The International Association of Ports and Harbors (IAPH) announced Thursday its cybersecurity guidelines for ports and port facilities that will help safeguard against cybersecurity risks while ensuring the continued business resilience of organizations. The document aims to assist ports and port facilities to establish the true financial, commercial and operational impact of a cyberattack, and make an objective assessment on their readiness to prevent, stop and recover from a cyberattack.
The 84-page document brings together four months of intense work by 22 experts from IAPH member ports from around the world, along with associate member cybersecurity specialists and contributors from the World Bank. It will serve as a crucial, neutral document for senior executive decision-makers at ports responsible for safeguarding against cybersecurity risks as well as ensuring the continued business resilience of their organization.
Effective management of cyber risk is critical to the proper functioning of a diverse maritime community where stakeholders from the port authority, ship operators, port facilities, maritime agencies, customs, and law enforcement are all interconnected. Port and port facility leaders must recognize that cyber threats are not bound by any border, port perimeter, or even logistical supply chain where every link is critical.
Cyber threats can jeopardize an entire port or port facility’s operations and are proliferating at an ever-increasing pace. With the evolution and introduction of new IT and OT technologies, automated systems, and integrated processes that rely on key cloud-service providers, port leaders must recognize the importance of managing cyber risk and understand that it is a responsibility that begins at the top.
“We have produced this set of port and port facilities cybersecurity guidelines targeting the strategic rather than technical level,” Patrick Verhoeven, IAPH Managing Director, said in a statement. “They are designed to create awareness among the C-level management of port authorities. But on the other hand, we also wanted to bring this to the attention of the IMO, so the guidelines have been submitted to both the IMO Facilitation and Maritime Safety Committees for consideration. The latter meets in October where we will present them.”
The increasing number of cybersecurity attacks on the maritime industry between February and May of 2020 shows that the sector suffered a fourfold increase in cyber-attacks and those attacks against OT systems specifically increased by 900 percent over the last three years, IAPH said. Ports and port facility stakeholders from around the world are reporting measurable increases in cyber-threat activities, and the Maritime Transportation System Information Sharing and Analysis Center’s (MTS-ISAC) 2021 Annual Report highlighted some of the most commonly reported attack techniques.
Maritime organizations are commonly seeing phishing attacks as the primary means for attackers to compromise accounts, redirect legitimate payments, or otherwise facilitate their activities, the cybersecurity guidelines said. In addition, scanning of public Internet-facing infrastructure for unpatched systems and vulnerabilities also is common.
“The digitalization of port communities means ports will need to pay increased attention to cyber security risks,” said Pascal Ollivier, chair of IAPH Data Collaboration Committee. “When we put the team together, it quickly became apparent that the authors all felt we needed to offer a pragmatic and practical approach to dealing with cyber threat actors, which culminated in this phenomenal collaboration which is an industry first for ports,” he added.
As ports and port facilities enable global trade, they should be recognized as critical information infrastructure (CII), according to the cybersecurity guidelines. The consequences of compromised port and/or port facilities’ digital processes could result in operational disruption, affecting customers, port authorities, port community systems, and related port services. In addition, cyber-attacks exposing sensitive data to unauthorized access, manipulation, or exfiltration can further undermine the integrity of the maritime supply chain
A cost-effective approach that a port or port facility can take on is to establish a dedicated internal cybersecurity steering committee, according to the guidelines. Establishing one can become a key tool in the organization’s efforts to assume responsibility for overall cyber strategy, ensure coordination in its implementation, reduce the potential for duplication in security spending, consolidate lines of reporting, control and oversight of complex investments, and/or infrastructures, streamline communications, and drive cultural change.
The cybersecurity steering committee would take ownership of and coordinate port/port facility-wide initiatives intended to reduce cyber risk. Under the direction of the CISO or CIO, it enables the organization to optimize budgeting and procurement, drive consensus, assign authorities and institute accountability, and serve as the primary driver for information sharing and cross-functional engagement among port/port facility stakeholders, the cybersecurity guidelines said.
Recognizing the human factor as the first line of defense, port and port facility leaders should communicate clear expectations about training to non-IT staff across all of the organization’s functional operating environments, the cybersecurity guidelines said. Although the cyber risk is pervasive, training is a low-cost, high-value-add investment. For cybersecurity training to be effective, it cannot be relegated to an annual ‘check-the-box’ activity or solely to IT staff. Ports and port facilities with a more cyber-aware workforce translates into a more cyber-resilient, competitive organization. When people are trained to both recognize cyber threats and understand how to respond to incidents, then the organization can more rapidly recover from cyber disruptions.
Port and port facility leaders must also prepare for a cybersecurity breach, and outline incident response and recovery, according to the cybersecurity guidelines. The continued growth in ransomware and email phishing schemes, along with the budding adoption of AI by criminal networks will challenge ports and port facilities on either side of the digital divide. Under such pressures, it is less a question of if rather than when a port or port facility will be breached.
To prepare for such contingencies, port and port facility executives should take the necessary steps to proactively prepare their organizations to respond to and recover from a cybersecurity incident. Doing so will serve to protect their organization’s interests, mature its ability to respond to and recover from an incident, and advance not only their operational resilience but also strengthen the cyber resilience of the port community within which they reside and the global maritime industry overall.
The cybersecurity guidelines also recommended that ports and port facilities may build their cybersecurity defenses around industry frameworks, which can assist organizations to set up a trusted environment with their business partners, heighten security awareness among the staff, develop an organized risk-based approach to understand the business value of information and information systems and their integrations with operational systems, demonstrate the maturity of processes, and provide a structure for continuous improvement.
Earlier this year, the U.S. released its National Maritime Cybersecurity Plan to defend the American economy through enhanced cybersecurity coordination, policies, and practices, aimed at mitigating risks to the maritime sub-sector. The plan is intended to promote prosperity through information and intelligence sharing, and preserving and increasing the nation’s cyber workforce.