GLOSSARY

Supply Chain and Business Concepts

TermAbbreviationDefinition(s)Reference(s)Example(s)Notes/Remarks
Application-IT solution, including application software, application data and procedures, designed to help an organization’s users perform particular tasks or handle particular types of IT problems by automating a business process or functionISO/IEC 27032:2012
Application service-Software with functionality delivered on-demand to subscribers through an online model which includes web based or client-server applications.ISO/IEC 27032:2012Online storage, Customs online serviceApplication service provider: operator who provides a hosted software solution that provides application services which includes web based or client-server delivery models [ISO/IEC 27032:2012].
Application software-Software designed to help users perform particular tasks or handle particular types of problems, as distinct from software that controls the computer itselfISO/IEC 26514:2008
Asset-Something (item, thing or entity) that has value (potential or actual value) to the organization. An asset extends beyond physical goods or hardware, and includes software, information, people, and reputation. [ISO/IEC 27001: 2013; ISO/IEC 20000-1: 2018] Information asset: Anything that has value to an individual, an organization or a government. [ISO/IEC 27032: 2012]ISO/IEC 27001: 2013; ISO/IEC 20000-1: 2018an asset can be for example an application server, a presence sensor, a mobile or a municipal building.The only diffenrence of the two terms is that the second makes provision for individuals and the separation of governments from organizations.
Business objective-result to be achieved. An objective can be strategic, tactical, or operational. Objectives can relate to different disciplines (e.g. financial, health and safety, and environmental goals) and can apply at different levels (e.g. strategic, organization-wide, project, product and process. An objective can be expressed in other ways, e.g. as an intended outcome, a purpose, an operational criterion, as an information security objective or by the use of other words with similar meaning (e.g. aim, goal, or target).ISO/IEC 27000: 2018
Cosignee / Shipper / Cosignor-A person or company that consigns or receives goods for transportation.EU H2020-DS-2014-01 project "MITIGATE"
Critical InfrastructureCIAn asset, system or part thereof located in Member States which is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people, and the disruption or destruction of which would have a significant impact in a
Member State as a result of the failure to maintain those functions
Council Directive 2008/114/ECSCADA, port, Port Community System (PCS)European critical infrastructure (ECI) is a critical infrastructure located in Member States the disruption or destruction of which would have a significant impact on at least two Member States. The significance of the impact shall be assessed in terms of cross-cutting criteria. This includes effects resulting from cross-sector dependencies on other types of infrastructure [Council Directive 2008/114/EC].
Critical Information InfrastructureCIIICT systems that are Critical Infrastructures for themselves or that are essential for the operation of Critical Infrastructures (telecommunications, computers/software, Internet, satellites, etc.)Council Directive 2008/114/ECHuman Machine Interface (HMI)
Critical services-A critical service is a service that is essential for the maintenance of critical societal or economic activities.NIS Directive, 2016
CustomerPerson or organization that could or does receive a product or a service that is intended for or required by this person or organizationISO 9000:2015Consumer, client, end-user, retailer, receiver of product or service from an internal process, beneficiary and purchaser.
Distributor-An entity that buys noncompeting products or product lines, and resells them to retailers or direct to the end users or customers.EU H2020-DS-2014-01 project "MITIGATE", MITIGATE glossary
Downstream/Upstream-Downstream: refers to the actions, processes and movements of the cargo in the supply chain that occur after the cargo leaves the direct operational control of the organization, including but not limited to insurance, finance, data management, and the packing, storing and transferring of cargo. Upstream: refers to the actions, processes and movements of the cargo in the supply chain that occur before the cargo comes under the direct operational control of the organization, including but not limited to insurance, finance, data management, and the packing, storing and transferring of cargoISO 28000:2007
Exporter-a businessperson or firm who transports goods abroad for sale.EU H2020-DS-2014-01 project "MITIGATE"
Importer-Firm or person whose business involves importing goods from outside (especially from a foreign country).EU H2020-DS-2014-01 project "MITIGATE", MITIGATE glossary
Infrastructure-organization system of facilities, equipment and services needed for the operation of an organization ISO 9000:2015
Information system-Set of applications, services, information technology assets, or other information-handling componentsISO/IEC 27000: 2018
Interdependence-the mutual dependence among cooperating firms, which originates from their requirement to maintain relationships in order to serve their goalsFrazier, G. L. (1983) “On the Measurement of Interfirm Power in Channels of Distribution,”Journal of Marketing, Vol. 53, January, pp. 50-69.
Industry-Producer of merchandise for use or sale using extraction and/or transformation means, labour and machines, tools, chemical and biological processing, or formulation. The term may refer to a range of human activity, from handicraft to high tech, but is most commonly applied to industrial production, in which raw materials are transformed into finished goods on a large scale.EU H2020-DS-2014-01 project "MITIGATE"Automobile Industry: Automobile Industry: the manufacturer that produces the vehicles and equipment (i.e. automobiles, trucks, semi-trailer trucks, trailers, and railroad cars etc.)
Industrial Control SystemICSAn information system used to control industrial processes such as manufacturing, product handling, production, and distribution. Industrial control systems include supervisory control and data acquisition systems used to control geographically dispersed assets, as well as distributed control systems and smaller control systems using programmable logic controllers to control localized processes.NIST SP 800-39, 2011
Involvement-Taking part in an activity, event or situationISO 9000:2015
Internet of ThingsIoTA cyber-physical ecosystem of interconnected sensors and actuators, which enable intelligent decision making.ENISA
[https://www.enisa.europa.eu/topics/iot-and-smart-infrastructures/iot]
Smart Infrastructures, such as Industry 4.0, smart grid, smart transport, etc.Various ports are studying or launching an IoT project to improve their competitiveness and their performance and monitor their infrastructure to prevent security or safety incidents. Applied to maritime traffic surveillance,
infrastructure management and terminal operations on goods or passengers, an IoT platform could monitor the port environment and operations, collect data to optimize processes and improve the decision-making process. This would be possible through the implementation of sensors and RFID technology on port assets.
More specifically, the port of Rotterdam has launched his own IoT platform by implementing different sensors on buoys, walls and quays to allow port actors to identify the best timing and location for a ship to dock.
["Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019]
Organization-person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives. The concept of organization includes but is not limited to sole-trader, company, corporation, firm, enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not, public or private.ISO/IEC 27000: 2018
Physical asset-asset that has a tangible or material existence
Physical assets usually refer to cash, equipment, inventory and properties owned by the individual or organization. Software is considered an intangible asset, or a non-physical asset.
ISO/IEC 27032:2012
Policy-intentions and direction of an organization as formally expressed by its top management.ISO/IEC 27000: 2018
Process-A group of interconnected or interacting activities capable of turning inputs into outputs.ISO/IEC 27000: 2018Indicative process examples are the customs clearance issuance and the vehicles loading/ulnoading within the Vehicle Transport Service performance. A process model example is a business process diagram following a modelling language notification (i.e. BPMN diagram, UML diagram)(1) A supply chain process: a group of interconnected activities during a supply chain service performance.

(2) Business Process Management (BPM): a principle serves the tasks of dealing with organizing, automating, monitoring and controlling business processes in organizations.

(3) Process Mapping: It is assumed the identification, description and illustration of all the flows of a work via flowcharts, process models and business diagrams. [Kalogeraki E.-M., Panayiotopoulos T., Apostolou D. (2016) “Semantic queries in BPMN 2.0: A contemporary method for information retrieval”, IEEE, 6th International Conference on Information, Intelligence, Systems and Applications” (IISA 2015), 7388061]
Requirement-need or expectation that is stated, generally implied or obligatory. A specified requirement is one that is stated, for example in documented information.
ISO/IEC 27000: 2018(1) “Generally implied” means that it is custom or common practice for the organization and interested parties that the need or expectation under consideration is implied.
(2) A specified requirement is one that is stated, for example in documented information.
Service-(1) means of delivering value for the customer by facilitating outcomes the customer wants to achieve.
(2) output of an organization with at least one activity necessarily performed between the organization and the customer
ISO/IEC 20000-1:2018, ISO 9000:2015services may refer to a majority of types (i.e. economic service, information service, business service, domestic service, governmental service, public service, military service, etc). Example of services are e-mail service, logistics service, billing service, etc.
Service Level AgreementSLADocumented agreement between the service provider and customer that identifies services and service targets.
ISO/IEC 20000-1:2018
(1) A service level agreement can also be established between the service provider and a supplier, an internal group or a customer acting as a supplier.

