Maritime Sector Sails through rough 'Cybersecurity' Seas

Back to News

Organised by the European Union Agency for Cybersecurity (ENISA), the 2nd Maritime Cybersecurity Conference hosted by the European Maritime Safety Agency (EMSA) sought to explore the dynamics behind the cyber threat landscape and the challenges faced by the sector.

The conference, which took place on 14th October, was intended to allow a dialogue among the relevant stakeholders to address the current key cybersecurity challenges of the maritime sector as well as the ongoing process of digitalisation.

These challenges include the implementation questions raised by the provisions of the Directive on Network and Information Security Systems 2 (or NIS 2 Directive) as well as those of the new legislative framework, the proposed Cyber Resilience Act (CRA), which is expected to introduce cybersecurity requirements for digital products used in all critical sectors, including maritime.

Cybersecurity Policy Challenges

ENISA moderated a panel keen to explore the different aspects of the cybersecurity policy questions.

Speakers from the European Commission explained the different elements of the EU policy and regulatory framework and presented how the different pieces around cybersecurity and maritime security fit together.

Representatives of national authorities described how this framework is implemented at national level and how Member States go beyond this framework to support the maritime sector, e.g. via information sharing activities. Discussions centred around the new challenges introduced by NIS2 especially due to the significant increase in the number of operators in scope. The panel agreed that in order to face these challenges effectively, collaboration between national authorities is key.

Threats faced by maritime

Preliminary findings from the ENISA Transport Threat landscape report to be published soon reveal that ransomware is the primary threat in maritime, followed by data breaches with corporate IT/business side being the main targets.

Speakers explained how the attack surface changes as we move from traditional ships to Maritime Autonomous Surface Ships (MASS), where the focus shifts from on-board security policies such as password management and social engineering to network aspects. Particular emphasis was placed on attacks on supply chain becoming more and more common and on the cyber-physical aspects of security, especially in the context of port operations. Given the volume of people and cargo served by major ports in the EU, a supply chain incident could have a cascading effect disrupting key port operations resulting in significant economic and societal impact.

Subsequently, a key point of the agenda included the security of supply chains. As highlighted in the threat landscape discussion, supply chain remains the most sensitive target due to the complexity and size of the maritime ecosystem where port operations alone may involve hundreds or thousands of companies in any given port. Operators and industry pointed to the necessity of systematically addressing this risk via pragmatic approaches and through the involvement of multiple actors, from classification societies, ship building companies and maritime equipment manufacturers to the shipping companies and port operators. EMSA gave the example of fragmentation resulting from the possible overlaps in cybersecurity legislation. The need for further cooperation was therefore highlighted in this respect.

The Conference ended with the joint conclusion that more support is required for operators, industry and national authorities in maritime in order to navigate the evolving policy and threat landscapes and address the emerging challenges. As this sector is by nature based on interconnections and interactions between all stakeholders and Member States, the way forward should focus on collaboration within the maritime community with the support of ENISA.

Background

The EU Agency for Cybersecurity supports the EU maritime sector by providing cybersecurity recommendations, supporting the development of regulations, facilitating information exchange and organising awareness-raising events. The Agency published a first Port Cybersecurity Report in 2019 including a set of cybersecurity good practices for the sector, and organised two maritime security workshops with the European Maritime Safety Agency (EMSA).

Further information

ENISA Guidelines – Cyber Risk Management for Ports - 2020

ENISA Port Security – Good Practices for Cybersecurity in the maritime sector - 2019

ENISA topic - Maritime Cybersecurity by ENISA

Cyber risk management for ports – ENISA web tool

1st ENISA Maritime Cybersecurity Workshop

Contact

For press questions and interviews, please contact press (at) enisa.europa.eu