and search-keyword. The MITIGATE system consults the inherent list in further data gathering job executions and provides an enhanced result set. A remarkable example of the open intelligence service is shown in Figure 6.
Hence, the service provides the "Open Intelligence News", where MLoSC operators can view cybersecurity news relevant to their assets. The Assets' CPE identifier is used in particular to define the relevance of a new entry with the business partner's asset inventory. Further, searching is allowed via the available filters (time-range, free-text) and the "Search" button. "Open Intelligence Search" allows operators to explore content without applying the asset inventory relevance filter described previously.
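The CPE-based relevance filter behind "Open Intelligence News", and the unfiltered "Open Intelligence Search", as an added Python example that is not MITIGATE's own code. The inventory, the news entries, the vendor and product names and the simplified four-attribute comparison are constructed assumptions.

```python
import re
from datetime import date


def parse_cpe23(cpe):
    """Return (part, vendor, product, version) from a CPE 2.3 formatted string."""
    fields = re.split(r"(?<!\\):", cpe.strip())  # "\:" is an escaped colon
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return tuple(f.lower() for f in fields[2:6])


def attrs_match(asset_attrs, news_attrs):
    """Simplified comparison (assumption): attributes agree, '*' matches anything."""
    return all(a == n or "*" in (a, n) for a, n in zip(asset_attrs, news_attrs))


def search(news, since=None, until=None, text=None):
    """Time-range and free-text filters only, no inventory relevance filter."""
    hits = []
    for item in news:
        if since and item["published"] < since:
            continue
        if until and item["published"] > until:
            continue
        if text and text.lower() not in item["title"].lower():
            continue
        hits.append(item)
    return hits


def relevant_news(inventory, news, **filters):
    """News entries whose CPE tags match at least one asset of the inventory."""
    parsed = {asset: parse_cpe23(cpe) for asset, cpe in inventory.items()}
    results = []
    for item in search(news, **filters):
        matched = set()
        for tag in item["cpes"]:
            try:
                tag_attrs = parse_cpe23(tag)
            except ValueError:
                continue  # malformed tag from a scraped source: ignore it
            matched.update(a for a, attrs in parsed.items()
                           if attrs_match(attrs, tag_attrs))
        if matched:
            results.append((item["title"], sorted(matched)))
    return results


# Constructed asset inventory (vendor/product names are hypothetical).
INVENTORY = {
    "Fuel Monitoring Software": "cpe:2.3:a:examplevendor:fuel_monitor:2.1:*:*:*:*:*:*:*",
    "PLC OS": "cpe:2.3:o:exampleplc:plc_os:4.0:*:*:*:*:*:*:*",
    # Version not recorded in the inventory, so any version is relevant.
    "SMTP Mail Server": "cpe:2.3:a:examplemail:smtpd:*:*:*:*:*:*:*:*",
}

# Constructed news entries, as a collector might store them.
NEWS = [
    {"title": "Heap overflow in fuel_monitor 2.1", "published": date(2019, 3, 1),
     "cpes": ["cpe:2.3:a:examplevendor:fuel_monitor:2.1:*:*:*:*:*:*:*"]},
    {"title": "fuel_monitor 3.0 advisory", "published": date(2019, 2, 10),
     "cpes": ["cpe:2.3:a:examplevendor:fuel_monitor:3.0:*:*:*:*:*:*:*"]},
    {"title": "plc_os: all versions affected", "published": date(2019, 1, 15),
     "cpes": ["cpe:2.3:o:exampleplc:plc_os:*:*:*:*:*:*:*:*"]},
    {"title": "smtpd 1.4 relay flaw", "published": date(2018, 11, 20),
     "cpes": ["cpe:2.3:a:examplemail:smtpd:1.4:*:*:*:*:*:*:*"]},
    {"title": "Plugin flaw in ExampleCMS", "published": date(2019, 2, 20),
     "cpes": ["cpe:/a:examplecms:cms:1.0",
              "cpe:2.3:a:examplecms:cms:1.0:*:*:*:*:*:*:*"]},
]

if __name__ == "__main__":
    for title, assets in relevant_news(INVENTORY, NEWS, since=date(2019, 1, 1)):
        print(title, "->", ", ".join(assets))
```

An inventory entry with an exact version only matches news about that version or about all versions, so recording versions in the asset inventory is what keeps the news view from filling with irrelevant entries.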

Attack Scenarios on Real-life Maritime Logistics and Supply Chain Services
This section aims to illustrate how the performance of MLoSCs can be threatened and disrupted by cybercriminals. It stresses the need for providing security assessment methods that can increase the cybersecurity awareness of MLoSC operators regarding the supply chain's SCADA infrastructures and can advise them how to protect their assets against potential cyber-attacks or eliminate the security damage in case an attack occurs. This is presented by exploring cyber-attack scenarios that have been either reported or known or assumed or suspected against real-life MLoSC services: the Container Cargo Management, the Vehicle Transport and the Liquefied Natural Gas (LNG) Transport.
The selected services have been identified as critical to the Maritime Logistics Industry due to security and economic reasons. The criteria for selecting these Critical Services satisfy the following prerequisites:
• European level nature: Implemented on large, European commercial ports.
• Economic enablers: Address high economic impact across the EU Maritime Logistics Industry and the whole European economy.
• Environmental value: Meet the EU environmental requirements and standards.
The selected MLoSC Services can be subject to a number of possible threat scenarios that can be realized by conducting a combination/series of specific cyber-attacks in various MLoSCs' SCADA CPSs. Hence, malicious users/adversaries are able to realize complex threat scenarios for the purpose of disrupting MLoSCs' operations or facilitating illegal activities aimed at obtaining financial, political/military or even ideological gain and benefits. For example, adversaries may manage to smuggle illegal material of any kind (e.g., drugs, weapons) or illegal immigrants, or destroy a CI of the MLoSC by interrupting and modifying its services, gaining access to it either locally or remotely to take advantage of the system's security-sensitive operations. To this end, three credible cyber-attack scenarios against the aforementioned critical MLoSC services are described sequentially.

Cyber-Attack on SCADA Systems of the Container Cargo Management Service
According to Eurostat 184/2016 statistics, containerized freight represents almost a third of total trade exchanges measured in monetary value. On the other hand, the percentage of maritime transport in relation to the total transported is even higher when kilometres or tonne-kilometres are measured. Consequently, these references point out the important role of container terminals in the international carriage of goods. Containers, uniform boxes that can be easily moved between a lorry, a train and a ship, have reshaped global trade over the past few decades.
A terrorist group wants to carry out a terrorist attack at a port in order to inflict wide-scale death and destruction by placing a bomb in a container, shipping it to the target port and detonating it before it could be inspected. The terrorist group is aware that a name-brand company ships containers of products and other cargoes to this port. The containers on any given ship are packed at the factories of the company; the container doors are shut and a mechanical seal is put into the door pad-eyes. A transportation company has undertaken the responsibility to pick up the container and transfer it to a container vessel. However, the containers are not delivered directly from the name-brand company's premises to the port terminal; rather, they go through a third party, a container packing warehouse.
The terrorists are aware that the deliveries are managed through an IT system at the container packing warehouse; thus they cooperate with skilled hackers who can infiltrate the IT environment of the third party and gain access to the container management system. The terrorists change the information of the shipping container in order to replace it with another one carrying a bomb, which has already been placed by the terrorist group in the container packing warehouse.
Alternatively, the hackers could target any RFID tags and sensors attached to the container to monitor the goods. Such RFID kits are usually used to monitor various: (i) safety-oriented features such as whether the container door is opened or closed, the temperature inside the container, etc. or (ii) national security concerns like the illegal transportation of radioactive material and/or chemicals used in bomb construction. Each container's RFID tag transmits its ID number and sensor data to an RFID reader, which then forwards that information (e.g., via a GSM base station) to an onboard control system and finally to the system administrator. The hackers could remotely exploit these RFID tags and sensors by injecting their own malware so that they transmit falsified information for the cargo of the targeted container. Even worse, they can manipulate the tags of other legitimate containers to make them look as if they hold suspicious cargo instead of the actual malevolent container.
At the target port, the security authorities inspect containers that the screening identifies as suspicious, based on ports of call, manifest data, shipping company, etc. In order for the terrorists to circumvent the authorities and bypass the inspection process, they compromise the IT infrastructure of the port and gain access to the container shipping system that keeps the routing or scheduling of the containers. Hence, they can change the container's details in the system and place the container in the desired location so that the detonation of the bomb could cause the maximum number of injuries and deaths.

Cybercriminals Attack OBUs during Vehicle Transport
The Vehicle Transport is a relatively long and complex service supported by numerous players, such as shippers and port authorities, involving the shipment and receipt of various types of vehicles and equipment, such as container terminals, trucks, gantry cranes and providers of Dockers. The service involves domestic and international transportation, such as warehouse management, order and inventory control, materials handling, import/export facilitation, and information technology. In this vein, the Vehicle Transport affects multiple sectors across the global supply chain.
A criminal gang aims to steal vehicles from the vehicle terminal of a port. To achieve this, hired hackers engage in malicious activities spanning from simple phishing attacks, targeting port authorities and key employees, to the exploitation of more sophisticated, remote malware targeting the onboard communication interfaces and units of the targeted vehicles.
By launching a series of cyber-attacks, the adversaries manage to compromise a few computers and critical elements based on software-related vulnerabilities and dynamic memory errors. Thus, they manage to get access to the vehicle's vast network of interconnected On-Board Units (OBUs) and eventually spoof their geolocation. Examining the in-port vehicle scheduling processes followed, the criminals can then change the route and the location of the vehicles, to their preferred points of interest, without the port system administrator detecting any of these changes. In addition, the hackers could exploit vulnerabilities in the surveillance system of the port that controls the CCTV video cameras in order to gain access and delete video streams that show their malicious activities. Such a synergy of various attack paths against the CPSs reflects the investigation that will be performed following the MITIGATE methodology to examine the different types of vulnerabilities, which may lead to the proposition of appropriate mitigation strategies.

Intrusion Scenario on the Oil Monitoring System of the LNG Transport Service
Liquefied natural gas (LNG) is natural gas, predominantly methane (CH4), that has been converted to liquid form for ease of storage or transport. It is odorless, colorless, non-toxic and non-corrosive. Hazards include flammability after vaporization into a gaseous state, freezing and asphyxia. Considering that a tanker contains more than one hundred thousand cubic meters of LNG, it represents a potential explosive hazard comparable to a nuclear bomb.
A terrorist group seeks to cause significant human casualties, economic losses and environmental damages by attacking the LNG land-based facilities of a port or an LNG tanker. For example, a possible cyber-attack on LNG land-based infrastructure may cause catastrophic fires either inside the port or even in nearby populated areas, and an LNG tanker attack may result in a major spill that could pose a hazard to coastal communities along the tanker's route. Furthermore, a physical attack on the LNG storage facilities, either in the form of bombing or by impacting a vehicle in the facility, may cause an explosion that leads to a widespread fire jeopardizing people's lives within the port. Therefore, we assume that a terrorist group commits a cyber-attack during LNG shipping as follows. A shipping company receives an e-mail purportedly coming from the IT company that supports and maintains its ICT infrastructure, asking them to download and install software that improves the performance of their systems. In this way, the terrorists successfully download and execute arbitrary code on the victims' systems to gain access to them.
Accordingly, the terrorists can leverage their access to go deep into the network by exploiting vulnerabilities in the oil company's monitoring software that provides remote tank monitoring, asset tracking, and data reporting services to break into the system. Therefore, they can empty the oil tank without being detected.

How to Utilize the MITIGATE Security Assessment Services
The security assessment services of the MITIGATE system can be utilized to support SCADA CPSs of MLoSC services and protect them against malicious activities, such as those described previously. The following presents how MLoSC business partners can utilize the MITIGATE services to estimate cyber-risks on maritime logistics SCADA infrastructures and discover mitigation strategies to counter cybersecurity issues. This is illustrated by applying the MITIGATE security assessment services in an indicative scenario of SCADA cyber-assets considered to operate within the critical service of the LNG Transport, mentioned previously. The demonstration is given in a sequential report, aiming to provide a thorough and comprehensive perspective of the MITIGATE utilities towards a supply chain service. According to the scenario, a number of business partners, such as a Local Agent of a maritime logistics company, a Greek Port Authority, a Spanish Port Authority and a Gas Shipping Company, collaborate for the provision of the LNG Transport Service and they are highly dependent on the combined use of the port's physical (i.e., facilities, buildings, cranes, pipelines, rail track, roads, data centers) and cyber infrastructure (i.e., networks, ICT hardware equipment, communication systems, access control/authentication of users and containers). These four MLoSC business partners have signed a Security Declaration Statement, which is a documented commitment of each partner to exchange any security-related information and data concerning the LNG Transport Service and report any security risks or information related to the provision of this service. This information includes the security measures implemented on their infrastructures, how CPSs of LNG Transport are safeguarded and how their accompanying information is protected. The security measures are demonstrated and verified.
In particular, the business partners use the security assessment services of the MITIGATE system to assess their SCADA components, identify individual cyber-risks and evaluate the corresponding propagated and cascading effects with respect to the entire LNG Transport Service. The goal is to have a holistic treatment of threats, offering an enhanced understanding of the cyber interfaces for unidentified vulnerabilities, providing decision-making with an improved assessment of the integrated risks containing the propagating and cascading effects of the entire supply chain.

Utilization of SAS-1: LNG Transport Service Modeling
All partners, representing their business entities, use the MITIGATE system to model their interconnected SCADA cyber-assets, operating in the processes supporting the LNG Transport Service, such as the LNG Monitoring Service process. The LNG Monitoring Service process refers to the LNG handling functions of the LNG port terminal and the LNG carrier vessel operating during the LNG Transport (i.e., pipeline monitoring and fuel monitoring). The MITIGATE system's invitation/acceptance functionality facilitates collaboration among business partners to declare their assets as participating in each specific process (i.e., Figure 7 shows that regarding the LNG Transport Service, Port Authority has invited the Local Agent to participate and the latter has accepted the invitation). This refined CI representation of the various cyber-assets and their interconnections is fundamental towards measuring and assessing their threats and vulnerabilities and the investigation of scenarios with combined cyber-attacks. The current example presents indicative SCADA components of the LNG Transport Monitoring Service process: (i) FUEL monitoring service assets (i.e., software installed on an operating system) that deliver fuel consumption information for the LNG carrier vessel; (ii) PLCs that handle the LNG tank capacity; (iii) an MTU, which controls the PLCs using the Modbus TCP/IP communication protocol; (iv) a Historian Data Server, which records historical data upon LNG tank capacity and stores it in the LNG database center; (v) an HMI, which is considered an input-output device with a panel view for depicting graphically the process data to human operators of the engineering workstations; (vi) an SMTP mail server with each mail operating system for the e-mail communication across the LNG Transport network.
To this purpose, the Supply Chain Service Modelling (SAS-1) provides asset mapping (assets are characterized based on their cyber-nature: Application, Operating System or Hardware) and asset cyberdependency identification (Figure 7), where a set of logical rules are followed that guarantee the valid creation of a graph of assets and their cyberdependencies according to the twofold dependency concept analyzed in Section 4; an indicative example is presented in Table 1. This allows the business partners of the LNG Transport Service to understand asset interrelations within the LNG Transport Network. The asset-graph of the LNG Transport Network example is depicted previously in Figure 2.

Utilization of SAS-2: SCADA Assets Vulnerabilities Management of the LNG Transport Service
A set of metrics is defined to present the vulnerabilities found in the declared assets from online repositories [65] using open intelligence techniques. The Vulnerability Management Menu of the MITIGATE system (SAS-2 service) delivers the confirmed vulnerability attributes and it is capable of creating zero-day exploitable vulnerabilities. Figure 8 shows an example of the vulnerability attributes of a confirmed and a created zero-day vulnerability via the Vulnerability Management service of the MITIGATE system. The presented vulnerabilities both concern heap-based buffer overflow weaknesses in the Graphic Device Interface (GDI).

Utilization of SAS-3: Threats/Controls Management within the LNG Transport Service
The MITRE CAPEC synchronization services [66] have associated the vulnerabilities identified on SCADA assets of the LNG Monitoring service process with one or more weakness identifiers. This is depicted in the Threat Management menu of the MITIGATE system (Figure 9).

Utilization of SAS-4 Threat Scenarios Specification for LNG SCADA Assets
The "Attack Scenarios Management" environment of the MITIGATE system implements the mapping of threats and vulnerabilities with assets service. An example of this mapping is illustrated in Figure 10. The visualized attack scenario concerns the exploitation of vulnerability "CVE-2016-7960" found on the PLC software declared asset, which corresponds to the "information exposure" threat (CWE-200).
Figure 10. The Threat Scenarios Specification service shows a possible threat scenario for the "PLC software" declared asset of the LNG Transport Service.
The graphic representations of SAS-3 and SAS-4 accordingly have been implemented via business logic rules on top of a Neo4J database. The formal/normative concepts of Asset, Vulnerability, Threat, Control element, Vendor, Attack scenario, Impact Level are unified and uniquely represented in the supportive database schema.

Utilization of SAS-5: Supply Chain Risk Analysis of the LNG Monitoring Service process
To estimate the cyber-risks of the LNG Monitoring Service supply chain process, we have executed a simulation type risk assessment on the declared assets. The Supply Chain Risk Analysis service is capable of estimating cyber-risks for zero-day exploitable vulnerabilities. This is illustrated in Figure 11. Figure 12 presents the Risk Analysis diagram of SCADA assets participating in the LNG Monitoring Service process, whereas Figure 13 shows the Threat Analysis diagram of the aforementioned assets, providing an indication of how crucial the protection of an asset is, based not only on the possibility of being attacked but also on the impact of the potential attack. The graphs depict individual cyber-risk level reports following the qualitative scale described in Section 4.2.5.
Figure 11. The Supply Chain Risk Analysis service has estimated the individual cyber-risk (VH) of the Fuel Monitoring software asset due to a zero-day exploitable vulnerability, which has been respectively counted in all types of cyber-risk estimation.

Utilization of SAS-6: Attack Paths Simulation Scenarios of the LNG Transport Service SCADA Assets
Once the risk assessment has been performed, additional schemas are created that are inherited from the unified ones, such as the Attack Paths, simulating the different paths that a hacker can follow to harm a specific asset. This is supported by the Attack Path Simulation Service in the MITIGATE system (SAS-6). Figure 14 shows the attack path analysis query results according to different attack path parameters (i.e., attacker's profile, attacker's location, attacker's capability). For example, the "Local Attack" path analysis includes the query results for the given entry/target points, assuming that the attacker is an insider intruding into the Fuel Monitoring system using the local LNG network.
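The rule-based path discovery behind SAS-6, and the review of which vulnerabilities contribute most to the discovered paths, as an added Python example that is not MITIGATE's own code. The asset names come from the LNG scenario; the vulnerability ids, the dependency edges and the exploitation rule are constructed assumptions.

```python
from collections import Counter, namedtuple

SKILL = {"low": 1, "medium": 2, "high": 3}

# vid: constructed placeholder id (not a real CVE); vector: "network" or
# "local" access needed; skill: attacker skill needed to exploit it.
Vuln = namedtuple("Vuln", "vid vector skill")
# location: "remote", or "local" for an insider on the LNG network.
Attacker = namedtuple("Attacker", "location capability")

# Constructed knowledge base: asset -> vulnerabilities (all values assumed).
ASSETS = {
    "SMTP Mail Server": [Vuln("VULN-SMTP-1", "network", "low")],
    "Engineering Workstation": [Vuln("VULN-EWS-1", "local", "medium")],
    "HMI": [Vuln("VULN-HMI-1", "network", "medium")],
    "Historian Data Server": [Vuln("VULN-HIST-1", "network", "high")],
    "MTU": [Vuln("VULN-MTU-1", "network", "medium")],
    "PLC": [Vuln("VULN-PLC-1", "network", "low")],
    "Fuel Monitoring Software": [Vuln("VULN-FUEL-1", "local", "low")],
}

# Constructed cyberdependencies: controlling the key gives access to the values.
DEPENDS = {
    "SMTP Mail Server": ["Engineering Workstation", "Historian Data Server"],
    "Engineering Workstation": ["HMI", "Fuel Monitoring Software"],
    "Historian Data Server": ["MTU"],
    "HMI": ["MTU"],
    "MTU": ["PLC", "Fuel Monitoring Software"],
}


def usable(vuln, attacker, first_hop):
    """Rule: can this attacker exploit this vulnerability at this step?"""
    if SKILL[vuln.skill] > SKILL[attacker.capability]:
        return False
    # Only the entry point is constrained by where the attacker sits; later
    # steps start from an asset already under control (assumption).
    if first_hop and attacker.location == "remote":
        return vuln.vector == "network"
    return True


def attack_paths(assets, depends, attacker, entry, target):
    """All loop-free chains of (asset, vulnerability) from entry to target."""
    paths = []

    def walk(node, steps, seen):
        for vuln in assets.get(node, []):
            if not usable(vuln, attacker, first_hop=not steps):
                continue
            here = steps + [(node, vuln.vid)]
            if node == target:
                paths.append(here)
                continue
            for nxt in depends.get(node, []):
                if nxt not in seen:
                    walk(nxt, here, seen | {nxt})

    walk(entry, [], {entry})
    return paths


def rank_vulnerabilities(paths):
    """Vulnerabilities ordered by the number of paths they take part in."""
    return Counter(vid for path in paths for _, vid in path).most_common()


def mitigate(assets, vid):
    """Copy of the knowledge base with one vulnerability covered by a control."""
    return {a: [v for v in vs if v.vid != vid] for a, vs in assets.items()}


if __name__ == "__main__":
    insider = Attacker("local", "medium")
    found = attack_paths(ASSETS, DEPENDS, insider,
                         "SMTP Mail Server", "Fuel Monitoring Software")
    for path in found:
        print(" -> ".join(f"{asset} [{vid}]" for asset, vid in path))
    print(rank_vulnerabilities(found))
```

Re-running `attack_paths` on the output of `mitigate` shows which paths a planned control actually removes before it is deployed.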

Supply Chain Risk Management (SAS-7)
Risk assessment is supported by the Supply Chain Risk Analysis (SAS-5) and the Supply Chain Risk Management (SAS-7) services in the MITIGATE system. The most complex risk assessment operations are (a) the ad-hoc calculation of the graph; (b) the replication of the asset mapping per each business partner; (c) the calculation of the individual risk assessment metrics and (d) the calculation of the attack chains that are bound to the graph. The MITIGATE RA services deliver

Supply Chain Risk Management (SAS-7)
Risk assessment is supported by the Supply Chain Risk Analysis (SAS-5) and the Supply Chain Risk Management (SAS-7) services in the MITIGATE system. The most complex risk assessment operations are (a) the ad-hoc calculation of the graph; (b) the replication of the asset mapping per each business partner; (c) the calculation of the individual risk assessment metrics and (d) the calculation of the attack chains that are bound to the graph. The MITIGATE RA services deliver various reports, such as the asset criticality and the most possible attacks per individual asset. In order to explore and manage the LNG Transport Service cyber risks, we may run alternative attack path analysis scenarios (depicted in Table 2) setting: (i) high-risk assets as entry points, such as the LNG Database and the SMTP Mail Server and review the attack path analysis results and (ii) set cyberdependency assets either as entry or target points and study the attack path sub-graphs. The cumulative risk for each attack path, according to the qualitative scale presented in Section 4.2.5, is shown in Table 2. For example, the risk exposure of reaching the specific asset "Fuel Monitoring Software" is "Very High" in case the adversary succeeds to enter into the LNG Transport Network by attacking the "LNG-SMTP Mail Server".  Despite the individual RA report, another crucial source is the comparison between two RAs that has been performed on two different dates. Within one process of the MLoSC, many things can be altered. Initially, an asset can be replaced or even patched. Moreover, additional controls may have been enforced. Finally, additional vulnerabilities may have been disclosed for one asset. Hence, there is a business need to compare the output of these RAs regarding a specific process for two different timestamps (SAS-7). An indicative example of this security assessment utility is presented in Figure 15. 
In particular, an RA "LNG MS" simulation is run on the assets of the LNG Monitoring Service process. Then, a new RA simulation is created and, before it is executed, we set up a security control that mitigates the threat "Improper Restriction of Operations within the Bounds of a Memory Buffer" (CWE-119) on the following specific assets: PLC OS, Fuel Monitoring Workstation and Engineering Workstation. Additionally, we set up another security control on the asset "LNG-HMI Software" that mitigates its vulnerabilities. A new RA is then executed ("LNG TS with security controls" RA simulation), which shows that the declared security controls mitigate the threat score on these SCADA assets, as shown in Figure 15.
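The attack path analysis and the before/after RA comparison described above can be reproduced on a small scale as follows. This is an added example, not MITIGATE code: only the asset names come from the scenario, while the graph edges, per-asset likelihoods, control factors, the product-based cumulative score and the five-level scale are assumptions (the paper's own scale is defined in its Section 4.2.5).

```python
from math import prod

# Constructed reachability graph: an edge A -> B means an adversary on A can
# reach B. Asset names come from the scenario; the edges are assumptions.
EDGES = {
    "LNG-SMTP Mail Server": ["Engineering Workstation", "LNG Database"],
    "LNG Database": ["Fuel Monitoring Workstation"],
    "Engineering Workstation": ["PLC OS", "LNG-HMI Software", "LNG-SMTP Mail Server"],
    "Fuel Monitoring Workstation": ["Fuel Monitoring Software"],
    "LNG-HMI Software": ["Fuel Monitoring Software"],
}

# Constructed likelihood that an adversary who reaches an asset compromises it
# (a stand-in for the individual risk metric, which the page does not list).
BASELINE = {
    "LNG-SMTP Mail Server": 0.9, "LNG Database": 0.9,
    "Engineering Workstation": 0.8, "Fuel Monitoring Workstation": 0.9,
    "LNG-HMI Software": 0.9, "PLC OS": 0.7, "Fuel Monitoring Software": 0.9,
}

# Assumed residual factors for the controls set before the second RA.
CONTROLS = {
    "PLC OS": 0.5,                       # CWE-119 control
    "Fuel Monitoring Workstation": 0.5,  # CWE-119 control
    "Engineering Workstation": 0.5,      # CWE-119 control
    "LNG-HMI Software": 0.5,             # control on its vulnerabilities
}

# Assumed five-level scale (upper bound, label); not the paper's thresholds.
SCALE = [(0.05, "Very Low"), (0.2, "Low"), (0.4, "Medium"), (0.6, "High")]


def rating(score):
    for upper, label in SCALE:
        if score < upper:
            return label
    return "Very High"


def attack_paths(edges, entry, target, visited=()):
    """Yield every simple path entry -> target; revisits are skipped so cycles end."""
    path = visited + (entry,)
    if entry == target:
        yield path
        return
    for nxt in edges.get(entry, []):
        if nxt not in path:
            yield from attack_paths(edges, nxt, target, path)


def run_ra(likelihood, entry, target, edges=EDGES):
    """One RA run: cumulative score per path = product of the step likelihoods."""
    return {p: prod(likelihood[a] for a in p)
            for p in attack_paths(edges, entry, target)}


def apply_controls(likelihood, controls):
    return {a: v * controls.get(a, 1.0) for a, v in likelihood.items()}


def compare_ras(before, after):
    """Rows (path, rating before, rating after, reduction), largest reduction first."""
    rows = [(p, rating(before[p]), rating(after[p]), before[p] - after[p])
            for p in before]
    return sorted(rows, key=lambda r: r[3], reverse=True)


if __name__ == "__main__":
    entry, target = "LNG-SMTP Mail Server", "Fuel Monitoring Software"
    ra_1 = run_ra(BASELINE, entry, target)
    ra_2 = run_ra(apply_controls(BASELINE, CONTROLS), entry, target)
    for path, old, new, cut in compare_ras(ra_1, ra_2):
        print(" -> ".join(path), f"| {old} -> {new} (-{cut:.3f})")
```

With these constructed inputs, the path through the LNG Database drops from "Very High" to "Medium" and the path through the LNG-HMI Software from "High" to "Low", which is the kind of difference the SAS-7 comparison is meant to surface.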

Social Engineering and Open Intelligence (SAS-8)
Open repositories supply the information required during the risk assessment process; this function is provided by the Social Engineering and Open Intelligence MITIGATE service, as presented in Figure 6. Hence, normative metamodels using XSD notation are fully compatible with de-facto metamodels (CVE and CPE), providing the freedom to connect with multiple sources using an adapter pattern. The Open Intelligence Controls sub-service relates mainly to Threats and Controls. Threat and Attack type are used interchangeably. A threat or vulnerability can be mitigated by a control element.
The MITIGATE system uses the collected operational data describing the configuration of systems and software (e.g., network topologies and existing vulnerabilities) as well as static data describing the general risk (e.g., whether an identified vulnerability has a publicly available exploit). MITIGATE also requires the MLoSC security team to specify the (suspected/potential/possible) attacker profile (e.g., regarding knowledge and skill), the possible attacker source (e.g., from the Web) as well as the possible attacker targets (e.g., SCADA devices that are critical for the LNG Transport Service under examination). Accordingly, MITIGATE proceeds to calculate an attack graph for this configuration and compute a probabilistic network (Individual, Cumulative and Propagated risks) on top of this attack graph.

Evaluation and Findings
In recent years, complex and heterogeneous CI developments and their interdependencies within the Maritime Logistics Industry (i.e., port authorities, customs, shipping agencies and IoT enterprises) have been dictating the importance of protecting their systems' integrity and resilience. Most current risk management policies insufficiently consider the composite nature of ICT-empowered infrastructures (i.e., SCADA and AIS systems) and fail to take into account the globally interdependent supply chain environment when defining the security processes.
Risk analysis methods have been introduced based on qualitative (i.e., NIST 800-30 [43], OCTAVE [36]), quantitative [20] or combined (ISO 27005 [10]) approaches, which either disregard computational techniques or use quite primitive ones that cannot explore and compare risk assessment results. Security assurance techniques for large-sized enterprises applied both to composite and basic systems (i.e., NIST 800-30 [43], IT-Grundschutz [44]) have limitations in analyzing management and operational issues and offer low collaborative capabilities. The main disadvantages of Bayesian risk assessment methodologies (i.e., AURUM [35], OCTAVE [36]) are their partial subjectivity, the need for a potentially vast amount of training data and the difficulty of applying them to new situations (subjective choice and Bayesian updates of the a-priori models).
An effective risk assessment approach for SCADA systems may reflect the characteristics presented in Section 3. In this context, the MITIGATE methodology addresses the following issues:
(i) Complex systems, such as SCADA systems, require the collaboration and interaction of supply chain stakeholders and their cooperating systems to set effective risk and impact indicators [8]. The MITIGATE EU Project [12] introduces a collaborative, evidence-driven Maritime Supply Chain Risk Assessment (MCSRA) approach for MLoSCs, which alleviates the limitations of state-of-the-art risk management frameworks;
(ii) The MITIGATE security assessment services use knowledge management [55], open source intelligence techniques and social engineering to provide accurate and updated information on vulnerabilities and threats, and provide rule-based mechanisms to manipulate the extracted knowledge and to generate attack paths;
(iii) MITIGATE builds the risk assessment performance on an open simulation environment, which allows stakeholders to simulate risks and evaluate risk mitigation actions;
(iv) It represents and explores scenarios according to global supply chain requirements;
(v) Regarding risk assessment methods on SCADA systems, few approaches provide system-asset analysis, vulnerabilities and countermeasures [8]. The MITIGATE methodology applies a systematic, thorough, asset-centric model analysis in supply chain processes to define asset interdependencies, address vulnerabilities, threats, individual, cumulative and propagated risks and their cascading effects, and indicate mitigation policies and payoffs;
(vi) It is compliant with international risk management standards and security frameworks (i.e., ISO 27k and ISO 28k family standards).
The demonstration of the simulated LNG scenario of SCADA components has shown that MITIGATE security assessment services are applicable to ICT-based infrastructures and complex environments of SCADA and AIS systems.
The report evaluates the internal and external results of user-tests for the MITIGATE system [64]. Internal and external tests were conducted for a period of 15 months. The tests have been divided into two phases (internal and external) and carried out simultaneously in four countries: Greece, Spain, Germany and Italy. During the internal phase, the MITIGATE system and its services were first tested among port operator participants. In the external phase, the MITIGATE system was demonstrated to external professionals (experts from Transport and Logistics enterprises and security consultants) who evaluated and assessed the MITIGATE system and its corresponding services. Their comments and suggestions have been collected. The feedback and experience gained have been continuously and promptly passed on to the developers, who then incorporated it into system improvements.
Moreover, the test sites reported in total the participation of 235 internal and 452 external participants, mostly representatives from the maritime, transport and logistics sectors, who are spread over the individual test sites (Table 3). A total of 113 non-technical and four technical questionnaires have been collected (Figures 16 and 17). However, a total of 18 of the respondents can be assigned an IT background based on the positions they entered in the questionnaire, e.g., "SCADA/EMS Operator", "Senior Software Architect" or "Manager Network, Security & Infrastructure IT". Furthermore, at least 16 respondents can be assumed to have a security-related background, since "security" and/or "safety" is a part of their job title, e.g., "PFSO" ("Port Facility Security Officer"), "Chief Security Officer" or "Head of Safety and Security". In summary, 34 out of 113 are considered to have IT or security related knowledge. Respondents answered questionnaires and provided their assessment using a 4-point Likert scale: A. Strongly disagree; B. Disagree; C. Agree; D. Strongly agree.

Table 3
Country of the Test Site | Number of Internal Participants | Number of External Participants
Spain | 50 | 32
Germany | 39 | 32
Greece | 108 | 375
Italy | 38 | 13

The respondents were asked whether the system fulfils its purpose of mapping general characteristics of the methodology, whether the system enables a collaborative approach for supply chain participants, and whether it provides convenient possibilities to exchange data (Figure 18) with other software. Almost all respondents agreed that MITIGATE can successfully exchange data, satisfies the methodology-characteristics mapping and that it is easy to learn, enabling a collaborative approach for supply chain participants to take care of their Critical Infrastructure.
Additionally, almost a quarter of the respondents answered that they were unable to say whether an organization improves its compliance with security standards using MITIGATE. The majority of the respondents agreed ("strongly agree": 52%, "agree": 44%) that the MITIGATE system provides important decision support for improving the organizations' risk situation (Figure 19). The 4% of the test users who did not agree with this statement seem to have done so at least in part because of the development status of the prototypes: one of the comments implies that "the MITIGATE system could provide important decision support". Concerning the overall impression of the MITIGATE system utility, as shown in Figure 20, over 78% of the test users responded positively that the required time for the MITIGATE RA is reasonable and over 87% of the test users indicated that they felt comfortable using the MITIGATE system, while 19% disagreed that the MITIGATE system is easy to learn. Moreover, 64% strongly agreed and 23% agreed that the MITIGATE system will help them to become more productive.
Finally, the internal and external testing phases have provided many recommendations and suggestions for improvements to the developers. Much of the potential for improvement has already been implemented in the subsequent releases during the test phase. The tests were able to successfully provide feedback for the improvements of the system during the project period in terms of a targeted TRL (technology readiness level) of 7, as well as for further development towards a finished product or a TRL of 9.

Conclusions and Discussions
Maritime Logistics and Supply Chains (MLoSC) are composite interconnected systems playing a vital role in the transportation, storage and delivery of goods and services. MLoSC services usually involve various and multiple types of Critical Infrastructure, mainly in the transportation sector, and exhibit intra-sector and cross-border dependencies. One such type of complex infrastructure is SCADA systems, which require the collaboration and interaction between supply chain stakeholders and their cooperating assets to set effective risk and impact indicators [8]. The primary goal of MITIGATE is to assess the individual, cumulative and propagated risk of an IT-based supply chain, having in mind the cyber interconnections and interdependencies between the various entities within an MLoSC. MITIGATE assesses the threats affecting all the business partners involved in the MLoSC and estimates the threats of the MLoSC as a whole via a collaborative environment. This helps to protect the expected individual, cumulative and propagated risks within it. The derived risk values are used in order to generate a baseline security strategy for MLoSCs, identifying the least necessary security controls for each participant within the supply chain. This enables MLoSC participants to fine-tune their security strategies according to their business role as well as their dependencies.
It should be noted that in order to validate the MITIGATE methodology, case studies based on real-world maritime scenarios and data were used. The evaluation results are promising, especially considering the impact of previous versions on the results: a large majority of MLoSC stakeholders consider the MITIGATE system to be efficient and useful in terms of its collaborative approach and decision support for improving their organizations' risk situation, having clearly organized information and being equipped with all of the expected functionalities. The response to the question of whether they are satisfied with the system as a whole is positive by a vast majority, which seems to be a good rating for a prototype in the beta stage.
Consequently, this work illustrates that maritime, logistics and transport supply chain services have common characteristics and face similar challenges concerning cybersecurity. In this context, MITIGATE can meet their requirements and particularities. To this end, the MITIGATE system supports a number of security assessment services that can be used by various different, heterogeneous MLoSC infrastructures of different types, sizes and business activities. This work has implemented the risk assessment services on an indicative SCADA scenario and has proved that the MITIGATE approach can be successfully applied to complex MLoSC systems, such as SCADA infrastructure, can estimate effectively their cyber-risks and drive the risk mitigation actions.
However, the MITIGATE evidence-driven Risk Assessment methodology provides security assessment services while considering only the cyber-nature of CPSs. Future work can be carried out on the integration of incident management practices to estimate and handle the combination of physical and cyber-risks on such infrastructure.