Protecting today’s ever-more digitalised ports from the threat of a cyber-attack starts with fostering a culture of cybersecurity. However, there’s more to it than just that. Brian Dixon looks at five more industry tips to keep things secure.
Digitalisation promises ports numerous benefits, including the ability to optimise processes and productivity through the use of real-time monitoring and increased automation. However, this digital transformation, via such technological enablers as cloud computing, big data and the Internet of Things (IoT), has arguably made the sector much more susceptible to cyber-attacks, ranging from eavesdropping and keylogging to hacking site security systems for the facilitation of physical crimes, be it smuggling, stealing or sabotage.
While some cyber-attacks might be deemed generic to most or all information technology (IT) systems, others may be specifically targeted at ports. Either way, the ramifications of a cyber-attack can be costly and far-reaching. In addition to the shutdown of port operations, they could also result in the theft of critical data as well as physical cargo or assets; injuries, death and even kidnappings; the illegal trafficking of goods and people; systems damage or destruction; a tarnished reputation and a loss of competitiveness; and, given the often-hazardous nature of the products handled by ports, a significant environmental incident.
Thus, to help the ports sector counter these threats, the European Union Agency for Cybersecurity (ENISA) has now published ‘Port Cybersecurity – Good Practices for Cybersecurity in the Maritime Sector’. Among other things, the document seeks to highlight and address a number of key challenges facing ports, such as the lack of awareness and training regarding cybersecurity; the technical complexity of port IT and operational technology (OT) systems; and the need to balance cybersecurity with business efficiency.
However, probably the single largest challenge concerns the sheer complexity of the port ecosystem, with the numerous, diverse and sometimes commercially competing stakeholders involved each having their own approach to cybersecurity, whether stringent, slack or somewhere in between. Nevertheless, the report’s authors identify five practices that those people responsible for cybersecurity implementation at a port would be well advised to follow.
1) Define a clear governance around cybersecurity at port level.
Despite the challenges, this needs to encompass all stakeholders involved in the operation of a port, including, inter alia, port and terminal operators, the port authority, shipping lines and the pilotage company. As such, the report recommends writing, implementing and subsequently enforcing an information systems security policy (ISSP) that describes all organisational and technical means and procedures as well as the roles and responsibilities of each stakeholder.
2) Raise awareness of cybersecurity matters at port level and infuse a cybersecurity culture.
While “the maritime sector is historically very aware of safety and security matters”, cybersecurity, the authors believe, “is not fully integrated yet in stakeholders’ minds”.
This can be overcome, according to the report’s authors, by fostering a cybersecurity mindset through training all employees from the top down “to ensure [a] proper understanding of cybersecurity matters and [the] ability to enforce it in daily operations”. In line with this, ports need to define relevant practices and processes regarding IT and OT management that must then be followed by all staff.
3) Enforce the technical cybersecurity basics.
While this might seem obvious, it is nevertheless something that can be easily overlooked. Such basics include network segregation, updates management, password hardening and the segregation of rights. Moreover, in the context of OT, the authors note that “with legacy systems that usually cannot be updated, network segregation and password protection are key to ensure a correct level of cybersecurity”.
4) Consider security by design.
This is especially important as ports typically use a variety of different systems, some of which are opened to third parties for data exchange. Any vulnerability on those systems, however, can provide “a gate” by which other, if not all, port systems can be compromised. Therefore, when embarking on a new project, ports should first develop a project methodology that includes appropriate security assessments and checkpoints, such as a risk analysis, architecture security review, security tests and security approval. “More specifically,” the report says, “strongly include cybersecurity issues in SmartPort projects from the design stage to implementation.”
5) Enforce detection and response capabilities at port level to enable fast reaction times.
While ports “can rely on simple detection measures”, such as alerts when a specific action is attempted or executed, more comprehensive detection measures are also becoming available, including systems that use machine learning to correlate information and identify compromising patterns. Either way, ports should have the means in place to ensure that they can respond as rapidly as possible to any cyberattack before it can impact on overall port operation, safety and/or security. In line with this, they should consider setting up a Cybersecurity Operations Centre (SOC), including IT and OT environments to support security and cyber incidents. The SOCs of the different stakeholders, though, “must collaborate (or can be mutualised) to ensure the detection and reaction of incidents at port level”.