Drivers of Change in Maritime – Ports and Cyber Security
Ports have for centuries been integral to the economic and social prosperity of a sea-trading nation. They constitute an essential component of the global transportation sector providing the means for maritime transport and trade. As well as facilitating the flow of goods and people, major ports are part of the critical national infrastructure and vital to the effective security and border management of a country.
Today, despite the age of the train and the plane, 90 percent of global trade by volume, is carried out by the shipping industry. In the United States, for example, seaports handle over 99 percent of the country’s overseas cargo by volume and 65 percent by value. In the United Kingdom, over 95 percent of imports and exports by volume, and 75 percent by value still pass through the country’s ports. As global shipping volumes continue to increase, the role of ports as ‘multi-modal distribution hubs’ has become key to establishing market access, supporting supply chain ecosystems and connecting consumers and producers. It is crucial therefore, that ports are able to adapt and respond to the constant pressures from economic, technological, and regulatory changes in order to ensure a resilient and optimal operating capability – integral to this is the need for adequate assurances with regards to safety and security and in particular, the growing complexity of threats from Cyberspace.
Following on from the four physical domains of land, sea, air, and space originating from military doctrine, Cyberspace is referred to as the fifth dimension, and reflects the evolving world of the internet and the proliferation of information. It challenges the concept of sovereign control and ownership as Cyberspace is not bound by land borders or subject to the legitimacy of territorial waters, or protocols governing international waters and airspace. In the context of national interests, Cyberspace is less about defining and defending borders or occupying territory, and more about ensuring access and control in a virtual environment and the ability to operate freely when it comes to communication and transportation. When considering some of the major drivers shaping the future of the maritime sector, the implications of Cyberspace can be seen and felt in many different ways as the sector evolves, and the approach to Cyber Security becomes mainstream.
The growth of protectionism, the rapid adoption of digitalisation, increasing competition and consolidation, the focus on environmental issues, and the challenge of regulatory considerations, are driving unprecedented change in the maritime sector. In particular, the impact of digitalisation is creating a fundamental shift of traditional paradigms; concepts such as the ‘Digital Economy’, the ‘Virtual Border, the ‘Smart Port’,’ exemplify the coalescing of the physical world with the virtual, and how little the complexities and implications are currently understood, especially in relation to the Cyber Security arena. It is useful therefore to examine these drivers of change in that context.
Shipping facilitates international trade on which the global economy is dependent, but the geopolitical landscape is changing rapidly. Since early 2018, there has been an ongoing spiral of sanctions and trade restrictive measures between two of the world’s most powerful nations, the United States and China. The proliferation of similar restrictive trade policies and practices in other countries around the world has triggered tensions over the increase in protectionism and the spectre of escalating trade wars. This concern was highlighted at the World Trade Organisation in May 2019, when industry stakeholders presented the case for free trade and a rules-based multilateral trading system. Nevertheless, the sector remains resilient with global maritime trade predicted to grow, albeit at a slower rate, at an average annual of 3.4 percent between 2019 and 2024. New regional trade alliances and realignment of trade routes are already reshaping the industry, further driving investment in transport infrastructure and impacting the volume of trade passing through major ports as they compete to attract business and expand operations. In 2006, only three of the world’s Top 10 ports were located in China, whereas an estimated two-thirds of container traffic now passes through Chinese ports or ports that have received Chinese investment . Today, only one of the Top 10 ports, Jebel Ali, is located outside of East Asia, and the flow of trade is ever increasing through the South China Sea.
This domination is set to continue with the ‘Belt and Road Initiative’ (BRI) – a colossal infrastructure programme announced by China in 2013 aiming to improve regional integration, trade and economic growth on a transcontinental scale. The overland “Belt” connects China to Central and South Asia and onward to Europe. The maritime “Road” links China to the countries of South East Asia, the Gulf, East and North Africa, all the way to Europe. Whilst mounting controversy surrounds China’s true intentions, the Maritime Silk Road is establishing valuable trade links for China through the investment of billions of dollars in developing strategically located ‘Smart Ports’ such as Singapore, Djibouti, Duisberg, Hambantota, Antwerp, Rotterdam, Piraeus, and Valencia.
As protectionism and world political tensions escalate, Cyberspace is becoming the new dimension for safeguarding and advancing sovereign state interests; some countries also see Cyber Security as the tool to influence the perception of ‘adversaries’. Last year the Danish Maritime Authority (DMA) published its Cyber and Information Security Strategy for the Maritime Sector 2019-2022 following a threat assessment from Denmark’s Centre for Cyber Security (CFCS). Summarising high threats, the report states:
According to Research and Markets, the Global Smart Ports Market 2018-2027 accounted for $1.53 billion in 2018 and is expected to reach $9.86 billion by 2027 growing at a compound annual growth of 23.1 percent during the forecast period. Just as shipping is vital to global trade, ports are the hubs that facilitate the international movement of goods and people, acting as a crucial connection between land and sea transport. They are complex infrastructures and operational environments with multiple stakeholders encompassing shipping lines, freight forwarders, terminal operators, government agencies and merchants (reference figure 1). In recent years, the pressures to increase efficiencies, reduce environmental impacts and enhance security have led to the adoption of digital technologies in transforming the way ports interact between shipping, e-commerce, and logistics.
