ANALYSIS OF CYBER SECURITY ASPECTS IN THE MARITIME SECTOR
November 2011
Contributors to this report
ENISA would like to express its gratitude to all contributors of this analysis.
ENISA would also like to recognise the contribution of the Deloitte team members that
prepared this analysis in collaboration with and on behalf of ENISA:
- Mr. Dan Cimpean;
- Mr. Johan Meire;
- Mr. Vincent Bouckaert;
- Mr. Stijn Vande Casteele;
- Mrs. Aurore Pelle;
- Mr. Luc Hellebooge.
Acknowledgements
ENISA would like to acknowledge the contribution to the maritime cyber security workshop
organised in the light of this project and the report, and in particular:
- Mr. Andrea Servida, from DG INFSO;
- Mr. Jean-Bernard Erhardt and from DG MOVE;
- Mr. Jukka Savo, from DG MOVE;
- Mr. Allard Kernkamp, from CPNI.NL;
- Assistant Professor Nineta Polemi, the University of Piraeus, Dept. of Informatics
About ENISA
The European Network and Information Security Agency (ENISA) is a centre of expertise for the European Union (EU), its Member States (MS), the private sector and Europe’s citizens. As an EU agency, ENISA’s role is to work with these groups to develop advice and recommendations on good practice in information security. The agency assists MS in implementing relevant EU legislation, and works to improve the resilience of Europe’s critical information infrastructure and networks. In carrying out its work programme, ENISA seeks to enhance existing expertise in MS by supporting the development of cross-border communities committed to improving network and information security throughout the EU.
Contact details
For questions related to Cyber Security aspects in the maritime sector, please use the
Mr. Wouter VLEGELS - Expert, Critical Information Infrastructure Protection
E-mail: email@example.com
Legal notice
Notice must be taken that this publication represents the views and interpretations of the authors and editors, unless stated otherwise. This publication should not be construed to be a legal action of ENISA or the ENISA bodies unless adopted pursuant to the ENISA Regulation (EC) No 460/2004 as lastly amended by Regulation (EU) No 580/2011. This publication does not necessarily represent state-of-the-art and ENISA may update it from time to time.
Third-party sources are quoted as appropriate. ENISA is not responsible for the content of the external sources includi
Contents
1 Executive Summary
2.1 The maritime sector as critical infrastructure
2.2 The policy context
2.3 Purpose and scope of the study
2.4 Target audience
2.5.1 Desk top research
2.5.2 Interviews and questionnaires
3 Key findings and recommendations
3.1 Low awareness and focus on maritime cyber security
3.2 Complexity of the maritime ICT environment
3.3 Fragmented maritime governance context
3.3.1 Global level
3.3.2 European level
3.3.3 National/Regional level
3.4 Inadequate consideration of cyber security in maritime regulation
3.5 No holistic approach to maritime cyber risks
3.6 Overall lack of direct economic incentives to implement good cyber security in maritime sector
3.6.1 Impact
3.7 Inspiring initiatives, a call for collaboration
4 Conclusions & suggested next steps
5 APPENDIX A Workshop report
5.1 List of keynote speakers
5.2 Keynote summaries
5.2.1 EU Policy on network and information security and CIIP
5.2.3 Management of public-private partnerships and information sharing for the protection of critical infrastructures
5.2.4 Open issues and proposals in the security management of PIT systems – The SPort national case
5.3 Group discussions
6 APPENDIX B Summary of key findings and recommendations
Executive Summary
The maritime sector is critical for the European society. Recent statistics show that within Europe, 52%[1] of the goods traffic in 2010 was carried by maritime transport, while only one decade ago this was only 45%. This continuous increase in dependency upon the maritime transport underlines its vital importance to our society and economy. As can be observed in other economic sectors, maritime activity increasingly relies on Information Communication and Technology (ICT) in order to optimize its operations. ICT is increasingly used to enable essential maritime operations, from navigation to propulsion, from freight management to traffic control communications, etc.
These last years have also shown that cyber threats are a growing menace, spreading in all industry sectors that progressively rely on ICT systems. Recent examples of deliberate disruption of critical automation systems, such as Stuxnet[2], prove that cyber-attacks can have a significant impact on critical infrastructures. Disruption or unavailability of these ICT capabilities might have disastrous consequences for the European Member States’ governments and social wellbeing in general. The need to ensure the dependability of ICT and its robustness against cyber-attacks is a key challenge at national and pan-European level.
This first analysis of the cyber security aspects in the maritime sector identified key insights and considerations regarding this area. It also touches on the policy context at the European level and situates the topic of cyber security in the maritime sector as a logical next step in the global protection effort of ICT infrastructure. This document identifies essential problematic areas as well as initiatives being implemented, which could serve as a baseline towards helping the development of cyber security in this particular context. Finally, high-level recommendations are presented for each observation, suggesting the possible approaches that could be taken for addressing these risks.
High-level observations and recommendations
Awareness of cyber security needs and challenges in the maritime sector is currently low to non-existent. Member States should consider developing and implementing awareness raising campaigns targeting the maritime actors. In particular, the provision of appropriate cyber security training to relevant actors (e.g. shipping companies, port authorities, etc.) would be highly recommended. Such awareness campaigns and training initiatives should target all relevant actors involved in the maritime sector, while their provision could be coordinated by relevant cyber security organisations (e.g. national cyber security offices, national CERTs, public-private partnerships, etc.).
