Ports must navigate a complex threat landscape and take into account training and skills gaps as well as dated and vulnerable systems in mapping out a strategy to make the maritime industry more cyber-secure.
The European Union Agency for Cybersecurity developed the Port Cybersecurity best-practices guide in conjunction with several EU ports, aiming to provide a blueprint for CIOs and CISOs in the maritime sector.
“Ports tend to rely more on technologies to be more competitive, comply with some standards and policies and optimize operations,” said the report. “This brings new stakes and challenges in the area of cybersecurity, both in the Information Technologies (IT) and Operation Technologies (OT) worlds.”
The industry must adapt to the shifting cyber threat landscape, the report added, given recent attacks such as the cyberattack on the port of Antwerp, the NotPetya ransomware and its impact on Maersk, and the wave of ransomware attacks on the ports of Barcelona and San Diego.
The study takes into account the “high degree of diversity from one port to another” and how “over the years, the ports have adapted their infrastructure and services to the local geographic and territorial specificities, to the activities related to the location of the port (existing fishing basins around, an ideal location for tourism, a location at the crossroads of different countries and continents, etc.) and to the different challenges that ports have to face.” It also notes the large amounts of data regularly exchanged between the ports and stakeholders, including mandatory declarations, control and authorization, and operational, financial and navigation information.
Threats to the IT and OT environments include port paralysis through a shutdown of operations, harm to humans through impacts on work in dangerous areas or on passenger flows (such as hijacking), theft of sensitive data, theft of cargo, enabling the trafficking of illegal goods, destruction of complex systems and critical infrastructure, environmental disaster, or damage to the reputations of companies and their standing in the global market.
Threats can arise from nefarious targeted activity such as malware and DoS attacks against systems, interception of communications, and physical attacks including terrorism and piracy, as well as from main supply or network outages, equipment failures and malfunctions, unintentional damage such as the accidental deletion of data, and natural disasters.
“New trends such as digitisation and IoT initiatives are colliding with the conservative nature of the maritime industry, but are becoming more and more adopted. In this context, the cyber security needs and best practices of these initiatives are often not considered as a priority by stakeholders who are first looking at technology adoption,” says the report, citing, in addition to cultural challenges, a lack of cybersecurity training, a lack of time or budget allocated to cybersecurity, a skills gap, the complexity of the port ecosystem, and the “need to find a right balance between business efficiency and cybersecurity, especially by guaranteeing the continuity of services while keeping IT and OT secure, such as disconnecting critical systems and updating systems without any business impacts.”
Challenges also include the use of old legacy systems, a lack of cyber regulatory requirements, failure to keep up with the latest threats, failure to understand technical complexity and get security teams on the same page, and too much interdependence that introduces new cyber risks.
“A number of cybersecurity challenges are associated with the supply chain: lack of cybersecurity certifications for port products and services, security risks related to supplier remote access to the port networks/systems, long patching cycles for certain types of systems (e.g. ICS), heterogeneity and high number of supplier landscape, difficulty to change supplier services,” the report adds. “Contractors do not have much control over the cybersecurity level of their suppliers and, consequently, over the cyber risks they involve (supply chain attacks).”
Security measures should be addressed in terms of policies, organizational practices and technical practices. The guide walks ports through these steps from threat assessment to human resources security and access control.
Recommendations include defining clear governance around port-level cybersecurity, crafting a cyber-aware culture at all points of port operations, enforcing basic cyber hygiene such as strong passwords and system updates, baking cybersecurity into application design, and enforcing “detection and response capabilities at port level to react as fast as possible to any cyberattack before it impacts port operation, safety or security.”
“As ports undergo their digital transformation, cybersecurity should be viewed not only as a key factor to be considered in terms of keeping pace with the technical evolutions but also as an enabler of further developments and automation,” the guide concludes. “Considering the complexity of both the port landscape in terms of involved stakeholders and communication flows and system interactions, but also in terms of the evolving IT and OT environment, this is by no means an easy or straightforward endeavour.”