Automation is leading the digital revolution of ports with automated equipment handling such as cranes and self-driving trucks. Other emerging technologies such as AI, Blockchain, Big Data, Machine Learning and Virtual Reality simulations are also enabling ports and their eco-systems to become more efficient, flexible and agile. Through the Internet of Things (IoT), ports are being integrated into maritime information network hubs, where relevant data is accessible and communications can be shared in real-time with shipping partners. Automatic processing of cargo information provides container movement transparency and efficiency, as well as supporting other port processes associated with the flow of containerised cargo. Digital transformation of port security is enhancing the ability to detect the illicit movement of goods and people through innovations in surveillance technology, access controls, screening, communications and command and control integration. Port authorities such as Singapore, Los Angeles, Long Beach, Shanghai, Shenzhen, Rotterdam and Hamburg are helping lead the next generation of port designs and technology. The Port of Rotterdam is replacing its traditional radio and radar communications with Internet of Things (IoT) sensors to gather tidal, wind and visibility data to seamlessly bring vessels into berth. Trials are also being undertaken for a technology, referred to as the digital twins, which uses sensors to analyse a physical asset’s efficiency, condition and status.
Operators can use real-time information to run scenarios to improve decision making, problem solving and predictive planning. Through the targeted exchange of information and data, ports can develop and deploy new business models enabling greater innovation and collaboration within global supply chains.
Digitalisation is also helping with the shift to greener and more efficient practices. New regulations from the International Maritime Organisation (IMO) include the introduction of a low sulphur cap for fuel emissions from 01/01/2020, and a 50 percent reduction of carbon emissions by 2050. Ports have a key role in reducing shipping’s impact on air quality through inspections of ships and by promoting a zero- emission berth standard in ports. Port-call optimization, (optimizing vessel speeds and routes), can reduce carbon-dioxide emissions and waiting times in ports. The Port of San Diego was among the first to launch an energy efficiency digitisation programme in 2014 and adopt a Climate Action Plan (CAP); the deployment of smart sensors to capture and use data to detect and stop wasted energy in buildings is anticipated to contribute to future declines in greenhouse gas emissions.
All of these gains come at a price and the drive towards digitalisation and automation is increasing the Cyber threat vectors exponentially. Arguably ports and terminals, with their complex interfaces, convergence of IT and OT assets, interconnected communications and control systems, and global supply chains are much more at risk. In recent years a number of high profile Cyberattacks on ports have highlighted their vulnerability and caused the sector to realise that cyber incidents can occur at any point along the supply chain; the potentially devastating consequences include disruption of operations, financial loss and reputational damage.
In 2017, the NotPetya Cyberattack on A.P. Møller-Maersk hit 4,000 servers, 45,000 computers, and 2,500 applications causing the shutdown of its fully automated Rotterdam port terminal; to date the recovery of operations has cost over $300 million. This was not an isolated incident; other Cyberattacks in the public domain include the Port of San Diego, where a Cyber Security threat disrupted the port’s information technology systems; a Cyberattack on the Port of Barcelona that affected the port’s servers and systems; and a Cosco Shipping-affiliated terminal which suffered a ransomware attack at the Port of Long Beach. These incidents and the learning from them has been a dramatic wakeup call for the sector and Maersk has since shared why it now regards Cyber Security as a key business enabler if properly addressed. A recent report from Lloyd’s of London stated that Cyberattacks on Asian ports could cost the industry as much as $110 billion. The growing Cyber threat has prompted governments and regulatory bodies to introduce new policies, regulations and data protection laws.
The shipping industry is principally regulated by the IMO and responsibility for enforcing IMO regulations concerning ship safety and environmental protection rests with the flag states. International liner ships and the port facilities at which they call have to adhere to the standards and procedures, including security assessments, set out in the IMO’s International Ship and Port Facility Security (ISPS) Code. In addition, Port State Control officers have the power to detain foreign flag ships in port if they do not comply with international requirements.
In recent years the IMO has formalised a number of Cyber requirements for ship owners, ship operators and ports within its International Safety Management (ISM) Code which must be addressed by 2021. These regulations require stakeholders to “raise awareness on the Cyber risk”; “embed a culture of Cyber risk awareness”; “respond quickly to a Cyber incident”.
Alongside industry specific regulations the introduction of Flag State laws, such as Singapore’s Cybersecurity Act 2018, and national privacy and data protection laws provide a mandate for stakeholders to address Cyber risk as an essential business function. The General Data Protection Regulation (GDPR) and the EU Network and Information Security (NIS) Directive, which considers the maritime industry a regulated ‘operator of essential services’, impose significant financial penalties on organisations for data breaches, especially if they are not properly reported.
For ports and port stakeholders, balancing business decisions and making informed choices when it comes to commercial, operational and technology investments should incorporate the impact of Cyber Security threats, risks and opportunities.
Proactive and defensive measures need to be proportionate to the evolving risks within the holistic business portfolio and reviewed regularly in line with security best practices. The European Union Agency for Cybersecurity (ENISA) recently issued a report on the Cyber Security challenges relating to the evolution of maritime port systems which identified the importance of ‘defining clear governance, enforcing technical Cyber Security basics, implementing security by design, and enforcing detection and response capabilities at port level ‘.
Education and training from the board to the front line can help promote greater awareness in line with recent IMO regulations and help create a culture reinforcing the relevance and importance of Cyber Security. The International Maritime Cyber Centre of Excellence (IMCCE) with its Maritime Cyber Emergency Response Team (MCERT), and ENISA’s initiatives with Information Sharing and Analysis Centres (ISACs) and maritime stakeholders, are helping create industry specific platforms for global data sharing, collaboration and emergency response which will be vital as the industry matures its capability and resilience. In a digital world of unprecedented uncertainty, the Ports sector is not alone in how it prepares for, and addresses change, but it does need its own enlightened leaders to navigate its future course.
By Anu Khurmi, Managing Director, Global Services, Templar Executives