The European Union Agency of Cyber Security’s report on smart ports and technology presents the pros and cons of technology in the shipping industry and the cyber security challenges that ports may have to deal with, says an article published in Safety4Sea.
Cybersecurity challenges
The “Port Cybersecurity” report, published in December 2019, highlights that, because of the rapid development of digitalization, ports now have to deal with a great number of cybersecurity challenges:
- some of them are quite generic within any IT and OT environment, while
- others are quite specific to port ecosystems.
In essence, the development of smart ports comes with cyber security challenges and threats, such as:
- Lack of digital culture in the port ecosystem: New trends such as digitisation and IoT initiatives are colliding with the conservative nature of the maritime industry, but are increasingly being adopted. In this context, the cyber security needs and best practices of these initiatives are often not treated as a priority by stakeholders, who look first at technology adoption.
- Lack of awareness and training regarding cybersecurity: The port ecosystem used to rely only on safety and physical security to address risks. IT and OT bring new cybersecurity challenges that port stakeholders often do not fully anticipate and master.
- Lack of time and budget allocated to cybersecurity: This is a consequence of poor awareness of cybersecurity challenges, especially among top management.
- Lack of human resources and qualified people regarding cybersecurity matters: Ports do not have enough IT and OT staff to manage all projects, especially cybersecurity projects. Moreover, cybersecurity skills are very specific and scarce, which makes it difficult for small companies to hire adequately qualified people on those topics.
- Complexity of the port ecosystem due to the number and diversity of stakeholders taking part in port operations: This ecosystem is built from companies of various sizes, which have various levels of cybersecurity capability and can even be direct competitors. This makes overall cybersecurity control at port level difficult, with heterogeneous levels of control within the port.
- Need to find the right balance between business efficiency and cybersecurity.
- Lack of regulatory requirements regarding cybersecurity: The NIS Directive is a first basis for implementing cybersecurity measures, but it only concerns some of the stakeholders in the maritime sector. This is not yet enough to ensure a proper level of cybersecurity over the entire port ecosystem or to allow enough budget to be released to meet the requirements.
- Difficulty staying up to date with the latest threats: This is especially so in view of the diversity of stakeholders operating in the ports, the processes and systems implemented and used, and the rapid growth of innovations in the port ecosystem.
- Technical complexity of port IT and OT systems: Port stakeholders use different systems that are developed, managed and maintained by different teams or entities. For example, they can be developed by port IT teams, by third parties or by IT providers. Moreover, they can be based on various technologies.
- IT and OT convergence and interconnection: OT systems, which are more vulnerable than IT systems, are usually protected because they are separated from IT systems and networks. Increasingly, however, IT and OT systems and networks are becoming more dependent and interconnected, exposing OT systems to higher risks.
- Supply chain challenges: A number of cybersecurity challenges are associated with the supply chain: lack of cybersecurity certifications for port products and services, security risks related to supplier remote access to the port networks/systems, long patching cycles for certain types of systems (e.g. ICS), a heterogeneous supplier landscape with a high number of suppliers, and difficulty changing supplier services. Contractors do not have much control over the cybersecurity level of their suppliers and, consequently, over the cyber risks they involve (supply chain attacks).
- Strong interdependencies between port systems and services and external services from other sectors (e.g. energy) that introduce interdependency cybersecurity risks.
- New cyber risks resulting from the digital transformation of ports: Ports are currently launching several projects to digitalize port processes, in particular with the emergence of the SmartPort concept. Cyber risks should be taken into account in the initial phases of those projects.
Source: Safety4Sea