Nowadays coordinated and increasingly complex terrorist attacks are shocking the world. Due to the progressive reliance of the industrial sector and many CI, in particular EU ports on ICT systems, the impact of a coordinated physical attack, a deliberate disruption of critical automation (cyber) systems or even a combined scenario including both kind of attacks, could have disastrous consequences for the European Member States’ regions and social wellbeing in general.
Taking into account this fact and this real threat on EU ports as one of the main CI in Europe, the SAURON project proposes an holistic situation awareness concept, depicted in the next figure, as an integrated, scalable and yet installation-specific solution for protecting EU ports and its surroundings.
This solution combines the more advanced physical SA features with the newest techniques in prevention, detection and mitigation of cyber-threats, including the understanding of synthetic cyber space through the use of new visualization techniques (immersive interfaces, cyber 3D models and so on).
In addition, a Hybrid Situation Awareness (HSA) application capable of determining the potential consequences of any threat will show the potential cascading effect of a detected threat in the two different planes (physical and cyber).
In case of alert SAURON will provide information that can be used to protect the general public in the vicinity and specific rescue/security teams of any potential situation that could put in risk their integrity.
Thus the SAURON platform will be composed by four main pillars:
PSA: A complete physical SA system which includes novel features such as; dynamic location of resources and assets, location, management and monitoring of sensors, including cameras mounted on drones (under the conditions of and in compliance with all pertinent legal requirements at national and European level), security perimeter control, robust and secure tactical communication network and so on. This PSA system will be adapted to the EU ports characteristics, requirements and needs for protecting them against any kind of physical threat. In order to support PSA security personnel in detecting and stopping intruders, near real-time person recognition algorithms suitable for both fixed and mobile platforms will be investigated and implemented during SAURON. This relies on innovative video analytics suitable for robust person/group tracking and multi camera calibration for mobile (e.g., UAV or body worn) and fixed cameras. All legal requirements regarding data protection and privacy will be taken into consideration with respect to these developments.
CSA: An advanced and scalable cyber SA system capable of preventing and detecting threats and in case of a declared attack, capable of mitigating the effects of the infection/intrusion. This CSA system will include new visualization paradigms for the cyber space. In addition, the SAURON CSA application relies on a cyber-security monitoring platform that will be able to acquire, process and analyse information gathered from multiple sources, originating from both cooperative and non-cooperative environments (this is, both from port’s own infrastructure and from open sources). On a real-time basis, different cyber security sensors are gathering the relevant information from these sources, processing the data in different cyber security incident detectors and sending possible incidents to a correlation engine. This correlation engine processes all the collected information and applies intelligent rules in order to identify the most relevant facts from all the data. That is, the correlation engine will be able to generate intelligence to be disseminated to the operators of the system, in order for them to take decisions about the global cyber security state of the port. The CSA will be developed by S2 based on their previous developments for clients such as the Spanish National Cryptologic Centre (NCC) and VPORT.
The individual detectors include traditional, well established threat detection measures, such as Intrusion Detection Systems (IDS), but also more innovative modules, such as Anomaly Detection (AD), aimed at detecting more complex and targeted attacks, such as Advanced Persistent Threats (APTs).
These advanced modules employ intelligent algorithms, based on techniques such as machine learning, to identify previously unknown attacks, i.e., attacks that are not detectable by standard signature based models applied in traditional malware detectors or IDS.
The detector modules integrated in SAURON will analyse network traffic within the organisation and on its perimeters, in order to detect anomalies and to identify lateral movements and/or data exfiltration attempts, which are characteristic for APTs. In addition, the CSA will estimate a global cyber security risk level for the particular seaport infrastructure, calculated from the data gathered and analysed.
HSA: A Hybrid SA system receiving both physical and cyber alarms on potential threats from the real world and the cyber space respectively. The HSA application and will show the potential consequences/effects of these threats in the other planes including cascading effects.
The Hybrid SA application goes one step beyond to the integration of the PSA and CSA applications. This innovative solution takes into account the real detected alarms of both applications and identifies and evaluates inter-correlations among different potential threats.
This detection functionality will be supported using mathematical concepts of graph theory and percolation theory. In addition, models of both the local physical infrastructure and the local cyber infrastructure will be created with interdependencies between them. Those approaches will allow the HSA to characterize the physical and logical interconnections between the two worlds of PSA and CSA and to identify the systems reachable from a single starting point. Additionally, percolation theory can describe the potential propagation of a threat, i.e., indicate which systems are more likely to be reached based on predefined probabilities. In this context, it is not relevant whether an incident occurred in the physical or in the cyber world: the cascading effects in both the physical and cyber world can be described simultaneously.
This way once a real physical and/or cyber threat is detected the potential consequences including cascading effect in both planes (physical and cyber) will be automatically shown to the decisions makers in order to give them a holistic SA on what is happen and how the situation could evolve.
Once the potential consequences and cascading effect of a detected threat have been shown HSA will also propose some decision support actions that could help the decision makers to prevent or even mitigate the future stated consequences. An example of the working of this HSA application is described in the following figure. For example, an incident in the physical plane, e.g., an explosion/fire, is detected in a building of the port (cf. Figure 4). This event is detected by the PSA and is analysed by the HSA. The HSA shows in real time what potential consequences/effects this accident/attack could have in the near future in both planes. In this case study, several servers dedicated to cyber security and video management have been destroyed by the explosion. Consequently, a freight shipping application of a large company is at risk of being hacked and video flows and data have been lost from surveillance cameras and access control assets. This warns the decision makers that a physical attack and/or cyber intrusion in these items could now happen, since that specific area now has no video surveillance and access control data are no longer being received.
The HSA immediately provides advice to port staff to send security personnel to the areas that have lost video surveillance to prevent any physical intrusion and to personnel of the affected shipping company to manually check and scrutinise carefully the cargo activities until the company’s IT system has guaranteed to be secure.
EPWS: An Emergency Population Warning System, allowing local, regional, or national authorities to contact members of rescue/security teams and the public (also integrating Smart City Platforms (SCP)) in order to warn them and draw their attention to an immediate hazard. This will encourage them to take a specific action in response to an emergency event or threat.
An Emergency Population Warning System (EPWS) is a method whereby local, regional, or national authorities can contact members of the public en masse to warn them of an impending emergency. These warnings may be necessary for a number of reasons, including: