In a new flagship report – ‘Cybersecurity Guidelines for
Ports and Port Facilities’ – the International Association of Ports and Harbors
(IAPH), associate members, and colleagues from The World Bank have produced
parameters for defence strategies for ports of all levels of digitalisation.
Port and port facility stakeholders “are reporting
measurable increases” in cyber-threat activities, the guidelines note, with the
maritime industry suffering a fourfold increase in cyber-attacks between
February and May 2020 alone.
In 2021, online systems continued to be rocked by
cyber-attacks. Ports and shipping stakeholders ranging from liner HMM to South
African port infrastructure owner Transnet have been impacted by IT
disruptions, stalling operations and risking financial and data loss.
“The accelerated pace of digitalisation in port and port
facilities only intensifies the urgency for executives to focus on
organisational cyber resilience in order to safeguard the integrity and
availability of critical data, ensure service delivery and protect maritime
infrastructure,” the guidelines noted.
“Doing so will increase the overall cybersecurity
capabilities of the global maritime supply chain.”
Notably, increased investments by ports and port operators in
Information Technology (IT) and Operational Technology (OT) systems, harnessing
swathes of data to improve efficiencies, bring in the “unavoidable handmaiden”
of cyber risk.
However, the human factor – notably employee behaviours
through curiosities, carelessness, prejudices, and desires – also
represents a weak link in a port or port facility’s cybersecurity programme.
“Ports and port facilities on either side of the digital
divide face one universal challenge in cybersecurity: managing the human,” the
guidelines argued.
Human error alone generates a vast array of cyber risk, and
it is estimated that 95% of cybersecurity breaches are the result of human
error, rather than IT-related faults.
Types of human errors include: the compromised employee, bringing
infected devices into an organisation’s IT networks; the careless employee, who
rushes to complete a task, often with no ill intent; and the malicious
employee, who creates deliberate harm by compromising an IT/OT system or
stealing data.
Maritime organisations are commonly seeing phishing attacks
“as the primary means” for attackers to target human employees, the guidelines
found – echoing the Port of San Diego’s interview with PTI in August 2021.
Phishing attacks, in which fraudulent messages are sent to
human victims to trick them into revealing sensitive information or
deploying malicious software, can leave a port’s IT network
compromised financially, cause it to lose sensitive data, or risk operational
impact from foreign actors.
Advising port stakeholders on building their cybersecurity
programmes, the guidelines emphasised “collective responsibility,” highlighting
that cybersecurity is not limited to the IT department.
“Since cybersecurity represents a collective responsibility
– that it is not solely limited to the IT department – the guidelines
demonstrate how cybersecurity capability can drive cyber resilience,” the
guidelines noted.
“It is essential that C-suite executives take the lead in
allocating resources to deal with cyber security, actively managing governance
and building an organisational culture to support cybersecurity operations, and
developing leadership strategies for driving cyber resilience including the
creation of a port ecosystem cybersecurity workforce.”
Patrick Verhoeven, IAPH Managing Director, commented, “We
have produced this set of port and port facilities cybersecurity guidelines
targeting the strategic rather than technical level.
“They are designed to create awareness among the C-level
management of port authorities.
“But on the other hand, we also wanted to bring this to the
attention of the IMO, so the guidelines have been submitted to both the IMO
Facilitation and Maritime Safety Committees for consideration. The latter meets
in October [2021] where we will present them.”