16 results for Vulnerabilities

in Doria (National Library of Finland DSpace Services) - National Library of Finland, Finland


Relevance: 20.00%

Publisher:

Abstract:

Maritime transports are very essential for Finland as over 80% of the foreign trade in the country is seaborne and possibilities to carry out these transports by are limited. Any disruption in maritime transports has negative consequences to many sectors in the Finnish economy. Maritime transport thus represents critical infrastructure for Finland. This report focuses on the importance of maritime transports on security of supply in Finland and for the so called critical industries in particular. The report summarizes the results of the Work Package 2 of the research project STOCA – “Study of cargo flows in the Gulf of Finland in emergency situations”. The aim of the research was to analyze the cargo flows and infrastructure that are vital for maintaining security of supply in Finland, as well as the consequences of disruptions in the maritime traffic for the Finnish critical industries and for the Finnish society. In the report we give a presentation of the infrastructure and transport routes which are critical for maintaining security of supply in Finland. We discuss import dependency of the critical industries, and the importance of the Gulf of Finland ports for Finland. We assess vulnerabilities associated with the critical material flows of the critical industries, and possibilities for alternative routings in case either one or several of the ports in Finland would be closed. As a concrete example of a transport disruption we analyze the consequences of the Finnish stevedore strike at public ports (4.3.–19.3.2010). The strike stopped approximately 80% of the Finnish foreign trade. As a result of the strike Finnish companies could not export their products and/or import raw materials, components and spare parts, or other essential supplies. 
We carried out personal interviews with representatives of the companies in Finnish critical industries to find out about the problems caused by the strike, how companies carried out their transports and how they managed to continue their operations during the strike. Discussions with the representatives of the companies gave us very practical insights about companies’ preparedness towards transport disruptions in general. Companies in the modern world are very vulnerable to transport disruptions because companies regardless of industries have tried to improve their performance by optimizing their resources and e.g. by reducing their inventory levels. At the same time they have become more and more dependent on continuous transports. Most companies involved in foreign trade have global operations and global supply chains, so any disruption anywhere in the world can have an impact on the operations of the company causing considerable financial loss. The volcanic eruption in Iceland in April 2010 stopping air traffic in the whole Northern Europe and most recently the earthquake causing a tsunami in Japan in March 2011 are examples of severe disruptions causing considerable negative impacts to companies’ supply chains. Even though the Finnish stevedore strike was a minor disruption compared to the natural catastrophes mentioned above, it showed the companies’ vulnerability to transport disruptions very concretely. The Finnish stevedore strike gave a concrete learning experience of the importance of preventive planning for all Finnish companies: it made them re-think their practical preparedness towards transport risks and how they can continue with their daily operations despite the problems. Many companies realized they need to adapt their long-term countermeasures against transport disruptions. During the strike companies did various actions to secure their supply chains.
The companies raised their inventory levels before the strike began, they re-scheduled or postponed their deliveries, shifted customer orders between production plants among their company’s production network or in the extreme case bought finished products from their competitor to fulfil their customers’ order. Our results also show that possibilities to prepare against transport disruptions differ between industries. The Finnish society as a whole is very dependent on imports of energy, various raw materials and other supplies needed by the different industries. For many of the Finnish companies in the export industries and e.g. in energy production maritime transport is the only transport mode the companies can use due to large volumes of materials transported or due to other characteristics of the goods. Therefore maritime transport cannot be replaced by any other transport mode. In addition, a significant amount of transports are concentrated in certain ports. From a security of supply perspective attention should be paid to finding ways to decrease import dependency and ensuring that companies in the critical industries can ensure the continuity of their operations.

Relevance: 20.00%

Publisher:

Abstract:

Increase of computational power and emergence of new computer technologies led to popularity of local communications between personal trusted devices. In turn, it led to emergence of security problems related to user data utilized in such communications. One of the main aspects of the data security assurance is security of software operating on mobile devices. The aim of this work was to analyze security threats to PeerHood, software intended for performing personal communications between mobile devices regardless of underlying network technologies. To reach this goal, risk-based software security testing was performed. The results of the testing showed that the project has several security vulnerabilities. So PeerHood cannot be considered as secure software. The analysis made in the work is the first step towards the further implementation of PeerHood security mechanisms, as well as taking into account security in the development process of this project.