(2) A service level agreement can be included in a contract or another type of documented agreement.
Service Providerorganization that manages and delivers a service or services to customers ISO/IEC 20000-1:2018
Stakeholder (Business partner or interested party)-(1) A person or entity (i.e. customers, shareholders, financiers, insurers, regulators, statutory bodies, employees, contractors, suppliers, labour organizations, or society) having a vested interest in the organization’s performance, success or the impact of its activities [ISO 28000:2007]. (2) person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity [ISO 31000:2018; ISO/IEC 27000:2018]. [ISO 28000:2007] , [ISO 31000:2018], [ISO/IEC 27000:2018]
Step-An element (numbered list item) in a procedure (process) that tells a user (involved party) to perform an action (or actions)ISO/IEC 26514:2008
Supplier (provider)-Organization that provides a product or a service. ISO 9000:2015(1) A provider can be internal or external (not part of) to the organization.
(2) In a contractual situation, a provider is sometimes called “contractor”.
Supply ChainSCLinked set of resources and processes that begins with the sourcing of raw material and extends through the delivery of products or services to the end user across the modes of transport. The supply chain may include vendors, manufacturing facilities, logistics providers, internal distribution centers, distributors, wholesalers and other entities that lead to the end user.ISO 28000:2007Maritime Supply Chain
Supply Chain disruption-Disruptions in supply chains is considered the disruption of the security, continuity and reliability of the critical services that are essential for the smooth functioning of the SC performance that it is capable of preventing the provision of other services which depend on it and could thus have a serious impact on economic and societal activities of the SC.NIS Directive, 2016
Supply Chain SecuritySC securitySecurity of the processes, techniques, and technologies associated with supply chains.ENISA report (2015) “Supply Chain Integrity: An overview of the ICT supply chain risks and challenges, and vision for the way forward”, v.1.1, August 2015.
Supply Chain OperatorsSC operatorContractors, suppliers, agents and forwarders that operate (interact, depend, provide, receive) for the production of goods or the provision of a supply chain service.EU H2020-DS-2014-01 project "MITIGATE"
Supply Chain ServiceSCS(1) A network of the supply chain operators and their supporting units that function for the transaction of resources, to develop services, transfer the underlying resources into supporting and core services and deliver the services to the end- customer/user.
(2) Service provided by a supply chain, a linked set of resources and processes
(1) [Baltacioglu et al. (2007). “A new Framework for service supply chains”. The Service Industries Journal, 27(2), pp 105–124.] (2) EU H2020-DS-2014-01 project "MITIGATE"Vehicle Transport Service: A massively complex system with numerous players for the manufacturing, shipment and delivery of various types of vehicles.It supports composite processes (i.e. domestic and international transportation, communications and information technology, warehouse management, order and inventory control etc.). It includes several interactions and tasks among the various entities engaged (stakeholders and actors) having different goals and requirements.
Trailer-non-powered vehicle for the carriage of goodsEU H2020-DS-2014-01 project "MITIGATE"
Transport operator-A party, a company or a department of a company, planning and maintaining the use of means of transport or equipment of a transport stage.EU H2020-DS-2014-01 project "MITIGATE"The Transport Company (i.e. Logitren, TrainOSE) is responsible to transfer the vehicles from the automobile manufacturer to the destination port.
Transport organiser-A party, a company or a department organising and planning a part of a transport chain.EU H2020-DS-2014-01 project "MITIGATE"
Transshipment-Moving goods from one means of transport to anotherEU H2020-DS-2014-01 project "MITIGATE"
User-Person who performs one or more tasks with software; a member of a specific audienceISO/IEC 26514:2008
User interface-Ensemble of software and hardware that allows a user to interact with a computer systemISO/IEC 26514:2008
Entity-Any natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations.NIS 2 Directive
Essential entity-Any entity of a type referred to as an essential entity in Annex I of NIS 2 Directive.NIS 2 Directive
Operator of Essential ServiceOESAny operator that resides to the Member States when laying down security and incident reporting requirements for the types of essential services referred to Annex I of NIS 2 Directive.NIS 2 DirectiveNIS 2 Directive essential services are also presented in xx of the current deliverable.
Important entity-Any entity of a type referred to as an important entity in Annex II of NIS 2 Directive.NIS 2 Directive
Operator of Important ServiceOISAny operator that resides to the Member States when laying down security and incident reporting requirements for the types of important services referred to Annex II of NIS 2 Directive.NIS 2 DirectiveNIS 2 Directive important services are also presented in xx of the current deliverable.
Supply Chain ServiceSCSIt is considered the service that entails a linked set of resources and processes that begins with the sourcing of raw material and extends through the delivery of products or services to the end user across the modes of transport.ISO 28000:2007The vehicle transport service is a massively complex system with numerous players for the manufacturing, shipment and delivery of various types of vehicles.SCS business partners are the main actors for the provision of the SCS and they are considered in CYRENE under the following perspectives: 1. SCS Commercial Business Partner, 2. SCS Governmental Business Partner, 3. SCS provider.
International Supply Chain Service-1. A supply chain that at some point crosses an international or economic border 2. A SCS that consists of EU and non-EU SCS-BP.1. ISO 28001:2007 2. EU H2020-ICT-02-2020 project "CYRENE": EUSCS, CYRENE RCA Methodology.
SCS Business PartnerSCS-BP1. Those contractors, suppliers or service providers that an organization contracts with to assist the organization in its function as an “Organization in the Supply Chain". 2. A stakeholder that participates in the provision of the supply chain service".1. ISO 28001:2007 2. EU H2020-ICT-02-2020 project "CYRENE"CYRENE delves into a service approach definition, whereas ISO 28001 defines it from a supply chain perspective.
SCS providerSCS-PThe main actor in the supply chain (originator) that identifies all business partners (of type B, C, D), SCS processes / sub-processes to be followed, agreements (e.g., protection profile) and records (e.g., self-assessment conformity statements).EU H2020-ICT-02-2020 project "CYRENE": EUSCS, CYRENE RCA Methodologyin the vehicle transport SCS, the automotive industry and all its third parties/sub-contractors belong in this type.(Business Partner A)
SCS Commercial Business Partner-Participating in the provision of the supply chain service, undertaking an operational role, related to the operation of the supply chain service, including ordering, transporting, importing, and other processes.EU H2020-ICT-02-2020 project "CYRENE": EUSCS, CYRENE RCA Methodologyin the vehicle transport SCS, the importers, transport/maritime companies and any third-party commercial partner reflect this category.(Business Partner B)
SCS Governmental Business Partner-Participaing in the provision of the supply chain service, undertaking an operational role, related to the operation of the supply chain service, including ordering, provisioning, storing, and other processes.EU H2020-ICT-02-2020 project "CYRENE": EUSCS, CYRENE RCA Methodologyin the vehicle transport SCS, the Ministry of Transport, Customs and other related authorities fall in this category.(Business Partner C)
SCS Self-Assessor-Every business partner (A or B or C) is allowed to undertake the compliance role which covers the activities related to the verification of compliance to standards and regulations, including documentation, self-assessment, interfaces with third party assessor or CABs (if needed) and management of EU statements of conformity (for SCs with AL Basic). EU H2020-ICT-02-2020 project "CYRENE": EUSCS, CYRENE RCA Methodology(Business Partner D)
SCS Assessor-can be either the SCS Self-Assessor (Business Partner D) that is every business partner (A or B or C) who undertakes the compliance role which covers the activities related to the verification of compliance to standards and regulations, including documentation, self-assessment, interfaces with third party assessor or CABs (if needed) and management of EU statements of conformity (for SCs with assurance level Basic).EU H2020-ICT-02-2020 project "CYRENE": EUSCS, CYRENE RCA Methodology
Mutual Recognition AgreementSCS-MRAIt is considered an agreement between the SCS business partners (EU and non-EU business partners) which is set up to establish and support the mutual recognition of the EU SCS certification schema (EUSCS) with third countries.EU H2020-ICT-02-2020 project "CYRENE": EUSCS, CYRENE RCA Methodology
SCS process-It is a group of interconnected sets or interacting activities, capable of turning inputs into outputs for the provision of the SCSISO/IEC 27000:2018Within the vehicle transport service performance, a transportation order or ship formalities arrangements are considered SCS processes.
SCS asset-1. Something (item, thing or entity) that has value (potential or actual value) to the organization. An asset extends beyond physical goods or hardware, and includes software, information, people, and reputation. [ISO/IEC 27001: 2013; ISO/IEC 20000-1: 2018] 2. Information asset: Anything that has value to an individual, an organization or a government. [ISO/IEC 27032: 2012].1. ISO/IEC 27001: 2013 2. ISO/IEC 20000-1: 2018an asset can be for example: an application server, a presence sensor, a mobile or a municipal building, a Human Machine Interface (HMI), a vehicle or a vessel traffic web application.The only difference of the two terms is that the second makes provision for individuals and the separation of governments from organizations.
Information Security Management SystemISMSSet of interrelated or interacting elements of an organization to establish policies and objectives and processes to achieve those objectives.ISO/IEC 27000:2018, ISO/IEC 27001
SCS evaluation view-It is considered the different options that can be utilized to assess the SCS using three different conformity assessment profiles according to the different views ‘process’ (overall business), ‘holistic-technical’, ‘sector-specific’ the SCS can be represented or described.EU H2020-ICT-02-2020 project "CYRENE": EUSCS, CYRENE RCA Methodology
Security Declaration-A documented commitment by a business partner, which specifies security measures implemented by that business partner, including, at a minimum, how goods and physical instruments of international trade are safeguarded, associated information is protected and security measures are demonstrated and verified.ISO 28001:2007  
Statement of Applicability-document that contains the selection and implementation of controls in order to assist with compliance requirements.ISO/IEC 27000:2018

Certification Security Concepts

TermAbbreviationDefinition(s)Reference(s)Example(s)Notes/Remarks
Information-Any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual.[CNSSI No. 4009]
Information systemset of applications, services, information technology assets, or other information-handling components[ISO/IEC 27000:2018]An Enterprise Resource Planning (ERP) system
Information Security Management SystemISMSSet of interrelated or interacting elements of an organization to establish policies and objectives and processes to achieve those objectives[ISO/IEC 27000:2018]ISO 27001
Confidentiality-Property that information is not made available or disclosed to unauthorized individuals, entities, or processes[ISO/IEC 27000:2018]
Integrity-Property of accuracy and completeness[ISO/IEC 27000:2018]
Availability-Property of being accessible and usable on demand by an authorized entity.[ISO/IEC 27000:2018]
Accountability-the state of being answerable (in response)
for assigned actions and decisions.
[ISO/IEC 27000:2018]
Authenticity-Property that an entity is what it claims to be.[ISO/IEC 27000:2018]
Reliability-Property of consistent intended behaviour and results[ISO/IEC 27000:2018]
Non-repudiation-Ability to prove the occurrence of a claimed event or action and its originating entities[ISO/IEC 27000:2018]
Information security-Preservation of the CIA triad (Confidentiality, Integrity and Availability) of information involving also the ensurance of other properties such as authenticity, accountability, non-repudiation, and reliability.[ISO/IEC 27000:2018]
Information security continuity-Processes and procedures for ensuring continued information security operations[ISO/IEC 27000:2018]
Cybersecurity-preservation of Confidentiality, Integrity and Availability (CIA triad) of information in the Cyberspace.[ISO/IEC 27032:2012]
Cyber resiliency-The ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on cyber resources[NIST SP 800-160, 2019]
Adversary (attacker/threat agent)-(1) Adversary: Individual, group, organization, or government that conducts or has the intent to conduct detrimental activities [NIST SP 800-30 Rev 1, 2012]. (2) Attacker: an actor who attempts to gain access to behaviors or resources that are outside of the product's intended control sphere for that actor [MITRE glossary].
(3) Threat agent: entity that can adversely act on assets [ISO/IEC 15408-1:2009].
NIST SP 800-30 Rev 1, 2012, MITRE glossary online available: https://cwe.mitre.org/documents/glossary, ISO/IEC 15408-1:2009For instance, an attacker can be a disgruntled employee (insider), a hacktivist, a cybercriminal, a terrorist group, a pirate or a hijacker, a cyber vandal, a government/industry spy.
Behaviour analysis-The act of examining malware interactions within its operating environment including file systems, the registry (if on Windows), the network, as well as other processes and Operating System components.[CNSSI No. 1011]For instance, when analysing attacker's profile, e.g. scrutinizing the level of his expertise, skills etc.
Attack

-attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset[ISO/IEC 27000:2018]Attack on a SCADA software (cyber) , attack on a cruise terminal (physical).
-Attack path (attack model/attack pattern/attack vector)(1) Attack path: Steps that a threat takes or may take to plan, prepare for, and execute an attack [API standard 780]. (2) Attack pattern: abstracted approach utilized to attack software [ISO/IEC TR 20004:2015]. (3) Attack vector: path or means by which an attacker can gain access to a computer or network server in order to deliver a malicious outcome [ISO/IEC 27032:2012].
API standard 780 , ISO/IEC TR 20004:2015 , ISO/IEC 27032:2012attack path to compromise a CCTV system of an enterprise: compromise an e-mail account to gain access to an employee's workstation of an enterprise and after take advantage of a CCTV server that is installed in the workstation operating system
-Attack graph-Data structures that are able to model all possible avenues of a network attackAn attack modelling tool providing MITRE ATT&CK graphs via Bloodhound can be found in https://medium.com/falconforce/graphing-mitre-att-ck-via-bloodhound-87c11aadc119
Attack graphs generation using the MITIGATE risk management tool Ref.: Kalogeraki, E.-M., Papastergiou, S., Mouratidis, H., Polemi N., (2018) “A novel risk assessment methodology for SCADA maritime logistics environments”, Applied Sciences, MDPI AG, Switzerland, 8(9): 1477, ISSN: 2076-3417, https://doi.org/10.3390/app8091477)
Cyber attack - An attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information.[NIST SP 800-30 Rev 1, 2012]Man-In the-Middle attack cinderella attack ransomware attack
Alert - Notification that a specific attack has been directed at an organization’s information systems.[CNSSI 4009-2015]A cyber alert has been raised due to the identification of suspicious traffic on a database system.
Information security incident - An individual or a series of either unwanted or unexpected information security events that enclose a serious probability of compromising business operations and threatening information security[ISO/IEC 27000:2018]
Hacking - Intentionally accessing a computer system without the authorization of the user or the owner.[ISO/IEC 27032:2012]
Measurement - process to determine a value[ISO/IEC 27000:2018]
Measurement method (scale) - A logical sequence of operations, described in generic, that aims to quantify an attribute with cocnerns a specified scale.[ISO/IEC 27000:2018]Risk level can be vulnerability/threat/ risk level can be scaled as Very High/High/Medium/Low/Very LowQuantitative measurement is information about quantities, and therefore correspond to numbers, and qualitative measurement is descriptive, and regards phenomenon which can be observed but not measured, such as language (i.e. business, temporal, environmental, etc..).
Performance - Measurable result[ISO/IEC 27000:2018]
Effect - A deviation from the expected — positive or negative.[ISO/IEC 27000:2018]
Event - Occurrence or change of a particular set of circumstances that can end up with several causes which can even consist of something not happening.[ISO/IEC 27000:2018]
Uncertainty - The state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.[ISO/IEC 27000:2018]
Likelihood - Chance of something happening[ISO/IEC 27000:2018]
Likelihood of occurance - A weighted factor based on a subjective analysis of the probability that a given threat is capable of exploiting a given vulnerability or a set of vulnerabilities. Determining the likelihood of threat events causing adverse impacts.NISTIR 7621 Rev. 1, 2016], [CNSSI 4009-2015], [NIST SP 800-30 Rev 1, 2012]
Vulnerability - (1) Weakness in the TOE that can be used to violate the SFRs in some environment ISO/IEC 15408-1:2009
(CC).
(2) Weakness of an asset or control that can be exploited by one or more threats [ISO/IEC 27000:2018] (3) In the context of information technology and cybersecurity, a vulnerability is a behaviour or set of conditions present in a system, product, component, or service (functional) that violates an implicit or explicit security policy. A vulnerability can be thought of as a weakness or exposure that allows a security impact or consequence. Attackers exploit vulnerabilities to compromise confidentiality, integrity, availability, operation, or some other security property [ISO/IEC 29147:2018].
ISO/IEC 15408-1:2009
(CC) , ISO/IEC 27000:2018, ISO/IEC 29147:2018
• Poor encryption in digital signatures.
• Target Row Refresh (TRR), aka the TRRespass issue (CVE-2020-10255)
• The DNS bugs (CVE-2020-11901)
- A term 'vulnerability' is functioning in different context in ISO/IEC 15408 as it reflects the perspective of the TOE (*see line 94).
- Multiple vulnerabilies can impact a supply chain as a whole, compromising multiple inteconnected assets by exploiting a series of assets' vulnerabilities.
See more: "Hacking the Supply Chain"
[https://i.blackhat.com/USA-20/Wednesday/us-20-Oberman-Hacking-The-Supply-Chain-The-Ripple20-Vulnerabilities-Haunt-Tens-Of-Millions-Of-Critical-Devices.pdf]
-Potential (uknown) Vulnerability - Potential: Suspected, but not confirmed, weakness [ISO/IEC 15408-1:2009(CC)]. Uknown: There are reports of impacts that indicate a vulnerability is present, but that the cause of the vulnerability is unknown or they may differ on the cause or impacts of the vulnerability. Reporters are uncertain of the true nature of the vulnerability, and there is little confidence in the validity of the reports [CVSS v3.1 NIST NVD (FIRST)]ISO/IEC 15408-1:2009
(CC) , CVSS v3.1 NIST NVD (FIRST)
An uknown/zero day vulnerability could be an adversary that sneaks in an asset through a backdoor that was left unlocked by accident.Suspicion is by virtue of a postulated attack path to violate the SFRs.

