Rapid digital transformation of ports and the shipping industry in Africa opens up new attack vectors that could deliver a crippling blow to “quickly disrupt a supply-chain network with tremendous financial damages extending far beyond the point of the attack,” according to a new report.
The Institute for Security Studies report, “Maritime Cyber Security: Getting Africa Ready,” said the digital transformation trend — and need for cybersecurity training and preparedness measures — is currently happening more in developed nations but ease of access and lower costs will enable technology to become more widespread in the maritime industry. While there is a lack of specific maritime cybersecurity research and knowledge pertaining to Africa, the continent’s industry is also poised to learn from vulnerabilities already experienced and mitigated by ports and shipping in other regions.
“Most African trade is seaborne, and due to the highly interconnected and networked nature of African and international economies and transport systems, the impact of maritime cyber security threats may have a devastating effect on the stability and well-being of African states,” the report notes, as “information technology is increasingly becoming part of the maritime space, and the ports and shipping sectors are set to become completely dependent on it in the future.”
“This environment by its networked nature exposes ports and ships to new risks and vulnerabilities, like malware attacks disrupting industrial control systems, or hackers obtaining personal data by exploiting software vulnerabilities, among others,” the report says.
About 90 percent of Africa’s trade occurs via sea, through a complex of 90 major ports that are central to the economies of significant regions. The continent’s population is projected to pass 2 billion people by 2040 but crop yields could drop 20 percent by 2050, underscoring how critical infrastructure security is in the maritime sector.
African states have also “taken big steps towards establishing a common market, which necessitates greater economic and social integration, which requires a well-functioning transport system.” Some countries may also take up to a decade to recover from the socio-economic impact of the COVID-19 pandemic, and a cybersecurity attack in the critical maritime space would put even additional pressure on this fragility — and maritime cyber incidents between this February and May shot up 400 percent because of “an inability to timeously update and replace hardware and software due to COVID-19.”
“To meet Africa’s development objectives and to maintain competitiveness, African ports and shipping companies will have to increase their reliance on information and communication technologies in the future,” the report says. “This convergence between operation and control systems and the information technologies in the maritime space requires us to change the way we think about threats, risks and vulnerabilities, as well as actors and perpetrators of crime.”
Meanwhile, the number of malicious cyber actors is on the rise and their reaches into critical infrastructure have been bolder, while “the technological evolution within the maritime space has been slow and often reactive, as the return on investment for companies usually takes a long time” and “has been slow to recognise the safety and security implications attached to the cyber environment.”
“Given the growing reliance on, and integration of, information technology into maritime activities, an African maritime cyber incident is not a question of if, but when,” the report warns.
Last year, 310 cyber attacks on ships and ports were recorded — a big jump from 120 attacks reported in 2018 and just 50 in 2017, and numbers that are likely “drastically under-reported due to potential reputational risks or insurance problems.” This year, reported incidents could exceed 500.
Cyber threats to maritime security include eavesdropping, interception and hijacking, nefarious activity and abuse, disaster, system outage, unintentional damage, physical attack, and failures and malfunctions. The cyber threats “are partly similar to piracy, as they are primarily opportunistic in nature.” The University of Cambridge’s Centre for Risk Studies estimated that an attack targeting cargo database logs at major ports in the Asia-Pacific region could inflict $110 billion in damages.
Maritime cybersecurity requires a harmonized approach to foster holistic cooperation between multiple government and private-sector entities.
As it faces critical port threats, Africa must build up its cybersecurity infrastructure with nations signing and ratifying the African Union Convention on Cybersecurity and. Personal Data Protection and adopting cybersecurity laws by nation, the report says. Governments should ensure International Maritime Organization cybersecurity guidelines and best practices are being followed for port cybersecurity, and work with the private shipping sector.
The African Union should conduct more research on maritime cyber threats and launch a campaign to heighten awareness about the dangers, the report adds. “Cyber security needs to be integrated into AU and Regional Economic Community maritime security frameworks, particularly as part of the African Peace and Security Architecture roadmap from 2021 onwards, and as part of the 2050 Africa’s Integrated Maritime Strategy review process.”
“An attack of scale similar to the 2017 Maersk incident would have a devastating impact on Africa’s regional and continental stability and prosperity, rooted in growing interdependence and reliance on the maritime trade,” says the report. “Considerably greater efforts and attention need to be directed towards ensuring Africa’s cyber security.”