Relevance: 20.00%

Publisher:

Abstract:

This thesis presents security issues and vulnerabilities in home and small office local area networks that can be used in cyber-attacks. There is previous research done on single vulnerabilities and attack vectors, but not many papers present full scale attack examples towards LAN. First this thesis categorizes different security threats and later in the paper methods to launch the attacks are shown by example. Offensive security and penetration testing are used as research methods in this thesis. As a result of this thesis an attack is conducted using vulnerabilities in WLAN, ARP protocol, browser as well as methods of social engineering. In the end reverse shell access is gained to the target machine. Ready-made tools are used in the attack and their inner workings are described. Prevention methods are presented towards the attacks in the end of the thesis.

Relevance: 10.00%

Publisher:

Abstract:

The aim of this work was to clarify the significance of intellectual capital resources in business as objects of risk management. The purpose was to define the different intellectual capital resources and the risks related to them. The study is a literature review. The result of the study was that intellectual capital resources are exposed to various risks and that the intellectual capital resources that are important and critical to the business are objects of risk management. The study produced a management model for intellectual capital resources in which 1) the operating method combines 2) competence, 3) information and information repositories and 4) intangible rights into a coherent whole. The study described the risks potentially associated with each resource. The study showed that the intellectual capital resources of a business can be identified and their business significance and need for protection assessed. Means of protecting intellectual capital resources include cooperation agreements, operating procedures and guidelines, and IT-based and physical protection solutions.

Relevance: 10.00%

Publisher:

Abstract:

We expose the ubiquitous interaction between an information screen and its viewers’ mobile devices, highlight the communication vulnerabilities, suggest mitigation strategies and finally implement these strategies to secure the communication. The screen infers information preferences of viewers within its vicinity transparently from their mobile devices over Bluetooth. Backend processing then retrieves up-to-date versions of preferred information from content providers. Retrieved content such as sporting news, weather forecasts, advertisements, stock markets and aviation schedules, are systematically displayed on the screen. To maximise users’ benefit, experience and acceptance, the service is provided with no user interaction at the screen and securely upholding preferences privacy and viewers anonymity. Compelled by the personal nature of mobile devices, their contents privacy, preferences confidentiality, and vulnerabilities imposed by screen, the service’s security is fortified. Fortification is predominantly through efficient cryptographic algorithms inspired by elliptic curves cryptosystems, access control and anonymity mechanisms. These mechanisms are demonstrated to attain set objectives within reasonable performance.

Relevance: 10.00%

Publisher:

Abstract:

In the nuclear power industry, a foreign object means material that is not part of the process, does not naturally belong to it, and which, if left in the process, can have a harmful effect on its operation, components or chemistry. Foreign objects can cause many kinds of harm to the safe and economical operation of a nuclear power plant. Although safety always comes first in the operation of a nuclear power plant, negative effects on safety are often reflected in the economics as well. In this master's thesis, the various risks that foreign objects pose to the operation of a nuclear power plant were assessed by analysing operating events. After studying the different events, their causes and their mechanisms of effect, the practices used by the Loviisa power plant to manage foreign objects were examined. Foreign object management is pursued through both administrative and practical methods. Administrative methods include, for example, the system of instructions and management; practical procedures include, for example, working methods and training. The foreign object management methods were studied both during power operation and during the annual outage. Based on the assessment of the current state, proposals for action were presented to develop foreign object management. The proposals were formed both to correct the vulnerabilities observed and to develop operations in line with practices internationally recognised as good.

Relevance: 10.00%

Publisher:

Abstract:

Prostate cancers form a heterogeneous group of diseases and there is a need for novel biomarkers, and for more efficient and targeted methods of treatment. In this thesis, the potential of microarray data, RNA interference (RNAi) and compound screens were utilized in order to identify novel biomarkers, drug targets and drugs for future personalized prostate cancer therapeutics. First, a bioinformatic mRNA expression analysis covering 9873 human tissue and cell samples, including 349 prostate cancer and 147 normal prostate samples, was used to distinguish in silico prevalidated putative prostate cancer biomarkers and drug targets. Second, RNAi based high-throughput (HT) functional profiling of 295 prostate and prostate cancer tissue specific genes was performed in cultured prostate cancer cells. Third, a HT compound screen approach using a library of 4910 drugs and drug-like molecules was exploited to identify potential drugs inhibiting prostate cancer cell growth. Nine candidate drug targets, with biomarker potential, and one cancer selective compound were validated in vitro and in vivo. In addition to androgen receptor (AR) signaling, endoplasmic reticulum (ER) function, arachidonic acid (AA) pathway, redox homeostasis and mitosis were identified as vital processes in prostate cancer cells. ERG oncogene positive cancer cells exhibited sensitivity to induction of oxidative and ER stress, whereas advanced and castrate-resistant prostate cancer (CRPC) could be potentially targeted through AR signaling and mitosis. In conclusion, this thesis illustrates the power of systems biological data analysis in the discovery of potential vulnerabilities present in prostate cancer cells, as well as novel options for personalized cancer management.

