Introduction
As technology evolves, the opportunities for its application in different aspects of life also continue to expand. However, as with many other things in life, whenever there are new opportunities created in technology, there are always people who want to take advantage of the system for their gain. Mitigating such risks is a multidisciplinary process that includes people, policy, and system frameworks (Luo, Wang, & Cai, 2015). All these efforts are aimed at preventing the occurrence of cybercrime or minimizing their impact if at all they happen. The concept of cybersecurity entails this process (ACS, 2016).
Many ports around the world have adopted information technology solutions to improve their competitiveness in the global transport business. In fact, for many port authorities, automation is an inevitable addition to their processes and operations (Chiappetta, 2017). Since most of these facilities bet their future on the adoption of cybersecurity measures to streamline their operations and reduce the impact of fraud, cybersecurity has a strong impact on their activities in the long run. Nonetheless, many governments struggle with the decision of whether to install cybersecurity measures at their ports, or not. More importantly, some of them have questioned whether having such systems would improve their defense at ports, or if they have the resources to do so in the first place (Lusk, 2015). This paper examines this dilemma by investigating the pros and cons of having cybersecurity at ports. The research question appears below.
Research Question
Do the advantages of installing cybersecurity systems outweigh the disadvantages?
Hypothesis
The advantages of installing cybersecurity processes outweigh the disadvantages of the same.
Literature Review
Cyber Risks in the Shipping Industry
Ports are important installations because their operations encompass land and sea operations. In fact, for many countries, such facilities are the lifeline of their economies. Relative to this fact, Chiappetta (2017) says, more than 90% of the world’s goods and services are exported or imported via ports. Thus, such facilities are essential to transport hubs. While governments often worry about the security of nuclear facilities and energy centers, few of them note that ports are also vulnerable to the same risks. For example, according to Luo et al. (2015), about 37% of shipping companies that use Windows web servers have not updated their systems to manage today’s security challenges. Consequently, more than one-third of these companies are vulnerable to cybersecurity attacks. Additionally, ACS (2016) says most ports around the world are unprepared to handle cybersecurity risks. Although some of them have acted on specific cyber risks, most of them have failed to notice the business impact of such system breaches on their operations (Baldwin, Gheyas, Ioannidis, Pym, & Williams, 2017).
The reality of cyber attacks on international ports was demonstrated through the “NotPetya” incident in 2017. Several companies and operations were affected by the security breach, as was evident through the interruption of the operations of a shipping company (Maersk) in different parts of the world (Dingeldey, 2017). The attack came at a huge cost to the company ($300 million in damages) (even though it was not the main target) (Dingeldey, 2017). Other ports that have been affected by similar attacks include the port of Antwerp and more recently the attack on APMT (ACS, 2016). Both of them were drug-related, but most importantly, they highlighted the vulnerabilities of port facilities to such attacks. These examples show that even the most resourced firms could still be hit by cybersecurity attacks.
Why it is Difficult to Protect Port Operations from Cyber Security Attacks
The difficulty of protecting port terminals from cybersecurity attacks is the sheer complexity of their operations. The issue is further compounded by the fact that most automated processes are aimed to transform sensory signals into mechanical actions (Lusk, 2015). This is a new area of vulnerability because the link between sensory processes and mechanical actions could easily be affected by security threats in the same way as the automated processes are affected (Baldwin et al., 2017). Additionally, it can take a long time (probably months or years) to detect areas of weakness (Baldwin et al., 2017). At the same time, even when the weaknesses are detected, it could similarly take a longer time to correct them. In such automated systems, different components have to be analyzed, while making sure that they do not interrupt port operations, which often go on for 24 hours.
Although ports have to broaden their risk approaches to cover different types of risks, hackers only need to find one entry point. For example, third parties (such as vendors) that work in port facilities may be points of entry for phishing attacks (Gomez, 2015). The failure to update data systems regularly may also be a new point of entry for cybersecurity attacks. A new complexity to this problem is the ability of modern ships to spread attacks to port systems via internet platforms, such as Wi-Fi. The above problems are real for the maritime sector because most of the industrial systems, which they rely on, were not necessarily built with “security considerations” in mind (Gomez, 2015). The above issues appeal to the technical side of cybersecurity threats. Comparatively, other researchers have highlighted the human side of the problem.
Human factors are crucial to understanding the kinds of risks ports may experience when carrying out their operations. Terrorists, disgruntled employees, and such as people may compromise a port’s security system deliberately because of varied reasons. At the same time, some employees may fail to implement such systems effectively because they make their work redundant. ACS (2016) says this problem mostly affects ports that rely a lot on employee manual inputs. Some port authorities recognize the above challenges and consequently installed cybersecurity applications in their systems. Their most visible response has been to increase the awareness of cybersecurity threats in their operations and offer training opportunities for their employees to learn how to mitigate them.