A sub-category of this is the "zero-day" vulnerability, which is related to a security flaw in the software that is known to the software vendor, but with no patch in place to fix the flaw.
-Confirmed Vulnerability-Detailed reports exist, or functional reproduction is possible (functional
exploits may provide this). Source code is available to independently verify
the assertions of the research, or the author or vendor of the affected code
has confirmed the presence of the vulnerability.
CVSS v3.1 NIST NVD (FIRST)A confirmed vulnerability example is the vulnerability of Microsoft Teams Remote Code Execution, which was published on 11/11/2020.
-Exploitable Vulnerability-Weakness in the TOE that can be used to violate the SFRs in the operational environment for the TOEISO/IEC 15408-1:2009 (CC)
-Residual Vulnerability - Weakness that cannot be exploited in the operational environment for the TOE, but could be used to violate the SFRs by an attacker with greater attack potential than is anticipated in the operational environment for the TOEISO/IEC 15408-1:2009
(CC)
-Severity of vulnerability - The severity of a vulnerability is an assessment of the relative importance of mitigating/remediating the vulnerability. The severity can be determined by the extent of the potential adverse impact if such a vulnerability is exploited by a threat source. Thus, the severity of vulnerabilities, in general, is context-dependent.[NIST SP 800-30 Rev.1, 2012]CVSS
Vulnerabilities Measurement/Labelling - - - - Common Vulnerabilities and Exposures
- TOE-relevant CVE vulnerabilities
- Common Weakness Enumeration
- Common Vulnerability Scoring System
- CVSS basic metric
- CVSS temporal metric
- CVSS environmental metric
- Common Vulnerabilities and ExposuresCVE(1) A nomenclature and dictionary of security-related software flaws [NIST SP 800-126 Rev. 2]. (2) A list of entries—each containing an identification number, a description, and at least one public reference—for publicly known cybersecurity vulnerabilities [MITRE].[NIST SP 800-126 Rev. 2] , [MITRE]: online available: https://cve.mitre.org/The confirmed vulnerability example of Microsoft Teams Remote Code Execution has the CVE (Id) "CVE-2020-17091" (1) CVEs are designated by the CVE Numbering Authorities (CNAs), namely organizations from around the world that are authorized to assign CVE IDs to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities. The MITRE Corporation functions as Editor and Primary CNA. (2) NIST repository for vulnerabilities (National Data Repository for Vulnerabilities) is utilized to identify a vulnerability on an asset. Useful links to search for CVEs that can be utilized in the scope of the current project: https://nvd.nist.gov/vuln , https://www.cvedetails.com/
- TOE-relevant CVE vulnerabilities - CVE vulnerabilities from all versions of the TOE product family or CVE vulnerabilities associated with products of the same technology typeISO/IEC TR 20004:2015(*for more about ToE see line 94)
- Common Weakness EnumerationCWEA community-developed list of software and hardware weakness types. It serves as a common language, a measuring stick for security tools, and as a baseline for weakness identification, mitigation, and prevention efforts.[MITRE] online availiable: https://cwe.mitre.org/CWE-20 Improper Input Validation: the asset does not validate or incorrectly validates input that can affect the control flow or data flow of a program.When software fails to validate input properly, an attacker is able to craft the input in a form that is not expected by the rest of the application. This will lead to parts of the system receiving unintended input, which may result in altered control flow, arbitrary control of a resource, or arbitrary code execution. CWE is assigned by MITRE. This leads to a mapping of vulnerabilities to the related threats
- Common Vulnerability Scoring System CVSSThe Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. It mainly consists of three metric groups: Base, Temporal, and Environmental. FIRST CVSS v3.1 Specification, Rev.1 online available: https://www.first.org/cvss/v3-1/cvss-v31-specification_r1.pdf , [MITRE] https://nvd.nist.gov/vuln-metrics/cvssFor instance, the confirmed vulnerability "CVE-2020-17091" Microsoft Teams Remote Code Execution has Basic score metrics= 7.8 : Exploitability(1) CVSS is designed to measure the severity of a vulnerability. The score leverages Basic, Temporal and Environmental) CVSS is designed to measure the severity of a vulnerability. The score leverages Basic, Temporal and Environmental Metrics. (2) CVSS has been recognized as an international standard for scoring vulnerabilities.
- CVSS basic metric - The base group consists of exploitability: Attack Vector (AV)/Attack Complexity (AC)/Privileges Required (PR)/User Interaction (UI), scope and Impact: CIA triad. The basic group metric represents the intrinsic qualities of a vulnerability that are constant over time and across user environments. FIRST CVSS v3.1 Specification, Rev.1 online available: https://www.first.org/cvss/v3-1/cvss-v31-specification_r1.pdf , [MITRE] https://nvd.nist.gov/vuln-metrics/cvss
- CVSS temporal metric - The temporal group consists of the following : Exploit Code Maturity (E)/Remediation Level (RL)/Report Confidence (RC) and reflects the characteristics of a vulnerability that change over time. FIRST CVSS v3.1 Specification, Rev.1 online available: https://www.first.org/cvss/v3-1/cvss-v31-specification_r1.pdf , [MITRE] https://nvd.nist.gov/vuln-metrics/cvss
- CVSS environmental metric - The environmental group consists of the following security requirements: Confidentiality Requirement (CR), Integrity Requirement (IR), Availiability Requirement (AR) and represents the characteristics of a vulnerability that are unique to a user's environment.FIRST CVSS v3.1 Specification, Rev.1 online available: https://www.first.org/cvss/v3-1/cvss-v31-specification_r1.pdf , [MITRE] https://nvd.nist.gov/vuln-metrics/cvss
Threat - Potential cause of an unwanted incident, which can result in harm to a system or organization.[ISO/IEC 27000:2018]Example are a signature spoofing by key theft on an e-mail operating system and buffer overflow in Local Command-Line Utilities on an admin operating system.
Threat assessment - Process of formally evaluating the degree of threat to an information system or enterprise and describing the nature of the threat.[CNSS, 2015] , [NIST SP 800-30 Rev.1, 2012]
Threat level - The expected probability of occurrence of a threat to a cyber asset EU H2020-DS-2014-01 project "MITIGATE", MITIGATE glossary
Cyber Threat IntelligenceCTIThreat information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes.[NIST SP 800-150, Guide to Cyber Threat Information Sharing, 2016].Additional information can be found under:
- "ENISA Threat Landscape 2020 - Cyber threat intelligence overview"
[https://www.enisa.europa.eu/publications/cyberthreat-intelligence-overview] - "Cyber Threat Intelligence Standards- A high-level overview"
[https://www.enisa.europa.eu/events/2018-cti-eu-event/cti-eu-2018-presentations/cyber-threat-intelligence-standardization.pdf]
Security impact analysis - The analysis conducted by an organizational official to determine the extent to which changes to the information system have affected the security state of the system.[NIST SP 800-37 Rev.2, 2018]
Impact - The result of an unwanted incidentISO/IEC PDTR 13335-1
Impact level - The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability.[NIST SP 800-37 Rev.2, 2018]
Risk - Effect (see "effect" in the current glossary) of uncertainty (see "uncertainty" in the current glossary) on objectives (ISO 31000:2018; ISO/IEC 27000:2018). Risk is often characterized by reference to potential events and consequences or a combination of these (including changes in circumstances) and the associated "likelihood" of occurrence. [ISO/IEC 27000:2018][ISO/IEC 27000:2018], [ISO 31000:2018]
Information security risk - Risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (i.e., mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.
Effect of uncertainty on information security objectives. The potential that threats will exploit vulnerabilities that can be found on an information asset or a group of information assets and therefore can harm an organization. [ISO/IEC 27000:2018]
[NIST SP 800-30 Rev 1, 2012] [ISO/IEC 27000:2018]
Risk model - It defines the risk factors to be assessed and the relationships among those factors[NIST SP 800-30 Rev 1, 2012]
Risk identification - Process of finding, recognizing and describing risks. Risk identification involves the identification of risk sources, events, their causes and their potential consequences. Risk identification can involve historical data, theoretical analysis, informed and expert opinions, and stakeholders’ needs.[ISO/IEC 27000:2018]
Risk analysis - Process to comprehend the nature of riskand to determine the level of risk. Risk analysis provides the basis for risk evaluation and decisions about risk treatment. Risk analysis includes risk estimation.[ISO/IEC 27000:2018]
Risk evaluation - The process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable. Risk evaluation assists in the decision about risk treatment.[ISO/IEC 27000:2018]
Risk AssessmentRAThe overall process of risk identification, risk analysis and risk evaluation
estimating, and prioritizing information security risks
estimating, and prioritizing information security risks
[ISO/IEC 27000:2018] [NIST SP 800-30 Rev.1, 2012] [NIST SP 800-30 Rev.1, 2012]
Risk assessor - The individual, group, or organization responsible for conducting a risk assessment.[NIST SP 800-30 Rev.1, 2012]
Level of risk - Magnitude of a risk expressed in terms of the combination of consequencesand their likelihood.[ISO/IEC 27000:2018]
Residual risk - Risk remaining after risk treatment. Residual risk can contain unidentified risk. It can also be referred to as “retained risk”.[ISO/IEC 27000:2018]
Risk treatment - Process to modify risk [ISO/IEC 27000:2018]
Risk mitigation - Risk treatments that deal with negative consequences.[ISO/IEC 27000:2018]
Control - Measure that maintains and/or modifies risk [ISO 31000: 2018; ISO/IEC 27000:2018]. Controls include any process, policy, device, practice, or other actions which modify risk. It is possible that controls not always exert the intended or assumed modifying effect. [ISO/IEC 27000:2018][ISO 31000: 2018] , [ISO/IEC 27000:2018]Control – term used in [CSA, Art. 52.4]: “The certificate or the EU statement of conformity shall refer to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to decrease the risk of, or to prevent cybersecurity incidents.”
This term can be seen as equivalent to the Security Functional Requirements (SFRs) defined in ISO15408.
Control objective - Statement describing what is to be achieved as a result of implementing controls.[ISO/IEC 27000:2018]
Security control - Security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system.[NIST SP 800-30 Rev.1, 2012 (FIPS 199, CNSSI No. 4009)]
Risk managementRMA systematic performance of policies, procedures and practices management on communicating, consulting activities, establishing the context and controlling identifying, analysing, evaluating, treating, monitoring and reviewing risk. [ISO/IEC 27000:2018] Coordinated activities to direct and control an organization with regard to risk. [ISO 31000:2018][ISO/IEC 27000:2018] [ISO 31000:2018]
Risk owner - Person or entity with the accountability and authority to manage a risk.[ISO/IEC 27000:2018]
Security ManagementSMSecurity management includes all the activities and practices implemented by organizations to manage security risks, threats, and impacts. These activities and practices should be coordinated in a systematic, and optimized manner.[ISO 28000:2007]
Security management objective - Specific outcome or achievement required of security in order to meet the security management policy. It is essential that such outcomes are linked either directly or indirectly to providing the products, supply or services delivered by the total business to its customers or end users.[ISO 28000:2007]
Security management policy - Overall intentions and direction of an organization, related to the security and the framework for the control of security-related processes and activities that are derived from and consistent with the organization’s policy and regulatory requirements[ISO 28000:2007]
Information and Communtication TechnologyICT1. Encompasses the capture, storage, retrieval, processing, display, representation, presentation, organization, management, security, transfer, and interchange of data and information.

2. Includes all categories of ubiquitous technology used for the gathering, storing, transmitting, retrieving, or processing of information (e.g., microelectronics, printed circuit boards, computing systems, software, signal processors, mobile telephony, satellite communications, and networks).