[1] In terms of value in Euros. Source: Eurostat database: EXTRA EU27 Trade Since 2000 By Mode of Transport (HS6)
[2] http://www.enisa.europa.eu/media/press-releases/stuxnet-analysis
Due to the high ICT complexity and the use of specific technologies, there are particular challenges to ensure adequate security provisions in maritime systems. It would be beneficial for all stakeholders to agree on a common strategy and to develop good practices for the technology development and implementation of ICT systems in the maritime sector, ensuring “security by design” for all critical maritime ICT components.
As current maritime regulations and policies consider only the physical aspects of security and safety, it is recommended that policy makers add cyber security aspects to them.
We strongly recommend a holistic risk-based approach, which would require the assessment of existing cyber risks associated with the current ICT systems implementations relevant to the European maritime sector as well as the identification of all critical assets within this sector. For maritime economic operators and stakeholders, it is important to proactively apply sound cyber and information security risk management principles within their organisations and environments.
With the maritime governance context being fragmented between different levels (i.e. international, European, national), the International Maritime Organisation together with the European Commission and the Member States should consider aligning and harmonizing international and European policies related to this sector, particularly on its cybersecurity aspects. Member States should clearly specify the roles and responsibilities that should be endorsed for addressing cyber security matters at those various levels.
Proper coordination and cooperation between the relevant stakeholders should also be defined (e.g. CERTs and port authorities, shipping companies, etc.) through public-private sector interaction. We recommend that Member States stimulate dialogue and public-private partnerships between the key stakeholders in the maritime sector (e.g. shipping companies, port authorities, etc.) and connected stakeholders (e.g. insurance companies / brokers).
From a different perspective, better information exchange and statistics on cyber security may help insurers to improve their actuarial models, reduce their own risks, and therefore offer better contractual insurance conditions to the involved maritime stakeholders. Information exchange platforms, such as the ones implemented by CPNI.NL, should also be considered and developed by Member States in order to foster and facilitate communication on cyber security for the relevant maritime actors.
For further details and additional observations, please refer to chapter 3 (‘Key findings and recommendations’) and chapter 4 (‘Conclusions & suggested next steps’) of this document.
1.1 The maritime sector as critical infrastructure
The maritime sector sustains society and the economy through the movement of people and vital goods, such as energy (transportation of oil and gas), food[3], etc. The criticality of the maritime sector for the European Member States and economies is clearly illustrated by
In Europe, 52%[4] of the goods traffic in 2010 was carried by maritime transport, where only one decade ago this was only 45%. This increase in maritime transport dependency underlines its vital importance to our society and economy. Based on data from the European Commission[5], around 90% of EU external trade and more than 43% of the internal trade take place via maritime routes. Industries and services belonging to the maritime sector contribute between 3 and 5 % of EU Gross Domestic Product (GDP), and maritime regions produce more than 40 % of Europe’s GDP. 22 Member States with maritime borders manage more than 1.200 sea ports supporting the maritime sector activity.
Three major European seaports (i.e. Rotterdam, Hamburg and Antwerp[6]) accounted in 2010[7] for 8% of overall world traffic volume, representing over 27,52 Million-TEUs. Additionally, these seaports handled more than 50% of the entire European waterborne foreign container trade. The main European seaports carried in 2009 17,2% of the international exports and 18% of the imports[8].
The European economy is therefore critically dependent upon the maritime movement of cargo and passengers. On the other hand, maritime activity increasingly relies on Information Communication and Technology (ICT) to optimize its operations, as in all other sectors. ICT is used to enable essential maritime operations, from navigation to propulsion, from freight management to traffic control communications, etc. These last years have also shown that cyber threats are a growing menace, spreading in all sectors. Disruption or unavailability of these ICT capabilities might have disastrous consequences. There is therefore an increased need to ensure ICT robustness against cyber-attacks, and dependability is a key challenge at national and pan-European level.
Securing the critical infrastructure of the maritime sector is increasingly becoming a priority for the key European stakeholders, including the European Commission, Member State governments and the main actors from the private sector.
[3] See EICAR Conference Best Paper Proceedings 2003
[4] In terms of value in Euros. Source: Eurostat database: EXTRA EU27 Trade Since 2000 By Mode of Transport (HS6) (DS_043328), accessed on 02/08/2011.
[5] http://ec.europa.eu/maritimeaffairs/maritimeday/pdf/proceedings_en.pdf
[6] In terms of goods’ transhipments in 2008, Rotterdam, Antwerp, Hamburg ports were the most important in Europe.
[7] http://www.worldshipping.org/about-the-industry/global-trade/top-50-world-container-ports
[8] Eurostat database: Trade in goods, by main world traders (tet00018), accessed on 02/08/2011.
1.2 The policy context
Critical information infrastructures support vital services and goods such as energy, transport, telecommunications, financial services, etc., that are so essential that their unavailability may adversely affect the well-being of a nation. Due to their significant importance, the protection of critical information infrastructures is required to sustain and further enhance the wellbeing of the European society, the European Union economy, and the European citizens.
Therefore, this subject has also become an attention area for the policy makers in the European Union (EU).