Beyond risk management – protecting critical freight infrastructures

By Dr. Mustafa Çagri Gürbüz, ZLC Professor, and Dr. Luca Urciuoli, ZLC Adjunct Professor.

Leer versión en español

Launched in October in Bologna, TRANSCEND is a vital new three year project, co-funded from the Horizon Europe programme, that directly addresses the increasing vulnerability of Europe’s critical freight infrastructures to a growing range of internal and external threats. ZLC will be a significant partner in this endeavour.

The economies of Europe, and the welfare and even lives of its citizens, depend on the efficient, reliable and predictable performance of a complex web of freight transport networks. In many cases the effects of any disruption are largely localised, but there is a number of Critical Infrastructures (CIs) where significant failure could have enduring and far-reaching effects across Europe. Typically these are the major ports (both coastal and inland/dry) and the multimodal infrastructures that connect the ports not only to their immediate hinterlands but far beyond into other parts of Europe.

These CIs comprise not only physical assets – quays, cranes, railway lines, canals, bridges, terminals and so on – but increasingly the cyber networks through which the infrastructure is managed and controlled. Europe is increasingly dependent on these CIs – for example there is a limited number of ports that can accept the largest container ships, or of transport lanes that can cope with the volumes of traffic (identified as the Trans Europe Transport Network or TEN-T).  The range and nature of actual and potential threats to these CIs continues to grow as does the vulnerability of Europe to supply chain disruption in these lanes.

The formal title of TRANSCEND is ‘Transport resilience against cyber and non-cyber events to prevent network disruption’. CIs of course remain exposed to ‘traditional’ threats, from extreme weather (itself an increasing risk) to one-off incidents with profound consequences – ships going sideways in Suez, or taking out port access routes (Baltimore) are recent examples. But the cyber world raises new perils – cyber networks may be attacked by anyone from bored teenagers to State or State-sponsored ‘bad actors’, their own infrastructures such as data centres may be vulnerable to anything from accidental fires through solar flares to deliberate sabotage (although ironically, some of the most disruptive events recently have arisen when operators have tried to introduce new software elements intended precisely to reduce risk and vulnerability!)

At all events, CIs are increasingly vulnerable, but they are not well equipped to identify and quantify potential risks, to recognise them as they materialise, or to develop and then implement plans to mitigate the risks or to work through their effects. In part this is because CIs consist of multiple entities and operators with no common view of the risks faced, what actions individually or collectively should be taken to prevent or respond, or, often, quite how the interrelations between the different entities actually function, particularly in times of crisis.

The objective of TRANSCEND is to provide CI operators with an integrated set of advanced tools, guidelines and technological solutions to reduce risk and enhance the protection and resilience of Critical Infrastructures against physical, cyber and hybrid threats. This will be done through a Control Tower, which is a digital platform with embedded business intelligence capabilities that can give stakeholders a shared and continuous visibility of current and future threats and risks while breaking down the ‘silos’ that exist within and between organisations. Guidelines, solutions and technologies such as AI and machine learning will be developed in three chosen ‘leader’ CIs, and then implemented in a further two ‘followers’, to verify that the approaches taken are of general applicability, not just case-specific.

ZLC is responsible for leading a particular package of work devoted to identifying and classifying actual and potential risks and threats, their likelihood and potential impacts. We have to link threats to perceived vulnerabilities in the freight sector, and create a common framework for resilience analysis. Put simply, this is about three ‘time measures’. Firstly, the time the CI takes to detect and/or react to the threat (given that this may have a slow build, or may be a sudden catastrophe). Then, there is the time taken for the CI system to adapt or recover (at least adequately if not completely). Thirdly, analysis is required of the time to survive – how long can the CI keep operating while the event continues, or alternatively how much in terms of disruption can the system tolerate (given the frequency, magnitude or duration of the event).

This work can be linked to and inform mitigation strategies, and the effects of these on reaction, survival and recovery times analysed. All of this in turn will help develop the resilience analysis framework.

This can then be applied, along with the work of other groups in areas such as AI, process mining, dashboard creation, to creating Control Towers in the pilot CIs, which have been chosen for their variety of characteristics and of known risks or problems (although in each case, doubtless other risks – the ‘unknown unknowns’ – will emerge). These CIs are all elements in one or more of the TEN-T routes mentioned above and therefore have Europe-wide significance.

The Cargo Center, Luxembourg Airport, is relatively little known outside the industry but is actually Europe’s seventh largest freight airport, and was an unsung hero of medical supply logistics during Covid19. Particular issues focus around the security of high value goods, with obsolete surveillance technology and yet operating in highly regulated sectors.

Bologna Freight Village in Italy’s Emilia-Romagna is at the centre of an intermodal network at the crossroads of routes connecting Southern Italian ports such as Bari and Ravenna (it is effectively Ravenna’s ‘dry port’) with Northern Europe. A particular issue here is the increasing incidence of extreme weather which in recent years has seen repeated and extensive flooding causing billions of Euro in damage and blocking many logistics nodes. Co-ordination between logistics service providers, carriers, terminal operators and others is less than perfect in ordinary conditions – a common resilience plan and common communications framework to allow the rapid rerouting of goods is an evident necessity.

The third ‘leader’, and one with which ZLC will be particularly involved, is the CI linking the port of Valencia (Europe’s fourth largest container port) with the Zaragoza region and onwards into France and beyond. Evident issues are a lack of information exchange during transport operations, lack of common visibility on incidents – or indeed of visibility at all, given the lack of real-time monitoring of assets at terminals or on the railway. Wireless networks, with Ethernet connectivity, are known to be vulnerable, while control of physical access to assets is present but not always monitored.

The ‛follower’ CIs, which will test whether the proposed approaches are generally applicable, include Csepel FreePORT, a river port on the Danube in Hungary, where there are concerns about the vulnerability of the terminal operating system to both cyber and non-cyber attacks, and Egnatia Odos AE which is the operator of two vital motorways in Greece and connecting Turkey, Albania, Bulgaria and North Macedonia, where both severe flooding and forest fires have been recent issues, while cyber security is also a concern.

Together, these five CIs provide a wide range of cases, across multiple transport modes, against which TRANSCEND can be developed and tested.

There is a lot more to TRANSCEND – from using AI to scout the Dark Web for emerging threats (to individual entities or the whole CI), to considering how to examine human behaviour in realistic ‘attack’ scenarios. ZLC is not directly involved in these aspects but doubtless they will inform our work.

For more information, please contact Mustafa Çagri Gürbüz, ZLC Professor at mgurbuz@zlc.edu.es