Digitalized ports must prioritize cybersecurity risk management

Author: Schneider Electric

Ports’ increased digitalization and interconnectedness can contribute to cybersecurity risks

Ports have accelerated their pace of digitalization. They are leveraging technology to improve efficiency and logistics, achieve port sustainability goals, and streamline processes. For instance, ports are adopting connected technology, automating equipment and processes, enabling remote access and control, and connecting OT and IT networks. These changes have intensified the need to prioritize cybersecurity because digitalization and increased interconnectedness can introduce new cyber vulnerabilities.  

Cybersecurity attacks on ports are occurring more frequently worldwide

Cyberattacks are increasing on ports worldwide. They can disrupt port operations, as well as have negative financial impact, cause reputational damage, and lead to regulatory consequences. For example, in July 2023, the Port of Nagoya, Japan’s largest and busiest shipping port, was forced to suspend operations following a ransomware attack. The attack disrupted the port’s communication systems, which affected imports and exports, because the facility was unable to load and unload containers from trailers for two days.

To help combat cybercrime, many national and international agencies and organizations have developed legislation, frameworks, and standards that could be implemented to reduce cyber risks

Many businesses are being affected by cyberattacks, including data breaches across sectors and damage and disruption to industries such as finance,  healthcare, and energy. To address these widespread cybersecurity concerns, governments and organizations have developed legislation, as well as guidelines, aimed at improving cybersecurity. For example:

• Legislation: The Network and Information Security (NIS) Directive (which will soon be replaced by the NIS2 Directive) is an example of cybersecurity legislation with which EU ports will need to comply. It is the first EU-wide cybersecurity legislation aimed at preventing, responding, and mitigating potential cyberattacks. NIS applies to wide range of sectors, including essential services like transportation, like air, rail, water, and road. There are strict financial penalties for non-compliance.
• Framework: The U.S. National Institute of Standards and Technology (NIST) created the NIST Cybersecurity Framework. The framework established a set of cybersecurity best practices, recommendations, and guidance, which can be used to help address businesses’ highest priority cybersecurity risks.
• Standards: ISA/IEC 62443, an international series of standards, focuses on cybersecurity for operational technology (OT) in automation and control systems. The standards define requirements and processes for implementing and maintaining electronically secure industrial automation and control systems (IACS).

ENISA has created port-specific guidelines to help ports better manage cyber risks

Ports are part of the world’s critical infrastructure – moving both people and the majority of traded goods. Despite their importance, there is no common methodology for port cyber-risk assessment, according to the European Union Agency for Cybersecurity (ENISA). To help remedy this, ENISA has developed actionable port-specific cyber risk management guidelines and identified good practices for managing cybersecurity challenges. This approach is mapped to the risk assessment methodology’s steps in the ISPS Code and the EU legislation for Port and Port Facility Security.

ENISA’s four-phase cybersecurity plan includes:

• Phase 1: Identify IT and OT assets and services
• Phase 2: Identify and evaluate cyber-related risks, implement security, and assess cybersecurity measures
• Phase 3: Identify and implement cybersecurity measures
• Phase 4: Assess cybersecurity maturity

A holistic cybersecurity approach – from services to products – can also help ports reduce vulnerabilities

Following recommended practices, such as those from ENISA, is an important aspect of ports’ cybersecurity. Ports also benefit from working with experienced experts who can help implement a  holistic cybersecurity plan that helps maintain a port’s cyber defenses over time.

For example, to be more cybersecure, ports must be able to identify information technology (IT) and operational technology (OT) assets and services (ENISA Phase 1). This can be difficult if ports lack the available resources or the necessary information regarding their IT and OT cybersecurity vulnerabilities. While ports are familiar with the topic of IT cybersecurity, port facility managers often are not aware of the cybersecurity risks to their OT systems. By working with OT cybersecurity specialists, ports can conduct a risk assessment that helps determine the specific areas where ports need to focus and improve.

Based on the risk assessment results, certified OT cybersecurity experts can perform vendor-agnostic services, such as design and implement a strategy that helps ports protect critical assets, reduce exploitable weaknesses, and defend against cyber-attacks. This approach is more robust when supported by advanced technology solutions that conform to ISA/IEC 62443 standards and are secure by design.

Upgrading power monitoring and control systems’ cybersecurity has helped a European airport comply with NIS2 regulations and reduce cyber risks

Like ports, the aviation industry must comply with the NIS2 Directive. For example, by upgrading its power monitoring and control systems’ cybersecurity, a European airport was able to fulfill the directive’s requirements. This also minimized cybersecurity vulnerabilities and built the foundation for a long-term cybersecurity maintenance program.

Making power monitoring and control systems cybersecure was the airport’s priority because a cyber-attack on only one or two subsystems could have impacted the airport’s operations. For example, cyberattackers could have reprogramed upper permissible voltage levels so that the Landside Airport Operations Center’s (APOC) networks were continually starved of power.

To improve cybersecurity, this airport implemented solutions, such as installing anti-malware, implementing hardening measures to protect existing hosts, and configuring and operating back-up solutions.

The results included:

• Fulfilled NIS recommendations
• Reduced attack surface according to recommended cybersecurity practices
• Minimized vulnerabilities
• Implemented a more secure cybersecurity posture
• Built the basis for a long-term cybersecurity maintenance program
• Secured the power management and control system
• Took first steps to implement fully automated upgrades

Ports can protect assets and operations by improving their cybersecurity strategy

Cyber-attacks are a major threat to ports’ operations. While ports may be aware of IT cybersecurity, they also need the same level of awareness and expertise when it comes to OT cybersecurity The cybersecurity risks will become even more prevalent as ports digitalize more actions and assets. Ports can reduce their vulnerabilities and make operations more secure and resilient by having expert support, tools, services and standards in place to help protect against attacks and limit damages.

Learn more about OT cybersecurity solutions for ports. https://www.se.com/ww/en/work/solutions/cybersecurity

About the author

Tam Osentowski, Vice President, Global Transportation Segment

Tam is VP of Global Transportation Segment where she is responsible for the strategy, sales & deployment of Schneider Electric’s end-to-end portfolio for infrastructures of the future.  Tam has been at the forefront in understanding, defining, and delivering solutions to address customer pain points through her 21 year tenure at Schneider Electric. Her expertise in sustainability consulting services and strategic customer experience management allows her to deliver tailored services for new and existing customers, with a particular focus on leading electrification efforts to build more sustainable operations.

Texas-based Osentowski earned a Leadership in Energy and Environmental Design Accredited Professional (LEED AP) designation and holds a Bachelor of Science and Master of Business Administration. 

Tags: cybersecurity, ENISA, IEC 62443, maritime, NIS2, Ports