3. Encompasses all technologies for the capture, storage, retrieval, processing, display, representation, organization, management, security, transfer, and interchange of data and information.
1. NIST SP 800-161 under Information and Communications Technology (ICT) ISO/IEC 2382 - Adapted,
NISTIR 7622 under Information and Communications Technologies ANSDIT - Adapted

2. CNSSI 4009-2015 DoDI 5200.44

3. NISTIR 8074 Vol. 2 under Information and Communications Technologies
• maritime ICT cloud transforms shipping;
• printed circuit boards;
• computing systems;
• software;
• signal processors;
• mobile telephony;
• satellite communications;
• fleet IT manager onboard platform.
ICT Product - An element or a group of elements of a network or information systemRegulation (EU) 2019/881
(EU Cybersecurity Act)
• A software;
• A firmware;
• A piece of hardware;
• A service;
• A process;
• A supply chain.
ICT System - Network or information system (cf. CSA). Combination of ICT products and ICT processes that supports one or more ICT services.Regulation (EU) 2019/881
(EU Cybersecurity Act)
• Industrial Control System (i.e. SCADA);
• Port Community System (PCS);
• Enterprise Resource Planning (ERP) software.
ICT Service - A service consisting fully or mainly in the transmission, storing, retrieving or processing of information by means of network and information systemsRegulation (EU) 2019/881
(EU Cybersecurity Act)
• Vehicle Transport Service;
• e-Invoicing;
• Container Management Service;
• e-Delivery.
ICT Process - A set of activities performed to design, develop, deliver or maintain an ICT product or ICT serviceRegulation (EU) 2019/881
(EU Cybersecurity Act)
• Port Services Requested;
• Ship Formalities Arrangements;
• Vehicles Unloading processes.
Certification - Certification of a management system, such as the environmental management system, quality management system or information security management system of an organization, is one means of providing assurance that the organization has implemented a system for the management of the relevant aspects of its activities, products and services, in line with the organization’s policy and the requirements of the respective international management system standardISO/IEC 17021-1:2015
Certification Scheme - Conformity assessment system related to management systems to which the same specified requirements, specific rules and procedures applyISO/IEC 17021-1:2015There are a lot of national schemes.
The ones presented, all part of SOGIS-MRA, included NL (NLNCSA), FR (ANSSI), SE (FMV), DE (BSI). The national bodies mentioned all act as national certification bodies authorities with supervisory responsibility and some are ISO/IEC 17065 accredited by their national accreditation bodies. Their role is to oversee the national schemes and to issue the certificate based on the evaluation results of the laboratories. They also see to that the technical capabilities and skills of the laboratories are adequate. The certificates issued by national certification bodies cover product categories for which there is defined use-case and a protection profile specified by a technical community (stakeholder group) against which the laboratories will evaluate the equipment and certification bodies will issue the certificate. Protection profiles have until now been developed to a large extent for smart cards and also reflect the number of certificates issued, for some Member State they covered half of certificates, in addition to a very high level of assurance EAL5+.

[https://www.enisa.europa.eu/events/sog-is/minutes]
Common CriteriaCCAn international standard (ISO/IEC 15408) for computer security certification
Governing document that provides a comprehensive, rigorous method for specifying security function and assurance requirements for products and systems
ISO/IEC 15408-1:2009
(CC)
CNSSI 4009-2015
- In other words, "Common Criteria" is another way to call the ISO/IEC 15408-1:2009.
European Cybersecurity Certification SchemeECCSA ccomprehensive set of rules, technical requirements, standards and procedures that are established at Union level and that apply to the certification or conformity assessment of specific ICT products, ICT services or ICT processesRegulation (EU) No 526/2013 (Cybersecurity Act)*It is an umbrela, which replaces SOG-IS. There are no examples of schemes according to ECCS yet - the EU is in the process of creating.It is necessary to adopt a common approach and to establish a European cybersecurity certification framework that lays down the main horizontal requirements for European cybersecurity certification schemes to be developed and allows European cybersecurity certificates and EU statements of conformity for ICT products, ICT services or ICT processes to be recognised and used in all Member States. In doing so, it is essential to build on existing national and international schemes, as well as on mutual recognition systems, in particular SOG-IS, and to make possible a smooth transition from the existing schemes under such systems to schemes under the new European cybersecurity certification framework. The European cybersecurity certification framework should have a twofold purpose. First, it should help increase trust in ICT products, ICT services and ICT processes that have been certified under European cybersecurity certification schemes. Second, it should help avoid the multiplication of conflicting or overlapping national cybersecurity certification schemes and thus reduce costs for undertakings operating in the digital single market. The European cybersecurity certification schemes should be non-discriminatory and based on European or international standards, unless those standards are ineffective or inappropriate to fulfil the Union’s legitimate objectives in that regard.
Horizontal Certification Scheme - Adjective indicating that an ICT product, ICT process or ICT service targets multiple markets and that the related cybersecurity certificate may be recognized by corresponding cybersecurity certification schemes of these targeted markets.Cybersecurity Certification: EUCC Candidate Scheme

(https://www.enisa.europa.eu/publications/cybersecurity-certification-eucc-candidate-scheme)
• Accordingly, it is very important that standardization and certification approaches are well aligned across different industries when it comes to suppliers at the start of the supply-chain. For example, manufacturers of smart cards usually deliver their products into multiple sectors. On the other hand, once the integration steps come close to a final product, the situation might become very sector-specific. Therefore, it is essential to keep at least two views in mind:
1. The horizontal view: standards for cybersecurity in terms of robustness against a broad range of attacks. Accordingly, certification schemes used there need to be rather generic (e.g. ISO15408 – Common Criteria) than specific and act as building blocks for certification schemes tailored to sectors.
2. The sectorial view: standards in this case are typically very specific to the sectorial needs. However, certification schemes very specific to sectors (e.g. standards for smart cards) should make use of horizontal (generic) schemes and recognize and build on top of those.
Sectorial Certification Scheme - Adjective indicating that an ICT product, ICT process or ICT service targets a particular market sector and that the related cybersecurity certificate may be recognized by corresponding cybersecurity certification schemes of these particular market sector. Sectorial ICT systems usually rely on ICT infrastructure services for specific functions.Cybersecurity Certification: EUCC Candidate Scheme

(https://www.enisa.europa.eu/publications/cybersecurity-certification-eucc-candidate-scheme)
• Accordingly, it is very important that standardization and certification approaches are well aligned across different industries when it comes to suppliers at the start of the supply-chain. For example, manufacturers of smart cards usually deliver their products into multiple sectors. On the other hand, once the integration steps come close to a final product, the situation might become very sector-specific. Therefore, it is essential to keep at least two views in mind:
1. The horizontal view: standards for cybersecurity in terms of robustness against a broad range of attacks. Accordingly, certification schemes used there need to be rather generic (e.g. ISO15408 – Common Criteria) than specific and act as building blocks for certification schemes tailored to sectors.
2. The sectorial view: standards in this case are typically very specific to the sectorial needs. However, certification schemes very specific to sectors (e.g. standards for smart cards) should make use of horizontal (generic) schemes and recognize and build on top of those.
Target of EvaluationToEA set of software, firmware, hardware and/or process possibly accompanied by guidanceISO/IEC 15408-1:2009
(CC)
• A software application;
• An operating system;
• A software application in combination with an operating system;
• A software application in combination with an operating system and a workstation;
• An operating system in combination with a workstation;
• A smart card integrated circuit;
• The cryptographic co-processor of a smart card integrated circuit;
• A Local Area Network including all terminals, servers, network equipment and software;
• A database application excluding the remote client software normally associated with that database application;
• A supply chain.
- ToE shall be the ICT product as a whole or the elements of the ICT product.

- While there are cases where a TOE consists of an IT product, this need not be the case. The TOE may be an IT product, a part of an IT product, a set of IT products, a unique technology that may never be made into a product, or a combination of these.
As far as ISO/IEC 15408 is concerned, the precise relation between the TOE and any IT products is only important in one aspect: the evaluation of a TOE containing only part of an IT product should not be misrepresented as the evaluation of the entire IT product.
Trusted IT Product - IT product, other than the TOE, which has its security functional requirements administratively coordinated with the TOE and which is assumed to enforce its security functional requirements correctlyISO/IEC 15408-1:2009
(CC)
One that has been separately evaluated.
Security Requirements ASE_REQThe security requirements consist of two groups of requirements:
a) the security functional requirements (SFRs)
b) the security assurance requirements (SARs)
ISO/IEC 15408-1:2009
(CC)
-
- Security Functional RequirementsSFRA translation of the security objectives for the TOE into a standardised languageISO/IEC 15408-1:2009
(CC)
- Security Assurance RequirementsSARA description of how assurance is to be gained that the TOE meets the SFRsISO/IEC 15408-1:2009
(CC)
The ST also contains a security requirements rationale that explains why this particular set of SARs was deemed appropriate. There are no specific requirements for this explanation. The goal for this explanation is to allow the readers of the ST to understand the reasons why this particular set was chosen.
An example of an inconsistency is if the security problem description mentions threats where the threat agent is very capable, and a low (or no) Vulnerability analysis (AVA_VAN) is included in the SARs.
Conformance Statement - This statement describes the manner in which PPs or STs must
conform to this PP: strict or demonstrable
ISO/IEC 15408-1:2009
(CC)
A typical example of the use of strict conformance is in selection based purchasing where a product's security requirements are expected to exactly match those specified in the PP.
- Strict conformance is oriented to the PP-author who requires evidence that the requirements in the PP are met, that the ST is an instantiation of the PP, though the ST could be broader than the PP. In essence, the ST specifies that the TOE does at least the same as in the PP, while the operational environment does at most the same as in the PP.
- Demonstrable conformance is orientated to the PP-author who requires evidence that the ST is a suitable solution to the generic security problem described in the PP.
Conformity - fulfilment of a requirement[ISO/IEC 27000:2018]
Non-conformity - non-fulfilment of a requirement[ISO/IEC 27000:2018]
Conformance Claim - The conformance claim indicates the source of the collection of requirements that is met by a TOE or PP that passes its evaluation.Common Criteria for Information Security Conformity Evaluation (CC) (Part I: Introduction and general model (2017), v3.1 Rev. 5 https://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R5.pdf (Section 10.5)
Protection ProfilePPImplementation-independent statement of security needs for a TOE typeISO/IEC 15408-1:2009
(CC)
As a Protection Profile is not written for a specific product, in many cases only a general idea can be given of the available hardware/software/firmware. In some other cases, e.g. a requirements specification for a specific consumer where the platform is already known, (much) more specific information may be provided.

All vendors must agree for the PP doc, which describes the security functions of the ToE, threats, etc.

[https://www.commoncriteriaportal.org/pps/]
Security TargetSTImplementation-dependent statement of security needs for a specific identified TOEISO/IEC 15408-1:2009
(CC)
A document provided by the vendor of the product (in a product evaluation process), which defines boundary and specifies the details of the TOE.
An ST contains some (but not very detailed) implementation-specific information that demonstrates how the product addresses the security requirements. It may refer to one or more Protection Profiles (PPs). In such a case, the ST must fulfill the generic security requirements given in each of these PPs, and may define further requirements.

[https://commoncriteriaportal.org/files/epfiles/383-4-450%20ST%20v1.3A.pdf]
Security Objective-(1) Statement of an intent to counter identified threats and/or satisfy identified organization security policies and/or assumptions [ISO/IEC 15408-1:2009(CC)]. (2) Information security objective: Objectives that are set by the organization, consistent with the information security policy, to achieve specific results [ISO/IEC 27000:2018].ISO/IEC 15408-1:2009
(CC) , ISO/IEC 27000:2018
• to protect stored, transmitted or otherwise processed data against accidental or unauthorised storage, processing, access or disclosure during the entire life cycle of the ICT product, ICT service or ICT process
• to protect stored, transmitted or otherwise processed data against accidental or unauthorised destruction, loss or alteration or lack of availability during the entire life cycle of the ICT product, ICT service or ICT process
• that authorised persons, programs or machines are able only to access the data, services or functions to which their access rights refer
According to Article 51 of EU Cybersecurity Act, a European cybersecurity certification scheme shall be designed to achieve, as applicable, at least the following security objectives:
(a) to protect stored, transmitted or otherwise processed data against accidental or unauthorised storage, processing, access or disclosure during the entire life cycle of the ICT product, ICT service or ICT process;
(b) to protect stored, transmitted or otherwise processed data against accidental or unauthorised destruction, loss or alteration or lack of availability during the entire life cycle of the ICT product, ICT service or ICT process;
(c) that authorised persons, programs or machines are able only to access the data, services or functions to which their access rights refer;
(d) to identify and document known dependencies and vulnerabilities;(e) to record which data, services or functions have been accessed, used or otherwise processed, at what times and by whom;
(f) to make it possible to check which data, services or functions have been accessed, used or otherwise processed, at what times and by whom;
(g) to verify that ICT products, ICT services and ICT processes do not contain known vulnerabilities;
(h) to restore the availability and access to data, services and functions in a timely manner in the event of a physical or technical incident;
(i) that ICT products, ICT services and ICT processes are secure by default and by design;
(j) that ICT products, ICT services and ICT processes are provided with up-to-date software and hardware that do not contain publicly known vulnerabilities, and are provided with mechanisms for secure updates.
Assurance Class-Each assurance class contains at least one assurance family. The Assurance Class name indicates the topics covered by the assurance class.ISO/IEC 15408-3:2008
(CC)
• Class ACO - Composition
• Class ADV - Development
• Class AGD – Guidance documents
• Class ALC – Life-cycle support
• Class ASE – Security Target Evaluation
• Class ATE – Tests
• Class AVA – Vulnerability assessment
Assurance Family - Assurance Family is family defined by ISO/IEC 15408-3. Each assurance family contains one or more assurance components. The Family name provides descriptive information about the topics covered by the assurance family.
Each assurance family is placed within the assurance class that contains other families with the same intent.
ISO/IEC 15408-3 (CC)1 FAMILY SECURITY ARCHITECTURE (ADV_ARC)
2 FAMILY FUNCTIONAL SPECIFICATION (ADV_FSP)
3 FAMILY IMPLEMENTATION REPRESENTATION (ADV_IMP)
4 FAMILY TSF INTERNALS (ADV_INT).
5 FAMILY SECURITY POLICY MODELLING (ADV_SPM)
6 FAMILY TOE DESIGN (ADV_TDS)

