Effective cyber-risk governance does not require a degree in computer science. However, an understanding of the dynamics of cyber-vulnerability can assist directors in setting protection priorities and overseeing contingency and remediation plans.
By Art Linton
The frequency and severity of maritime cyber-attacks increases every year. Often, damage is ongoing and not discovered for years. A cyber-attack on the port of Antwerp in 2011 continued until it was discovered in 2013. The Danish Maritime Authority was attacked in 2012 by a virus contained in an email. The contagion spread throughout the Maritime Authority’s network and Danish government institutions before it was discovered in 2014. Reasons for the ever-increasing security exposure include the growing use and interdependence of electronic systems, the relative ease and extreme value of successful attacks, and the exceptional difficulty in identifying the culprits and bringing them to justice.
Port authorities sometimes contribute to their vulnerability by addressing cyber security as a technology matter handled solely by IT professionals. On the contrary, successful and serious cyber attacks are inevitable and the planned response must be subject to the same governance and scrutiny that any existential threat would receive. Effective cyber-risk governance does not require a degree in computer science. However, an understanding of the dynamics of cyber-vulnerability can assist directors in setting protection priorities and overseeing contingency and remediation plans.
Cyber-risk is a relatively new issue at ports, some of which have been in continuous operation for hundreds or even thousands of years. In contrast, the navigation systems, command and control electronics and Internet access on which every modern port’s operation depends, have developed in the most recent 50 years. While computer security is a priority for port management, its development has been evolutionary, almost invariably following in the wake of already successful and damaging intrusions. Access controls and passwords were introduced in the 1960s, encryption followed a decade later, firewalls and malware detection came along in the 1980s, virtual private networks, biometrics and two-factor authentication were not common until the 1990s. More recently, secure programming processes, threat intelligence sharing and Wi-Fi security have become standard.