A Prevention, Preparedness and Consequence Management of Terrorism and other
Security-related Risks Programme of the European Union
COLLABORATIVE CYBER-PHYSICAL SECURITY
MANAGEMENT SYSTEM
Integrated Proof-of-Concept Prototype
Deliverable D5.1 – Prototype
Co-funded by the Prevention, Preparedness and Consequence Management of Terrorism and other
Security-related Risks Programme of the European Union
Deliverable Id : D5.1
Deliverable Name : Integrated Proof-of-Concept Prototype
Due date of deliverable : M24
Actual submission date : M24
Work Package : WP5
Organization name of lead
contractor for this SILO
deliverable:
P. Kachramanos, C. Bratos, A. Karantjias, S.
Papastergiou, G. Makrodimitris, N. Polemi, F. Bisio, F.
Author(s):
Ballini, R. Bozz, D. Incertis Jarillo, A. Subirats Tarín, V.
Cerdá García de Leonardo, D. Calduch
Partner(s) contributing : FEPORTS, DITEN- UNIGE, SiLO, UPRC, VALENCIAPORT
Abstract
The main objective of this report is to deliver the prototype products that resulted from the
implementation and deployment effort of CYSM technical providers. Apart from providing all
necessary information to access and review the source code of CYSM Risk Assessment toolkit,
CYSM system’s technical components are reported in terms of their functional and interface
specifications.
CYSM Project
Collaborative
System
Cyber-Physical
Security
Management
Integrated Proof-of-Concept Prototype
Deliverable id: D5.1
Coordinator:
Singular Logic (GR)
Zacharias, Marios
www.cysm.eu
April, 2015
“This Project has been funded with support from the European Commission. This publication reflects the views only
of the authors, and the European Commission cannot be held responsible for any use which made be made of the
information contained therein”
History
Version
Date
1
Modification reason
2
10/04/2015
Formulation of the
Content
UPRC’s Contribution
7
26/04/15
Semi- final version
SILO
8
30/04/15
final version
SILO
7/11/14
Table
Modified by
of
SILO
UPRC
CYSM Project | Workpackage nº 5
Integrated Proof-of-Concept Prototype
Project full title
Collaborative Cyber-Physical Security Management
System
Project Acronym
CYSM
European Programme
Prevention, Preparedness and Consequence
Management of Terrorism and other Security-related
Risks Programme of the European Union
Agreement nº
HOME/2012/CIPS/AG/4000003750
Project Partners
Feports (ES), Fundación Valenciaport (ES), University of
Piraeus Research Centre (GR), Singular Logic (GR),
Piraeus Port Authority (GR), Dipartimento di Ingegneria
Navale, Elettrica, Elettronica e delle TelecomunicazioniUNIGE (IT)
Coordinator
SiLo
Workpackage Code
WP5
Deliverable nº
D5.1
Deliverable full title
Integrated Proof-of-Concept Prototype
Dissemination level
Public
Deliverable format
Prototype
Publication date
30/04/15
Publication status
Final
Authors
P. Kachramanos, C. Bratos, A. Karantjias, S.
Papastergiou, G. Makrodimitris, N. Polemi, F. Bisio, F.
Ballini, R. Bozz, D. Incertis Jarillo, A. Subirats Tarín, V.
Cerdá García de Leonardo, D. Calduch
Address
Al. Panagouli & Siniosoglou St, 14234 Nea Ionia, Athens,
Greece
Marios Zacharias
Contact
Project Official Site
[email protected]
www.cysm.eu
Project total budget
663.159,07 €
Project Start date (duration)
April, 26th 2013 (24 months)
Contents
1
Introduction .......................................................................................................................... 8
2
CYSM Risk Management Toolkit ........................................................................................... 9
2.1
From Version 1 to Final Version .................................................................................. 10
2.2
Web Interactive Tier.................................................................................................... 12
2.2.1
Functional Description ........................................................................................ 12
2.2.2
Interface Description ........................................................................................... 13
2.3
Enterprise Tier ............................................................................................................. 15
2.3.1
Functional Description ........................................................................................ 15
2.3.2
Interface Description ........................................................................................... 16
2.4
Database Tier .............................................................................................................. 16
2.4.1
2.5
Integrated Components .............................................................................................. 17
2.5.1
2.6
3
Functional Description ........................................................................................ 16
Collaboration Suite .............................................................................................. 17
Source Code ................................................................................................................ 18
Conclusions ......................................................................................................................... 19
CYSM Project | Workpackage Nº4
Integrated Proof-of-Concept Prototype
Executive Summary
The main objective of this report is to deliver the prototype products that resulted from the
implementation and deployment effort of CYSM technical providers. Apart from providing all
necessary information to access and review the source code of CYSM Risk Management Toolkit
and peripheral components (if applicable), CYSM System’s technical components are reported
in terms of their functional and interface specifications.
In more detail, Chapter 2 presents the final prototype of CYSM Risk Management Toolkit,
categorised in its main tiers as designed and reported in D2.3, D3.2 and D4.1.
Chapter 3 draws final conclusions.
 Copyright by CYSM
7
CYSM Project | Workpackage Nº4
Integrated Proof-of-Concept Prototype
1
Introduction
Aim of the CYSM system is the protection of the ports’ critical infrastructures, i.e. the effective
and efficient transport of people, freight, natural gas, oil, cargoes and manufactured goods in
order to guarantee their business continuity. CYSM project has designed and developed a
CYSM Risk Assessment Toolkit, described in the Deliverable D3.2. This involves new,
innovative, evolutionary, sophisticated and specialized technologies, processes and tools.
This deriverable aims at giving a report on applications to real-world port scenarios respecting
the CYSM Risk Management approach described in the Deriverable D3.1. In particular, it will
describe in details how to efficiently support the main risk assessment and management
processes of the tool, analyzing its core elements, components and modules.
The adoption of the CYSM Risk Assessment Toolkit gives the opportunity to the ports to
harmonize their security practices and procedures by working upon the same security and
safety principles achieving a secure national and European network of ports. This allows the
development of trustworthy clusters of national, regional and European ports with the same
culture and practices in treating their security and privacy enabling them to increase the
resilience of their infrastructure.
In this context, the toolkit relies on a set of automated workflows which have be designed and
implemented encapsulating primitive elements and tools aiming at the identification, analysis
and management of the physical and cyber threats and vulnerabilities of the ports’
infrastructure. These components have been combined in an effective and efficient manner
providing integrated and transparent self-management capabilities as a service, which will be
fully customizable, covering various aspects such as complexity, automation, terminology,
simplification and understanding.
8
CYSM Project | Workpackage Nº4
Integrated Proof-of-Concept Prototype
2
CYSM Risk Management Toolkit
The CYSM Risk Management developed is a web toolkit (CYSM System from now) to facilitate
and guide to any users to carry out the risk assessment of any port facility. This CYSM System
assists the user to make as many risk assessments of “his” port facilities as he wants.
The system lets to select a set of assets and assets’ categories, with a particular threats (and
threat’s categories), vulnerabilities and countermeasures, and even the user who makes the
assessment is able to add or edit new of these elements, depending on the assessed facility.
The user is also able to add the standard rules or directives (ISPS, ISO27001) that will apply in
the new assessment, and is also able to create sections and sub-sections of these standards to
concrete much more their application in a new risk assessment.
Furthermore the user can view and use other previously completed Risk Assessments to do the
new one and can invite the involved departments (managers and employees) to check and
help to do the assessment.
There are two main categories of users for the CYSM System, and each user will have a login
and a password that will give it a certain level of permissions:

Users that administer the CYSM System. He/She is responsible for the configuration of
the Risk Assessment Elements.

Users that make use of the CYSM System. For this second category we will have the
following types of users:
a) Information Security Officer: He/She will undertake the responsibility to participate
in a given Risk Assessment (through the Risk Assessment option from the menu)
and he/she will be able to manage and configure Risk Assessments (through the
use of the CYSM Management option from the menu).
b) Managers of Departments: they will undertake the responsibility to participate in a
given Risk Assessment (through the Risk Assessment option from the menu).
c) Employees of Departments: they will undertake the responsibility to participate in
a given Risk Assessment (through the Risk Assessment option from the menu).
With the CYSM toolkit is possible to access to some items as “Risk Assessment”,
“Management” and “Administration”. These links will let the users choose, edit, define or add
all the aspects to make as many risk assessment of any port facility as was necessary (even
could be a facility not related with ports). Some of these aspects will be “Assets Categories”,
“Threats”, “Vulnerabilities”, “Countermeasures” etc., and due to the collaborative nature of
the CYSM System, all news threats, vulnerabilities, countermeasures, etc., identified will be
available for any users.
 Copyright by CYSM
9
CYSM Project | Workpackage Nº4
Integrated Proof-of-Concept Prototype
2.1 From Version 1 to Final Version
The final version of CYSM Risk Management Toolkit was build taking into account the
following:



