The British government has published a “Good Practice Guide” for maritime cybersecurity.
Intended primarily for port operators and port system providers, the guide warns of cyber attacks on ports like the June 2017 Maersk shipping company NotPetya attack. The virus entered Maersk’s systems through a widely used piece of tax accounting software in Ukraine. Maersk was not the intended target for the attack, but the consequences for the company were very real. The virus spread through the company globally and made all their applications and data unavailable for several days. Real world operations – including its Rotterdam terminal – were seriously affected, with losses in the region of $200-300million.
In other cyber security incidents, port assets have been infected with malware and there has been unintentional jamming or interference with wireless networks.
Port facilities are becoming increasingly complex and dependent on the extensive use of information and communications technologies (ICT) at all stages of their lifecycles – for example, in the growth of automated berthing operations. Some of this technology is embedded in the fixed and mobile assets used to operate the port; other elements may be remotely located, such as the systems used to schedule vessel and cargo movements.
The new guide is built on a 2016 code for cybersecurity at ports and provides advice on measures including cyber security assessments and plans for important assets, how to handle security breaches, and having the correct governance structures, roles, responsibilities and processes.
The guide advises ports and port facilities to first assess vulnerabilities, controls or mitigations identified in the respective latest reports to establish whether there are cyber security implications arising from them. For example, the deployment of technology-based security systems as controls and mitigations to specific security threats or vulnerabilities may introduce or increase cyber security vulnerabilities. The port and port facility should then review their overall business risk assessment to assess the level of exposure and whether there are any additional potential cyber-related threats and vulnerabilities across the full range of port systems and data (for example, cargo handling systems, security systems, industrial control systems, etc.) not identified in the security assessments for a port/port facility, but which nevertheless impact upon the cyber security of each or both.
Where the security assessments for a port or port facility do not cover the full range of potential cyber security threats, the guidance recommends that the port or port facility should produce a dedicated cybersecurity assessment.
The guide includes a model cybersecurity plan for a port which includes training, management, information security, and supply chain security.