Digitalisation has intensified port industry focus on cyber security – but it is human staff members who remain “the pivotal element” in a port’s cyber-defence strategy.
In a new flagship report – ‘Cybersecurity Guidelines for Ports and Port Facilities’ – the International Association of Ports and Harbors (IAPH), associate members, and colleagues from The World Bank, have produced parameters for defence strategies for ports of all levels of digitalisation.
Port and port facility stakeholders “are reporting measurable increases” in cyber-threat activities, the guidelines note, with the maritime industry suffering a fourfold increase in cyber-attacks between February and May 2020 alone.
In 2021, online systems continued to be rocked by cyber-attacks. Ports and shipping stakeholders ranging from liner HMM to South African port infrastructure owner Transnet have been impacted by IT disruptions, stalling operations and risking financial and data loss.
“The accelerated pace of digitalisation in port and port facilities only intensifies the urgency for executives to focus on organisational cyber resilience in order to safeguard the integrity and availability of critical data, ensure service delivery and protect maritime infrastructure,” the guidelines noted.
“Doing so will increase the overall cybersecurity capabilities of the global maritime supply chain.”
Notably, increased investments port and port operators in Information Technology (IT) and Operational Technology (OT) systems, harnessing swathes of data to improve efficiencies, brings in the “unavoidable handmaiden” of cyber risk.
However the human factor – notably employee behaviours through curiosities, carelessness, prejudices, and desires – collectively also represent weak links in a port or port facility’s cybersecurity programme.
“Ports and port facilities on either side of the digital divide face one universal challenge in cybersecurity: managing the human,” the guidelines argued.
Human error alone generates a vast array of cyber risk, and it is estimated that 95% of cybersecurity breaches are the result of human error, rather than IT-related faults.
Types of human errors include: the compromised employee, bringing infected devices into an organisation’s IT networks; the careless employee, who rushes to complete a task, often with no ill intent; and the malicious employee, who creates deliberate harm by compromising an IT/OT system or stealing data.
Maritime organisations are commonly seeing phishing attacks “as the primary means” for attackers to target human employees, the guidelines found – echoing the Port of San Diego’s interview to PTI in August 2021.
Phishing attacks, which is the act of sending fraudulent messaging to human victims designed to trick them into revealing sensitive information or deploy malicious software, can lead a port’s IT network to be compromised financially, lose sensitive data, or risk operational impact from foreign actors.
Advising port stakeholders in building its cybersecurity programme, the guidelines emphasised “collective responsibility,” highlighting that cybersecurity is not limited to the IT department.
“Since cybersecurity represents a collective responsibility – that it is not solely limited to the IT department – the guidelines demonstrate how cybersecurity capability can drive cyber resilience,” the guidelines noted.
“It is essential that C-suite executives take the lead in allocating resources to deal with cyber security, actively managing governance and building an organisational culture to support cybersecurity operations, and developing leadership strategies for driving cyber resilience including the creation of a port ecosystem cybersecurity workforce.”
Patrick Verhoeven, IAPH Managing Director, commented, “We have produced this set of port and port facilities cybersecurity guidelines targeting the strategic rather than technical level.
“They are designed to create awareness among the C-level management of port authorities.
“But on the other hand, we also wanted to bring this to the attention of the IMO, so the guidelines have been submitted to both the IMO Facilitation and Maritime Safety Committees for consideration. The latter meets in October  where we will present them.”