ENISA issued the “Port Cybersecurity – Good practices for cyber security in the maritime sector” report
Maritime sector face numerous cyber security challenges, as international community tragically learned with the WannaCry ransomware attack. Some of them are quite generic within any IT and OT environment, while others are quite specific to port ecosystems. ENISA, the European Union Agency for Cybersecurity, issued a report to address the main threats and help countering them. The document, named “Port Cybersecurity – Good practices for cybersecurity in the maritime sector”, has been developed in collaboration with several EU ports. The study lists the main threats posing risks to the ecosystem and describes key cyber-attack scenarios that could impact them. This approach allowed the identification of security measures that ports shall put in place to better protect themselves from cyberattack. The main measures identified intend to serve as good practices for people responsible for cyber security implementation.
The incident impacts and threats for the ports
According to the ENISA, cyber security incidents determinate many possibile impacts for a port. From a shutdown of operations or paralysis to human injuries or death. This, passing through sensitive and critical data theft, illegal trafficking, cargo and goods stealing, financial loss and costs, fraud and money steal, systems damages or worst as destruction, environmental disaster, and tarnished reputation and loss of competitiveness. The threats can be divided in 7 categories:
- Eavesdropping, interception, highjacking;
- Nefarious activity and abuse;
- Physical attacks;
- Unintentional damages;
- Failures and malfunctions;
The main cyber security challenges currently faced by ports
Based on the desk research and data from interviews, the main challenges currently faced by ports to implement cybers security measures are the following:
- Lack of digital culture in the port ecosystem, in which some stakeholders are still conservative. Indeed, new trends such as digitisation and IoT initiatives are colliding with the conservative nature of the maritime industry, but are becoming more and more adopted. In this context, the cyber security needs and best practices of these initiatives are often not considered as a priority by stakeholders who are first looking at technology adoption;
- Lack of awareness and training regarding cybersecurity: ports ecosystem used to only rely on safety and physical security to address risks, IT and OT bring new challenges with regards to cybersecurity that port stakeholders often do not fully anticipate and master;
- Lack of time and budget allocated to cybersecurity: as a consequence of poor awareness, especially of top management with regards to cybersecurity challenges.
- Lack of human resources and qualified people regarding cybersecurity matters: the ports do not have enough people in IT and OT staff to manage all projects, especially cybersecurity projects. Moreover, cybersecurity skills are very specific and scarce which makes it difficult for small companies to hire adequately qualified people on those topics;
- Complexity of the port ecosystem due to the number and diversity of stakeholders taking part in port operations: stakeholders within a port can be numerous (up to 900 for the biggest ports). This ecosystem is built from companies of various sizes, with various levels of cybersecurity capabilities and can even be direct competitors among themselves. This makes the overall cybersecurity control at port level difficult with heterogeneous level of controls within the port.
- Need to find a right balance between business efficiency and cybersecurity, especially by guaranteeing the continuity of services while keeping IT and OT secure, such as disconnecting critical systems and updating systems without any business impacts;
- Legacy of some systems and practices: especially regarding systems managing navigation data and OT systems which can be very old and vulnerable and for which extra cybersecurity measures must be enforced;
- Lack of regulatory requirements regarding cybersecurity: the NIS Directive is a first base to implement cybersecurity measures, but only concerns some of the stakeholders in the maritime sector. This is not yet enough to ensure a proper level of cybersecurity over the entire port ecosystem and to allow enough budgets to be released to meet the requirements; and
- Difficulty to stay up to date with the latest threats, especially in view of the diversity of stakeholders operating in the ports, the processes, the systems implemented and used and the rapid growth of innovations in the port ecosystem;
- Technical complexity of port IT and OT systems: the port stakeholders use different systems that are developed, managed and maintained by different teams or entities. For example, they can be developed either by port IT teams, either by third-parties or by IT providers. Moreover, they can be based on various technologies. Finally, teams managing the security of IT and OT systems can also be different. Therefore, the mapping of all port systems is difficult to define and to maintain overtime;
- IT and OT convergence and interconnection: Usually OT systems, more vulnerable than IT systems, are protected because they are separated from IT systems and networks. But, increasingly, IT and OT systems and networks, become more and more dependent and interconnected, exposing OT systems to higher risks;
- Supply chain challenges. A number of cybersecurity challenges are associated with the supply chain: lack of cybersecurity certifications for port products and services, security risks related to supplier remote access to the port networks/systems, long patching cycles for certain types of systems (e.g. ICS), heterogeneity and high number of supplier landscape, difficulty to change supplier services. Contractors do not have much control over the cybersecurity level of their suppliers and, consequently, over the cyber risks they involve (supply chain attacks);
- Strong interdependencies between port systems and services and external services from other sectors (e.g. energy) that introduce interdependency cybersecurity risks;
- New cyber risks resulting from the digital transformation of ports: ports are currently launching several projects to digitalize port processes, in particular with the emergence of the SmartPort concept, cyber risks should be taken into account in the initial phases of those projects.