The suggestions of all users
The bugs identified when using the toolkit
The improvements that the CYSM consortium proposed
The following table depicts all the aforementioned.
Bugs / Improvements /
Suggestions
Required Actions / Comments
Fixed
A refresh mechanism is required
in order to identify all performed
changes (e.g. if a new assets is
added)
Asset Refresh mechanism is implemented
True
The user who uses the digital
library is not able to delete an
uploaded document
Deletion mechanisms is implemented
True
The user who uses the digital
library is not able to edit and
modify an existing record (e.g.
description)
In order to address this suggestion a major change on
users’ privileges was required
False
Change the date format from
mm/dd/yyyy to dd/mm/yyyy
The date format is changed
True
In
administrative
module:
"Countermeasure Types" should
be changed to "Control Types"
The label is changed
True
Control abstraction functionality
needs to be removed.
Control abstraction functionality has been removed.
True
The user who uses the digital
library is not able to modify the
categories defined in the CYSM
taxonomy, (e.g. add a new
category)
This will cause many problems on the proper tagging
of the content among the different ports
False
The user who uses the digital
library is not able to add special
characters
An input validator for the document title field was
properly integrated
True
When using the digital library,
the
help
message
“Pick
categories from the right” is not
The "pick categories" message has been changed
True
10
CYSM Project | Workpackage Nº4
Integrated Proof-of-Concept Prototype
correct. The categories are on
the left of the screen
The user who uses the digital
library is not able to select more
than one category.
The search functionality has been totally updated so
that if a user selects more than one category, the
system will present all related documents registered
in any of the selected categories.
True
The user who uses the digital
library is not able to add a
document in more than two
categories (e.g. the "National"
category and the "Other
Countries" category)
The add functionality has been totally reengineered
True
When
initializing
a
risk
assessment process a warning
message should be appeared in
order to inform the user to
define the boundaries of the risk
assessment
A warning message is added
True
In the Risk Management
component, a label should be
added to indicate the risk
assessment in which the user
participates
The required label with the title of the risk
assessment is added
True
Problems
when
uploading
images in the Help module were
identified
In order to add images in the help module without
using an external host, the best practice is to convert
the image the user wants to import to base64
encoded format (there are many online tools for this
purpose,
for
example:
http://webcodertools.com/imagetobase64converter).
In the help module editing pane, select the "HTML"
option and then paste the html code (it will be a
single img tag) generated by the aforementioned
tools.
True
CYSM
System
/
Services
Unavailability needs to be fixed
CYSM System/Services is hosted by a cloud service
provider (Greek Research and Technology Network
(GRNET S.A. https://okeanos.grnet.gr/home/)) and it
is accessible through the url http://cysm.cs.unipi.gr
True
The back-end system of the
CYSM Risk Management Toolkit
v.1 needs to be reengineered
since the content of the
different
Risk
Assessments
The Back-end system of the Toolkit is totally updated
True
 Copyright by CYSM
11
CYSM Project | Workpackage Nº4
Integrated Proof-of-Concept Prototype
needs to be related
When initializing a new Risk
Assessment the user needs to
have available all the assets from
previously
performed
assessments
All assets, risks, vulnerabilities and countermeasures
may be imported from previous assessments to a
newer one
True
Table 1: Bugs / Improvements / Suggestions/ Actions
2.2 Web Interactive Tier
2.2.1 Functional Description
It is the tier in which the core web Portal functionality and communication mechanisms (e.g.
Web Services) of the CYSM Risk Management toolkit are integrated, served and hosted.
This module undertakes the presentation layer of CYSM System comprising the source code of
the JSP pages that are used by the integrated modules (i.e. Document Management module,
Risk Assessment module) and corresponding services (i.e. Asset Management, Security Policy,
Collaboration). As previously mentioned it is java-based and when necessary it uses XML,
Javascript and Ajax technologies in order provide the desired levels of interaction and userfriendliness. Also it uses CSS mechanisms for the graphical environment.
Internet applications, such as CYSM, require a powerful and extensible Web server. The latest
stable version of Tomcat is not only a server which provides HTML pages, but also a platform,
upon which Internet applications can be easily developed.
Tomcat can host, among others, Java based applications, providing the ability to take
advantage of new features, such as the Web Services, which are part of the Java and the
Information System’s developing process.
Tomcat provides a set of advanced features beyond the simple Web service or Java/JSP
hosting environment. Its latest version has been designed to better extend and provide
tremendous reliability, so that applications will not significantly affect the performance of the
server. For example, all Java-based implementations are served using the process model of the
Tomcat and provide support to multiple application areas (multiple application pools). This
means that any Java-based application is isolated and do not directly communicate with the
kernel-mode HTTP listener, providing high performance and significant credibility.
This tier integrates also the Web Services object model in the following main categories:
12

