European maritime companies vulnerable to cyber threats

BRUSSELS – Ports and shipping companies in Europe are increasingly adopting technologies such as automation or internet-connected devices to analyze data and improve services. But their cybersecurity defenses haven’t caught up, creating loopholes that hackers could exploit, according to a report released Tuesday by the European Union’s cybersecurity agency.

Adding to the pressure: Shipping companies tend not to share sensitive information with each other, which means they are less likely to catch pirates, experts have said. Compared to their counterparts in US companies, employees of European maritime companies do not communicate as much with their competitors because they lack an industry-wide group to share details about cybersecurity threats, said Chronis Kapalidis , European representative for HudsonAnalytix, a New Jersey-based consulting firm. firm specializing in maritime cybersecurity.

The vast majority of world trade is by sea, and Europe has two of the world’s 15 largest container ports by volume: Rotterdam in the Netherlands and Antwerp in Belgium, according to the World Shipping Council, a trade group based in Washington representing the shipping companies. The others are located in Asia.

The international shipping industry will soon face tougher cybersecurity rules aimed at protecting ships from pirates, but the rules are already outdated. New guidelines from the International Maritime Organization, part of the United Nations, are due to come into force in January 2021. The guidelines were written in 2016 and do not refer to new technologies such as artificial intelligence or cloud computing .

The European Union Agency for Cybersecurity, known as Enisa for the abbreviation of an older name, said in Tuesday’s report that European industry could strengthen its cyber defenses with a public organization -private such as the US Maritime and Port Security Information Sharing and Analysis. Center. The Florida-based center, established in 2015, includes representatives from ports, shipping lines and other shipping companies on its advisory board.

The U.S. Coast Guard is also encouraging the commercial shipping industry to improve its security measures and issued an alert this summer about a cyberattack in February that hit a ship en route to New York Harbor and New Jersey, a previously reported WSJ Pro Cybersecurity.

Conservative and outdated ideas about cybersecurity are common in European maritime companies, Enisa said in its report. Port operators often prioritize adopting new tools before considering how to secure them, the agency said. That means hackers could intercept port communications to monitor activity and access data, potentially using that information to steal goods, the report said.

Among the new technologies used by the ports, according to the report: the ports of Rotterdam and Amsterdam are using drones to monitor operations, while the port of Antwerp has launched a data analysis project to monitor traffic and prevent bottlenecks.

It’s difficult for companies to find and hire cybersecurity experts familiar with complex maritime technologies and industrial equipment, said Magdalena Szwiec, a Norway-based senior partner at professional services firm KPMG LLP, which advises companies in the maritime sector with regard to cybersecurity. Companies around the world are struggling to fill cybersecurity positions and the challenge is greater in specialized industrial fields such as maritime operations, she said. Europe has around 291,000 unfilled cybersecurity jobs, up from 142,000 in 2018, according to a survey by (ISC)2, a trade association for cybersecurity professionals.

Enisa recommended that ports develop tailor-made training courses for employees working on different types of equipment. Major European ports work with up to 900 companies of varying sizes which may have different cybersecurity standards, according to the agency’s report.

Some experts say EU laws are helping companies in the complex maritime supply chain close cybersecurity gaps. EU regulations have encouraged companies to upgrade their cyber security measures, said Steve Purser, head of core operations at Enisa.

A directive on the security of networks and information systems, adopted in 2016, required the 28 EU countries to identify, by last year, companies that operate critical services, including major ports . These companies must report cybersecurity incidents to regulators and implement security measures.

“You can’t reasonably expect entire supply chains to be secure within a few years, but that’s certainly the idea,” Purser said.

Write to Catherine Stupp at [email protected]

Copyright ©2022 Dow Jones & Company, Inc. All rights reserved. 87990cbe856818d5eddac44c7b1cdeb8