1 OPERATIONAL USER GUIDANCE (AGD_OPE)
2 PREPARATIVE PROCEDURES (AGD_PRE)

1 FAMILY CM CAPABILITIES (ALC_CMC)
2 FAMILY CM SCOPE (ALC_CMS)
3 FAMILY DELIVERY (ALC_DEL)
4 DEVELOPMENT SECURITY (ALC_DVS)
5 FLAW REMEDIATION (ALC_FLR)
6 FAMILY LIFE-CYCLE DEFINITION (ALC_LCD)
7 FAMILY TOOLS AND TECHNIQUES (ALC_TAT)

1 FAMILY FUNCTIONAL TESTS (ATE_FUN)
2 FAMILY COVERAGE (ATE_COV)
3 FAMILY DEPTH (ATE_DPT)
4 FAMILY INDEPENDENT TESTING (ATE_IND)

1 FAMILY VULNERABILITY ASSESSMENT (AVA_VAN)
For the purposes of this project, only the Family of Vulnerability Assessment (AVA_VAN) will be used.
Assurance Level - A basis for confidence that an ICT product, ICT service or ICT process meets the security requirements of a specific European cybersecurity certification scheme, indicates the level at which an ICT product, ICT service or ICT process has been evaluated but as such does not measure the security of the ICT product, ICT service or ICT process concernedRegulation (EU) 2019/881
(EU Cybersecurity Act)
• Level 1: Little or no confidence;
• Level 2: Some confidence;
• Level 3: High confidence;
Evaluation Assurance LevelEALThe definition of a scale for measuring assurance for component Targets of Evaluation (TOEs)ISO/IEC 15408-3:2008
(CC)
Vulnerability Analysis AVA_VANAVA_VANVulnerability analysis is an assessment to determine whether potential vulnerabilities identified, during the evaluation of the development and anticipated operation of the TOE or by other methods (e.g. by flaw hypotheses or quantitative or statistical analysis of the security behaviour of the underlying security mechanisms), could allow attackers to violate the SFRs.
Vulnerability analysis deals with the threats that an attacker will be able to discover flaws that will allow unauthorised access to data and functionality, allow the ability to interfere with or alter the TSF, or interfere with the authorised capabilities of other users.
Vulnerability assessment class addresses the possibility of exploitable vulnerabilities introduced in the development or the operation of the TOE. Assessment of development vulnerabilities is covered by the assurance family AVA_VAN.
ISO/IEC 15408-3:2008
(CC)
Levelling is based on an increasing rigour of vulnerability analysis by the evaluator and increased levels of attack potential required by an attacker to identify and exploit the potential vulnerabilities.
• AVA_VAN.1 Vulnerability survey
(TOE Resistance against Basic Attack Potential);
• AVA_VAN.2 (Unstructured) Vulnerability analysis
(TOE Resistance against Basic AP);
• AVA_VAN.3 Focused vulnerability analysis
(TOE Resistance against Enhanced-Basic AP);
• AVA_VAN.4 Methodical vulnerability analysis
(TOE Resistance against Moderate AP);
• AVA_VAN.5 Advanced methodical vulnerability analysis
(TOE Resistance against High AP).
Security FunctionSFFunction that implement the security requirements.ISO15408
(CC)
Package - A named set of security requirements. A package is either
• a functional package, containing only SFRs, or
• an assurance package, containing only SARs.
Mixed packages containing both SFRs and SARs are not allowed
ISO/IEC 15408-1:2009
(CC)
Examples of assurance packages are the evaluation assurance levels (EALs) – i.e. “EAL 3”– that are defined in ISO/IEC 15408-3. At the time of writing there are no functional packages for this version of ISO/IEC 15408.A package can be defined by any party and is intended to be re-usable. To this goal it should contain
requirements that are useful and effective in combination. Packages can be used in the construction of larger
packages, PPs and STs. At present there are no criteria for the evaluation of packages, therefore any set of
SFRs or SARs can be a package.
Composed Assurance PackageCAPThe definition of a scale for measuring assurance for composed TOEsISO/IEC 15408-3:2008
(CC)
The structure of the CAPs is similar to that of the EALs. The main difference between these two types of package is the type of TOE they apply to; the EALs applying to component TOEs and the CAPs applying to composed TOEs.
Conformity Assessment BodyCABA body that performs conformity assessment activities including calibration, testing, certification and inspectionRegu­lation (EC) No 765/2008One that:
• Applies and assesses conformity to EU Cybersecurity Certification Scheme.
• Certifies product conformity by a certification report.
For the purposes of this Regulation, not-for-profit operation by a national accreditation body should be understood as an activity that is not intended to add any gain to the resources of the body's owners or members. While national accreditation bodies do not have the objective of maximising or distributing profits, they may provide services in return for payment, or receive income. Any excess revenue that results from such services may be used for investment to develop their activities further, as long as it is in line with their main activities. It should accordingly be emphasised that the primary objective of national accreditation bodies should be to support or engage actively in activities that are not intended to produce any gain.

*This body is going to follow the ECCS.
Conformity AssessmentCAThe process demonstrating whether specified requirements relating to a product, process, service, system, person or body have been fulfilled
A procedure for evaluating whether specified requirements relating to an ICT product, ICT service or ICT process have been fulfilled
Regu­lation (EC) No 765/2008
Regulation (EU) 2019/881
(EU Cybersecurity Act)
That procedure is carried out by an independent third party that is not the manufacturer or provider of the ICT products, ICT services or ICT processes that are being assessed. A European cybersecurity certificate should be issued following the successful evaluation of an ICT product, ICT service or ICT process. A European cybersecurity certificate should be considered to be a confirmation that the evaluation has been properly carried out. Depending on the assurance level, the European cybersecurity certifi­cation scheme should indicate whether the European cybersecurity certificate is to be issued by a private or public body. Conformity assessment and certification cannot guarantee per se that certified ICT products, ICT services and ICT processes are cyber secure. They are instead procedures and technical methodologies for attesting that ICT products, ICT services and ICT processes have been tested and that they comply with certain cybersecurity requirements laid down elsewhere, for example in technical standards. [EU Cybersecurity Act]
*In case the assurance level is basic then the CAB is a vendor / service provider / supply chain provider (see "conformity self-assessment").
Conformity Self-assessment - An action carried out by a manufacturer or provider of ICT products, ICT services or ICT processes, which evaluates whether those ICT products, ICT services or ICT processes meet the requirements of a specific European cybersecurity certification schemeRegulation (EU) 2019/881
(EU Cybersecurity Act)
Same example as before, except that in a conformity self-assessment an authority is not needed. The organisation can either do it itself or by using a third-party company, but not an authority.
Accreditation - An attestation by a national accreditation body that a conformity assessment body meets the requirements set by harmonised standards and, where applicable, any additional requirements including those set out in relevant sectoral schemes, to carry out a specific conformity assessment activityRegu­lation (EC) No 765/2008
National Accreditation BodyNABThe sole body in a Member State that performs accreditation with authority derived from the StateRegu­lation (EC) No 765/2008One that accredits a Conformity Assessment Body.
National Supervisory Authority NSAA body or bodies nominated or established by Member States as their national supervisory authority in order to assume the tasks assigned to such authority under this Regulation and under the measures referred to in Article 3Regulation (EC) No 549/2004One that supervises a Conformity Assessment Body.
Attack Potential (means, skills, opportunities) - (1) Measure of the effort to be expended in attacking a TOE, expressed in terms of an attacker's expertise, resources and motivation [ISO/IEC 15408-1:2009].
(CC). (2) Perceived potential for success of an attack, should an attack be launched, expressed in terms of an attacker's expertise, resources and motivation [ISO/IEC 27032:2012].
ISO/IEC 15408-1:2009
(CC) , ISO/IEC 27032:2012
- Attack potential can be estimated Basic or Enhanced-basic or Moderate or High.
- 'Attack potential' is used to prove or deny the TOE security functionality remains in the secure state regardless if the vulnerability is identified or discovered.

