Risk Assessment on Multimodal Transport Ecosystem



Information security is an organisation’s approach to maintaining confidentiality, integrity, availability, nonrepudiation, accountability, authenticity and reliability of its IT systems[1]. Risk and impact assessment is of paramount importance for the efficient operation of Information and Communications Technology (ICT) deployments and hence for the multimodal transport and its digital infrastructures.

Risk Management (RM) is the process of identifying, quantifying, and managing the risks that an organisation faces[2]. In general, it is a process aiming to find the right balance between realizing opportunities for gains while minimizing vulnerabilities and losses. It is an integral part of management practice and an essential element of good corporate governance. Consequently, RM needs to be a recurring process that when accurately implemented, it will enable continuous organizational improvement, performance and decision making.

CitySCAPE’s Multimodal Transport Chain Risk Assessment (MTCRA) methodology

Within CitySCAPE we have defined the CitySCAPE Multimodal Transport Chain Risk Assessment (MTCRA) methodology that provides a systematic approach for identifying, analysing, assessing, and managing risk to acceptable levels. It is designed to address the various cascading effects that are associated with security incidents occurring across the multimodal transport ecosystem.

The methodology served as the basis for the development of the Risk and Impact Assessment (RITA) engine which will be used to perform risk assessments to the multimodal transport ecosystems. It is inspired by existing standards and methodologies that are commonly used by security practitioners and consultants for risk assessment, such ISO/IEC 27005, ISO 31000, NIST SP 800-30, CRAMM, CORAS, OCTAVE, MONARC, EBIOS, MAGERIT, ITSRM2, LINDUNN, PASTA, STIDE and other academic approaches but it is tailored to the field of multimodal transport ecosystem and its digital infrastructure value chain.

Overall, the MTCRA methodology, supported/implemented by RITA, can assist risk assessors to identify the risk level of each component of the multimodal transport ecosystem, by identifying all possible threats and vulnerabilities. It presents a number of key innovation points when compared to other risk assessment solutions/tools and acts as a complementary tool for the security of multimodal transport infrastructure. More specifically, the MTCRA methodology:

  1. does not solely focus on the assessment of individual assets of interest but calculates the overall/cumulative impact and risk, by adopting the idea of fault trees, used for investigation of cascades in cybersecurity incidents. To this end the “modified fault trees for threat analysis” (mFTTA) are tailored made for the CitySCAPE risk model in order to include countermeasures, and a more complete probabilistic view of the risk in the model. This approach enable us to implement the cascading risks and threat model and calculate the overall/cumulative risk by taking into account cascading effects that each vulnerability could cause, and
  2. Provides deep insights on the security posture of the multimodal transport ecosystem (CPaaS infrastructure). This is possible through the inclusion of an engine that detects and manages vulnerabilities and through integration with other CitySCAPE components, thus allowing administrators to monitor the security posture of their CPaaS infrastructure

The methodology is based on the identification of: a) basic assets and their exposure to threat, b) system (composite) assets, their decomposition to basic assets and their relationships, as well as list of threats for each basic asset, the threat likelihood and associated countermeasures mapped to CIS Controls classification, c) threats and cascading threats that can harm the system and their association with the system asset types, d) vulnerabilities and their association with the identified threats, e) countermeasures and their association with the threat they mitigate.

The methodology follows standardized notations and consists of seven phases, which are presented bellow along with a short description:

  • Context Establishment, where the risk assessor collects all information related to the organisation in order to establish the scope and limits of the risk analysis by defining the organization’s objectives and evaluation criteria of the assessment.
  • Context Modelling, where the multimodal transport infrastructure under examination is decomposed, and its business services and composite assets that comprise it (along with their basic assets and their interrelations) are defined and modelled using the CitySCAPE taxonomies.
  • Threat Analysis, where cyber threats against the multimodal transport ecosystem cyber assets are identified based on the users (CPaaS Risk Assessor) expertise and knowledge, with usage of existing cyber threats repositories.
  • Vulnerability Analysis, where vulnerabilities of the multimodal transport ecosystem cyber assets are identified, based on data extracted from existing vulnerabilities repositories. Each vulnerability is first assessed and then by using knowledge on how services and assets communicate, cascading threats and the corresponding vulnerabilities that can be successfully exploited are calculated, enabling the calculation of the cumulative vulnerability score/value.
  • Impact Analysis, that measures the effect that can be expected as a result of the successful exploitation of a vulnerability that resides in an asset. The impact of the successful exploitation of each vulnerability is calculated individually for all assets followed by the cumulative impact assessment that captures the propagation of the impact to other interconnected assets, of a business service.
  • Risk Assessment which is the main phase of the methodology that capitalizes on the outcomes of the previous phases in order to provide two risk variants, namely the a) Individual Risk Assessment that represents how dangerous a threat is to a specific basic asset taking into consideration all the associated vulnerabilities ignoring the asset dependencies and relationships, b) Cumulative Risk Assessment that refers to the risk imposed to a service (S) that comprises of a number of composite assets. Both values will be exploited in order to detect and prevent cybersecurity risks, as well as unidentified threats, in real-time, by adapting the system’s behaviour accordingly.
  • Risk Treatment which involves prioritising, evaluating, and implementing appropriate risk-reducing controls (extracted by guidelines and standards).

The RITA engine

In the context of CitySCAPE, the RITA engine is an impact and risk assessment suite implementing the CitySCAPE MTCRA methodology for evaluating the cybersecurity risk in the multimodal transport ecosystem. In this context, RITA provides two risk assessments, namely the individual and overall risk assessments.

RITA functions include: a) an automated framework for assets identification and risk analysis on complex interconnected digital infrastructures, b) the estimation of threats cascading mechanisms, with the extraction of risk scores leading to the timely identification and warning on vulnerabilities and attack entry points, c) the iterative risk and impact assessments on existing multimodal transport value chain assets, depending on the assets, their interconnections and their operational environment.

In summary, RITA engine:

  1. provides an environment for the hierarchical system modelling that can be performed from a system user or architect without required security knowledge;
  2. provides an updatable and upgradable knowledgebase with assets, threats, vulnerabilities, countermeasures and their relationships;
  3. consumes information from other architectural components regarding vulnerabilities and threats;
  4. incorporates an inference engine taking into account cascading threats, risks and impacts by exploiting the interconnections and interdependencies between assets, entities and services;
  5. dynamically evaluates the cybersecurity risk and impact of the successful exploitation of a vulnerability in the multimodal transport ecosystem, with automatic re-evaluation of risks and impacts upon an event or a change.

RITA calculates the individual and overall risk levels which will be used for selecting and configuring the required countermeasures. In fact, the outcome of the risk and impact assessment process will be exploited by the Financial impact assessment (FIMCA) engine in order to suggest new security configurations, each one being characterized by a different set of applied countermeasures.

By consuming information on latest threats and vulnerabilities RITA will perform a risk assessment based on evidence which reflects the current security state of the multimodal transport. CitySCAPE platform users can access RITA in order to identify the weaknesses that affect their systems and obtain the suggested mitigation actions. In this way, the organization weaknesses and, therefore, the risk in which a system adopting the CitySCAPE architecture is exposed, can be progressively reduced.

The CitySCAPE user (CPaaS Risk Assessor) is responsible for providing the necessary data to support the threat modelling, impact analysis and risk assessment process, towards the individual and cumulative risk calculation.


[1] Mass Soldal Lund, Folker Den Braber, Ketil Stølen, Fredrik Vraalsen, 2004, “A UML profile for the identification and analysis of security risks during structured brainstorming”

[2] European Network and Information Security Agency (ENISA), Threat and Risk Management