By CDR Michael C. Petta
Port industry leaders recently submitted cybersecurity guidelines to the International Maritime Organization (IMO) for consideration. The IMO Member States should seize this opportunity and amend the International Ship and Port Facility Security (ISPS) Code to enact cybersecurity standards for ports and port facilities. Specifically, IMO Member States should amend the code, using the new industry guidelines as a model, to require port facilities to conduct regular cybersecurity assessments and develop distinct cybersecurity plans.
The IAPH’s Cybersecurity Guidelines for Ports and Port Facilities
Earlier this month the International Association of Ports and Harbors (IAPH), a trade association representing ports across the globe, announced the publication of cyber guidelines for ports and port facilities. With help from the World Bank, the IAPH developed these cybersecurity guidelines to mitigate, according to the publication’s executive summary, “the top risk for port authorities and the wider port community.” A review of the extensive list of cyber incidents occurring over the past year, as compiled by the Center for Strategic and International Studies, reinforces the IAPH’s view that cyberattacks are a preeminent global threat. Recently in a speech at the United Nations, President Biden recognized the immediacy of that risk, emphasizing the importance of “hardening our critical infrastructure against cyberattacks” and establishing “clear rules…for all nations as it relates to cyberspace.” Needless to say, the IAPH guidelines are a welcome move toward a nearly decade-old aspiration to improve cybersecurity resilience in the maritime sector.
The IAPH’s recent work toward cyber resiliency is not the only 2021 cyber milestone in the maritime transportation sector. Rather, at the start of the year the IMO’s guidelines for maritime cyber risk management, although adopted almost four years earlier, came into effect for parts of the Maritime Transportation System (MTS). It is no coincidence these two sets of guidelines emerged the same year. Indeed, the latter guidelines are a necessary consequence of the former because the earlier set, in fact, does not cover port facilities. Port leaders had no choice but to fill the gap, and they did so quickly.
The IAPH did more than jump into the breach. It also coordinated its effort with the IMO. This substantive coordination is evident in two 2021 submissions to the IMO’s Maritime Safety Committee (MSC). In MSC 103/92 of March, the IAPH, recognizing the port facility gap, stressed that “ports and port facilities would benefit” from a framework akin to that applied to vessels earlier in the year. The IAPH was motivated by cyber risks it considers to be “the most significant threats for ports today,” citing a “fourfold increase in cyberattacks in the maritime industry” over a four-month period last year. Equally motivating was an expected intensification of cyber threats from accelerated port digitalization, an ongoing modernization effort triggered by, inter alia, the coronavirus pandemic.
Driven by these long-standing and mushrooming risks, the IAPH declared to the MSC its intention to develop “a single comprehensive set of guidelines customized for Ports and Port Facilities.” Impressively, just four months later, via MSC 104/7/1, the IAPH reported completion of its work—the IAPH Cybersecurity Guidelines for Ports and Port Facilities.
The 73-page guide contains many valuable cybersecurity measures and instructs facility operators on many topics fundamental to security in the cyber domain. These include management buy-in, personnel training, risk assessment, proper staffing, threat detection, and incident response. While this article does not intend to explore each provision in depth, highlighting a few features is useful for illustrating the guidelines’ utility. For example, the guide expressly endorses port facilities conducting unique cybersecurity training, drills, and exercises. Also, it encourages facility operators to share cyber information with government regulators and industry partners. The guidelines further acknowledge the importance of planned cybersecurity incident response and reporting. Finally, and perhaps most importantly, the IAPH’s new guidelines favor port facilities conducting regular cybersecurity assessments and developing distinct cybersecurity plans.
To incorporate such measures into an international government framework, the IAPH asked the IMO to consider the new guidelines and measures at the next MSC session, which is scheduled to take place in the first week of October, next week.
Amending the International Ship and Port Facility Security Code
The IMO’s previous cyber guidelines, those adopted in 2017 and put into effect in 2021, were considered game changing. Certainly, they were a vital step toward a uniform approach for combating cyber threats in the shipping industry. Notably, IMO Member States relied on the International Safety Management (ISM) Code as the legal foundation for those guidelines. The ISM Code is a safety management system adopted in 1987 to help shipping industry leaders manage safety risks. Regardless of whether a safety management system is the best instrument for generally mitigating security threats, it is not the right tool for promoting cybersecurity at port facilities. This is because the ISM Code, fundamentally, applies only to ships, not port facilities.