Relevance: 10.00%

Publisher:

Abstract:

Supply chain risk management has emerged as an increasingly important issue in logistics as disruptions in the supply chain have become critical issues for many companies. The scientific literature on the subject is developing and in many respects the understanding of it is still in its infancy. Thus, there is a need for more information in order for scholars and practitioners to understand the causalities and interrelations that characterise the phenomenon. The aim of this dissertation is to narrow this gap by exploring key aspects of supply chain risk management through two maritime supply chains in the immediate region of the Gulf of Finland. The study contributes to the field in three different ways. Firstly, it facilitates the identification of risks on different levels of the supply chain through a systematic analysis of the processes and actors, and of the cognitive barriers that limit the actors’ visibility and their understanding of the operations and the risks involved. There is a clear need to increase collaboration and information exchange in order to improve visibility in the chain. Risk management should be a collaborative effort among the individual actors, aimed at obtaining a holistic picture. Secondly, the study contributes to the literature on risk analysis through the use of systemic frameworks that illustrate the causalities and linkages in the system, thereby making it easier to perceive the vulnerabilities. Thirdly, the study enhances current knowledge of risk control in identifying actor roles, risk visibility and risk controllability as being among the key factors determining risk-management effectiveness against supply-chain vulnerability. This dissertation is divided into two parts. The first part gives a general overview of the relevant literature, the research design and the conclusions of the study, and the second part comprises six research publications. 
Case-study methodology with systematic combining approach is used, where in-depth interviews, questionnaires and expert panel sessions are the main data collection methods. The study illustrates the current state of risk management in multimodal maritime supply chains, and develops frameworks for further analysis. The results imply that there are major differences between organizations in their ability to execute supply chain risk management. Further collaboration should be considered in order to facilitate the development of systematic and effective management processes.

Relevance: 10.00%

Publisher:

Abstract:

Personalised ubiquitous services have rapidly proliferated due to technological advancements in sensing, ubiquitous and mobile computing. Evolving societal trends, business and the economic potential of Personal Information (PI) have overlapped the service niches. At the same time, the societal thirst for more personalised services has increased and are met by soliciting deeper and more privacy invasive PI from customers. Consequentially, reinforcing traditional privacy challenges and unearthed new risks that render classical safeguards ineffective. The absence of solutions to criticise personalised ubiquitous services from privacy perspectives, aggravates the situation. This thesis presents a solution permitting users' PI, stored in their mobile terminals to be disclosed to services in privacy preserving manner for personalisation needs. The approach termed, Mobile Electronic Personality Version 2 (ME2.0), is compared to alternative mechanisms. Within ME2.0, PI handling vulnerabilities of ubiquitous services are identified and sensitised on their practices and privacy implications. Vulnerability where PI may leak through covert solicits, excessive acquisitions and legitimate data re-purposing to erode users privacy are also considered. In this thesis, the design, components, internal structures, architectures, scenarios and evaluations of ME2.0 are detailed. The design addresses implications and challenges leveraged by mobile terminals. ME2.0 components and internal structures discusses the functions related to how PI pieces are stored and handled by terminals and services. The architecture focusses on different components and their exchanges with services. Scenarios where ME2.0 is used are presented from different environment views, before evaluating for performance, privacy and usability.

Relevance: 10.00%

Publisher:

Abstract:

The ongoing global financial crisis has demonstrated the importance of a systemwide, or macroprudential, approach to safeguarding financial stability. An essential part of macroprudential oversight concerns the tasks of early identification and assessment of risks and vulnerabilities that eventually may lead to a systemic financial crisis. Thriving tools are crucial as they allow early policy actions to decrease or prevent further build-up of risks or to otherwise enhance the shock absorption capacity of the financial system. In the literature, three types of systemic risk can be identified: i) build-up of widespread imbalances, ii) exogenous aggregate shocks, and iii) contagion. Accordingly, the systemic risks are matched by three categories of analytical methods for decision support: i) early-warning, ii) macro stress-testing, and iii) contagion models. Stimulated by the prolonged global financial crisis, today's toolbox of analytical methods includes a wide range of innovative solutions to the two tasks of risk identification and risk assessment. Yet, the literature lacks a focus on the task of risk communication. This thesis discusses macroprudential oversight from the viewpoint of all three tasks: Within analytical tools for risk identification and risk assessment, the focus concerns a tight integration of means for risk communication. Data and dimension reduction methods, and their combinations, hold promise for representing multivariate data structures in easily understandable formats. The overall task of this thesis is to represent high-dimensional data concerning financial entities on low-dimensional displays. The low-dimensional representations have two subtasks: i) to function as a display for individual data concerning entities and their time series, and ii) to use the display as a basis to which additional information can be linked. The final nuance of the task is, however, set by the needs of the domain, data and methods.
The following five questions comprise subsequent steps addressed in the process of this thesis: 1. What are the needs for macroprudential oversight? 2. What form do macroprudential data take? 3. Which data and dimension reduction methods hold most promise for the task? 4. How should the methods be extended and enhanced for the task? 5. How should the methods and their extensions be applied to the task? Based upon the Self-Organizing Map (SOM), this thesis not only creates the Self-Organizing Financial Stability Map (SOFSM), but also lays out a general framework for mapping the state of financial stability. This thesis also introduces three extensions to the standard SOM for enhancing the visualization and extraction of information: i) fuzzifications, ii) transition probabilities, and iii) network analysis. Thus, the SOFSM functions as a display for risk identification, on top of which risk assessments can be illustrated. In addition, this thesis puts forward the Self-Organizing Time Map (SOTM) to provide means for visual dynamic clustering, which in the context of macroprudential oversight concerns the identification of cross-sectional changes in risks and vulnerabilities over time. Rather than automated analysis, the aim of visual means for identifying and assessing risks is to support disciplined and structured judgmental analysis based upon policymakers' experience and domain intelligence, as well as external risk communication.

Relevance: 10.00%

Publisher:

Abstract:

The aim of this dissertation is to develop a theory on intercultural caring to deepen the understanding of caring between nurses and patients who have different cultural backgrounds. The research questions are: 1) What is intercultural caring? 2) How is intercultural caring described and understood? 3) How is intercultural caring described and understood in a maternity care context from the patients’ perspective? 4) What is the substance in a theory on intercultural caring? 5) What is the substance in a theory on intercultural caring in maternity care from the patients’ perspective? The theoretical perspective is based on caritative theory and the caring science-tradition (Eriksson, 2001, 2002) and has a hermeneutic approach. In the first study, 19 texts of Campinha-Bacote, Kim-Godwin, Leininger and Ray are analysed through content analysis. A model for intercultural caring is then created abductively. The second study is a metasynthesis of 40 studies on intercultural caring in maternity care research. The third study is a focused ethnography, in which 17 immigrant mothers are interviewed and observed. The theory on intercultural caring is created through a hermeneutic synthesis of the three studies. A synthesis of the studies with a maternity context results in five patterns of interpretation: the experience of caring is related to power; the family is always present; childbearing and change of culture can give women multiple vulnerabilities; both the mother and the nurse change when they meet; conflicts can cause change. The theory and patterns of interpretation consolidate into a contextual theory on intercultural caring for clinical maternity praxis. In this theory, caring consists of four dimensions: universal, cultural, contextual, and unique caring, which permeate each other. Universal caring is nondependent of time and space. Cultural caring considers the cultural background, the acculturation and the equality of each mother. 
In the maternity care culture, cultural competence, cultural safety, and acculturation of the nurse are emphasised. Contextual caring considers the specific cultural features of the childbearing mother. In this respect, the nurse is expected to be an expert and to clarify cultural assumptions in maternity care. In unique caring, the mother expects good communication, respect for the family, goodwill and somebody who cares for her and meets her needs, in order for trust to be built. In this respect, the nurse listens to the woman’s narrative, is flexible, open, courageous, and non-judgemental. The nurse shows an understanding for the life situation of the woman, and strives for continuity to preserve the care relationship. It was found that external circumstances affect intercultural caring. Moreover, intercultural caring is expected to decrease misunderstandings and conflicts, alleviate suffering and promote health and life. The theory adds knowledge to the phenomenon of intercultural caring for the nursing and caring sciences, and for the nursing care of patients with other cultural backgrounds than the nurses. The theory can be used in nursing, education, research and administration.