Confidentiality-Property that information is not made available or disclosed to unauthorized individuals, entities, or processes.ISO/IEC 27000:2018
Integrity-Property of accuracy and completeness.ISO/IEC 27000:2018
Availability-Property of being accessible and usable on demand by an authorized entity.ISO/IEC 27000:2018
Accountability-the state of being answerable (in response) for assigned actions and decisions.ISO/IEC 27000:2018
Authenticity-Property that an entity is what it claims to be.ISO/IEC 27000:2018
Reliability-Property of consistent intended behaviour and results.ISO/IEC 27000:2018
Non-repudiation-Ability to prove the occurrence of a claimed event or action and its originating entities.ISO/IEC 27000:2018
Information security-Preservation of the CIA triad (Confidentiality, Integrity and Availability) of information involving also the ensurance of other properties such as authenticity, accountability, non-repudiation, and reliability.ISO/IEC 27000:2018
Vulnerability -1. Weakness in the TOE that can be used to violate the SFRs in some environment.
2. Weakness of an asset or control that can be exploited by one or more threats. 3. In the context of information technology and cybersecurity, a vulnerability is a behaviour or set of conditions present in a system, product, component, or service (functional) that violates an implicit or explicit security policy. A vulnerability can be thought of as a weakness or exposure that allows a security impact or consequence. Attackers exploit vulnerabilities to compromise confidentiality, integrity, availability, operation, or some other security property.
1. ISO/IEC 15408-1:2009 (CC) , 2. ISO/IEC 27000:2018, 3. ISO/IEC 29147:2018• Poor encryption in digital signatures. Target Row Refresh (TRR), aka the TRRespass issue (CVE-2020-10255) • The DNS bugs (CVE-2020-11901)
-Potential (uknown) Vulnerability-1. Potential: Suspected, but not confirmed, weakness 2. Uknown: There are reports of impacts that indicate a vulnerability is present, but that the cause of the vulnerability is unknown or they may differ on the cause or impacts of the vulnerability. Reporters are uncertain of the true nature of the vulnerability, and there is little confidence in the validity of the reports.1. ISO/IEC 15408-1:2009 (CC), 2. CVSS v3.1 NIST NVD (FIRST)An unknown/zero day vulnerability could be an adversary that sneaks in an asset through a backdoor that was left unlocked by accident.
-Confirmed Vulnerability-Detailed reports exist, or functional reproduction is possible (functional Source code is available to independently verify the assertions of the research, or the author or vendor of the affected code has confirmed the presence of the vulnerability.CVSS v3.1 NIST NVD (FIRST)A confirmed vulnerability example is the vulnerability of Microsoft Teams Remote Code Execution, which was published on 11/11/2020.
-Exploitable Vulnerability-Weakness in the TOE that can be used to violate the SFRs in the operational environment for the TOE.ISO/IEC 15408-1:2009 (CC)
-Residual Vulnerability-Weakness that cannot be exploited in the operational environment for the TOE, but could be used to violate the SFRs by an attacker with greater attack potential than is anticipated in the operational environment for the TOE.ISO/IEC 15408-1:2009 (CC)
Vulnerabilities Measurement/Labelling- Vulnerabilities are defined in terms of an attribute and the method for quantifying it ISO/IEC 27000:2018, ISO/IEC/IEEE 15939:2017 - Common Vulnerabilities and Exposures - TOE-relevant CVE vulnerabilities - Common Weakness Enumeration - Common Vulnerability Scoring System - CVSS basic metric - CVSS temporal metric - CVSS environmental metric - CVSS environmental metric
Severity of vulnerability-The severity of a vulnerability is an assessment of the relative importance of mitigating/remediating the vulnerability. The severity can be determined by the extent of the potential adverse impact if such a vulnerability is exploited by a threat source. Thus, the severity of vulnerabilities, in general, is context-dependent.NIST SP 800-30 Rev.1, 2012CVSS 3.1
Vulnerability Severity LevelVSL1. Qualitative severity rankings of “None” (0.0), "Low" (0.1-3.9), "Medium" (4.0-6.9), "High" (7.0-8.9), and “Critical” (9.0-10.0). 2. It measures the probability an attacker can successfully reach and exploit a specific vulnerability (either confirmed or unknown) taking into account temporal vulnerability characteristics and the impact according to the user’s environment to a specific asset.1. CVSS v3.1, 2. EU H2020-ICT-02-2020 project "CYRENE": CYRENE RCA Methodology
Common Vulnerabilities and ExposuresCVE1. A nomenclature and dictionary of security-related software flaws. 2. A list of entries—each containing an identification number, a description, and at least one public reference—for publicly known cybersecurity vulnerabilities.1. NIST SP 800-126 Rev. 2, 2. MITRE: online available: https://cve.mitre.org/The confirmed vulnerability example of Microsoft Teams Remote Code Execution has the CVE (Id) "CVE-2020-17091"
Common Weakness EnumerationCWEA community-developed list of software and hardware weakness types. It serves as a common language, a measuring stick for security tools, and as a baseline for weakness identification, mitigation, and prevention efforts.[MITRE] online availiable: https://cwe.mitre.org/CWE-20 Improper Input Validation: the asset does not validate or incorrectly validates input that can affect the control flow or data flow of a program.When software fails to validate input properly, an attacker is able to craft the input in a form that is not expected by the rest of the application. This will lead to parts of the system receiving unintended input, which may result in altered control flow, arbitrary control of a resource, or arbitrary code execution.
Common Vulnerability Scoring System CVSSThe Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. It mainly consists of three metric groups: Base, Temporal, and Environmental. FIRST CVSS v3.1 Specification, Rev.1 online available: https://www.first.org/cvss/v3-1/cvss-v31-specification_r1.pdf , [MITRE] https://nvd.nist.gov/vuln-metrics/cvssFor instance, the confirmed vulnerability "CVE-2020-17091" Microsoft Teams Remote Code Execution has Basic score metrics= 7.8 : Exploitability
Vulnerability ChainWeaknesses existing in a group of assets that can be exploited by threats starting from an entry point in a successive manner which allows a progressive security impact or consequences to these assets that terminate(s) to a target point. ANSI/API, 2013
Attacker (adversary/ threat agent)-1. Adversary: Individual, group, organization, or government that conducts or has the intent to conduct detrimental activities [NIST SP 800-30 Rev 1, 2012]. 2. Attacker: an actor who attempts to gain access to behaviors or resources that are outside of the product's intended control sphere for that actor [MITRE glossary].
3. Threat agent: entity that can adversely act on assets [ISO/IEC 15408-1:2009].
1. NIST SP 800-30 Rev 1, 2012, 2. MITRE glossary online available: https://cwe.mitre.org/documents/glossary, 3.. ISO/IEC 15408-1:2009For instance, an attacker can be a disgruntled employee (insider), a hacktivist, a cybercriminal, a terrorist group, a pirate or a hijacker, a cyber vandal, a government/industry spy.
Attack-Attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset.ISO/IEC 27000:2018Attack on a SCADA software (cyber), attack on a cruise terminal (physical).
Cyber attack-An attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information.NIST SP 800-30 Rev 1, 2012Man-In the-Middle attack cinderella attack ransomware attack
Attack Potential (means, skills, opportunities)-(1) Measure of the effort to be expended in attacking a TOE, expressed in terms of an attacker's expertise, resources and motivation. (2) Perceived potential for success of an attack, should an attack be launched, expressed in terms of an attacker's expertise, resources and motivation.1. ISO/IEC 15408-1:2009(CC) 2. ISO/IEC 27032:2012
Likelihood of occurrence-A weighted factor based on a subjective analysis of the probability that a given threat is capable of exploiting a given vulnerability or a set of vulnerabilities. Determining the likelihood of threat events causing adverse impacts.NISTIR 7621 Rev. 1, 2016, CNSSI 4009-2015, NIST SP 800-30 Rev 1, 2012
Threat-Potential cause of an unwanted incident, which can result in harm to a system or organization.ISO/IEC 27000:2018Example are a signature spoofing by key theft on an e-mail operating system and buffer overflow in Local Command-Line Utilities on an admin operating system.
Threat assessment-Process of formally evaluating the degree of threat to an information system or enterprise and describing the nature of the threat.CNSS, 2015, NIST SP 800-30 Rev.1, 2012
Threat level-The expected probability of occurrence of a threat to a cyber asset. EU H2020-DS-2014-01 project "MITIGATE"
Security impact analysis-The analysis conducted by an organizational official to determine the extent to which changes to the information system have affected the security state of the system.NIST SP 800-37 Rev.2, 2018
Impact-The result of an unwanted incidentISO/IEC PDTR 13335-1
Impact level-The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability.NIST SP 800-37 Rev.2, 2018
Risk AssessmentRA1. The overall process of risk identification, risk analysis and risk evaluation 2. the process of identifying, estimating, and prioritizing information security risks.1. ISO/IEC 27000:2018, 2. NIST SP 800-30 Rev.1, 2012
Risk assessor-The individual, group, or organization responsible for conducting a risk assessment.NIST SP 800-30 Rev.1, 2012
Level of risk-Magnitude of a risk expressed in terms of the combination of consequences and their likelihood.ISO/IEC 27000:2018
Residual risk-Risk remaining after risk treatment. Residual risk can contain unidentified risk. It can also be referred to as “retained risk”.ISO/IEC 27000:2018
Risk treatment-Process to modify risk. ISO/IEC 27000:2018
Risk mitigation-Risk treatments that deal with negative consequences.ISO/IEC 27000:2018
Control-1. Measure that maintains and/or modifies risk [ISO 31000: 2018; ISO/IEC 27000:2018]. 2. Controls include any process, policy, device, practice, or other actions which modify risk. It is possible that controls not always exert the intended or assumed modifying effect. [ISO/IEC 27000:2018]1. ISO 31000: 2018 1.,2. ISO/IEC 27000:2018Control – term used in [CSA, Art. 52.4]: “The certificate or the EU statement of conformity shall refer to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to decrease the risk of, or to prevent cybersecurity incidents.” This term can be seen as equivalent to the Security Functional Requirements (SFRs) defined in ISO15408.
Control objective-Statement describing what is to be achieved as a result of implementing controls.ISO/IEC 27000:2018
Security control-Security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system.NIST SP 800-30 Rev.1, 2012 (FIPS 199, CNSSI No. 4009)
Risk managementRM1. A systematic performance of policies, procedures and practices management on communicating, consulting activities, establishing the context and controlling identifying, analysing, evaluating, treating, monitoring and reviewing risk.
2. Coordinated activities to direct and control an organization with regard to risk.
1. ISO/IEC 27000:2018
2. ISO 31000:2018
Risk owner-Person or entity with the accountability and authority to manage a risk.ISO/IEC 27000:2018
Security ManagementSMSecurity management includes all the activities and practices implemented by organizations to manage security risks, threats, and impacts. These activities and practices should be coordinated in a systematic, and optimized manner.ISO 28000:2007