Fortunately, there is an international instrument designed specifically to protect port facilities from attacks—the International Ship and Port Facility Security (ISPS) Code. Twenty years ago this month, subversive actors exploited vulnerabilities in the global transportation system and attacked civilian locations across the United States. The ISPS Code was developed in direct response to those attacks and has become the IMO’s “comprehensive mandatory security regime.” One of the code’s express objectives is to assess and detect “security threats to… port facilities… [and] to implement preventive security measures against such threats.” Ultimately, if IMO Member States intend to comprehensively secure port facilities against attacks from within the cyber domain, they must turn to the ISPS Code.
Even though the ISPS Code is the right tool to pull from the international toolbox, the instrument first needs calibrating. Indeed, the code’s existing, albeit implicit, cybersecurity provisions are soft law, non-binding instructive guidance that is unenforceable. Such soft cyber law makes port facilities soft cyber targets. Within the past few weeks, subversive actors backed by a foreign nation, according to the testimony of the Director of the U.S. Cybersecurity and Infrastructure Agency, breached servers and planted malicious code at a port facility in Houston, Texas. When discussing this recent breach, one cybersecurity expert predicted that such incidents would bring about a “much more regulatory” framework instead of the current “aspirational” model.
The ISPS Code has two parts: a mandatory Part A and a recommendatory Part B. Of note, there are no cybersecurity provisions, explicit or implicit, in Part A. Meanwhile, Part B hints at cybersecurity as it encourages port facilities to consider “radio and telecommunications equipment, including computer systems and networks” when they assess physical security vulnerabilities. Encouraging facilities to consider certain threats is a notable aspiration, but it is not a clear, enforceable cybersecurity rule. This is all to say, the ISPS Code, enacted for the specific purpose of preventing attacks on the MTS, is the right tool for the job, but to be an effective instrument against threats in the cyber domain, it must be amended.
Certainly, amending the ISPS Code will take careful consideration. One adjustment IMO Member States might consider is amending Part B Section 18 to encompass training, drills, and exercises specific to cybersecurity. Such cyber-specific requirements do not presently exist. Section 9 of the IAPH guidelines provides useful examples. Also, Member States might consider amending Section 15 of Part A and Part B to expressly require a cybersecurity assessment based on the factors in the IAPH’s model. The cybersecurity assessment would be separate from and a complement to the facility security assessment already required by Section 15 of the code.
Another adjustment to the ISPS Code worth earnest consideration is a change to Section 16 of Part A and Part B to require port facilities to prepare and governments to approve distinct cybersecurity plans. The IAPH provides a model as a baseline. Like the cybersecurity assessment, the cybersecurity plan would be an independent document, a supplement to the already required facility security plan. These are just a few examples of potential ISPS Code adjustments that can be used to effectively incorporate the work of the IAPH into international law.
In a 2020 Port Community Cybersecurity Note, the IAPH seems to recognize a need to amend the code. In chapter five of the note, the IAPH insightfully concludes “that the role of the [Port Facility Security Officer] must evolve to encompass cyber security… rather than being focused purely on physical threats.” Arguably, because the Port Facility Security Officer’s role is controlled by the ISPS Code, it follows that to evolve this role IMO Member States must evolve the code. Moreover, the IAPH seems to recognize that any adjustments should be comprehensive. As it asserts in the 2020 note, due to the “unpredictability and everchanging [sic] nature of cyber threats… a limited or partial approach probably will not suffice.”
The IMO’s MSC meets the first week of October. The IAPH provided the MSC with fully developed port facility cybersecurity guidelines and asked the MSC to consider them. This invitation should be dutifully accepted and used as a springboard to enact IMO standards internationally. The cyber threats and vulnerabilities are well known and expected to multiply with ongoing digitalization across the MTS. The time is ripe for IMO Member States to act. When they meet next week, they should build on the IAPH’s momentum and start the process to amend the ISPS Code, with strongest consideration given to mandating regular cybersecurity assessments and distinct cybersecurity plans.
Commander Michael C. Petta, USCG, is the Deputy Chair, the Director for Maritime Operations, and a professor of international law at the Stockton Center for International Law at the U.S. Naval War College. The views presented are those of the author and do not necessarily reflect the policy or position of the U.S. Coast Guard, the U.S. Department of Homeland Security, the U.S. Navy, the Naval War College, or the U.S. Department of Defense.
Featured Image: Container ship Houston Express in Hamburg, Germany. (Credit: Prosertek)