Relevance: 10.00%

Publisher:

Abstract:

A postgraduate seminar series with the title Critical Infrastructure Protection against Cyber Threats was held at the Department of Military Technology of the National Defence University in the fall of 2013 and 2014. This book is a collection of some of the talks that were presented in the seminar. The papers address origin of critical infrastructure protection, wargaming cyberwar in critical infrastructure defence, cyber-target categorization, supervisory control and data acquisition systems vulnerabilities, electric power as critical infrastructure, improving situational awareness of critical infrastructure and trust based situation awareness in high security cloud environment. This set of papers tries to give some insight to current issues of the network-centric critical infrastructure protection. The seminar has always made a publication of the papers but this has been an internal publication of the Finnish Defence Forces and has not hindered publication of the papers in international conferences. Publication of these papers in peer reviewed conferences has indeed been always the goal of the seminar, since it teaches writing conference level papers. We still hope that an internal publication in the department series is useful to the Finnish Defence Forces by offering an easy access to these papers.

Relevance: 10.00%

Publisher:

Abstract:

The number of security violations is increasing and a security breach could have irreversible impacts to business. There are several ways to improve organization security, but some of them may be difficult to comprehend. This thesis demystifies threat modeling as part of secure system development. Threat modeling enables developers to reveal previously undetected security issues from computer systems. It offers a structured approach for organizations to find and address threats against vulnerabilities. When implemented correctly threat modeling will reduce the amount of defects and malicious attempts against the target environment. In this thesis Microsoft Security Development Lifecycle (SDL) is introduced as an effective methodology for reducing defects in the target system. SDL is traditionally meant to be used in software development, principles can be however partially adapted to IT-infrastructure development. Microsoft threat modeling methodology is an important part of SDL and it is utilized in this thesis to find threats from the Acme Corporation’s factory environment. Acme Corporation is used as a pseudonym for a company providing high-technology consumer electronics. Target for threat modeling is the IT-infrastructure of factory’s manufacturing execution system. Microsoft threat modeling methodology utilizes the STRIDE mnemonic and data flow diagrams to find threats. Threat modeling in this thesis returned results that were important for the organization. Acme Corporation now has more comprehensive understanding concerning IT-infrastructure of the manufacturing execution system. On top of vulnerability related results threat modeling provided coherent views of the target system. Subject matter experts from different areas can now agree upon functions and dependencies of the target system. Threat modeling was recognized as a useful activity for improving security.

Relevance: 10.00%

Publisher:

Abstract:

The traditional process of filling the medicine trays and dispensing the medicines to the patients in the hospitals is manually done by reading the printed paper medicine chart. This process can be very strenuous and error-prone, given the number of sub-tasks involved in the entire workflow and the dynamic nature of the work environment. Therefore, efforts are being made to digitalise the medication dispensation process by introducing a mobile application called Smart Dosing application. The introduction of the Smart Dosing application into hospital workflow raises security concerns and calls for security requirement analysis. This thesis is written as a part of the smart medication management project at Embedded Systems Laboratory, Åbo Akademi University. The project aims at digitising the medicine dispensation process by integrating information from various health systems, and making them available through the Smart Dosing application. This application is intended to be used on a tablet computer which will be incorporated on the medicine tray. The smart medication management system includes the medicine tray, the tablet device, and the medicine cups with the cup holders. Introducing the Smart Dosing application should not interfere with the existing process carried out by the nurses, and it should result in minimum modifications to the tray design and the workflow. The re-designing of the tray would include integrating the device running the application into the tray in a manner that the users find it convenient and make less errors while using it. The main objective of this thesis is to enhance the security of the hospital medicine dispensation process by ensuring the security of the Smart Dosing application at various levels.
The methods used for writing this thesis was to analyse how the tray design, and the application user interface design can help prevent errors and what secure technology choices have to be made before starting the development of the next prototype of the Smart Dosing application. The thesis first understands the context of the use of the application, the end-users and their needs, and the errors made in everyday medication dispensation workflow by continuous discussions with the nursing researchers. The thesis then gains insight to the vulnerabilities, threats and risks of using mobile application in hospital medication dispensation process. The resulting list of security requirements was made by analysing the previously built prototype of the Smart Dosing application, continuous interactive discussions with the nursing researchers, and an exhaustive state-of-the-art study on security risks of using mobile applications in hospital context. The thesis also uses Octave Allegro method to make the readers understand the likelihood and impact of threats, and what steps should be taken to prevent or fix them. The security requirements obtained, as a result, are a starting point for the developers of the next iteration of the prototype for the Smart Dosing application.