Security in ports


One of the main barriers to further cooperation on digital innovation is a lack of a clear framework on data ownership.

Due to this legal void, companies are hesitant to share nonpersonal information as they are unsure of their rights regarding how their data is used or their obligations regarding data. Electronic exchange of B2G information has the potential to increase the efficiency of supply chains.

Cybersecurity is becoming an important issue faced by all sectors of society. EU and national regulators support industry solutions and cooperation to ensure security of European transport systems.


What are the biggest challenges in terms of cyber security for port companies in these days?

Ports and private port companies as many other sectors rely increasingly on technologies to be more competitive, comply with some standards and policies and optimize operations. This brings new stakes and challenges in the area of cybersecurity, both in the Information Technologies (IT) as well as in Operation Technologies (OT) worlds.

Due to the number and diversity of stakeholders taking part in port operations and with whom port companies interact, the challenge is to overcome the technical complexity of port IT and OT systems of the different port stakeholders who use different systems that are developed, managed and maintained by different teams or entities. Another challenge lies in the fact that OT systems, more vulnerable than IT systems, are protected because they are separated from IT systems and networks. But, increasingly, IT and OT systems and networks, become more and more dependent and interconnected thus the importance given by port companies to the resulting risks.

There is however a need to find a right balance between business efficiency and cybersecurity, especially by guaranteeing the continuity of services while keeping IT and OT secure.

The European Union has identified ports as critical infrastructure and defined the ports as “any specified area of land and water, with boundaries defined by the Member State in which the port is situated, containing works and equipment designed to facilitate commercial maritime transport operations” in article 3(1) of Directive 2005/65/EC.

The Federation of European Private Port Companies and Terminals 2 Ports play a crucial role at different levels for many sectors and have been the successful pioneers in Europe for interconnecting the different types of transport. As a main vehicle for European imports and exports (food, commodities, etc.) with the rest of the world, ports enable also trade and contacts between all European nations.

For a number of years, ports have been undergoing a digital transformation in order to meet emerging challenges and port companies have been playing a major role in this respect. They are optimizing existing processes and introducing new capabilities, such as automation and real-time monitoring of operations. This digitalization has been centered around the interconnectivity of Information Technology (IT) and Operation Technology (OT) assets and the introduction of new technological enablers, such as big data and Internet of Things (IoT).

The complexity of the port ecosystem due to the number and diversity of stakeholders taking part in port operations is an important challenge because the level of awareness with respect to cybersecurity might not be the same for all actors in a port. However when it comes to port companies and terminals as there have been huge investments in IT and OT, time and budget, awareness and training regarding cybersecurity as well as the recruitment of qualified people to deal with cybersecurity has also become a top priority.

To know more, please read FEPORT's Position Paper on Cyber security challenges in ports.


NIS Directive

The NIS Directive 2016/1148 is the first piece of EU-wide legislation on cybersecurity. It provides legal measures to boost the overall level of cybersecurity in the EU.

The NIS Directive provides legal measures to boost the overall level of cybersecurity in the EU by ensuring:

  • Member States' preparedness by requiring them to be appropriately equipped, e.g. via a Computer Security Incident Response Team (CSIRT) and a competent national NIS authority;
  • Cooperation among all the Member States, by setting up a Cooperation Group, in order to support and facilitate strategic cooperation and the exchange of information among Member States.
  • a culture of security across sectors which are vital for our economy and society and moreover rely heavily on ICTs, such as energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure. Businesses in these sectors that are identified by the Member States as operators of essential services will have to take appropriate security measures and to notify serious incidents to the relevant national authority. Also key digital service providers (search engines, cloud computing services and online marketplaces) will have to comply with the security and notification requirements under the new Directive.

The Commission has reviewed the NIS Directive as part of its 2020 Work Programme and has, based on this review process, presented a legislative proposal for a revised NIS Directive on the 16th of December, 2020.

Source: European Commission


ENISA report on cybersecurity in ports 

ENISA, the European Union Agency for Cybersecurity also conducts work on Cybersecurity in ports. On the 17th of December 2020, they published a guidance on said topic.

The report aims to provide port operators with good practices for cyber risk assessment that they can adapt to whatever risk assessment methodology they follow. The report contains a four-phase approach to cyber risk management for port operators which is aligned to the risk assessment methodology that is laid out in the ISPS Code and relevant EU legislation for Port and Port Facility Security.

The four phases are the following:

  • Phase 1: Identifying cyber-related assets and services
  • Phase 2: Identifying and evaluating cyber-related risks
  • Phase 3: Identifying security measures
  • Phase 4: Assessing cybersecurity maturity

For each of these phases, the report provides actionable guidelines, lists common challenges and contains good practices that can be readily adopted and customised by individual organisations.

Phases four of these guidelines also introduces a model for port operators to perform cybersecurity maturity self-assessments.

Source: ENISA