GLOSSARY

Supply Chain and Business Concepts

Term: Definition(s) [Reference(s)]
Application: IT solution, including application software, application data and procedures, designed to help an organization's users perform particular tasks or handle particular types of IT problems by automating a business process or function. [ISO/IEC 27032:2012]
Application service: Software with functionality delivered on demand to subscribers through an online model, which includes web-based or client-server applications. Examples are an online storage service or a Customs online service. [ISO/IEC 27032:2012]
Application software: Software designed to help users perform particular tasks or handle particular types of problems, as distinct from software that controls the computer itself. [ISO/IEC 26514:2008]
Asset: Something (item, thing or entity) that has value (potential or actual value) to the organization. An asset extends beyond physical goods or hardware and includes software, information, people and reputation [ISO/IEC 27001:2013; ISO/IEC 20000-1:2018]. Information asset: anything that has value to an individual, an organization or a government [ISO/IEC 27032:2012]. An asset can be, for example, an application server, a presence sensor, a mobile device or a municipal building. The only difference between the two terms is that the second makes provision for individuals and separates governments from organizations. [ISO/IEC 27001:2013; ISO/IEC 20000-1:2018]
Business objective: A result to be achieved. An objective can be strategic, tactical or operational. Objectives can relate to different disciplines (e.g. financial, health and safety, and environmental goals) and can apply at different levels (e.g. strategic, organization-wide, project, product and process). An objective can be expressed in other ways, e.g. as an intended outcome, a purpose, an operational criterion, as an information security objective, or by the use of other words with similar meaning (e.g. aim, goal or target). [ISO/IEC 27000:2018]
Consignee / Shipper / Consignor: A person or company that consigns or receives goods for transportation. [EU H2020-DS-2014-01 project "MITIGATE"]
Critical Infrastructure (CI): An asset, system or part thereof located in Member States which is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people, and the disruption or destruction of which would have a significant impact in a Member State as a result of the failure to maintain those functions. Examples are SCADA, a port, or a Port Community System (PCS). A European critical infrastructure (ECI) is a critical infrastructure located in Member States the disruption or destruction of which would have a significant impact on at least two Member States. The significance of the impact shall be assessed in terms of cross-cutting criteria; this includes effects resulting from cross-sector dependencies on other types of infrastructure [Council Directive 2008/114/EC]. [Council Directive 2008/114/EC]
Critical Information Infrastructure (CII): ICT systems that are Critical Infrastructures in themselves or that are essential for the operation of Critical Infrastructures (telecommunications, computers/software, Internet, satellites, etc.). An example is a Human Machine Interface (HMI). [Council Directive 2008/114/EC]
Critical services: A critical service is a service that is essential for the maintenance of critical societal or economic activities. [NIS Directive, 2016]
Customer: Person or organization that could or does receive a product or a service that is intended for or required by this person or organization, for example a consumer, client, end user, retailer, receiver of a product or service from an internal process, beneficiary or purchaser. [ISO 9000:2015]
Distributor: An entity that buys non-competing products or product lines and resells them to retailers or directly to the end users or customers. [EU H2020-DS-2014-01 project "MITIGATE", MITIGATE glossary]
Downstream/Upstream: Downstream refers to the actions, processes and movements of the cargo in the supply chain that occur after the cargo leaves the direct operational control of the organization, including but not limited to insurance, finance, data management, and the packing, storing and transferring of cargo. Upstream refers to the actions, processes and movements of the cargo in the supply chain that occur before the cargo comes under the direct operational control of the organization, including but not limited to insurance, finance, data management, and the packing, storing and transferring of cargo. [ISO 28000:2007]
Exporter: A businessperson or firm who transports goods abroad for sale. [EU H2020-DS-2014-01 project "MITIGATE"]
Importer: Firm or person whose business involves importing goods from outside (especially from a foreign country). [EU H2020-DS-2014-01 project "MITIGATE", MITIGATE glossary]
Infrastructure: (Of an organization) system of facilities, equipment and services needed for the operation of an organization. [ISO 9000:2015]
Information system: Set of applications, services, information technology assets, or other information-handling components. [ISO/IEC 27000:2018]
Interdependence: The mutual dependence among cooperating firms, which originates from their requirement to maintain relationships in order to serve their goals. [Frazier, G. L. (1983) "On the Measurement of Interfirm Power in Channels of Distribution", Journal of Marketing, Vol. 53, January, pp. 50-69]
Industry: Producer of merchandise for use or sale using extraction and/or transformation means, labour and machines, tools, chemical and biological processing, or formulation. The term may refer to a range of human activity, from handicraft to high tech, but is most commonly applied to industrial production, in which raw materials are transformed into finished goods on a large scale. For example, the automobile industry: the manufacturer that produces the vehicles and equipment (automobiles, trucks, semi-trailer trucks, trailers, railroad cars, etc.). [EU H2020-DS-2014-01 project "MITIGATE"]
Industrial Control System (ICS): An information system used to control industrial processes such as manufacturing, product handling, production and distribution. Industrial control systems include supervisory control and data acquisition systems used to control geographically dispersed assets, as well as distributed control systems and smaller control systems using programmable logic controllers to control localized processes. [NIST SP 800-39, 2011]
Involvement: Taking part in an activity, event or situation. [ISO 9000:2015]
Internet of Things (IoT): A cyber-physical ecosystem of interconnected sensors and actuators, which enable intelligent decision making. Examples are smart infrastructures, such as Industry 4.0, smart grid, smart transport, etc. Various ports are studying or launching an IoT project to improve their competitiveness and performance and to monitor their infrastructure to prevent security or safety incidents. Applied to maritime traffic surveillance, infrastructure management and terminal operations on goods or passengers, an IoT platform could monitor the port environment and operations, collect data to optimize processes and improve the decision-making process. This would be possible through the implementation of sensors and RFID technology on port assets. More specifically, the port of Rotterdam has launched its own IoT platform by implementing different sensors on buoys, walls and quays to allow port actors to identify the best timing and location for a ship to dock. [ENISA, "Port Cybersecurity - Good practices for cybersecurity in the maritime sector", 2019; ENISA, https://www.enisa.europa.eu/topics/iot-and-smart-infrastructures/iot]
Organization: Person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives. The concept of organization includes but is not limited to sole trader, company, corporation, firm, enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not, public or private. [ISO/IEC 27000:2018]
Physical asset: Asset that has a tangible or material existence. Physical assets usually refer to cash, equipment, inventory and properties owned by the individual or organization. Software is considered an intangible asset, or a non-physical asset. [ISO/IEC 27032:2012]
Policy: Intentions and direction of an organization as formally expressed by its top management. [ISO/IEC 27000:2018]
Process: A group of interconnected or interacting activities capable of turning inputs into outputs. Indicative process examples are customs clearance issuance and vehicle loading/unloading within the performance of the Vehicle Transport Service. A process model example is a business process diagram following a modelling language notation (e.g. BPMN diagram, UML diagram).
(1) Supply chain process: a group of interconnected activities during a supply chain service performance.
(2) Business Process Management (BPM): a discipline that serves the tasks of organizing, automating, monitoring and controlling business processes in organizations.
(3) Process mapping: the identification, description and illustration of all the flows of a piece of work via flowcharts, process models and business diagrams [Kalogeraki E.-M., Panayiotopoulos T., Apostolou D. (2016) "Semantic queries in BPMN 2.0: A contemporary method for information retrieval", IEEE 6th International Conference on Information, Intelligence, Systems and Applications (IISA 2015), 7388061].
[ISO/IEC 27000:2018]
Requirement: The need or expectation that is stated, generally implied or obligatory.
(1) "Generally implied" means that it is custom or common practice for the organization and interested parties that the need or expectation under consideration is implied.
(2) A specified requirement is one that is stated, for example in documented information.
[ISO/IEC 27000:2018]
Service: (1) Means of delivering value for the customer by facilitating outcomes the customer wants to achieve. (2) Output of an organization with at least one activity necessarily performed between the organization and the customer. Services may be of many types (economic service, information service, business service, domestic service, governmental service, public service, military service, etc.). Examples of services are an e-mail service, a logistics service, a billing service, etc. [ISO/IEC 20000-1:2018; ISO 9000:2015]
Service Level Agreement (SLA): Documented agreement between the service provider and customer that identifies services and service targets.
(1) A service level agreement can also be established between the service provider and a supplier, an internal group or a customer acting as a supplier.
(2) A service level agreement can be included in a contract or another type of documented agreement.
[ISO/IEC 20000-1:2018]
Service Provider: Organization that manages and delivers a service or services to customers. [ISO/IEC 20000-1:2018]
Stakeholder (Business partner or interested party): (1) A person or entity (e.g. customers, shareholders, financiers, insurers, regulators, statutory bodies, employees, contractors, suppliers, labour organizations, or society) having a vested interest in the organization's performance, success or the impact of its activities [ISO 28000:2007]. (2) Person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity [ISO 31000:2018; ISO/IEC 27000:2018]. [ISO 28000:2007; ISO 31000:2018; ISO/IEC 27000:2018]
Step: An element (numbered list item) in a procedure (process) that tells a user (involved party) to perform an action (or actions). [ISO/IEC 26514:2008]
Supplier (provider): Organization that provides a product or a service.
(1) A provider can be internal or external to (not part of) the organization.
(2) In a contractual situation, a provider is sometimes called "contractor".
[ISO 9000:2015]
Supply Chain (SC): Linked set of resources and processes that begins with the sourcing of raw material and extends through the delivery of products or services to the end user across the modes of transport. The supply chain may include vendors, manufacturing facilities, logistics providers, internal distribution centers, distributors, wholesalers and other entities that lead to the end user. E.g. the maritime supply chain. [ISO 28000:2007]
Supply Chain disruption: A disruption in a supply chain is considered the disruption of the security, continuity and reliability of the critical services that are essential for the smooth functioning of the SC; it is capable of preventing the provision of other services which depend on them and could thus have a serious impact on the economic and societal activities of the SC. [NIS Directive, 2016]
Supply Chain Security (SC security): Security of the processes, techniques and technologies associated with supply chains. [ENISA report (2015) "Supply Chain Integrity: An overview of the ICT supply chain risks and challenges, and vision for the way forward", v.1.1, August 2015]
Supply Chain Operators (SC operator): Contractors, suppliers, agents and forwarders that operate (interact, depend, provide, receive) for the production of goods or the provision of a supply chain service. [EU H2020-DS-2014-01 project "MITIGATE"]
Supply Chain Service (SCS): (1) A network of the supply chain operators and their supporting units that function for the transaction of resources, to develop services, transform the underlying resources into supporting and core services, and deliver the services to the end customer/user. (2) Service provided by a supply chain, a linked set of resources and processes. Vehicle Transport Service: a massively complex system with numerous players for the manufacturing, shipment and delivery of various types of vehicles. It supports composite processes (domestic and international transportation, communications and information technology, warehouse management, order and inventory control, etc.). It includes several interactions and tasks among the various entities engaged (stakeholders and actors), which have different goals and requirements. [(1) Baltacioglu et al. (2007) "A new framework for service supply chains", The Service Industries Journal, 27(2), pp. 105-124; (2) EU H2020-DS-2014-01 project "MITIGATE"]
Trailer: Non-powered vehicle for the carriage of goods. [EU H2020-DS-2014-01 project "MITIGATE"]
Transport operator: A party, a company or a department of a company, planning and maintaining the use of means of transport or equipment of a transport stage. [EU H2020-DS-2014-01 project "MITIGATE"]
Transport organiser: A party, a company or a department organising and planning a part of a transport chain. [EU H2020-DS-2014-01 project "MITIGATE"]
Transshipment: Moving goods from one means of transport to another. [EU H2020-DS-2014-01 project "MITIGATE"]
User: Person who performs one or more tasks with software; a member of a specific audience. [ISO/IEC 26514:2008]
User interface: Ensemble of software and hardware that allows a user to interact with a computer system. [ISO/IEC 26514:2008]

Certification Security Concepts

Term: Definition(s) [Reference(s)]
Information: Any communication or representation of knowledge such as facts, data or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative or audiovisual. [CNSSI No. 4009]
Information system: A set of applications, services, information technology assets or other information-handling components, e.g. an Enterprise Resource Planning (ERP) system. [ISO/IEC 27000:2018]
Information Security Management System (ISMS): Set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives. [ISO/IEC 27000:2018]
Confidentiality: Property that information is not made available or disclosed to unauthorized individuals, entities or processes. [ISO/IEC 27000:2018]
Integrity: Property of accuracy and completeness. [ISO/IEC 27000:2018]
Availability: Property of being accessible and usable on demand by an authorized entity. [ISO/IEC 27000:2018]
Accountability: The state of being answerable for assigned actions and decisions. [ISO/IEC 27000:2018]
Authenticity: Property that an entity is what it claims to be. [ISO/IEC 27000:2018]
Reliability: Property of consistent intended behaviour and results. [ISO/IEC 27000:2018]
Non-repudiation: Ability to prove the occurrence of a claimed event or action and its originating entities. [ISO/IEC 27000:2018]
Information security: Preservation of the CIA triad (Confidentiality, Integrity and Availability) of information; other properties, such as authenticity, accountability, non-repudiation and reliability, can also be involved. [ISO/IEC 27000:2018]
Information security continuity: Processes and procedures for ensuring continued information security operations. [ISO/IEC 27000:2018]
Cybersecurity: Preservation of Confidentiality, Integrity and Availability (CIA triad) of information in the Cyberspace. [ISO/IEC 27032:2012]
Cyber resiliency: The ability to anticipate, withstand, recover from and adapt to adverse conditions, stresses, attacks or compromises on cyber resources. [NIST SP 800-160, 2019]
Adversary (attacker/threat agent): (1) Adversary: individual, group, organization or government that conducts or has the intent to conduct detrimental activities [NIST SP 800-30 Rev 1, 2012]. (2) Attacker: an actor who attempts to gain access to behaviors or resources that are outside of the product's intended control sphere for that actor [MITRE glossary]. (3) Threat agent: entity that can adversely act on assets [ISO/IEC 15408-1:2009]. For instance, an attacker can be a disgruntled employee (insider), a hacktivist, a cybercriminal, a terrorist group, a pirate or a hijacker, a cyber vandal, or a government/industry spy. [NIST SP 800-30 Rev 1, 2012; MITRE glossary, online available at https://cwe.mitre.org/documents/glossary; ISO/IEC 15408-1:2009]
Behaviour analysis: The act of examining malware interactions within its operating environment, including file systems, the registry (if on Windows), the network, as well as other processes and Operating System components. [CNSSI No. 1011]
Attack: An attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset, e.g. an attack on SCADA software (cyber) or an attack on a cruise terminal (physical). [ISO/IEC 27000:2018]
- Attack path (attack model/attack pattern/attack vector): (1) Attack path: steps that a threat takes or may take to plan, prepare for, and execute an attack [API standard 780]. (2) Attack pattern: abstracted approach utilized to attack software [ISO/IEC TR 20004:2015]. (3) Attack vector: path or means by which an attacker can gain access to a computer or network server in order to deliver a malicious outcome [ISO/IEC 27032:2012]. For example, an attack path to compromise the CCTV system of an enterprise: compromise an e-mail account to gain access to an employee's workstation, and then take advantage of the CCTV server that is installed on that workstation's operating system. [API standard 780; ISO/IEC TR 20004:2015; ISO/IEC 27032:2012]
- Attack graph: Data structures that are able to model all possible avenues of a network attack. An attack modelling tool providing MITRE ATT&CK graphs via BloodHound is described at https://medium.com/falconforce/graphing-mitre-att-ck-via-bloodhound-87c11aadc119. Attack graphs are generated using the MITIGATE risk management tool. [Kalogeraki, E.-M., Papastergiou, S., Mouratidis, H., Polemi, N. (2018) "A novel risk assessment methodology for SCADA maritime logistics environments", Applied Sciences, MDPI AG, Switzerland, 8(9): 1477, ISSN 2076-3417, https://doi.org/10.3390/app8091477]
Cyber attack: An attack, via cyberspace, targeting an enterprise's use of cyberspace for the purpose of disrupting, disabling, destroying or maliciously controlling a computing environment/infrastructure, or destroying the integrity of the data or stealing controlled information. [NIST SP 800-30 Rev 1, 2012]
Alert: Notification that a specific attack has been directed at an organization's information systems. [CNSSI 4009-2015]
Information security incident: A single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security. [ISO/IEC 27000:2018]
Hacking: Intentionally accessing a computer system without the authorization of the user or the owner. [ISO/IEC 27032:2012]
Measurement: Process to determine a value. [ISO/IEC 27000:2018]
Measurement method (scale): A logical sequence of operations, described generically, that aims to quantify an attribute with respect to a specified scale. For example, a vulnerability, threat or risk level can be scaled as Very High/High/Medium/Low/Very Low. Quantitative measurement is information about quantities and therefore corresponds to numbers; qualitative measurement is descriptive and regards phenomena that can be observed but not measured, such as language (e.g. business, temporal, environmental, etc.). [ISO/IEC 27000:2018]
Performance: Measurable result. [ISO/IEC 27000:2018]
Effect: A deviation from the expected, positive or negative. [ISO/IEC 27000:2018]
Event: Occurrence or change of a particular set of circumstances; an event can have several causes and can even consist of something not happening. [ISO/IEC 27000:2018]
Uncertainty: The state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence or its likelihood. [ISO/IEC 27000:2018]
Likelihood: Chance of something happening. [ISO/IEC 27000:2018]
Likelihood of occurrence: A weighted factor based on a subjective analysis of the probability that a given threat is capable of exploiting a given vulnerability or a set of vulnerabilities; determining the likelihood of threat events causing adverse impacts. [NISTIR 7621 Rev. 1, 2016; CNSSI 4009-2015; NIST SP 800-30 Rev 1, 2012]
Vulnerability: (1) Weakness in the TOE that can be used to violate the SFRs in some environment [ISO/IEC 15408-1:2009 (CC)]. (2) Weakness of an asset or control that can be exploited by one or more threats [ISO/IEC 27000:2018]. (3) In the context of information technology and cybersecurity, a vulnerability is a behaviour or set of conditions present in a system, product, component or service (functional) that violates an implicit or explicit security policy. A vulnerability can be thought of as a weakness or exposure that allows a security impact or consequence. Attackers exploit vulnerabilities to compromise confidentiality, integrity, availability, operation or some other security property [ISO/IEC 29147:2018]. For example:
- Poor encryption in digital signatures.
- Target Row Refresh (TRR), aka the TRRespass issue (CVE-2020-10255).
- The DNS bugs (CVE-2020-11901).
The term "vulnerability" functions in a different context in ISO/IEC 15408, as it reflects the perspective of the TOE (Target of Evaluation). Multiple vulnerabilities can impact a supply chain as a whole, compromising multiple interconnected assets by exploiting a series of assets' vulnerabilities. See more: "Hacking the Supply Chain" [https://i.blackhat.com/USA-20/Wednesday/us-20-Oberman-Hacking-The-Supply-Chain-The-Ripple20-Vulnerabilities-Haunt-Tens-Of-Millions-Of-Critical-Devices.pdf].
[ISO/IEC 15408-1:2009 (CC); ISO/IEC 27000:2018; ISO/IEC 29147:2018]
- Potential (unknown) vulnerability: Potential: suspected, but not confirmed, weakness [ISO/IEC 15408-1:2009 (CC)]; suspicion is by virtue of a postulated attack path to violate the SFRs. Unknown: there are reports of impacts that indicate a vulnerability is present, but the cause of the vulnerability is unknown, or the reports differ on the cause or impacts of the vulnerability; reporters are uncertain of the true nature of the vulnerability, and there is little confidence in the validity of the reports [CVSS v3.1, NIST NVD (FIRST)]. An unknown/zero-day vulnerability can be pictured as a backdoor left unlocked by accident, through which an adversary sneaks into an asset. A sub-category of this is the "zero-day" vulnerability, which is related to a security flaw in the software that is known to the software vendor but for which no patch is in place to fix the flaw. [ISO/IEC 15408-1:2009 (CC); CVSS v3.1, NIST NVD (FIRST)]
- Confirmed vulnerability: Detailed reports exist, or functional reproduction is possible (functional exploits may provide this). Source code is available to independently verify the assertions of the research, or the author or vendor of the affected code has confirmed the presence of the vulnerability. A confirmed vulnerability example is the Microsoft Teams Remote Code Execution vulnerability, which was published on 11/11/2020. [CVSS v3.1, NIST NVD (FIRST)]
- Exploitable vulnerability: Weakness in the TOE that can be used to violate the SFRs in the operational environment for the TOE. [ISO/IEC 15408-1:2009 (CC)]
- Residual vulnerability: Weakness that cannot be exploited in the operational environment for the TOE, but could be used to violate the SFRs by an attacker with greater attack potential than is anticipated in the operational environment for the TOE. [ISO/IEC 15408-1:2009 (CC)]
- Severity of vulnerability: The severity of a vulnerability is an assessment of the relative importance of mitigating/remediating the vulnerability. The severity can be determined by the extent of the potential adverse impact if such a vulnerability is exploited by a threat source. Thus, the severity of vulnerabilities is, in general, context-dependent. [NIST SP 800-30 Rev.1, 2012]
Vulnerabilities measurement/labelling: Examples are:
- Common Vulnerabilities and Exposures
- TOE-relevant CVE vulnerabilities
- Common Weakness Enumeration
- Common Vulnerability Scoring System
- CVSS basic metric
- CVSS temporal metric
- CVSS environmental metric
- Common Vulnerabilities and Exposures (CVE): (1) A nomenclature and dictionary of security-related software flaws [NIST SP 800-126 Rev. 2]. (2) A list of entries, each containing an identification number, a description, and at least one public reference, for publicly known cybersecurity vulnerabilities [MITRE]. E.g. the confirmed vulnerability example of Microsoft Teams Remote Code Execution has the CVE ID "CVE-2020-17091". [NIST SP 800-126 Rev. 2; MITRE, online available at https://cve.mitre.org/]
- TOE-relevant CVE vulnerabilities: CVE vulnerabilities from all versions of the TOE product family, or CVE vulnerabilities associated with products of the same technology type. [ISO/IEC TR 20004:2015]
- Common Weakness Enumeration (CWE): A community-developed list of software and hardware weakness types. It serves as a common language, a measuring stick for security tools, and as a baseline for weakness identification, mitigation and prevention efforts. E.g. CWE-20 Improper Input Validation: the asset does not validate, or incorrectly validates, input that can affect the control flow or data flow of a program. When software fails to validate input properly, an attacker is able to craft the input in a form that is not expected by the rest of the application. This will lead to parts of the system receiving unintended input, which may result in altered control flow, arbitrary control of a resource, or arbitrary code execution. [MITRE, online available at https://cwe.mitre.org/]
- Common Vulnerability Scoring System (CVSS): The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. It mainly consists of three metric groups: Base, Temporal and Environmental. For instance, the confirmed vulnerability "CVE-2020-17091" Microsoft Teams Remote Code Execution has Base score metrics = 7.8: Exploitability [FIRST CVSS v3.1 Specification, Rev.1, online available at https://www.first.org/cvss/v3-1/cvss-v31-specification_r1.pdf; MITRE, https://nvd.nist.gov/vuln-metrics/cvss]
- CVSS basic metric: The base group consists of exploitability (Attack Vector (AV), Attack Complexity (AC), Privileges Required (PR), User Interaction (UI)), scope, and impact (the CIA triad). The base metric group represents the intrinsic qualities of a vulnerability that are constant over time and across user environments. [FIRST CVSS v3.1 Specification, Rev.1, online available at https://www.first.org/cvss/v3-1/cvss-v31-specification_r1.pdf; MITRE, https://nvd.nist.gov/vuln-metrics/cvss]
- CVSS temporal metric: The temporal group consists of Exploit Code Maturity (E), Remediation Level (RL) and Report Confidence (RC), and reflects the characteristics of a vulnerability that change over time. [FIRST CVSS v3.1 Specification, Rev.1, online available at https://www.first.org/cvss/v3-1/cvss-v31-specification_r1.pdf; MITRE, https://nvd.nist.gov/vuln-metrics/cvss]
- CVSS environmental metric: The environmental group consists of the security requirements Confidentiality Requirement (CR), Integrity Requirement (IR) and Availability Requirement (AR), and represents the characteristics of a vulnerability that are unique to a user's environment. [FIRST CVSS v3.1 Specification, Rev.1, online available at https://www.first.org/cvss/v3-1/cvss-v31-specification_r1.pdf; MITRE, https://nvd.nist.gov/vuln-metrics/cvss]
Threat: Potential cause of an unwanted incident, which can result in harm to a system or organization. Examples are signature spoofing by key theft on an e-mail operating system, and a buffer overflow in local command-line utilities on an admin operating system. [ISO/IEC 27000:2018]
Threat assessment: Process of formally evaluating the degree of threat to an information system or enterprise and describing the nature of the threat. [CNSS, 2015; NIST SP 800-30 Rev.1, 2012]
Threat level: The expected probability of occurrence of a threat to a cyber asset. [EU H2020-DS-2014-01 project "MITIGATE", MITIGATE glossary]
Cyber Threat Intelligence (CTI): Threat information that has been aggregated, transformed, analyzed, interpreted or enriched to provide the necessary context for decision-making processes. [NIST SP 800-150, Guide to Cyber Threat Information Sharing, 2016]
Security impact analysis: The analysis conducted by an organizational official to determine the extent to which changes to the information system have affected the security state of the system. [NIST SP 800-37 Rev.2, 2018]
Impact: The result of an unwanted incident. [ISO/IEC PDTR 13335-1]
Impact level: The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability. [NIST SP 800-37 Rev.2, 2018]
Risk: Effect (see "Effect" in this glossary) of uncertainty (see "Uncertainty" in this glossary) on objectives [ISO 31000:2018; ISO/IEC 27000:2018]. Risk is often characterized by reference to potential events and consequences, or a combination of these (including changes in circumstances), and the associated likelihood of occurrence [ISO/IEC 27000:2018]. [ISO/IEC 27000:2018; ISO 31000:2018]
Information security risk: (1) Risks that arise from the loss of confidentiality, integrity or availability of information or information systems and reflect the potential adverse impacts to organizational operations (mission, functions, image or reputation), organizational assets, individuals, other organizations, and the Nation [NIST SP 800-30 Rev 1, 2012]. (2) Effect of uncertainty on information security objectives; the potential that threats will exploit vulnerabilities of an information asset or group of information assets and thereby cause harm to an organization [ISO/IEC 27000:2018]. [NIST SP 800-30 Rev 1, 2012; ISO/IEC 27000:2018]
Risk model: Defines the risk factors to be assessed and the relationships among those factors. [NIST SP 800-30 Rev 1, 2012]
Risk identification: Process of finding, recognizing and describing risks. Risk identification involves the identification of risk sources, events, their causes and their potential consequences. Risk identification can involve historical data, theoretical analysis, informed and expert opinions, and stakeholders' needs. [ISO/IEC 27000:2018]
Risk analysis: Process to comprehend the nature of risk and to determine the level of risk. Risk analysis provides the basis for risk evaluation and decisions about risk treatment. Risk analysis includes risk estimation. [ISO/IEC 27000:2018]
Risk evaluation: The process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable. Risk evaluation assists in the decision about risk treatment. [ISO/IEC 27000:2018]
Risk Assessment (RA): (1) The overall process of risk identification, risk analysis and risk evaluation [ISO/IEC 27000:2018]. (2) The process of identifying, estimating and prioritizing information security risks [NIST SP 800-30 Rev.1, 2012]. [ISO/IEC 27000:2018; NIST SP 800-30 Rev.1, 2012]
Risk assessor: The individual, group or organization responsible for conducting a risk assessment. [NIST SP 800-30 Rev.1, 2012]
Level of risk: Magnitude of a risk expressed in terms of the combination of consequences and their likelihood. [ISO/IEC 27000:2018]
Residual risk: Risk remaining after risk treatment. Residual risk can contain unidentified risk. It can also be referred to as "retained risk". [ISO/IEC 27000:2018]
Risk treatment: Process to modify risk. [ISO/IEC 27000:2018]
Risk mitigation: Risk treatments that deal with negative consequences. [ISO/IEC 27000:2018]
Control: Measure that maintains and/or modifies risk [ISO 31000:2018; ISO/IEC 27000:2018]. Controls include any process, policy, device, practice or other action which modifies risk. Controls do not always exert the intended or assumed modifying effect [ISO/IEC 27000:2018]. The term "control" is also used in [CSA, Art. 52.4]: "The certificate or the EU statement of conformity shall refer to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to decrease the risk of, or to prevent cybersecurity incidents." This term can be seen as equivalent to the Security Functional Requirements (SFRs) defined in ISO/IEC 15408. [ISO 31000:2018; ISO/IEC 27000:2018]
Control objectiveStatement describing what is to be achieved as a result of implementing controls.[ISO/IEC 27000:2018]
Security controlSecurity controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system.[NIST SP 800-30 Rev.1, 2012 (FIPS 199, CNSSI No. 4009)]
Risk management (RM)A systematic performance of policies, procedures and practices management on communicating, consulting activities, establishing the context and controlling identifying, analysing, evaluating, treating, monitoring and reviewing risk. [ISO/IEC 27000:2018][ISO/IEC 27000:2018]
Coordinated activities to direct and control an organization with regard to risk. [ISO 31000:2018][ISO 31000:2018]
Risk ownerPerson or entity with the accountability and authority to manage a risk.[ISO/IEC 27000:2018]
Security Management (SM)Security management includes all the activities and practices implemented by organizations to manage security risks, threats, and impacts. These activities and practices should be coordinated in a systematic, and optimized manner.[ISO 28000:2007]
Security management objectiveSpecific outcome or achievement required of security in order to meet the security management policy. It is essential that such outcomes are linked either directly or indirectly to providing the products, supply or services delivered by the total business to its customers or end users.[ISO 28000:2007]
Security management policyOverall intentions and direction of an organization, related to the security and the framework for the control of security-related processes and activities that are derived from and consistent with the organization’s policy and regulatory requirements[ISO 28000:2007]
Information and Communication Technology (ICT): (1) Encompasses the capture, storage, retrieval, processing, display, representation, presentation, organization, management, security, transfer, and interchange of data and information [NIST SP 800-161 under Information and Communications Technology (ICT), ISO/IEC 2382, adapted; NISTIR 7622 under Information and Communications Technologies, ANSDIT, adapted]. (2) Includes all categories of ubiquitous technology used for the gathering, storing, transmitting, retrieving, or processing of information (e.g., microelectronics, printed circuit boards, computing systems, software, signal processors, mobile telephony, satellite communications, and networks) [CNSSI 4009-2015, DoDI 5200.44]. (3) Encompasses all technologies for the capture, storage, retrieval, processing, display, representation, organization, management, security, transfer, and interchange of data and information [NISTIR 8074 Vol. 2 under Information and Communications Technologies].
Examples are:
• maritime ICT cloud transforming shipping;
• printed circuit boards;
• computing systems;
• software;
• signal processors;
• mobile telephony;
• satellite communications;
• fleet IT manager onboard platform.
ICT Product: An element or a group of elements of a network or information system. Examples are:
• software;
• firmware;
• a piece of hardware;
• a service;
• a process;
• a supply chain.
[Regulation (EU) 2019/881 (EU Cybersecurity Act)]
ICT System: Network or information system (cf. CSA). Combination of ICT products and ICT processes that supports one or more ICT services. Examples are:
• Industrial Control System (e.g. SCADA);
• Port Community System (PCS);
• Enterprise Resource Planning (ERP) software.
[Regulation (EU) 2019/881 (EU Cybersecurity Act)]
ICT Service: A service consisting fully or mainly in the transmission, storing, retrieving or processing of information by means of network and information systems. Examples are:
• Vehicle Transport Service;
• e-Invoicing;
• Container Management Service;
• e-Delivery.
[Regulation (EU) 2019/881 (EU Cybersecurity Act)]
ICT Process: A set of activities performed to design, develop, deliver or maintain an ICT product or ICT service. Examples are:
• Port Services Requested;
• Ship Formalities Arrangements;
• Vehicles Unloading processes.
[Regulation (EU) 2019/881 (EU Cybersecurity Act)]
Certification: Certification of a management system, such as the environmental management system, quality management system or information security management system of an organization, is one means of providing assurance that the organization has implemented a system for the management of the relevant aspects of its activities, products and services, in line with the organization's policy and the requirements of the respective international management system standard. [ISO/IEC 17021-1:2015]
Certification Scheme: Conformity assessment system related to management systems to which the same specified requirements, specific rules and procedures apply. [ISO/IEC 17021-1:2015]
Common Criteria (CC): (1) An international standard (ISO/IEC 15408) for computer security certification [ISO/IEC 15408-1:2009 (CC)]. (2) Governing document that provides a comprehensive, rigorous method for specifying security function and assurance requirements for products and systems [CNSSI 4009-2015].
European Cybersecurity Certification Scheme (ECCS): A comprehensive set of rules, technical requirements, standards and procedures that are established at Union level and that apply to the certification or conformity assessment of specific ICT products, ICT services or ICT processes. It is an umbrella which replaces SOG-IS. There are no examples of schemes under the ECCS yet; the EU is in the process of creating them. [Regulation (EU) No 526/2013 (Cybersecurity Act)]
Horizontal Certification Scheme: Adjective indicating that an ICT product, ICT process or ICT service targets multiple markets and that the related cybersecurity certificate may be recognized by corresponding cybersecurity certification schemes of these targeted markets. Accordingly, it is very important that standardization and certification approaches are well aligned across different industries when it comes to suppliers at the start of the supply chain. For example, manufacturers of smart cards usually deliver their products into multiple sectors. On the other hand, once the integration steps come close to a final product, the situation might become very sector-specific. Therefore, it is essential to keep at least two views in mind:
1. The horizontal view: standards for cybersecurity in terms of robustness against a broad range of attacks. Accordingly, certification schemes used there need to be generic (e.g. ISO/IEC 15408, Common Criteria) rather than specific, and act as building blocks for certification schemes tailored to sectors.
2. The sectorial view: standards in this case are typically very specific to the sectorial needs. However, certification schemes very specific to sectors (e.g. standards for smart cards) should make use of horizontal (generic) schemes and recognize and build on top of those.
[Cybersecurity Certification: EUCC Candidate Scheme, https://www.enisa.europa.eu/publications/cybersecurity-certification-eucc-candidate-scheme]
Sectorial Certification Scheme: Adjective indicating that an ICT product, ICT process or ICT service targets a particular market sector and that the related cybersecurity certificate may be recognized by corresponding cybersecurity certification schemes of this particular market sector. Sectorial ICT systems usually rely on ICT infrastructure services for specific functions. Accordingly, it is very important that standardization and certification approaches are well aligned across different industries when it comes to suppliers at the start of the supply chain. For example, manufacturers of smart cards usually deliver their products into multiple sectors. On the other hand, once the integration steps come close to a final product, the situation might become very sector-specific. Therefore, it is essential to keep at least two views in mind:
1. The horizontal view: standards for cybersecurity in terms of robustness against a broad range of attacks. Accordingly, certification schemes used there need to be generic (e.g. ISO/IEC 15408, Common Criteria) rather than specific, and act as building blocks for certification schemes tailored to sectors.
2. The sectorial view: standards in this case are typically very specific to the sectorial needs. However, certification schemes very specific to sectors (e.g. standards for smart cards) should make use of horizontal (generic) schemes and recognize and build on top of those.
[Cybersecurity Certification: EUCC Candidate Scheme, https://www.enisa.europa.eu/publications/cybersecurity-certification-eucc-candidate-scheme]
Target of Evaluation (TOE): A set of software, firmware, hardware and/or processes, possibly accompanied by guidance. For example:
• a software application;
• an operating system;
• a software application in combination with an operating system;
• a software application in combination with an operating system and a workstation;
• an operating system in combination with a workstation;
• a smart card integrated circuit;
• the cryptographic co-processor of a smart card integrated circuit;
• a Local Area Network including all terminals, servers, network equipment and software;
• a database application excluding the remote client software normally associated with that database application;
• a supply chain.
[ISO/IEC 15408-1:2009 (CC)]
Trusted IT Product: IT product, other than the TOE, which has its security functional requirements administratively coordinated with the TOE and which is assumed to enforce its security functional requirements correctly. [ISO/IEC 15408-1:2009 (CC)]
Security Requirements (ASE_REQ): The security requirements consist of two groups of requirements:
a) the security functional requirements (SFRs);
b) the security assurance requirements (SARs).
[ISO/IEC 15408-1:2009 (CC)]
Security Functional Requirements (SFRs): A translation of the security objectives for the TOE into a standardised language. [ISO/IEC 15408-1:2009 (CC)]
Security Assurance Requirements (SARs): A description of how assurance is to be gained that the TOE meets the SFRs. The ST also contains a security requirements rationale that explains why this particular set of SARs was deemed appropriate. There are no specific requirements for this explanation; its goal is to allow the readers of the ST to understand the reasons why this particular set was chosen. An example of an inconsistency is if the security problem description mentions threats where the threat agent is very capable, and a low (or no) vulnerability analysis (AVA_VAN) is included in the SARs. [ISO/IEC 15408-1:2009 (CC)]
Conformance Statement: This statement describes the manner in which PPs or STs must conform to this PP: strict or demonstrable. A typical example of the use of strict conformance is in selection-based purchasing, where a product's security requirements are expected to exactly match those specified in the PP. [ISO/IEC 15408-1:2009 (CC)]
Conformity: Fulfilment of a requirement. [ISO/IEC 27000:2018]
Non-conformity: Non-fulfilment of a requirement. [ISO/IEC 27000:2018]
Conformance Claim: The conformance claim indicates the source of the collection of requirements that is met by a TOE or PP that passes its evaluation. [Common Criteria for Information Security Conformity Evaluation (CC), Part I: Introduction and general model (2017), v3.1 Rev. 5, Section 10.5, https://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R5.pdf]
Protection Profile (PP): Implementation-independent statement of security needs for a TOE type. [ISO/IEC 15408-1:2009 (CC)]
Security Target (ST): Implementation-dependent statement of security needs for a specific identified TOE. [ISO/IEC 15408-1:2009 (CC)]
Security Objective: (1) Statement of an intent to counter identified threats and/or satisfy identified organization security policies and/or assumptions [ISO/IEC 15408-1:2009 (CC)]. (2) Information security objective: objectives that are set by the organization, consistent with the information security policy, to achieve specific results [ISO/IEC 27000:2018].
Assurance Class: Each assurance class contains at least one assurance family. The assurance class name indicates the topics covered by the assurance class. For example:
• Class ACO: Composition
• Class ADV: Development
• Class AGD: Guidance documents
• Class ALC: Life-cycle support
• Class ASE: Security Target evaluation
• Class ATE: Tests
• Class AVA: Vulnerability assessment
[ISO/IEC 15408-3:2008 (CC)]
Assurance Family: An assurance family is a family defined by ISO/IEC 15408-3. Each assurance family contains one or more assurance components. The family name provides descriptive information about the topics covered by the assurance family. Each assurance family is placed within the assurance class that contains other families with the same intent. For example, the families of class ADV (Development) are:
• Security architecture (ADV_ARC)
• Functional specification (ADV_FSP)
• Implementation representation (ADV_IMP)
• TSF internals (ADV_INT)
• Security policy modelling (ADV_SPM)
• TOE design (ADV_TDS)
and the families of class AGD (Guidance documents) are:
• Operational user guidance (AGD_OPE)
• Preparative procedures (AGD_PRE)
[ISO/IEC 15408-3 (CC)]
Assurance Level: A basis for confidence that an ICT product, ICT service or ICT process meets the security requirements of a specific European cybersecurity certification scheme; it indicates the level at which an ICT product, ICT service or ICT process has been evaluated, but as such does not measure the security of the ICT product, ICT service or ICT process concerned. For example:
• Level 1: little or no confidence;
• Level 2: some confidence;
• Level 3: high confidence.
[Regulation (EU) 2019/881 (EU Cybersecurity Act)]
Evaluation Assurance Level (EAL): The definition of a scale for measuring assurance for component Targets of Evaluation (TOEs). [ISO/IEC 15408-3:2008 (CC)]
Vulnerability Analysis (AVA_VAN): Vulnerability analysis is an assessment to determine whether potential vulnerabilities identified, during the evaluation of the development and anticipated operation of the TOE or by other methods (e.g. by flaw hypotheses or quantitative or statistical analysis of the security behaviour of the underlying security mechanisms), could allow attackers to violate the SFRs. Vulnerability analysis deals with the threat that an attacker will be able to discover flaws that will allow unauthorised access to data and functionality, allow the ability to interfere with or alter the TSF, or interfere with the authorised capabilities of other users. The vulnerability assessment class addresses the possibility of exploitable vulnerabilities introduced in the development or the operation of the TOE. Assessment of development vulnerabilities is covered by the assurance family AVA_VAN. [ISO/IEC 15408-3:2008 (CC)]
Security Function (SF): Function that implements the security requirements. [ISO/IEC 15408 (CC)]
Package: A named set of security requirements. A package is either a functional package, containing only SFRs, or an assurance package, containing only SARs. Mixed packages containing both SFRs and SARs are not allowed. Examples of assurance packages are the evaluation assurance levels (EALs), e.g. "EAL 3", that are defined in ISO/IEC 15408-3. At the time of writing there are no functional packages for this version of ISO/IEC 15408. [ISO/IEC 15408-1:2009 (CC)]
Composed Assurance Package (CAP): The definition of a scale for measuring assurance for composed TOEs. [ISO/IEC 15408-3:2008 (CC)]
Conformity Assessment Body (CAB): A body that performs conformity assessment activities including calibration, testing, certification and inspection. For example, one that:
• applies and assesses conformity to a European Cybersecurity Certification Scheme;
• certifies product conformity by a certification report.
[Regulation (EC) No 765/2008]
Conformity Assessment (CA): (1) The process demonstrating whether specified requirements relating to a product, process, service, system, person or body have been fulfilled [Regulation (EC) No 765/2008]. (2) A procedure for evaluating whether specified requirements relating to an ICT product, ICT service or ICT process have been fulfilled [Regulation (EU) 2019/881 (EU Cybersecurity Act)].
Conformity Self-assessment: An action carried out by a manufacturer or provider of ICT products, ICT services or ICT processes, which evaluates whether those ICT products, ICT services or ICT processes meet the requirements of a specific European cybersecurity certification scheme. [Regulation (EU) 2019/881 (EU Cybersecurity Act)]
Accreditation: An attestation by a national accreditation body that a conformity assessment body meets the requirements set by harmonised standards and, where applicable, any additional requirements including those set out in relevant sectoral schemes, to carry out a specific conformity assessment activity. [Regulation (EC) No 765/2008]
National Accreditation Body (NAB): The sole body in a Member State that performs accreditation with authority derived from the State. For example, one that accredits a Conformity Assessment Body. [Regulation (EC) No 765/2008]
National Supervisory Authority: A body or bodies nominated or established by Member States as their national supervisory authority in order to assume the tasks assigned to such authority under this Regulation and under the measures referred to in Article 3. For example, one that supervises a Conformity Assessment Body. [Regulation (EC) No 549/2004]
Attack Potential (means, skills, opportunities): (1) Measure of the effort to be expended in attacking a TOE, expressed in terms of an attacker's expertise, resources and motivation [ISO/IEC 15408-1:2009 (CC)]. (2) Perceived potential for success of an attack, should an attack be launched, expressed in terms of an attacker's expertise, resources and motivation [ISO/IEC 27032:2012].

Maritime Transport Concepts

Term: Definition(s). [Reference(s)]
Baltic and International Maritime Council (BIMCO)BIMCO (link to https://www.bimco.org/) is one of the greatest international shipping associations representing ship owners. It undertakes the control of around 65 percent of the world's tonnage and it has a strong membership, engaging more than 120 countries, involving managers, brokers and agents. BIMCO’s main objective is to protect its global membership via the provision of information and consulting that forwards fair business practices and invests on the harmonisation and standardization of commercial shipping practices and contracts.Baltic and International Maritime Council, Den Store Danske Encyklopædi. Denstoredanske.dk. Online available: https://denstoredanske.lex.dk/Baltic_and_International_Maritime_Council?utm_source=denstoredanske.dk&utm_medium=redirect&utm_campaign=DSDredirect
Barge operatorA company that provides barge capacity and barge transport.EU H2020-DS-2014-01 project "MITIGATE"
Berth
Management
Systems
Those systems are used by Port Authorities to manage and ensure safety in mooring processes: warnings and alerts, meteorological data, video cameras streams, berth allocation management, etc."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Border ControlThe border control authorities are responsible of taking measures to monitor the state borders and to regulate the movement of people, animals and goods. In the EU, with Schengen agreement, the crews and passengers are controlled only once when they come from a non-EU country."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
BunkeringThe provision of solid, liquid or gaseous fuel or of any other energy source used for the propulsion of the waterborne vessel as well as for general and specific energy provision on board of the waterborne vessel whilst at berth.Regulation (EU) 2017/352, Article 2
CargoItems that are placed on the ship to be transported to another port, such as boxes, pallets, cargo transport units, and bulk liquid and non-liquid matter.ISO 20858:2007
Cargo Community System (CCS)Usually owned and managed by port stakeholders that are usually private companies in charge of the terminal port operations. This system is used to share information on port operations related to the cargo and containers between all involved stakeholders (content of the cargo, localisation of a container, hour of its transfer, customs declarations, etc.)"Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Cargo handlingThe organisation and handling of cargo between the carrying waterborne vessel and the shore, whether it be for import, export or transit of the cargo, including the processing, lashing, unlashing, stowing, transporting and temporary storage of the cargo on the relevant cargo-handling terminal and directly related to the transporting of the cargo, but excluding, unless the Member State determines otherwise, warehousing, stripping, repackaging or any other value added services related to the cargo.Regulation (EU) 2017/352, Article 2
CarrierFreight transporting companyEU H2020-DS-2014-01 project "MITIGATE"
Centre for International Maritime Security (CIMSEC)A 501(c)3 non-partisan think tank incorporated as a non-profit in the state of Maryland. CIMSEC was formed in 2012 and as of 2020 has 20 international chapters and over 2,000 members and subscribers in 60 countries. CIMSEC does not take organizational positions and encourages a diversity of views in the belief that a broad range of perspectives strengthens our understanding of the challenges and opportunities in the maritime domain. http://cimsec.org/about
CitiesAt local level, the cities are strongly involved in the development and the operations of ports: investment in port infrastructure, in maritime tourism, planification of road construction, financing university research, etc. The cities are a major stakeholder involved in the construction of each port strategy."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
CivilTerminal operators, usually private companies, are responsible for maintaining security and safety on the land they rent from the Port Authority and managing the services related to terminal operations (loading and unloading cargo or passengers for instance)."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Civil Security, police and rescue at seaThe civil security and police authorities are responsible of law enforcement and of deploying measures to fight against criminals (terrorism, organized crime, etc.). Each port has its own local civil security and police. According to local and national specificities, they can also oversee rescue at sea to assist people and vessels in case of distress situations."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Coast GuardsCoast Guards are maritime organizations in charge of ensuring navigation safety and security and enforcing the law on the maritime territory under the responsibility of the country."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Combined TransportIntermodal transport where the major part of the European journey is by rail, inland waterways or sea and any initial and/or final legs carried out by roadEU H2020-DS-2014-01 project "MITIGATE"
Commercial and
financial data
As any company, the ports deliver services to companies (shipping companies, etc.) and books different services to their providers (ICT providers for example): financial and commercial are exchanges (money transfer, invoicing, etc.)."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Control & AuthorisationThe Port Authorities and other national authorities control and deliver authorisation for vessel and cargo movement."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Customs (Authority/Agency/Office)The customs authorities are responsible of the administration and the application of national and international customs law through the collection of duties and taxes, in particular for importation, exportation, movement or storage of goods in ports."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Customs Agent/OfficerA law enforcement agent who enforces customs laws, on behalf of a governmentEU H2020-DS-2014-01 project "MITIGATE"
DepotA commercial building or area for storage of goods. Warehouses are used by manufacturers, importers, exporters, wholesalers, transport businesses, customs, etc. They are usually lcoated in industrial areas. They usually have loading docks to load and unload goods from trucks. Also warehouses are designed for the loading and unloading of goods directly from railways, airports, or seaports.EU H2020-DS-2014-01 project "MITIGATE"
DistributorAn entity that buys noncompeting products or product lines, and resells them to retailers or direct to the end users or customers.EU H2020-DS-2014-01 project "MITIGATE"
Dry PortInland terminal which is directly linked to a maritime port.EU H2020-DS-2014-01 project "MITIGATE"
European Border and Coast Guard Agency (FRONTEX)An agency of the European Union, headquartered in Warsaw, Poland, tasked with border control of the European Schengen Area, in coordination with the border and coast guards of Schengen Area member states.https://frontex.europa.eu/
European Fisheries Control Agency (EFCA)An European Union agency, which's mission is to promote the highest common standards for control, inspection and surveillance under the CFP. Its primary role is to organise coordination and cooperation between national control and inspection activities so that the rules of the CFP are respected and applied effectively.https://www.efca.europa.eu/
European Police Office (EUROPOL)The European Union’s law enforcement agency, which's main goal is to achieve a safer Europe for the benefit of all the EU citizens.
Headquartered in The Hague, the Netherlands, EUROPOL supports the 27 EU Member States in their fight against terrorism, cybercrime and other serious and organised forms of crime. The agency also works with many non-EU partner states and international organisations.
https://www.europol.europa.eu/
Electronic Port Clearance (EPC)Process of exchanging information between the ship and its agent and various parties on shore to allow the ship clearance to enter port and berth. EPC does not necessarily include customs clearance of goods that are imported or exportedISO 28005-2:2011
European Maritime Safety Agency (EMSA)Article 1 of the EMSA Founding Regulation states that the purpose of the Agency is to ensure a high, uniform and effective level of maritime safety, maritime security, prevention of, and response to, pollution caused by ships as well as response to marine pollution caused by oil and gas installations and, where appropriate, to contribute to the overall efficiency of maritime traffic and maritime transport so as to facilitate the establishment of a European Maritime Transport Space without Barriers.http://www.emsa.europa.eu
European Sea Ports Organisation (ESPO)ESPO (link leading to: https://www.espo.be/) is acting as the main interface between European seaports and European institution"Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
European Union Agency for Cybersecurity (ENISA)Is the Union’s agency dedicated to achieving a high common level of cybersecurity across Europe. Established in 2004 and strengthened by the EU Cybersecurity Act, the European Union Agency for Cybersecurity contributes to EU cyber policy, enhances the trustworthiness of ICT products, services and processes with cybersecurity certification schemes, cooperates with Member States and EU bodies, and helps Europe prepare for the cyber challenges of tomorrow. Through knowledge sharing, capacity building and awareness raising, the Agency works together with its key stakeholders to strengthen trust in the connected economy, to boost resilience of the Union’s infrastructure, and, ultimately, to keep Europe’s society and citizens digitally secure.https://www.enisa.europa.eu/
Feeder serviceShort sea shipping service which connects at least two ports in order to consolidate or redistribute freight from a deep sea service.EU H2020-DS-2014-01 project "MITIGATE"
Feeder vessel operatorA company operating and /or owning vessels that is specialised in feeder operations.EU H2020-DS-2014-01 project "MITIGATE"
Ferry operatorA company operating and /or owning ferry vessels.EU H2020-DS-2014-01 project "MITIGATE"
FisheriesAccording to the Food and Agriculture Organization of the United Nations, a fishery is typically defined in terms of the "people involved, species or type of fish, area of water or seabed, method of fishing, class of boats, and purpose of the activities or a combination of the foregoing features"."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Fisheries Information Management System (FIMS)For ports hosting fishing activities, the FIMS, as an integrated collection of applications and processes, is owned by the local fisheries authority and used by port stakeholders to manage fisheries operations (loading and unloading), traceability of fish catches, catch certifications."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Fishery ControlThe fishery control authorities are in charge to ensure the fishing of good quality and sustainable seafood by defining controls and requirements that the fishing industry must follow. For instance, they control the permit for a vessel to fish, the origin of the fish catches, etc."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Flag stateThe flag state of a commercial vessel is the jurisdiction under whose laws the vessel is registered: the flag state enforced regulations such as inspection, certification, and security requirements. Each vessel operates and navigates under the law of its flag state that list and enforce international conventions (IMO conventions notably)."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Focal point for port securityThe body designated by each Member State to serve as contact point for the Commission and other Member States and to facilitate, follow up and provide information on the application of the port security measures laid down in Directive 2005/65/EC.EU Council Directive 2005/65/EC (2005)
Forwarder (Freight Forwarder / Forwarding Agent / Local Agent / NVOCC: Non-Vessel Operating Common Carrier)A person or company that organises shipments for individuals or corporations to get goods from the manufacturer or producer to a market, customer or final point of distribution.EU H2020-DS-2014-01 project "MITIGATE"
Freight sender and consigneeThe sender is the person, company or organisation, at the origin of the forwarding of a good or other item which can be sent by sea."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
The consignee is the receiver of this good, also a person, a company or an organisation.
HarbourArea of water providing shelter for ships, used to build ports.EU H2020-DS-2014-01 project "MITIGATE"
Harbour MasterAn official responsible for enforcing the regulations of a particular harbour or port, in order to ensure the safety of navigation, the security of the harbour and the correct operation of the port facilities.EU H2020-DS-2014-01 project "MITIGATE"
Hinterland connectivityThe port, as an interface between the sea and the hinterland transport systems, has hinterland connectivity assets such as railway stations and rolling stock loading and dispatch systems, road infrastructure, intermodal stations, canals and port infrastructures connecting with inland waterways."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Hinterland liaisonsThis category relates to all stakeholders, private and public, interacting in the multi-modal ecosystem of the port: waterways, roads, railways, etc."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
ICS communications networks & componentsTo ensure communications between the ICS components, the port manages the following assets: switches (managed and unmanaged), wireless access points, protocols, power supply systems (water, electricity, etc.)."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
International Maritime Bureau (IMB)The IMB (http://www.icc-ccs.org/icc/imb) is a specialised division of the International Chamber of Commerce acting against all types of maritime crime and malpractice."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Industrial control systems (for maritime transport) (ICS)In the port, there are different Industrial Control Systems (ICS) for managing port access and vessel berthing (bridges, locks, gates, etc.), port infrastructure (buildings, etc.) and terminal operations (cranes, storage, etc.). An ICS is composed of the following components: controllers and analysers (PLCs, RTUs), databases (Historian, MES, etc.), supervisory systems (DCS, SCADA), HMIs / workstations (programming consoles, engineering workstations), maintenance systems and Safety Instrumented Systems (SIS)."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Inland CarrierA transportation line which hauls cargo inland: truck, rail, barge, inland waterways, or domestic airline flights.EU H2020-DS-2014-01 project "MITIGATE"
Insurance CompanyProvides coverage to the Importer for damage to the vehicles resulting from incidents during their transportation, loading, unloading or storage. Marine insurance can also protect the insured against marine casualties and the loss or damage of vessels, hulls, terminals, and any transport or cargo by which property is transferred, acquired or held between the point of origin and the defined destination.EU H2020-DS-2014-01 project "MITIGATE"
Intermodal TransportMovement of goods in one loading unit or road vehicle, which uses two or more modes of transport.EU H2020-DS-2014-01 project "MITIGATE"
International Association of Independent Tanker Owners (INTERTANKO)It is a trade association of independent tanker owners supporting the interests of its Members at national, regional and international levels. The organisation aims to support global energy networks through the delivery of safe, efficient and environmentally sound transport services and it deals with a wide range of operational, technical, legal and commercial issues related to tanker owners and operators around the world. INTERTANKO. Online available: https://www.intertanko.com/About-Us/
International Association of Ports and Harbours (IAPH)IAPH (https://www.iaphworldports.org/) is the global trade association for seaports worldwide."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
International Maritime Organization (IMO)IMO is a specialised agency of the United Nations, responsible for measures to improve the safety and security of international shipping and to prevent marine and atmospheric pollution from ships.International Maritime Organization. Online available: https://www.imo.org/en/About/Pages/Structure.aspx
International Port Community System Association (IPCSA)An association with members from both the private and public sectors, including governmental organisations, that focuses its activities on practical advice and guidance rather than policy. As a result, IPCSA is respected as a trusted third party, in line with its community system members, and is recognised as such by international bodies and intergovernmental organisations. IPCSA focuses on supporting and facilitating systems and innovations for its members and their users, and on promoting the use of international data standards in sea and air ports, at border crossings and via Single Window systems around the world.https://ipcsa.international/
International Ship and Port Facility Security Code (ISPS)The International Ship and Port Facility Security Code (IMO, 2002), in force since 2004, including for intra-EU sea traffic. Its objective is the provision and exchange of information on the security status of a vessel and on actual threats and dangers to port facilities.SOLAS XI-2 and the ISPS Code, The International Ship and Port Facility (ISPS) Code. Online available: https://www.imo.org/en/OurWork/Security/Pages/SOLAS-XI-2%20ISPS%20Code.aspx
Lift-on / Lift-off (LoLo)Loading and unloading of intermodal transport units using lifting equipment.EU H2020-DS-2014-01 project "MITIGATE"
Local AgentA Local Agent has primary responsibility for completing shipping and customs documentation and arranging vehicle transportation. Agents assist businesses and individuals (Importers) who need to ship vehicles from one country to another.EU H2020-DS-2014-01 project "MITIGATE"
LogisticsProcess of designing and managing the supply chain.EU H2020-DS-2014-01 project "MITIGATE"
Mandatory declarationsMany declarations are mandatory for a ship to enter the port area, in accordance with international, European, national and local regulations. For instance, the FAL Convention requires passenger and crew, vessel, cargo, border control, waste, security, health and travel information."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Maritime communicationA diverse set of communication interactions in shipping:
• Ship-to-ship
• Ship-to-port
• Ship-to-Remote Control Centre (RCC)
• Ship-to-Vessel Traffic Services (VTS)
• Ship-to-Application Service Provider (ASP)
• Ship-to-Medical Aid Provider (MAP)
• Ship-to-Search and Rescue (SAR)
• Ship-to-Maritime Rescue Coordination Centre (MRCC)
Rødseth, Ørnulf Jan, Christian Frøystad, Per Håkon Meland, Karin Bernsmed, and Dag Atle Nesheim. “The need for a public key infrastructure for automated and autonomous ships.” In IOP Conference Series: Materials Science and Engineering, vol. 929, no. 1, p. 012017. IOP Publishing, 2020.
Maritime securityThe combination of measures and human and material resources intended to protect shipping against intentional unlawful acts.Regulation COM/2003/0229 (EU) (enhancing maritime transport security)
Resistance to intentional, unauthorized acts designed to cause harm or damage to ships and ports.ISO 20858:2007
Maritime security incidentSuspicious act or circumstance threatening the security of a ship or port facility. For example: piracy against a cargo ship, or a tanker collision caused by hackers altering the tanker's geolocation in a marine traffic database.ISO 20858:2007
Maritime stakeholderA policy actor and/or an organisation/entity/person involved in the shaping of maritime policies and directives. For example shipping companies, ship agent, ship master and crew, etc.EU H2020-DS-2014-01 project "MITIGATE"
Maritime Transport (MT)Inland, sea and coastal passenger and freight water transport companies (as defined for maritime transport in Annex I to Regulation (EC) No 725/2004 of the European Parliament and of the Council), not including the individual vessels operated by those companies.NIS Directive, 2016
Mobile devicesDifferent mobile devices are used in ports: smartphones, tablets, TETRA radios, specific devices used for logistics (scanning, etc.) etc."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
MooringThe berthing and unberthing services, including shifting along the quayside, that are required for the safe operation of a waterborne vessel in the port or in the waterway access to the port.Regulation (EU) 2017/352, Article 2
Multimodal TransportCarriage of goods by two or more modes of transport.EU H2020-DS-2014-01 project "MITIGATE"
Multimodal Transport OperatorPerson who concludes a multimodal transport contract and assumes the whole responsibility for it, whether performing as carrier or as transport operator.EU H2020-DS-2014-01 project "MITIGATE"
Navigation dataThrough satellite and navigation data (AIS, SafeSeaNet, etc.), the different stakeholders share navigation data with the port (GPS position, information on maritime routes, etc.)."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
NetworkDifferent networks are set up in ports: VHF radio, Internet, WiMAX/Wi-Fi, satellite, ad-hoc networks, VLAN/LAN, etc. They can be managed by different stakeholders at different levels."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Operational dataIn order to plan and manage all the services (ship services, logistics services, etc.), operational data are shared between the port stakeholders."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
OperatorRepresented in the transport chain as forwarder, intermodal operator, agent or terminal operator having each of their function either to plan and/or to control each transport stage and/or load unit handling in the terminals.EU H2020-DS-2014-01 project "MITIGATE"
OT end devicesThe Operational Technology end devices of the ICS of the port."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
- Hinterland connectivityTo move cargo, containers, vehicles or passengers in or out, different end-devices are used to control and inspect them and then transfer them to other transport systems: control and inspection systems (scanners, inspection systems, X-ray), railway stations, marshalling yards for wagons, multimodal transport hubs for people (passengers, workers, etc.), inland port facilities, port gate control equipment (plate reading, badges, barcode reading, detectors)."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
- Port facility specific lay-outThe end-devices of the ICS related to the port facility specific lay-out are: specific fencing and access control, specific safety and security equipment, first response equipment, specific operational room, etc."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
- Temporary storageOnce the cargo or containers are out of the vessel, they are temporarily stored in the port areas; different OT end-devices are used: internal transport systems (straddle carriers, yard trucks, chassis, etc.), storage equipment systems (pallet racks, tankage, etc.), cooled and uncooled stores, silos, tanks, switches (managed and unmanaged) for pipes and conveyor belts, wireless access points for "smart" seals and container self-localisation devices, etc."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
- Vessel loading and unloadingTo load and unload the vessels, many OT end-devices are used: terminal-specific handling equipment and systems (cranes, ramps for passengers, pipelines, belts, conveyors, etc.), terminal-specific freight tracking systems (barcodes, liquid meters, RFID, seals, scales, etc.), people badge or ticket scanners, plate reading systems, fault detectors in automated loading/unloading systems (leakages, shocks, jamming, etc.)."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
- Vessels berthingThe end-devices of the ICS related to port vessel berthing are: boatage, berth management systems, specific inspection and control equipment, etc."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Passenger serviceThe organisation and handling of passengers, their luggage and their vehicles between the carrying waterborne vessel and the shore, and also includes the processing of personal data and the transport of passengers inside the relevant passenger terminal.Regulation (EU) 2017/352, Article 2
Physical floating barriersTo protect critical vessels and port areas, to contain pollution and for other purposes, the port can use physical floating barriers."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Policy ActorRepresentative of a group of interests within a country community, a country or a region, influencing decisions of transport actors concerning the choice of the means of transport by policy frameworks such as fiscal and order policy measures.EU H2020-DS-2014-01 project "MITIGATE"
Port(1) A specified area of land and water, with boundaries defined by the Member State in which the port is situated, containing works and equipment designed to facilitate commercial maritime transport operations.
(2) Location on a coast or shore containing one or more port facilities where ships can berth and transfer people or cargo to or from land.
(1) EU Council Directive 2005/65/EC (2005), (2) ISO 28005-1:2013
Port AuthorityA governmental or quasi-governmental public authority, sitting at the heart of the interactions between all stakeholders. In collaboration with other local and national authorities, it is responsible for maintaining and developing the port infrastructure and the transport infrastructure, and for ensuring the overall safety and security of port and ship operations through the harbour master. Moreover, the Port Authority oversees some controls and inspections in accordance with national, European and international legislation."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Port buildingBuildings that host the different offices related to the port services (Harbour Master office, customs office, etc.) and the data centres hosting all the IT and OT systems."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Port clearanceProcess undertaken by an entity or entities for the purpose of determining if a ship may enter the port, berth at a facility, conduct certain operations and/or depart the port.ISO 28005-1:2013
Port Community System (PCS)Usually owned and managed by the Port Authority or port stakeholders, and increasingly organised as a single window system, the PCS is used to share information on port operations related to the vessels between all the port stakeholders (date of arrival or departure of the ship given by the shipping companies, mandatory declarations such as crew lists and dangerous goods declarations, bookings of vessel services, etc.)."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Port Corporate SystemsThe Port Corporate Systems are composed of the different applications, systems, workstations and servers common to any company: financial, human resources (HR), communication and network systems, e-mail systems, sales and marketing systems (ERP), etc."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Port facility(1) A location where the ship/port interface takes place, encompassing areas such as anchorages, waiting berths and approaches from seaward, as appropriate.
(2) (Maritime port facility) Those areas of the port and harbour where the ship/port interface takes place.
(1) Regulation (EC) No 725/2004 (2004), (2) ISO 20858:2007
Port Facility Security PlanPlan to ensure the application of measures designed to protect the people, port facility, ships, cargo, cargo transport units, and ship stores within the port facility from the risks of a security incident.ISO 20858:2007
Port Safety & securityThe port also has dedicated infrastructure to ensure safety and security: control tower, operational room, security centre, first response facilities (firefighting, pollution containment, evacuation routes, medical facilities, etc.). Many systems are set up in the port areas to ensure the safety and security of people and port infrastructure:
• Detection systems such as video-surveillance (CCTV), incident management systems, first response centre systems, IDS (intrusion detection systems), abnormal behaviour detection systems;
• Emergency communication systems;
• Access control systems such as automatic gates, smart fencing systems, badging systems, access monitoring and counting systems;
• Traffic monitoring systems such as radar and electro-optic monitoring systems, train and truck traffic monitoring systems;
• Surveillance & inspection systems such as patrolling staff, boats, dogs and vehicles, detectors (fire, gas leaks, nuclear, etc.), X-ray scanners;
• Evacuation systems such as exit route guidance, muster points, guidance screens, emergency doors;
• Identification & authentication systems such as face recognition systems, biometric systems, ID control portable terminals; and
• Alerting systems such as sirens and loudspeakers.
"Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Port security authorityThe authority responsible for security matters in a given port.Regulation (EC) No 725/2004 (2004)
Port security personnel Individuals who have assigned security duties defined in the port facility and who may or may not be employees.ISO 20858:2007
Port service shipsThe port has dedicated service ships at disposal to deliver specific services on water to the vessels: pilot boats, tugboats, boatage and mooring assistance, supply vessels, safety vessels, inspection and security vessels."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Port State ControlPort State Control is responsible for inspecting foreign ships (ships whose flag state differs from the port's state) in ports to verify their compliance with international and national regulations. Port State Control can take action against non-compliant ships (detention, sanctions, etc.)."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Portuary infrastructureThe assets are related to the mooring of the vessels in the port (docks, quays, jetties, piers), the lighting, the access control (gates, plate reading systems, detectors) and the transport inside the port areas (roads, railways, waterways, walk roads)."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Prevention of PollutionThe prevention of pollution authorities are responsible for ensuring that national and international regulations are applied in the port ecosystem (management of ship waste, etc.)."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
ProtocolsSets of rules that are used to exchange information. For example: Electronic Data Interchange (EDI), Application Programming Interfaces (APIs), authentication protocols, etc."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
RadioRadio systems (RFID, VHF, etc.) are used for many port processes: communication with ships, safety and security operations, logistics management, etc."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
RequestMessage sent from the ship to the single window, containing a request for some form of clearance or other service from one or more authorities connected to the single window.ISO 28005-1:2013
Road haulierA company operating and /or owning trucks and carrying out road transport functions concentrating on the physical movements of goods.EU H2020-DS-2014-01 project "MITIGATE"
Roll-on / Roll-off (RoRo)The typical ferry vessels onto and off which cars and trucks drive by means of a ramp. The same design is used for car carriers, to avoid wasting time hoisting cars, trucks, buses or other vehicles into the ship.EU H2020-DS-2014-01 project "MITIGATE"
Seaside connectivityThose assets are related to the navigation between the seaside and the port area to ensure that the vessels can enter and exit the port: breakwaters, sea locks, buoys, light beacons, marking of waterways, tide, wind and currents monitoring, radar monitoring of waterways."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
ServersNumerous servers are used in the ports for different uses: web servers, application servers, proxy servers, mail servers, virtual servers, printers, etc."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Service providersExamples of service providers are:
- Classification societies
- Dockers
- ICT integrators
- Infrastructure providers
- Logistic service provider
- Security providers
- Ship repair services
- Ship services providers
- Classification societiesAs a non-governmental organisation, classification societies set standards for the construction and operation of ships and offshore structures and certify that the construction of a ship complies with those standards by delivering a certificate."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
- DockersThe dockers are employed by private companies – which could be terminal operators – to realise the terminal operations (e.g. loading and unloading vessel cargo)."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
- ICT integratorsTo support the port processes and operations, ports use daily Information and Communication Technology (ICT) systems which are, for most of them, set up, operated and maintained by private specialised companies in IT and Communications development."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
- Infrastructure providersA port can contract private companies to operate in the port to ensure the installation of port infrastructure and its maintenance."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
- Logistic service providerA company that offers logistic services like warehousing, storage, stuffing and stripping, etc., but in any way other services than just transport and forwarding.EU H2020-DS-2014-01 project "MITIGATE"
- Security providersTo ensure security in ports, private companies operate and maintain security systems in the port (such as CCTV)."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
- Ship repair servicesShipping companies or shipowners can book ship repair services to the port for damage cases of all kinds, delivered by different actors depending on their expertise (propulsion systems, governors, etc.)."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
- Ship services providersA ship can book different services to the port. For some of these services, the port delegates these services to external companies (e.g. refuelling)."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
ShipThe ship itself, an agent in the port of call, the owner or management company, or any other entity that can legally represent the ship in the transaction. E.g.: cargo ship, passenger ship, RoRo, LoLo, tanker.ISO 28005-1:2013
Ship / Maritime AgentA person or company that carries out the functions of an agent irrespective of whether they are in business as a ship agent, or they perform such functions as an adjunct to, or in conjunction with, other activities such as ship owning or operating, providing cargo handling or similar.
Person or firm that transacts all business in a port on behalf of ship owners or charterers. Also called shipping agent or agent.
EU H2020-DS-2014-01 project "MITIGATE"
Also called ship agent, the maritime agent acts as a representative of the shipowner to fulfil the requirements for each port the ship visits."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Ship BrokerActs as a specialised agent or intermediary in commercial negotiations and transactions between Ship Owners and Charterers (the automobile industry in the vehicle supply chain) to arrange maritime transport of vehicles. Ship brokers also buy and sell ships on behalf of their clients.EU H2020-DS-2014-01 project "MITIGATE"
Shipowners and crewThe shipowner is in charge of equipping and operating a commercial vessel, hiring licensed crew and captains to run the ship."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Ship insuranceShip insurance covers the loss or damage of ships, cargo, terminals, and any transport by which the property is transferred, acquired, or held between the points of origin and the destination."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Ship / port interfaceThe interactions that occur when a ship is directly and immediately affected by actions involving the movement of persons or goods or the provision of port services to or from the ship.Regulation (EC) No 725/2004 (2004)
ShipperThe owner of the cargo when it is dispatched. It can be either a consignee or a consignor.EU H2020-DS-2014-01 project "MITIGATE"
Shipping and maritime freight companiesThese private companies are in charge of transferring and forwarding freight from one place to another, by booking services for all kinds of transport (maritime transport, railways, etc.)."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Shipping line / coastal / oversea shipping lineA company operating and /or owning vessels for sea transport.EU H2020-DS-2014-01 project "MITIGATE"
Short Sea ShippingMovement of cargo by sea mostly along a coastline.EU H2020-DS-2014-01 project "MITIGATE"
Single Window (SW)Facility that allows parties involved in trade and transport to lodge standardized information and documents with a single entry point to fulfil all import, export and transit-related regulatory requirements.ISO 28005-1:2013
Smart PortAn automated port that uses nascent technologies such as big data, Internet of Things (IoT), blockchain solutions and other smart technology based methods to improve performance and economic competitiveness. With these technologies, smart ports can also improve environmental sustainability.https://en.wikipedia.org/wiki/Smart_port; http://parisinnovationreview.com/articles-en/what-is-a-smart-port
Special vehiclesThe port has dedicated vehicles at disposal to deliver inland services. Eg.: Firefighting, ambulance, mobile cargo control units, etc."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Stevedoring companyA company responsible for the handling (loading, unloading and storage) of goods at terminals.EU H2020-DS-2014-01 project "MITIGATE"
Switches, routers and hubsThese components forward traffic between network segments, each in a different manner: a hub repeats every frame to all its ports, a switch forwards frames by MAC address within a LAN, and a router forwards packets between different networks by IP address."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
TerminalA terminal is a facility where cargo is trans-shipped between different transport modes, for onward transportation.EU H2020-DS-2014-01 project "MITIGATE"
Terminal Operations Management Systems (TOS)Usually owned, used and maintained by private terminal operators, these are mainly composed of different systems: enterprise operations systems to plan and manage logistics and operations (ERP, CRM, etc.), the OT systems specific to the terminal operations (cranes, etc.), the terminal operating systems (TOS) used to optimise logistics, and transhipment and warehouse systems."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
TowageThe assistance given to a waterborne vessel by means of a tug in order to allow for a safe entry or exit of the port or safe navigation within the port by providing assistance to the manoeuvring of the waterborne vessel.Regulation (EU) 2017/352, Article 2
Vessel Traffic Management Information System (VTMIS)An extension of the VTS which integrates other information and functionalities to increase the effectiveness of port operations (allocation of resources, etc.)."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Vessel Traffic Service (VTS)A marine traffic monitoring system."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
Waste treatment systemsThe port manages not only its waste but also the waste of the vessels (solid waste such as plastic, paper, glass, food and liquid waste such as bilge water, sludge and sewage)."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
World Customs Organization (WCO)The World Customs Organization (WCO), established in 1952 as the Customs Co-operation Council (CCC) is an independent intergovernmental body whose mission is to enhance the effectiveness and efficiency of Customs administrations.http://www.wcoomd.org/
WorkstationsDifferent workstations are used in ports: dedicated to IT systems, dedicated to OT systems, dedicated to maintenance, mobile and fixed workstations, etc."Port Cybersecurity - Good practices for cybersecurity in the maritime sector", ENISA, 2019
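The "Maritime security incident" entry gives, as its example, a tanker collision caused by an altered geolocation in a marine traffic database, and the "Navigation data" entry notes that AIS positions are shared with the port. One plausibility check a port security operations team can run over such a position feed is to flag consecutive reports from the same vessel whose implied speed over ground exceeds what any merchant vessel can physically do. The code below is an added example and is not part of this glossary nor of the ENISA or MITIGATE sources it cites; the MMSIs, timestamps and positions are constructed for illustration, the input is assumed to be already-decoded position reports (not raw AIS sentences), and the 50-knot ceiling is an assumed threshold that a real deployment would tune per vessel type.

```python
"""Plausibility check over decoded vessel position reports.

Added example (not from the ENISA report or the MITIGATE project).
Assumes each report has already been decoded into a dict with keys
mmsi, timestamp (ISO 8601, UTC), lat and lon (decimal degrees).
"""
from __future__ import annotations

import math
from datetime import datetime

EARTH_RADIUS_NM = 3440.065      # mean Earth radius in nautical miles
DEFAULT_MAX_SPEED_KN = 50.0     # assumed ceiling; tune per vessel class

# Constructed sample feed. Vessel 123456789 moves normally, then "jumps"
# about 190 nm in 30 minutes, as a tampered position record would.
SAMPLE_RECORDS = [
    {"mmsi": "123456789", "timestamp": "2021-03-14T10:00:00+00:00", "lat": 51.95, "lon": 3.90},
    {"mmsi": "123456789", "timestamp": "2021-03-14T10:30:00+00:00", "lat": 51.96, "lon": 4.00},
    {"mmsi": "123456789", "timestamp": "2021-03-14T11:00:00+00:00", "lat": 50.00, "lon": 0.00},
    {"mmsi": "987654321", "timestamp": "2021-03-14T10:00:00+00:00", "lat": 51.90, "lon": 4.10},
    {"mmsi": "987654321", "timestamp": "2021-03-14T11:00:00+00:00", "lat": 51.92, "lon": 4.20},
]


def haversine_nm(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two WGS84 points, in nautical miles."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(a))


def _parse_ts(value: str) -> datetime:
    # Accept a trailing "Z" as well as an explicit "+00:00" offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_implausible_jumps(records: list[dict], max_speed_kn: float = DEFAULT_MAX_SPEED_KN) -> list[tuple]:
    """Return (mmsi, record_index, implied_speed_kn) for every report that
    would require the vessel to exceed max_speed_kn since its previous report.

    Reports are grouped per MMSI and ordered by timestamp, so the feed may
    interleave vessels. A report with the same or an earlier timestamp than
    its predecessor but a different position is flagged with infinite speed.
    """
    by_vessel: dict[str, list[tuple[int, dict]]] = {}
    for idx, rec in enumerate(records):
        by_vessel.setdefault(rec["mmsi"], []).append((idx, rec))

    findings = []
    for mmsi, reports in by_vessel.items():
        reports.sort(key=lambda ir: _parse_ts(ir[1]["timestamp"]))
        for (_, prev), (idx_cur, cur) in zip(reports, reports[1:]):
            hours = (_parse_ts(cur["timestamp"]) - _parse_ts(prev["timestamp"])).total_seconds() / 3600.0
            dist_nm = haversine_nm(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if hours <= 0:
                if dist_nm > 0:
                    findings.append((mmsi, idx_cur, float("inf")))
                continue
            speed_kn = dist_nm / hours
            if speed_kn > max_speed_kn:
                findings.append((mmsi, idx_cur, round(speed_kn, 1)))
    return findings


if __name__ == "__main__":
    for mmsi, idx, speed in find_implausible_jumps(SAMPLE_RECORDS):
        print(f"MMSI {mmsi}: record {idx} implies {speed} kn, exceeds {DEFAULT_MAX_SPEED_KN} kn")
```

A hit from this check does not by itself prove tampering: a genuine feed can contain MMSI collisions, receiver timestamp errors or a ship that was out of coverage for a while, so the finding is a trigger to compare the report against a second source (radar, VTS, the ship's own GNSS log) rather than a verdict. A real deployment would also rate-limit alerts per vessel and keep the raw report for the incident record.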

KEY FACTS

Project Coordinator: Sofoklis Efremidis
Institution: Maggioli SPA
Email: info{at}cyrene.eu
Start: 1-10-2020
Duration: 36 months
Participating organisations: 14
Number of countries: 10

FUNDING

This project has received funding from the European Union's Horizon 2020 Research and Innovation programme under grant agreement No 952690. The website reflects only the view of the author(s) and the Commission is not responsible for any use that may be made of the information it contains.