Legal Framework for Port Security
Many port operations are governed by international standards of operations. The same is true for their security processes. According to ACS (2016), the international standard for port operations is contained in the International Ship and Port Facility Security Code. Different jurisdictions have implemented the same code. For example, in the European Union, the EU / 725/2004 and the EU / 65/2005 policies operationalized the code (Serrano, 2015). The European federation implemented the code to identify the authority, skills, and objectives that would be instrumental in maintaining a safe and secure system for port operations. This description reflects the blueprint of a port security plan, which could be drawn up by a suitable officer, such as port security personnel.
The installation of cybersecurity processes is a relatively new concept for many jurisdictions. For example, the US only recently adopted a grant to assess port-security among some vulnerable installations (Abomhara & Køien, 2015). Information sharing and analysis organizations (ISAO) have also been recently formed to undertake such processes (Serrano, 2015). The United Kingdom also recently undertook similar efforts through the Department for Transport and Maritime Sector (Abomhara & Køien, 2015). In line with this responsibility, the organization recently issued a guideline on how ports should manage its security operations. Globally, the international maritime organization oversees similar efforts through the issuance of guidelines that would further protect ports from impending cybersecurity attacks (Eggers, 2016). Such recommendations also include elements that involve the strengthening of the overall cybersecurity framework.
The European Union has taken a slightly different approach by using a tailor-made policy guideline, which is premised on the Network and Information Systems Directive (ACS, 2016). This platform strives to attain a common level of cybersecurity awareness in the EU. The goal is to provide a common approach to tackling cybersecurity issues. Based on the assessments highlighted above, poor cybersecurity is becoming a threat in the global maritime space and it is spreading to all the important departments that depend on the use of efficient ICT systems.
Summary
Many port facilities around the world do not seem to understand (holistically) the security risks that they are exposed to. For example, the European Network and Security Agency say maritime cybersecurity awareness in Europe is low (ACS, 2016). A big problem that has led to an increase in such security breaches is the failure of authorities to understand the advantages and disadvantages of installing cybersecurity applications. This gap in literature characterizes this review. This study strives to fill it.
Methodology
Research Approach
Two main types of research approaches used in academic studies are qualitative and quantitative. The quantitative research approach is mostly used for studies that have a measurable outcome, while the qualitative research approach is broadly applicable to research papers that have a subjective outcome. This study adopts the quantitative research approach because it augurs well with the estimation of the advantages and disadvantages of cybersecurity threats at port facilities. The applicable research design appears below.
Research Design
There are four main types of research designs applicable in quantitative research studies: descriptive, correlational, quasi-experimental, and experimental. The selection of the right research design was mainly informed by the degree of control the researcher had in completing this paper. Since the study was centrally focused on understanding the advantages and disadvantages of cybersecurity at ports, the descriptive design was applied. Therefore, the data presented in this report are generally observatory in nature.
Data Collection
The researcher collected data using the secondary research method. Particularly, there was an emphasis to review information from peer-reviewed journals, which formed the bulk of the information sources. The keywords and phrases used in the desk research were “port facilities”, “benefits,” “challenges,” “advantages,” “cybersecurity,” and “disadvantages.” Research data published within the last five years were included in the review. Those that did not fall within this bracket were not considered for analysis. The aim of doing so was to make sure the findings obtained from the materials were valid and reliable. Relative to this data collection process, it is pertinent to mention that one limitation of this study is that its findings are only applicable to cybersecurity threats in the maritime industry and not other economic sectors.
Analysis
The researcher analyzed the data using the thematic and coding methods. The process involved six key steps as outlined in table 1 below.
Broadly, the information analyzed in the study was grouped into two themes that either showed the benefits of adopting cybersecurity at port facilities or the challenges of the same. These two groups of information later resulted in two codes of the data analysis. The advantages of cybersecurity were categorized as “Code 1,” while the disadvantages of cybersecurity were categorized as “Code 2.” All the information analyzed had to fit within one of these categories. The findings appear below.
Findings
Advantages of cybersecurity
Protecting data and information
One advantage associated with the installation of cybersecurity features in port facilities is its ability to help authorities to protect vital information or data relating to their operations. Here, it is important to point out that data management is a core area of port operations. Information relating to account details, client information, types of goods bought, location, and residence of consignees and such like data are confidential information that could be stolen through cyberattacks (Baldwin et al., 2017). Installing a strong cybersecurity system at such facilities would ensure that such information is safely kept and free from breaches (Lusk, 2015).
Protects networks and resources
A key finding derived in this review was that the installation of cybersecurity systems at ports could help to protect their networks and resources from damage (Lusk, 2015). This advantage was evident in the review because port operations often involve heavy machinery and operations, which cost millions of dollars. This equipment could be damaged if there is a cybersecurity threat. Therefore, the installation of a security system could help to mitigate against such an occurrence (Baldwin et al., 2017).
Allows employees to work safely
Another advantage noted in this paper was the ability of cybersecurity applications to help port employees work better and more efficiently. Without such a system in place, employees would always be at risk of non-performance (Lusk, 2015). In case a cybersecurity breach occurs, the productivity of the employees could also be significantly jeopardized and port authorities could even have to replace specific computers, thereby making their employees’ work more difficult (Baldwin et al., 2017).