Administration

Authentication

Data Retrieval

Permissions

Sites

Search
CYSM Project | Workpackage Nº4
Integrated Proof-of-Concept Prototype

People and Profiles

Workflow

List REST access

Client Object Model
2.2.2 Interface Description
Considering its role in the CYSM architecture, this module does not interface with any other
system, module or database except for the Enterprise Tier which are highly connected with.
On the other hand, the Web Interactive tier is composed of all user interfaces that are used by
the Identity Management, Information Asset Management and Decision Support system and
services as presented in the following figures:
Figure 1: Administration module
Figure 2: Management module
 Copyright by CYSM
13
CYSM Project | Workpackage Nº4
Integrated Proof-of-Concept Prototype
Figure 3: Risk Assessment module
.
Figure 4: Risk Assessment Results module
14
CYSM Project | Workpackage Nº4
Integrated Proof-of-Concept Prototype
Figure 5: Security Policy Reporting module
In general, the Web Interactive Tier can be considered as the fundamental interface of endusers with the offered functionalities.
2.3 Enterprise Tier
2.3.1 Functional Description
It is the tier, which hosts the CYSM System’s applications. At this level all project applications
are fully integrated and supported. These applications are based on Java and Spring
technology, taking full advantage of innovations and technological superiority of Java products.
It is a complete architecture for developing Web applications and objects, dispersed in Internet
by using managed code.
System’s applications use the programming model, development tools, and installation and
Setup practices that are common for all the Java applications. These applications take
advantage of all common services, including support for different programming languages.
Most development systems make difficult the separation of business logic from the
presentation, which are not easy to be maintained. The user of Java technology makes the
above separation easy. The clear separation of presentation from behavior actually simplifies
the deployment process and procedures, reducing the cost of long-term maintenance and
facilitating the cooperation in the selected development.
The functional specifications of this module can be summarised by the functionalities provided
by the Identity Management System, namely upload, search and management of various
content and files, along with relevant information details and the applied taxonomy
categories.
 Copyright by CYSM
15
CYSM Project | Workpackage Nº4
Integrated Proof-of-Concept Prototype
2.3.2 Interface Description
As previously mentioned the user interfaces of this module are integrated within and deployed
by the Web Interactive Tier. The following figure presents another user interface of the
content management module:
Figure 6: User interface of upload functionality
Furthermore, the web interactive module is interconnected with the database of the CYSM
digital library.
2.4 Database Tier
2.4.1 Functional Description
It is the tier in which the Relational Databases management of the CYSM System resides. This is
implemented using worldwide known and accepted technologies, such as MySQL. Specifically,
MySQL is a well-known solution for analysing and managing data, and provides a
comprehensive data platform for organizations and companies to:



16
Create, implement and manage enterprise applications that are highly secure, scalable
and reliable.
Maximize the productivity of Information Services, reducing the complexity of
creation, implementation and management of database applications.
Achieve sharing of data between different platforms, applications and devices in order
to facilitate linking internal and external systems.
CYSM Project | Workpackage Nº4
Integrated Proof-of-Concept Prototype


Control costs without compromising on performance, availability, scalability, or
security.
Provide increased business knowledge in a broader set of users within the company.
MySQL adopts significant solutions in the management of corporate data, in productivity
programming and business intelligence, integrating:


Improvements in the field of business data management, which allow reducing
application downtime, increased scalability and performance, as well as the
development of stringent security checks
Improvements in the field of programming productivity, which change radically the
way of creation and installation of database applications, and therefore allow faster
development of more reliable and safer applications.
MySQL implementation and integration includes the following tools:





Relational database. A secure, reliable, scalable and with high availability relational
database that offers improved performance and support for structured and
unstructured data.
Create replicated (Replication Services). Data replication for distributed or mobile data
processing applications, high systems availability, scalable map with auxiliary data
storage points for enterprise reporting solutions, and integration in heterogeneous
systems
Notification Services (Notification services). Advanced notification capabilities for
applications development and implementation that offer personalized escalating and
timely information updates to a variety of connected and mobile devices.
Integration Services (Integration services). Export capabilities, loading and conversion
for data integration across the company.
Management Tools. MySQL provides an integrated environment for accessing,
configuring and management of all its components.
2.5 Integrated Components
2.5.1 Collaboration Suite
CYSM System ships with a robust suite of collaboration applications which are used to build
communities of users (Information Security Officers, Department Managers, and Employees).
All of the applications share a common look and feel, security model, and architecture,
inheriting all of the strengths of being a part of the main CYSM System, so they are used in
combination with the integrated user management and Content Management features.
CYSM collaboration suite includes the following Web2.0 tools, applications and technologies:




Blogs
Calendars
Message Boards
Wikis
 Copyright by CYSM
17
CYSM Project | Workpackage Nº4
Integrated Proof-of-Concept Prototype
The Blogs module is easy to configure on various options, such as Email From, Entry Added
Email, Entry Updated Email, Display Settings, Maximum Items to Display, Display Style, Enable
Flags, Enable Ratings, Enable Comments, and Enable Comment Ratings.
Additionally, the System provides the option to select in which blogs will be displayed to RSS
readers, and how the blog entries will be published to feed readers and outside the Toolkit.
Since the CYSM blog is a shared blog, Ports’ administrators are able to modify the permissions
on the blog.
One the other hand, CYSM Calendar is a complete calendaring solution. In a similar way to the
Blog module, a CYSM user can use the Calendar as a shared calendar on a community or Port's
site, or he can use the Calendar as a personal calendar - or both. The System allows a CYSM
user to configure three different options, Email From, Event Reminder Email, and Display
Settings. The Calendar module generally works the way a user would expect a calendar to
work. It inherits its interface from the rest of modules’ library, so he should find common tasks
in the same place that he finds them in other modules.
Message boards are state of the art forum applications similar to many forums in which a
CYSM user may have participated. The difference, of course, is that CYSM's message boards
can inherit the abilities of the system to provide an integrated experience that others cannot
match.
Last but not least, the Wiki module, like the Message Boards one, is a full-featured wiki
application which has all of the features anyone would expect in a state of the art wiki. Again,
though, it has the benefit of being able to take advantage of all of the features of the CYSM
system. As such, it is completely integrated with its user management, tagging, and security
features. A wiki is an application which allows CYSM users to collaborate on information.
Specifically, it allows CYSM users to create and edit documents and link them to each other.
2.6 Source Code
In order to access the source code of the CYSM Risk Management Toolkit the Reader is kindly
requested to access the following URL:
http://....org
Responsible personnel for providing authentication credentials and any further clarifications
required are the following:
Dr. Spyros Papastergiou
Senior Security Engineer,
University of Piraeus, Dept. of Informatics
80, Karaoli & Dimitriou Str - (502)
18534 Piraeus, Greece
E-mail: [email protected]
Tel: +30 210 414 2270
Fax: +30 210 414 2264
18
CYSM Project | Workpackage Nº4
Integrated Proof-of-Concept Prototype
3
Conclusions
The final stable version (CYSM Risk Management Toolkit v.2.0) of all integrated modules that
deploy and support the various services and tools provided to end-users constitutes one of the
main products of the whole project and has been successfully finalized
To this end, this deliverable provides the results of:




The implementation and deployment of the source code, functionalities and
communication interfaces of the core CYSM system
The implementation and deployment of the source code, functionalities and
communication interfaces of all integrated components
The design and implementation of all necessary databases and user interfaces
The deployment of their holistic integration under a common and highly interoperable
communication framework.
The presentation of CYSM Risk Management Toolkit and integrated components prototypes
follows the architectural design produced and reported in D2.3 and D3.2 and comprises all
information necessary for their technical description and final product delivery.
 Copyright by CYSM
19