While the maritime industry is surging ahead with smart ports, its approach to port cyber security is dumbfounding, says Edwin Lampert
There are three major disconnects. First, emerging cyber security regulation is encouraging terminal operators to concentrate on operational technology or the OT side of things. However, a lot of the attack vectors and evidential threats – such as manifest manipulation, ransomware and extortion, fraudulent payments and rewiring of money – are on the IT side.
The challenge is knowing where to prioritise cyber security spend, because of the way regulations such as Europe’s NIS directive (a set of rules, previously voluntary and now mandatory, which require open reporting of attacks on critical national infrastructure, among other items) and comparable US rules are written for today’s terminal. Or as the chief executive of Cyber Owl, Daniel Ng, put it to me in a recent conversation, “Knowing how to split the budget between being compliant versus actually being secure.”
The second major disconnect is a failure to adapt to the converging worlds of OT and IT. Most ports are run by a head of security recruited from a physical security background. Their natural focus is securing a port against embargoed goods, theft and manipulation of cargo in and around the terminals. The industry’s challenge, said Mr Ng, is bringing the cyber threat into the head of security’s “sphere of consciousness”.
The third disconnect relates to the lack of chief information security officers in ports. There are of course exceptions, notably among the larger European and United States ports. The Port of Rotterdam, for example, now has a dedicated port cyber resilience officer and the Port of Barcelona has a Technical ICT Security Office tasked with tackling cyber risks proactively. The Port of Amsterdam has unveiled a new cyber security programme consisting of a hotline and ‘Cyber Resilient North Sea Canal Area’ network. The network collects information about cyber threats and shares this with affiliated companies. Impressive, but the overriding sense is that building a meaningful defence is linked to a port’s location and scale.
On an almost daily basis we hear anecdotal reports of minor port hacking. Typically, a terminal’s network is open to shippers, shipping, road and rail companies with the potential for unauthorised access. The hack may be purely criminal, such as changing a manifest. The fear is that this activity is indicative of some sort of reconnaissance where the motive is altogether darker.
While the last thing the industry feels it needs is more regulation, what it may benefit from – alongside a rebalancing of the present focus on OT – is mandatory guidance or regulation which forces it to meet a standard of care or reasonableness around cyber security, and mandates it to take appropriate measures to understand, deal with, and remediate the very real cyber risks faced in our increasingly virtual ports.
This would be one trend we certainly hope goes viral.
Maritime digitalisation and port cyber security will be discussed at Riviera Maritime Media's Maritime Cyber Risk Management Forum, in London, on 25 June.