Disadvantages of cybersecurity
The high cost of installation
One of the main disadvantages of cybersecurity, which the researcher identified in this study, is the high cost of installing and maintaining such systems (Lusk, 2015). This view is mostly true for governments or authorities in developing countries, which may lack the financial resources needed to procure such technology in the first place and maintain them at the same time (Lusk, 2015).
Difficulty in the configuration
The findings of this paper also pointed to the difficulty in configuring firewalls and other cybersecurity features as another disadvantage of installing cybersecurity at ports (Dingeldey, 2017). The configuration problem is mostly caused by variations in port activities and the differences in port operations, which require port authorities to have unique settings that only apply to their operations (Dingeldey, 2017).
Conclusion and Recommendations
This paper has shown that cybersecurity is a critical area of performance for port operations. However, different governments have failed to understand the need for installing a robust cybersecurity system to safeguard their port operations from cyber attacks. One problem compounding the above issue is that most companies are slow to update their systems and prevent their operations from being vulnerable to these attacks. A serious cybersecurity attack on their operations could mean that these companies may fail to know the location of their ships. Similarly, port facilities may not be able to unload their cargo, as they should (Luo et al., 2015).
The literature review section has highlighted multiple incidents where such crimes have occurred and caused widespread financial damage and delays that have cost shipping companies and port authorities millions of dollars. The same literature review also showed that the reason for the occurrence of some of these incidents is the failure of port authorities and their respective governments to understand the importance of having cybersecurity systems in their operations. Partly, this problem is attributed to the failure of port authorities and governments to understand the advantages and disadvantages of having such systems. This gap characterized the literature review process.
However, a secondary data analysis undertaken in this paper highlighted three advantages of cybersecurity installations that port authorities need to consider to protect their key installations from remote attacks. They include protecting data and important information, creating a supportive environment for employees to work safely and more efficiently, and protecting key installations (networks and resources) that support port operations. These advantages broadly show that the installation of cybersecurity systems in port facilities would not only help to ensure the smooth running of ports through passengers and freight flows, but also save authorities money that would otherwise be lost when a breach occurs. However, a notable disadvantage of having such a system is the high cost of installing and maintaining them. As evident in this paper, this issue could be more serious for developing countries, which lack adequate resources to equip their port authorities with such systems. Furthermore, some ports are overstretched in capacity and may lack the resources needed to implement such a system. Another disadvantage of having cybersecurity systems in ports is the difficulty in configuring such processes to manage specific cybersecurity threats that are unique to each country. Furthermore, the configuration process is a technical process that could be hindered by the lack of people who have the right skills to do so. Although the above issues could affect the speed at which port authorities adopt cybersecurity measures, they do not negate the need for having such systems in the first place.
Having a secure system is more important than worrying about the technicalities of having a functional system. In other words, countries cannot afford to lack a cybersecurity system because ports are critical installations that propel the wheels of the economy. Sabotaging any aspect of its operations could not only mean financial damages for businesses but entire economies as well. Although there is an increased sense of awareness regarding this problem, there is a need for increased information sharing approaches to mitigate the problem. Similarly, the increased use of automated processes in port operations means that there needs to be a heightened use of information systems of high integrity. Nonetheless, the findings of this paper support the hypothesis formulated in the first part of this report, which indicates that the advantages of installing cybersecurity outweigh the disadvantages of the same.
References
Abomhara, M., & Køien, G. (2015). Cybersecurity and the internet of things: Vulnerabilities, threats, intruders and attacks. Journal of Cyber Security, 4(1), 65–88.
ACS. (2016). Cybersecurity. Web.
Baldwin, A., Gheyas, I., Ioannidis, C., Pym, D., & Williams, J. (2017). Contagion in cyber security attacks. Journal of the Operational Research Society, 68(7), 1-10.
Chiappetta, A. (2017). Hybrid ports: The role of IoT and cybersecurity in the next decade. Journal of Sustainable Development of Transport and Logistics, 2(2), 47-56.
Dingeldey, P. (2017). Port automation and cybersecurity risks. Web.
Eggers, W. (2016). Government’s cyber challenge: protecting sensitive data for the public good. Deloitte Review, 1(19), 1-10.
Gomez, M. (2015). Intrinsic or opportunistic: Chinese cyber espionage strategies. National Cyber Security Institute Journal, 2(1), 1-84.
Luo, Y., Wang, B., & Cai, G. (2015). Analysis of port hopping for proactive cyber defense. International Journal of Security and Its Applications, 9(2), 123-134.
Lusk, W. (2015). The spiraling cost of maritime security. Official Journal of the Caribbean Shipping Association, 4(1), 1-10.
Serrano, S. (2015). Cybersecurity: Towards a global standard in the protection of critical information infrastructures. European Journal of Law and Technology, 6(3), 1-10.