Maritime Transport Concepts

TermAbbreviationDefinition(s)Reference(s)Example(s)Notes/Remarks
Baltic and International Maritime CouncilBIMCOBIMCO is one of the greatest international shipping associations representing ship owners. It undertakes the control of around 65 percent of the world's tonnage and it has a strong membership, engaging more than 120 countries, involving managers, brokers and agents. BIMCO’s main objective is to protect its global membership via the provision of information and consulting that forwards fair business practices and invests on the harmonisation and standardization of commercial shipping practices and contracts.Baltic and International Maritime Council, Den Store Danske Encyklopædi. Denstoredanske.dk.
Online available: https://denstoredanske.lex.dk/Baltic
_and_International_Maritime_Council?utm_source=denstoredanske.dk&utm_medium=redirect&utm_campaign=DSDredirect
https://www.bimco.org/
Barge operator-A company that provides barge capacity and barge transport.EU H2020-DS-2014-01 project "MITIGATE"
Berth
Management
Systems
- Those systems are used by Port Authorities to manage and ensure safety in mooring processes: warnings and alerts, meteorological data, video cameras streams, berth allocation management, etc."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Border Control - The border control authorities are responsible of taking measures to monitor the state borders and to regulate the movement of people, animals and goods. In the EU, with Schengen agreement, the crews and passengers are controlled only once when they come from a non-EU country."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Bunkering-The provision of solid, liquid or gaseous fuel or of any other energy source used for the propulsion of the waterborne vessel as well as for general and specific energy provision on board of the waterborne vessel whilst at berth.Regulation (EU) 2017/352, Article 2
Cargo-Items that are placed on the ship to be transported to another port, such as boxes, pallets, cargo transport units, and bulk liquid and non-liquid matter.ISO 20858:2007
Cargo Community SystemCCSUsually owned and managed by port stakeholders that are usually private companies in charge of the terminal port operations. This system is used to share information on port operations related to the cargo and containers between all involved stakeholders (content of the cargo, localisation of a container, hour of its transfer, customs declarations, etc.)"Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Cargo handling - The organisation and handling of cargo between the carrying waterborne vessel and the shore, whether it be for import, export or transit of the cargo, including the processing, lashing, unlashing, stowing, transporting and temporary storage of the cargo on the relevant cargo-handling terminal and directly related to the transporting of the cargo, but excluding, unless the Member State determines otherwise, warehousing, stripping, repackaging or any other value added services related to the cargo.Regulation (EU) 2017/352, Article 2
Carrier-Freight transporting companyEU H2020-DS-2014-01 project "MITIGATE"
Centre for International Maritime SecurityCIMSECA 501(c)3 non-partisan think tank incorporated as a non-profit in the state of Maryland. CIMSEC was formed in 2012 and as of 2020 has 20 international chapters and over 2,000 members and subscribers in 60 countries. CIMSEC does not take organizational positions and encourages a diversity of views in the belief that a broad range of perspectives strengthens our understanding of the challenges and opportunities in the maritime domain. http://cimsec.org/about
Cities-At local level, the cities are strongly involved in the development and the operations of ports: investment in port infrastructure, in maritime tourism, planification of road construction, financing university research, etc. The cities are a major stakeholder involved in the construction of each port strategy."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Civil - Terminal operators, usually private companies, are responsible for maintaining security and safety on the land they rent from the Port Authority and managing the services related to terminal operations (loading and unloading cargo or passengers for instance)."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Civil Security, police and rescue at sea-The civil security and police authorities are responsible of law enforcement and of deploying measures to fight against criminals (terrorism, organized crime, etc.). Each port has its own local civil security and police. According to local and national specificities, they can also oversee rescue at sea to assist people and vessels in case of distress situations."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Coast Guards-Coast Guards are maritime organizations in charge of ensuring navigation safety and security and enforcing the law on the maritime territory under the responsibility of the country."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Combined Transport-Intermodal transport where the major part of the European journey is by rail, inland waterways or sea and any initial and/or final legs carried out by roadEU H2020-DS-2014-01 project "MITIGATE"
Commercial and
financial data
- As any company, the ports deliver services to companies (shipping companies, etc.) and books different services to their providers (ICT providers for example): financial and commercial are exchanges (money transfer, invoicing, etc.)."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Control & Authorisation-The Port Authorities and other national authorities control and deliver authorisation for vessel and cargo movement."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Customs (Authority/Agency/Office) - The customs authorities are responsible of the administration and the application of national and international customs law through the collection of duties and taxes, in particular for importation, exportation, movement or storage of goods in ports."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Customs Agent/Officer-A law enforcement agent who enforces customs laws, on behalf of a governmentEU H2020-DS-2014-01 project "MITIGATE"
Depot-A commercial building or area for storage of goods. Warehouses are used by manufacturers, importers, exporters, wholesalers, transport businesses, customs, etc. They are usually lcoated in industrial areas. They usually have loading docks to load and unload goods from trucks. Also warehouses are designed for the loading and unloading of goods directly from railways, airports, or seaports.EU H2020-DS-2014-01 project "MITIGATE"
Distributor-An entity that buys noncompeting products or product lines, and resells them to retailers or direct to the end users or customers.EU H2020-DS-2014-01 project "MITIGATE"
Dry Port-Inland terminal which is directly linked to a maritime port.EU H2020-DS-2014-01 project "MITIGATE"
European Border and Coast Guard AgencyFRONTEXAn agency of the European Union, headquartered in Warsaw, Poland, tasked with border control of the European Schengen Area, in coordination with the border and coast guards of Schengen Area member states.https://frontex.europa.eu/
European Fisheries Control AgencyEFCAAn European Union agency, which's mission is to promote the highest common standards for control, inspection and surveillance under the CFP. Its primary role is to organise coordination and cooperation between national control and inspection activities so that the rules of the CFP are respected and applied effectively.https://www.efca.europa.eu/
European Police OfficeEUROPOLThe European Union’s law enforcement agency, which's main goal is to achieve a safer Europe for the benefit of all the EU citizens.
Headquartered in The Hague, the Netherlands, EUROPOL supports the 27 EU Member States in their fight against terrorism, cybercrime and other serious and organised forms of crime. The agency also works with many non-EU partner states and international organisations.
https://www.europol.europa.eu/
Electronic Port ClearanceEPCProcess of exchanging information between the ship and its agent and various parties on shore to allow the ship clearance to enter port and berth.ISO 28005-2:2011EPC does not necessarily include customs clearance of goods that are imported or exported
European Maritime Safety AgencyEMSAArticle 1 of the EMSA Founding Regulation states that the purpose of the Agency is to ensure a high, uniform and effective level of maritime safety, maritime security, prevention of, and response to, pollution caused by ships as well as response to marine pollution caused by oil and gas installations and, where appropriate, to contribute to the overall efficiency of maritime traffic and maritime transport so as to facilitate the establishment of a European Maritime Transport Space without Barriers.http://www.emsa.europa.eu
European Sea Ports OrganisationESPOΙs acting as the main interface between European seaports and European institution"Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019https://www.espo.be/
European Union Agency for CybersecurityENISAIs the Union’s agency dedicated to achieving a high common level of cybersecurity across Europe. Established in 2004 and strengthened by the EU Cybersecurity Act, the European Union Agency for Cybersecurity contributes to EU cyber policy, enhances the trustworthiness of ICT products, services and processes with cybersecurity certification schemes, cooperates with Member States and EU bodies, and helps Europe prepare for the cyber challenges of tomorrow. Through knowledge sharing, capacity building and awareness raising, the Agency works together with its key stakeholders to strengthen trust in the connected economy, to boost resilience of the Union’s infrastructure, and, ultimately, to keep Europe’s society and citizens digitally secure.https://www.enisa.europa.eu/
Feeder service-Short sea shipping service which connects at least two ports in order to consolidate or redistribute freight from a deep sea service.EU H2020-DS-2014-01 project "MITIGATE"
Feeder vessel operator-A company operating and /or owning vessels that is specialised in feeder operations.EU H2020-DS-2014-01 project "MITIGATE"
Ferry operator-A company operating and /or owning ferry vessels.EU H2020-DS-2014-01 project "MITIGATE"
Fisheries - According to the Food and Agriculture Organization of the United Nations, a fishery is typically defined in terms of the "people involved, species or type of fish, area of water or seabed, method of fishing, class of boats, and purpose of the activities or a combination of the foregoing features"."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Fisheries Information Management SystemFIMSFor ports hosting fishing activities, the FIMS, as an integrated collection of applications and processes, is owned by the local fisheries authority and used by port stakeholders to manage fisheries operations (loading and unloading), traceability of fish catches, catch certifications."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Fishery Control - The fishery control authorities are in charge to ensure the fishing of good quality and sustainable seafood by defining controls and requirements that the fishing industry must follow. For instance, they control the permit for a vessel to fish, the origin of the fish catches, etc."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Flag state - The flag state of a commercial vessel is the jurisdiction under whose laws the vessel is registered: the flag state enforced regulations such as inspection, certification, and security requirements. Each vessel operates and navigates under the law of its flag state that list and enforce international conventions (IMO conventions notably)."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Focal point for port security-The body designated by each Member State to serve as contact point for the Commission and other Member States and to facilitate, follow up and provide information on the application of the port security measures laid down in this Directive.Regulation (EC) No 725/2004 (2004)
Forwarder (Freight Forwarder / Forwarding Agent / Local Agent / NVOCC: Non-Vessel Operating Common Carrier)-A person or company that organizes shipments for individuals or corporations to get goods from the manufacturer or producer to a market, customer or final point of distributionEU H2020-DS-2014-01 project "MITIGATE"
Freight sender and consignee-The sender is the person, company or organisation, at the origin of the forwarding of a good or other item which can be sent by sea.
The consignee is the receiver of this good, also a person, a company or an organisation.
"Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Harbour-Area of water providing shelter for ships, used to build ports.EU H2020-DS-2014-01 project "MITIGATE"
Harbour Master-Is an official responsible for enforcing the regulations of a particular harbour or port, in order to ensure the safety of navigation, the security of the harbour and the correct operation of the port facilities.EU H2020-DS-2014-01 project "MITIGATE"
Hinterland connectivity-The port, as an interface between the sea and the hinterland transport systems, has hinterland connectivity assets such as railway stations and rolling stock loading and dispatch systems, road infrastructure, intermodal stations, canals and port infrastructures connecting with inland waterways."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Hinterland liaisons - This category relates to all stakeholders, private as public, interacting in the multi-modal ecosystem of the port: waterways, roads, railways, etc."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
ICS
Communications
networks &
components
- To ensure the communications between the ICS components, the port manage the following assets: switches (managed and unmanaged), wireless access points, protocols, power supply systems (water, electricity, etc.)"Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
International Maritime BureauIMBA specialised division of the International Chamber of Commerce acting against all types of maritime crime and malpractice)."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019http://www.icc-ccs.org/icc/imb
Industrial control systems (for maritime transport)ICSIn the port, there are different Industrial Control Systems (ICS), for managing port access and vessels berthing (bridges, locks, gates, etc.), port infrastructure (buildings, etc.) and terminal operations (cranes, storage, etc.). The ICS is composed of the following components: automatons and analysers (PLCs, RTUs), databases (Historian, MES, etc.), supervisory systems (DCS, SCADA), HMI / workstations (programming consoles, engineering workstation), Maintenance systems and Safety Instrumented Systems (SIS)."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Inland Carrier-A transportation line which hauls cargo inland: truck, rail, barge, inland waterways, or domestic airline flights.EU H2020-DS-2014-01 project "MITIGATE"
Insurance Company-Provides coverage to the Importer for damages to the vehicles resulting from incident during their transportation, loading, unloading, or storage. A marine insurance can also preserve the insured from marine casualties, the loss or damage of vessels, hull, terminals, and any transport or cargo by which property is transferred, acquired, or held between the points of origin and defined destination.EU H2020-DS-2014-01 project "MITIGATE"
Intermodal Transport-Movement of goods in one loading unit or road vehicle, which uses two or more modes of transport.EU H2020-DS-2014-01 project "MITIGATE"Intermodal Transport unit: containers, swap bodies, semi-trailers
International Association of Independent Tanker OwnersINTERTANKOIt is a trade association of independent tanker owners supporting the interests of its Members at national, regional and international levels. The organisation aims to support global energy networks through the delivery of safe, efficient and environmentally sound transport services and it deals with a wide range of operational, technical, legal and commercial issues related to tanker owners and operators around the world. INTERTANKO. Online available: https://www.intertanko.com/About-Us/
International association of Ports and HarboursIAPHIs the global trade association for seaports worldwide."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019https://www.iaphworldports.org/
International Maritime OrganizationIMOIMO is a specialized agency of the United Nations, responsible for measures that focusing on improving the safety and security of international shipping and preventing marine and atmospheric pollution from ships.International Maritime Organization. Online available: https://www.imo.org/en/About/Pages/Structure.aspx
International Port Community System AssociationIPCSAAn association with members from both private and public sectors, including governmental organisations, that focuses its activities on practical advice and guidance, rather than policy. As a result, IPCSA as respected as a trusted third party, in line with its community system members, and it is recognised as such by international bodies and intergovernmental organisations. IPCSA focuses on supporting and facilitating systems and innovations for its members and their users, and promoting the use of international data standards in sea and air ports, at border crossings and via Single Window systems around the world.https://ipcsa.international/
International Ship and Port Facility Security Code ISPS International Ship and Port Facility Security Code (IMO, 2002): since 2004 in force for intra-EU sea traffic, objective: information provision and exchange with a view to the security status of a vessel or actual threats and dangers to port facilitiesSOLAS XI-2 and the ISPS Code, The International Ship and Port Facility (ISPS) Code. Online available: https://www.imo.org/en/OurWork/Security/Pages/SOLAS-XI-2%20ISPS%20Code.aspx
Lift-on / Lift-offLoLoLoading an unloading of intermodal transport units using lifting equipment.EU H2020-DS-2014-01 project "MITIGATE"
Local Agent-A Local Agent has primary responsibility to complete shipping and customs documentation, and arrange for vehicles transportation. Agents assist businesses and individuals (Importers) who need to ship the vehicles from one country to anotherEU H2020-DS-2014-01 project "MITIGATE"
Logistics-Process of designing and managing the supply chain.EU H2020-DS-2014-01 project "MITIGATE"
Mandatory
declarations
- Many declarations are mandatory for a ship to get into the port area, in respect with international, European, national and local regulations. For instance, mandatory by the FAL Convention: passenger and crew, vessel, cargo, border control, waste, security, health, travel information is required."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Maritime communication - A diverse set of communication interactions in shipping: • Ship-to-ship
• Ship-to-port
• Ship-to-Remote Control Centre (RCC)
• Ship-to-Vessel Traffic Services (VTS)
• Ship-to-Application Service Provider (ASP)
• Ship-to-Medical Aid Provider (MAP)
• Ship-to-Search and Rescue (SAR)
• Ship-to-Maritime Rescue Coordination Centre (MRCC)
Rødseth, Ørnulf Jan, Christian Frøystad, Per Håkon Meland, Karin Bernsmed, and Dag Atle Nesheim. “The need for a public key infrastructure for automated and autonomous ships.” In IOP Conference Series: Materials Science and Engineering, vol. 929, no. 1, p. 012017. IOP Publishing, 2020.VDES or RFID communicationVHF Data Exchange System (VDES): a radio communication system that operates between ships, shore stations and satellites on Automatic Identification System (AIS), Application Specific Messages (ASM) and VHF Data Exchange (VDE) frequencies in the Marine Mobile VHF band.
Radio-frequency identification (RFID): uses electromagnetic fields to automatically identify and track tags attached to objects. An RFID system consists of a tiny radio transponder, a radio receiver and transmitter. When triggered by an electromagnetic interrogation pulse from a nearby RFID reader device, the tag transmits digital data, usually an identifying inventory number, back to the reader. This number can be used to track inventory goods.
Maritime security-The combination of measures and human and material resources intended to protect shipping against intentional unlawful acts.Regulation COM/2003/0229 (EU) (enhancing maritime transport security)
Resistance to intentional, unauthorized acts designed to cause harm or damage to ships and ports.ISO 20858:2007
Maritime security incident-Suspicious act or circumstance threatening the security of a ship or port facility.ISO 20858:2007(1) Piracy on a cargo ship
(2) tankers ship collision due to hackers activity: changed tankers' geolocation in a marine traffic database
Maritime stakeholder-A policy actor and/or an organisation/entity/person involved in the shaping of maritime policies and directives.EU H2020-DS-2014-01 project "MITIGATE"Shipping companies, ship agent, ship master and crew, etc.
Maritime TransportMTAn Inland, sea and coastal passenger and freight water transport companies (as defined for maritime transport in Annex I to Regulation (EC) No 725/2004 of the European Parliament and of the Council) not including the individual vessels operated by those companies.NIS Directive, 2016
Mobile devices - Different mobile devices are used in ports: smartphones, tablets, TETRA radios, specific devices used for logistics (scanning, etc.) etc."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Mooring-The berthing and unberthing services, including shifting along the quayside, that are required for the safe operation of a waterborne vessel in the port or in the waterway access to the portRegulation (EU) 2017/352, Article 2
Multimodal Transport-Carriage of goods by two or more modes of transport.EU H2020-DS-2014-01 project "MITIGATE"
Multimodal Transport Operator-Person who concludes a multimodal transport contract and assumes the whole responsibility, performs as carrier or transport operator.EU H2020-DS-2014-01 project "MITIGATE"
Navigation data-Through satellite and navigation data (AIS, SafeSeaNet, etc.), the different stakeholders share navigation data with the port (GPS position, information on maritime routes, etc.)."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Network-Different networks are set up in ports: VHF radios (Internet, WiMAX/WIFI, Satellite, ad-hoc networks, VLAN/LAN, etc. They can be managed by different stakeholders at different levels."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Operational data-In order to plan and manage all the services (ship services, logistics services, etc.), operational data are shared between the port stakeholders."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Operator-Represented in the transport chain as forwarder, intermodal operator, agent or terminal operator having each of their function either to plan and/or to control each transport stage and/or load unit handling in the terminals.EU H2020-DS-2014-01 project "MITIGATE"
OT end devices - The Operational Technology end devices of the ICS of the port."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
- Related to hinterland connectivity - To get in or out the cargo, container, vehicles or passengers, different end-devices are used to control and inspect them, and then transport them to other transport systems: control and inspection systems (scanners, inspection systems, Xray), railway station, marshalling yards for wagons, multimodal transport hubs for people (passengers, workers…), inland port facilities, port gate control equipment (plates reading, badges, barcodes reading, detectors)"Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
- Related to port facility specific lay-out - The end-devices of the ICS related to the port facility specific lay-out are: specific fencing and access control, specific safety and security equipment, first response equipment, specific operational room, etc."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
- Related to temporary storage - Once the cargo or container are out of the vessel, they are temporary stored in the port areas, different OT end-devices are used: internal transport systems (straddle carrier, yard, truck, chassis, etc.), storage equipment systems (pallet racks, tankage, etc.), cooled and uncooled stores, silos, tanks, switches (managed and unmanaged) for pipes and conveyor belts, wireless access points for « smart » seals and container self-localisation devices, etc."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
- Related to vessel loading and unloading - To load and unload the vessels, many OT end-devices are used: terminal-specific handling equipment and systems (cranes, ramps for passengers, pipelines, belt, conveyors, etc.), terminal-specific freight tracking systems (barcodes, liquid meters, RFID, seals, scales etc.), people badge or ticket scanners, plates reading systems, fault detectors in automated loading/unloading systems (leakages, shocks, jamming etc.)"Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
- Related to vessels berthing - The end-devices of the ICS related to the port vessels berthing are: boatage, berth management systems, specific inspection and control equipment, etc."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Passenger service-The organisation and handling of passengers, their luggage and their vehicles between the carrying waterborne vessel and the shore, and also includes the processing of personal data and the transport of passengers inside the relevant passenger terminal.Regulation (EU) 2017/352, Article 2
Physical floating barriers - To protect other critical vessels and port areas, to contain pollutions and other purpose, the port can use physical floating barriers."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Policy Actor-Representative of a group of interests within a country community, a country or a region, influencing decisions of transport actors concerning the choice of the means of transport by policy frameworks such as fiscal and order policy measures.EU H2020-DS-2014-01 project "MITIGATE"
Port-(1) A specified area of land and water, with boundaries defined by the Member State in which the port is situated, containing works and equipment designed to facilitate commercial maritime transport operations.
(2) Location on a coast or shore containing one or more port facilities where ships can berth and transfer people or cargo to or from land.
EU Council Directive 2005/65/EC (2005), (2) ISO 28005-1:2013Piraeus port, Valencia portThe only difference between the two terms is that the second term specifically refers to the movement of people and cargo while the first term defines it in a more generic and commercial view.
Port Authority - A governmental or almost governmental public authority, sitting at the heart of the interactions between all stakeholders, in collaboration with other local and national authorities, is responsible of maintaining and developing the port infrastructure and the transport infrastructure, ensuring the global safety and security of port and ship operations through the harbour master. Moreover, the Port Authority oversees some controls and inspections in respect with national, European and international legislations."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019- The Valenciaport Foundation http://www.fundacion.valenciaport.com/ is the sixth largest port in Europe in terms of volume of traffic and it is also the top in import, export and transshipment port in the Mediterranean.

