Addressing Cyber Risks at U.S. Ports as the Shipping Industry Adopts Digitization
The shipping industry is facing enormous challenges today as the demand for consumer goods continues to increase alongside expectations for faster delivery services – both of which are putting immense pressure on supply chains that remain unpredictable and clogged. To deal with these challenges while still remaining competitive, ports need to change the way they operate and embrace digitization, which includes adopting new technologies to improve communication, reliability and efficiency.
Similar to how other sectors of the economy have evolved, it is crucial that the shipping industry adopt digitization and cybersecurity to become “smart.” A smart port uses automation and innovation technologies such as artificial intelligence (AI), big data, the Internet of Things (IoT) and Industry 4.0 integration to automate various manual operations to improve a port’s performance.
But while digitization will help ports streamline operations, it also opens up the shipping industry’s systems to sophisticated cyber criminals or nation-state attacks. Think of a vessel as a floating USB stick that is full of data and information, with access points that can emerge as it gets closer to shore or docks at a port. Any cyberthreats on the vessel would naturally transfer into the port and beyond, depending on the port’s cybersecurity readiness and resilience. The reverse scenario is also possible: A port could infect a vessel and then that vessel could infect the next port where it docks.
In 2017, several companies, including global shipping giant Maersk, fell victim to the NotPetya virus – encryption malware that brought down Maersk’s entire operational technology (OT) and information technology (IT) systems for two weeks. The company estimated losses at nearly $300 million. Seven more instances of cyberattacks were reported in 2018, and by 2021 the number had grown to 26.
To help thwart the possibility of a cyberattack, the U.S. Coast Guard and U.S. Department of Homeland Security provide general legal requirements for Maritime Transportation Security Act (MTSA)-regulated ports and waterways (bit.ly/3C2dPYe). In 2017, the Navigational and Vessel Inspection Circular (NVIC) 01-20 (bit.ly/3p5MRY7) was published to clarify those requirements. Among the guidelines, ports must assess, document and address any vulnerabilities associated with their computer systems and networks. Noncompliance can result in citations that can reach thousands of dollars.
The NotPetya cyberattack was a significant wake-up call for the shipping industry. In 2020, the European Union Agency for Cybersecurity (ENISA) – https://bit.ly/3A9c761 – introduced a four-phase approach to cyber risk management, which many port operators have adopted:
Phase 1: Identify cyber-connected assets and services. All port operators should identify and map their entire IT and OT systems, as well as the services they support. This mapping should also include the systems of all partner stakeholders due to the interconnection of port systems with other players in the maritime transport value chain.
Phase 2: Identify and evaluate cyber-related risks. Once a port operator has mapped out all IT and OT systems and services, a cybersecurity risk analysis should be carried out, which will identify and assess any cyber risks within the operation of a port’s systems and services.
Phase 3: Identify any security measures and solutions to be adopted. Port operators should implement security measures and solutions to reduce any security risks specific to each port and define a process for remediation and protection.
Phase 4: Identify areas where port operators can improve cybersecurity maturity. A third-party or self-assessment of port maturity as it relates to cybersecurity will enable the port operator to identify strengths and weaknesses with each IT or OT system update and define security measures needed in the future.
Despite an increase in cyber risks, the shipping industry’s future will rely on adopting digital technologies to relay important information to ports and owners quickly, such as real-time vessel tracking and capacity management. Digitization is what will allow the shipping industry to overcome today’s challenges of meeting customers’ demands for more goods and expectations for improved deliveries.