CONNECTING PORTS #9: Unchartered Waters: The Cybersecurity Challenge for Ports

Unsettling sound and drone views of details of port facilities: a video in the style of a true-crime trailer set the mood for the topic of cybersecurity at the ninth CONNECTING PORTS talk show by Hamburg Port Consulting (HPC). On September 5, 2024, in a discussion moderated by Christina Prieser, Associate Partner at HPC, three international experts explained how well prepared the maritime sector is. Firewalls, passwords and a new perspective are needed to protect the backbone of global supply chains, because every security breach multiplies the risks.

“We focus too much on legal regulations instead of fighting the perpetrators,” says Scott Dickerson from the USA. This will lead to further disruptions to supply chains in the coming years, predicts the founder of CISO LLC. His company develops maritime cyber security programs for shipping companies, terminal operators and ports, among others. Pradeep Luthria, Senior Partner at Saiber Innovation Technology, a cyber security solution provider in Dubai (UAE), calls for better communication about attacks: “If we got to the bottom of the causes and communicated about them more quickly, we would be better prepared.” His most recent example is an attack at the end of August on Seattle-Tacoma International Airport, where the internet and web systems were down for days.

Gadi Benmoshe, Managing Director of Marinnovators, an Israeli consultancy for maritime supply chains, calls for better cooperation within each individual port and emphasizes that preparing for attacks is not just an IT issue. However, various port areas “still expect that they will simply wait for the IT department to solve the problem in the event of a cyber-attack,” he reports. “You can install as much intelligent technology as you like, but if people are not vigilant, nothing will improve,” agrees Pradeep Luthria.

But how can criminals be stopped in concrete terms? Scott Dickerson points to the international Maritime Transportation System Information Sharing and Analysis Center (MTS-ISAC) as a central coordination point for the timely exchange of information on cyber threats between trusted stakeholders. The focus is on information technology, operational technology and the Internet of Things (IoT). “The MTS-ISAC and other non-governmental organizations can share information within minutes instead of weeks and months later, as is the case with some government agencies,” he says. The moderator asks what specific security measures protect port facilities in the IoT from cyberattacks. Firstly, Gadi Benmoshe notes that there are currently far fewer IoT systems implemented for data collection, analysis and automation than operational technology that controls physical processes - “one of the biggest weaknesses in port cyber security”. He therefore strongly recommends separating the physical networks of operational technology or IoT from the administrative networks.

According to an article in the US magazine “Harvard Business Review”, management often focuses on contingency plans instead of hazard prevention and reconstruction. Scott Dickerson also sees this as a weakness: “We need to improve the understanding and competence of board members so that they understand how their companies use technology.” When it comes to management responsibility, Pradeep Luthria addresses the topic of cyber risk insurance. According to him, there is a lack of insurance products in the market “to really protect against the business ecosystem being damaged”. Companies are often not sufficiently insured against a cyber-attack, even though risk management is becoming increasingly data-driven: “By adding more and more data, we increase the risk”.

According to Scott Dickerson, a culture of cyber security awareness among terminal employees can only be achieved if it is driven from the top down by the CEO or port director, for example. “If they don't really care about a risk area like cyber security, everyone else will quickly see through it,” he warns. Having the issue handled solely by technical experts “would be a disservice to the organization,” because it's not just technicians who work with operational technology and IoT, but the entire port administration. “We have to make sure that this cultural change comes from the people,” he emphasizes.

There is no shortage of rules and regulations for cybersecurity. As Vice Chairman of the Data Collaboration Committee at the International Association of Ports and Harbors (IAPH), Gadi Benmoshe refers to the comprehensive “IAPH Cybersecurity Guidelines for Ports and Port Facilities”. Next, the International Association of Ports and Harbors will deal with the International Maritime Organization's (IMO) mandatory requirement for a “Maritime Single Window”, which came into force this year. Ship information is exchanged on the digital platform. “We are proposing to the IMO that the member states introduce a binding legal framework for cyber security of the Maritime Single Window”, he announces for April 2025. The moderator asks whether there is not also a risk that regulations will become bureaucratic and ultimately have little to do with effective risk management. In fact, Scott Dickerson warns of adverse effects if personnel have to be diverted from actual risk management activities for compliance efforts: “This could even make companies less resilient and more susceptible to threats from nation states and criminals in the face of capacity bottlenecks.”

Cybersecurity constantly requires many measures. Pradeep Luthria believes it is important to make people responsible and accountable for this. Gadi Benmoshe is pinning his hopes on artificial intelligence, which could help to better detect and prevent cyber-attacks. Scott Dickerson has this tip:

“Restrict your IT, operational technology and IoT architectures from being accessible from the public internet to reduce potential attacks.” He concludes with an alarming figure to illustrate just how great the dangers really are: “According to a recent statistic from KnowBe4, there are 13 attacks against critical infrastructure per second across all industries.” According to him, this makes it even more important “to know what we need to focus on in terms of day-to-day defense and strategic resources”.

The full session Connecting Ports #09 is available here.
Journalist Kerstin Kloss summarized the event for HPC.