- Pireaus Port Authority (PPA)
Port building-Buildings that host the different offices related to the port services (Harbour Master office, customs office, etc.) and the data centres hosting all the IT and OT systems."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Port clearance-Process undertaken by an entity or entities for the purpose of determining if a ship may enter the port, berth at a facility, conduct certain operations and/or depart the port.ISO 28005-1:2013
Port Community System PCSIt is usually owned and managed by the Port Authority or port stakeholders, increasingly organised, as a single window system to share information on port operations related to the vessels between all the port stakeholders (date of arrival or departure of the ship given by the shipping companies, mandatory declarations such as crew list, dangerous goods declarations, bookings of vessel services, etc.)."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Port Corporate Systems - The Port Corporate Systems are composed of different applications, systems, workstations and servers, common to every companies: financial, human resources (HR), communication and networks systems, emailing systems, sales and marketing systems (ERP), etc."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Port facility-(1) A location where the ship/port interface come about encompassing areas, such as anchorages, awaiting berths and approaches from seaward, as appropriate.
(2) (Maritime port facility) those areas of the port and harbour where the ship/port interface takes place.
Regulation (EC) No 725/2004 (2004), ISO 20858:2007
Port Facility Security PlanPFSPPlan to ensure the application of measures designed to protect the people, port facility, ships, cargo, cargo transport units, and ship stores within the port facility from the risks of a security incident.ISO 20858:2007
Port Safety & security - The port has also dedicated infrastructure to ensure safety and security: control tower, operational room, security centre, first response facilities (firefighting, pollution, containment, evacuation routes, medical facilities, etc.)."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019Many systems are set up in the port areas to ensure safety and security of people and port infrastructure:
• Detection systems such as video-surveillance (CCTV), incident management systems, first response centre systems, IDS (intrusion detection systems), abnormal behaviour detection systems;
• Emergency communication systems;
• Access control systems such as automatic gates, smart fencing systems, badging systems, access monitoring and counting systems;
• Traffic monitoring systems such as radar and electro-optic monitoring systems, train and truck traffic monitoring systems;
• Surveillance & inspection systems such as patrolling staff, oats, dogs and vehicles, detectors (fires, gas leaks, nuclear, etc.), X-ray scanners;
• Evacuation systems such as exit route guidance, muster points, guidance screens, emergency doors;
• Identification & authentication systems such as face recognition systems, biometric systems, ID control portable terminals; and
• Alerting systems such as sirens and loudspeakers.
Port security authority-The authority responsible for security matters in a given port.Regulation (EC) No 725/2004 (2004)
Port security personnel -Individuals who have assigned security duties defined in the port facility and who may or may not be employees.ISO 20858:2007
Port service ships-The port has dedicated service ships at disposal to deliver specific services on water to the vessels: pilot boats, tugboats, boatage and mooring assistance, supply vessels, safety vessels, inspection and security vessels."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Port State Control - The Port State Control is responsible of making inspections of foreign ships (with a flag state different from the port) in ports to verify the compliance of the ships with international and national regulations. The Port State Control can take actions against non-compliant ships (sanctions, etc.)."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Portuary infrastructure-The assets are related to the mooring of the vessels in the port (docks, quays, jetties, piers), the lighting, the access control (gates, plate reading systems, detectors) and the transport inside the port areas (roads, railways, waterways, walk roads)."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Prevention of Pollution - The prevention of pollution authorities are responsible of ensuring that national and international regulations are applied in the port ecosystem (management of ship waste, etc.)."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Protocols - Sets of rules that are used to exchange information."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019Electronic Data Interchange (EDI), Application Programming Interface (API), authentication protocols, etc.
Radio-Radio systems (RFID, VHF, etc.) are used for many port processes: communication with ships, safety and security operations, logistics management, etc."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Request-Message sent from the ship to the single window, containing a request for some form of clearance or other service from one or more authorities connected to the single window.ISO 28005-1:2013
Road haulier-A company operating and /or owning trucks and carrying out road transport functions concentrating on the physical movements of goods.EU H2020-DS-2014-01 project "MITIGATE"
Roll-on / Roll-offRoRoThe typical ferry vessels where cars and truck drive on and off by means of a ramp. This is also uses for car carriers, to avoid wasting time by having to hoist the cars, trucks, busses or other vehicles in the sips.EU H2020-DS-2014-01 project "MITIGATE"
Seaside connectivity-Those assets are related to the navigation between the seaside and the port area to ensure that the vessels can enter and exit the port: breakwaters, sea locks, buoys, light beacons, marking of waterways, tide, wind and currents monitoring, radar monitoring of waterways."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Servers-Numerous servers are used in the ports for different uses: web servers, application servers, proxy servers, mail servers, virtual servers, printers, etc."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Service providers---- Classification societies
- Dockers
- ICT integrators
- Infrastructure providers
- Logistic service provider
- Security providers
- Ship repair services
- Ship services providers
- Classification societies-As a non-governmental organisation, classification societies set standards for the construction and operation of ships and offshore structures and certify that the construction of a ship complies with those standards by delivering a certificate."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
- Dockers-The dockers are employed by private companies – which could be terminal operators – to realise the terminal operations (e.g. loading and unloading vessel cargo)."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
- ICT integrators-To support the port processes and operations, ports use daily Information and Communication Technology (ICT) systems which are, for most of them, set up, operated and maintained by private specialised companies in IT and Communications development."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
- Infrastructure providers-A port can contract private companies to operate in the port to ensure the installation of port infrastructure and its maintenance."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
- Logistic service provider-A company that offers logistic services like warehousing, storage, stuffing and stripping, etc., but in any way other services than just transport and forwarding.EU H2020-DS-2014-01 project "MITIGATE"
- Security providers-To ensure security in ports, private companies operates and maintains security systems in the port (such as CCTV)."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
- Ship repair services-Shipping companies or shipowners can book ship repair services to the port for damage cases of all kinds, delivered by different actors depending on their expertise (propulsion systems, governors, etc.)."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
- Ship services providers-A ship can book different services to the port. For some of these services, the port delegates these services to external companies (e.g. refuelling)."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Ship-Ship itself, an agent in the port of call, the owner or management company, or any other entity that can legally represent the ship in the transaction.ISO 28005-1:2013Cargo ship, passengers ship, RoRo, LoLo, tanker
Ship / Maritime Agent-A person or company that carries out the functions of an agent irrespective of whether they are in business as a ship agent, or they perform such functions as an adjunct to, or in conjunction with, other activities such as ship owning or operating, providing cargo handling or similar.
Person or firm that transacts all business in a port on behalf of ship owners or charterers. Also called shipping agent or agent.
EU H2020-DS-2014-01 project "MITIGATE"
Also called ship agent, the maritime agent acts as a representative of the shipowner to fulfil the requirements for each port the ship visits."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Ship Broker-Acts as a specialized agents or intermediaries in commercial negotiations and transactions between Ship Owners and Charterers (the automobile Industry in the Vehicle supply chain) to arrange maritime transport of vehicles. Moreover, they buy and sell ships on behalf of their clients.EU H2020-DS-2014-01 project "MITIGATE"
Shipowners and crew-The shipowner is in charge of equipping and exploiting a commercial vessel, hiring licensed crew and captains to operate the ship.
"Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Ship insurance - Ship insurance covers the loss or damage of ships, cargo, terminals, and any transport by which the property is transferred, acquired, or held between the points of origin and the destination."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Ship / port interface-The interactions that occur when a ship is directly and immediately affected by actions involving the movement of persons or goods or the provision of port services to or from the ship.Regulation (EC) No 725/2004 (2004)
Shipper-The owner of the cargo when it is dispatched. It can be either a consignee or a consignor.EU H2020-DS-2014-01 project "MITIGATE"
Shipping and maritime freight companies-These private companies are in charge of transferring and forwarding freight from a place to another, by bookings services for all kind of transport (maritime transport, railways, etc.)."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Shipping line / coastal / oversea shipping line-A company operating and /or owning vessels for sea transport.EU H2020-DS-2014-01 project "MITIGATE"
Short Sea Shipping-Movement of cargo by sea mostly along a coastline.EU H2020-DS-2014-01 project "MITIGATE"
Single WindowSWFacility that allows parties involved in trade and transport to lodge standardized information and documents with a single entry point to fulfil all import, export and transit-related regulatory requirements.ISO 28005-1:2013
Smart Port - An automated port that uses nascent technologies such as big data, Internet of Things (IoT), blockchain solutions and other smart technology based methods to improve performance and economic competitiveness. With these technologies, smart ports can also improve environmental sustainability.https://en.wikipedia.org/wiki/Smart_port

http://parisinnovationreview.com/articles-en/what-is-a-smart-port
The Smart Port solution of the Port of Tallinn, Estonia.https://its-estonia.com/en/2020/02/11/the-smart-port-solution/
Special vehicles - The port has dedicated vehicles at disposal to deliver inland services."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019Firefighting, ambulance, mobile cargo control units, etc.
Stevedoring company-A company responsible for the storage of goods at terminals.EU H2020-DS-2014-01 project "MITIGATE"
Switches, routers and hubs-Those components are used to forward packet in different manner between different networks."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Terminal-A terminal is a facility where cargo is trans-shipped between different transport modes, for onward transportation.EU H2020-DS-2014-01 project "MITIGATE"
Terminal Operations Management SystemsTOSUsually owned, used and maintained by private terminal operators, are mainly composed of different systems: enterprise operations systems to plan and manage the logistics and operations (ERP, CRM, etc.), the OT systems specific to the terminal operations (cranes, etc.), terminal operating systems (TOS) used to optimise the logistics, transhipment and warehouse systems."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Towage-The assistance given to a waterborne vessel by means of a tug in order to allow for a safe entry or exit of the port or safe navigation within the port by providing assistance to the manoeuvring of the waterborne vessel.Regulation (EU) 2017/352, Article 2
Vessel Traffic Management Information SystemVTMISAn extension of the VTS which integrates other information and functionalities to increase the effectiveness of port operations (allocation of resources, etc.)."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Vessel Traffic ServiceVTSA marine traffic monitoring system."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Waste treatment systems - The port manages not only its waste but also the waste of the vessels (solid waste such as plastic, paper, glass, food and liquid waste such as bilge water, sludge and sewage)."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
World Customs OrganizationWCOThe World Customs Organization (WCO), established in 1952 as the Customs Co-operation Council (CCC) is an independent intergovernmental body whose mission is to enhance the effectiveness and efficiency of Customs administrations.http://www.wcoomd.org/
Workstations - Different workstations are used in ports: dedicated to IT systems, dedicated to OT systems, to maintenance, mobile and fixes workstations, etc."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019

KEY FACTS

Project Coordinator: Sofoklis Efremidis
Institution: Maggioli SPA
Email: info{at}cyrene.eu
Start: 1-10-2020
Duration: 36 months
Participating organisations: 14
Number of countries: 10

TWEETS by

FUNDING

EU flagThis project has received funding from the European Union’s Horizon 2020 Research and Innovation program under grant agreement No 952690. The website reflects only the view of the author(s) and the Commission is not responsible for any use that may be made of the information it contains.