Posted November 30, 2019
By Catherine Stupp, Wall Street Journal
Ports, shipping firms often adopt new technologies without considering how to secure them, EU agency says
BRUSSELS—Ports and shipping companies in Europe are increasingly adopting technologies such as automation or internet-connected devices to analyze data and improve services. But their cybersecurity defenses haven’t caught up, creating gaps that hackers could exploit, according to a report published Tuesday by the European Union’s cybersecurity agency.
Adding to the strain: Maritime companies tend not to share sensitive information with each other, meaning they have fewer chances to stop hackers, experts said. Compared with their counterparts at U.S. firms, employees at European maritime companies don’t communicate as much with their competitors because they lack an industrywide group to share details about cybersecurity threats, said Chronis Kapalidis, Europe representative of HudsonAnalytix, a New Jersey-based consulting firm specializing in maritime cybersecurity.
The vast majority of global trade is moved via ships and Europe has two of the world’s 15 biggest container ports by volume: Rotterdam in the Netherlands and Antwerp in Belgium, according to the World Shipping Council, a Washington-based trade group representing shipping lines. The rest are located in Asia.
The international shipping industry will soon face tougher cybersecurity rules that aim to help protect ships from hackers, but the rules are already outdated. New guidelines from the International Maritime Organization, part of the United Nations, are set to take effect in January 2021. The guidelines were drafted in 2016 and don’t refer to newer technologies such as artificial intelligence or cloud computing.
The European Union Agency for Cybersecurity, known as Enisa for the abbreviation of an older name, said in Tuesday’s report that the European industry could step up its cyber defenses with a public-private organization such as the U.S. Maritime and Port Security Information Sharing and Analysis Center. The Florida-based center, set up in 2015, includes representatives from ports, shipping firms and other maritime companies on its advisory board.
The U.S. Coast Guard is also encouraging the commercial shipping industry to improve its security measures and issued an alert this summer about a February cyberattack that hit a ship en route to the Port of New York and New Jersey, WSJ Pro Cybersecurity previously reported.
Conservative, outdated ideas of cybersecurity are common at European maritime companies, Enisa said in its report. Port operators often prioritize adopting new tools before considering how to secure them, the agency said. That means hackers could intercept port communications to monitor activities and gain access to data, potentially using that information to steal cargo, the report said.
Among new technologies that ports are using, according to the report: The ports of Rotterdam and Amsterdam use drones to monitor operations, while the port of Antwerp started a data-analysis project to control traffic and prevent bottlenecks.
It is challenging for companies to find and hire cybersecurity experts with knowledge of complex maritime technologies and industrial equipment, said Magdalena Szwiec, a Norway-based senior associate at professional-services firm KPMG LLP who advises companies in the maritime sector about cybersecurity. Businesses around the world are struggling to fill cybersecurity jobs and the challenge is greater in specialized industrial fields such as maritime operations, she said. Europe has an estimated 291,000 unfilled cybersecurity jobs, up from 142,000 in 2018, according to a survey from (ISC)², a trade association for cybersecurity professionals.
Enisa recommended that ports develop tailored training courses for employees working on different kinds of equipment. Large European ports work with up to 900 companies of various sizes that may have differing cybersecurity standards, the agency’s report said.
Some experts say European laws are helping firms in the complex maritime supply chain to shore up cybersecurity gaps. EU regulations have encouraged companies to upgrade their cybersecurity safeguards, said Steve Purser, head of core operations at Enisa.
A directive on the security of network and information systems, adopted in 2016, required the 28 EU countries to identify, by last year, companies that operate critical services, including large ports. Those firms must report cybersecurity incidents to regulators and implement security measures.
“You can’t reasonably expect within a few years that whole supply chains have been secured, but that’s certainly the idea,” Mr. Purser said.
Write to Catherine Stupp at Catherine.Stupp@wsj.com