1. Cyber Security in Ports Business as Usual?
November 2017

2. Essential Contribute to 3% GDP Large direct and indirect employer
Indispensable part of logistic chain
Country-level essential infrastructure
Large number of small companies
Large interdependency and connectedness

3. Dependency and connectedness
Paper-less and logistic integration as a competitive advantage
Increasing reliance on IT tools and networks
Portbase, Antwerp Port Community System
Navigate, e-Desk
More and more operational/industrial control systems
Logical and physical exposure of the network
Increasing attack surface

4. (Not)Petya June 2017 Disruptive intent
Encrypt files, no way to decrypt
Initial infection via accounting software M.E.Doc
Spreading through internal networks
Massive collateral damage (APM, TNT, DLA…)

5. Targeted, But Not To Ports

6. Impact Maersk/APM 17 container terminals disrupted for days
Loading and unloading impossible because of uncertainty of the content of the shipments
Perishable goods lost?
Camera surveillance disrupted
Truck chaos as well, delays down the logistic chain
Cyber incident turning into a physical incident
More than 300mio€ financial impact

7. The Adversaries Highly likely Targeted cybercrime
Facilitating trafficking
Strategic espionage
Moderately likely
Sabotage by insiders, hacktivists, terrorists
High impact
State sponsored disruption

8. Regulatory Framework
ISPS – International Ship and Port Security Code (response to 9/11)
Security of ships and port facilities is a risk management activity
Register of critical companies & facilities
Security Committee and Port Security Officer (issues security certificates)
Comprehensive security plan based on risk assessment
Monitoring and verification
Incident response plan and test exercises
NIS Directive - Network Information Security Directive (9 May 2018)
Mainports Antwerp & Rotterdam: Operators of Essential Services (OESs)
Implement adequate security measures and prevent and minimize impact of incidents
Report cyber incidents to national Cyber Security Authorities (NCSC and CCB)
Set up ISACs – Information Sharing and Assessment Communities (already in place)
Q: No formal role for Port Authorities foreseen, how to organize within respective ports?
GDPR - General Data Protection Regulation (May 2018)
Security requirements for processing activities involving personal data
Data breach notification requirements

9. Current Security Organisation
IT security culture and cyber hygiene lags behind
Awareness, inventory of assets, base line security controls, segmentation IT and OT environments, back-ups
Few organizations have dedicated IT security staff
None have
Mature security incident detection (no detection sensors in place)
CERTs – Cyber Emergency Response Teams
No specific threat intelligence (but if available, not able to benefit from it)
Information Sharing Communities exist but could be boosted

11. Gap
Sophistication
Adversary
Mature
Immature
Time

12. Proposals Leverage infrastructure of ISPS to implement NIS Directive
Port Security Officer to absorb Cyber Security
Framework for cyber governance (responsibilities for setting requirements, oversight, reporting, monitoring)
Develop common cyber hygiene baseline
Certification mechanism (‘cyber secure’ label)
Develop cyber security maturity indicators and reporting dashboard
Set-up a CERT for each mainport, using pooled resources
Intensify ISACs within and between the mainports
On-site training (including C-suite)
Annual exercise (within and later across ports)

13. Gap
Sophistication
Time

14. Take Aways Threat landscape becomes ever more challenging
High level of dependency and connectedness
Currently low maturity and cyber resilience
Not ready for legislation
Proposals
Increase maturity and resilience
Improve community interaction
Integrate cyber in existing security framework

15. Why again?

16. Thank You