Guidance for ports: security and safety against physical, cyber and hybrid threats

Abstract

The European Commission (EC) has funded the Scalable multidimensionAl sitUation awaReness sOlution for protectiNg european ports (SAURON) project to reduce the vulnerabilities of EU ports, as one of the main European critical infrastructures, and increase their systemic resilience in the face of a physical, cyber or combined cyber-physical threat. The goal of SAURON has been to provide a multidimensional yet installation-specific Situational Awareness platform to help port operators anticipate and withstand potential cyber, physical or combined threats to their businesses and to people. During the SAURON project port authorities and stakeholders stated that it would be very helpful to have generic guidance to help ports respond to the combined cyber-physical security threat. The goal of this paper is to help ports understand the hybrid cyber-physical security threat, and how to reduce port vulnerabilities, based on lessons from the SAURON project. The paper is structured in line with the International Ship and Port Facility Security (ISPS) Code Port Facility security assessment process, and relates port security planning based on the ISPS guidelines to insights and lessons from SAURON. This paper demonstrates the importance of understanding the interdependencies between the cyber and physical domains and improving security situational awareness when incidents (including deliberate attacks) cause cascading effects across these domains. Furthermore, the paper draws conclusions and makes recommendations to ports and policy makers to reduce the vulnerability of ports to hybrid cyber-physical attacks.

This is a preview of subscription content, access via your institution.

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8

Data availability (data transparency)

Data sharing is not applicable to this article as it is based on insights from work carried out in the SAURON project whose data is proprietary to the partners. Results that can be shared are reported at www.sauronproject.eu.

Code availability (software application or custom code)

Code sharing is not applicable to this article as it is based on insights from work carried out in the SAURON project which has used and developed modelling tools which are proprietary to the partners. Results that can be shared are reported at www.sauronproject.eu.

Notes

  1. 1.

    SAURON Horizon 2020 project, Grant agreement 740,477, May 2017–September 2020, Website: https://www.sauronproject.eu/.

  2. 2.

    For more information go to European Union Agency for Cyber Security Website: https://www.enisa.europa.eu/.

  3. 3.

    Austrian Institute of Technology SAURON propagation engine editor: https://atlas.ait.ac.at/sauron/.

Abbreviations

BYOD:

Bring Your Own Device

CCTV:

Closed-Circuit Television

CI:

Critical Infrastructure

COTS:

Commercial Off-The-Shelf

CSA:

Cyber Situational Awareness

DTTAS:

Department of Transport, Tourism and Sport [Ireland]

EC:

European Commission

ECDIS:

Electronic Chart Display and Information System

ENISA:

European Union Agency for Cybersecurity

EPWS:

Emergency Population Warning System

GDPR:

General Data Protection Regulation

HMI:

Human-Machine-Interface

HSA:

Hybrid Situational Awareness

ICT:

Information and Communications Technology

IDS:

Intrusion Detection System

IMO:

International Maritime Organisation

IoT:

Internet of Things

IPR:

Intellectual Property Rights

ISM:

International Safety Management

ISPS:

International Ship and Port Facility Security

IT:

Information Technology

MSRAM:

Maritime Security Risk Analysis Model

OT:

Operational Technology

PCS:

Port Community System

PFSA:

Port Facility Security Assessment

PFSO:

Port Facility Security Officer

PSA:

Physical Situational Awareness

PSIM:

Physical Security Information Management

RO-RO:

Roll-on/Roll-off

RSO:

Recognized Security Organization

SAURON:

Scalable multidimensionAl sitUation awaReness sOlution for protectiNg european ports

SeMS:

Security Management System

SOC:

Security Operations Centre

SOLAS:

Safety of Life at Sea

TOS:

Terminal Operating System

UAV:

Unmanned Air Vehicle

References

  1. Adams N, Chisnall R, Pickering C, Schauer S (2020) How Port Security has to evolve to address the Cyber-Physical Security Threat: lessons from the SAURON project. Int J Transp Dev Integr 4:1. https://doi.org/10.2495/TDI-V4-N1-29-41

    Article  Google Scholar 

  2. BBC News (2013) Police warning after drug traffickers' cyber-attack. https://www.bbc.co.uk/news/world-europe-24539417, 16 October 2013

  3. Bell S (2013) Bullguard Blog, Cyber-attacks and underground activities in Port of Antwerp, https://www.bullguard.com/blog/2013/10/cyber-attacks-and-underground-activities-in-port-of-antwerp.html. Accessed 21 Oct 2013

  4. Cooper D (2017) LCDR United States coast guard, United States Coast Guard Risk Management Overview, Presentation for Department of Homeland Security Summit. https://www.orau.gov/DHSsummit/presentations/March17/plenary/Cooper_Mar17.pdf

  5. European Union Agency for Cyber Security (ENISA) (2019) Port Cybersecurity - Good practices for cybersecurity in the maritime sector

  6. Hutchison Ports (2018) Press Release, Hutchison Ports rolls out Cyber-Security Recovery Programme, https://hutchisonports.com/media/stories/hutchison-ports-rolls-out-cyber-security-recovery-programme/

  7. International Labour Organisation and International Maritime Organisation (2003) Working Group on Port Security, ‘International Ship and Port Facility Security Code and SOLAS Amendments 2002’

  8. International Maritime Organisation Maritime Safety Committee, Resolution MSC.428(98) on Maritime Cyber Risk Management in Safety Management Systems, June 2017 and Circular MSC-FAL.1/Circ3 Guidelines on maritime cyber risk management, 2017

  9. International Maritime Organisation (2018) IMO117Ee - International Safety Management Code (ISM) and Guidelines on Implementation of the ISM Code

  10. Irish Government Department of Transport, Tourism and Sport: Maritime Security Ports Publications - Port Facility Security Assessment Checklist and Port Facility Security Assessment Template dated 31st January 2019 and updated Port Facility Plan and Port Security Plan dated 24th July 2019. http://www.dttas.ie/maritime/publications/english/maritime-security-ports-publications. Accessed Jul 2019

  11. König S, Rass S, Rainer B, Schauer S (2019) Hybrid Dependencies Between Cyber and Physical Systems. In: Arai K, Bhatia R, Kapoor S (eds) Advances in Intelligent Systems and Computing, vol 998. Springer, Cham, Intelligent Computing. CompCom http://doi.org/10.1007/978-3-030-22868-2_40

  12. König S, Gouglidis A, Rass S, Adams N, Smith P, Hutchison D (2020) Analysing disaster-induced cascading effects in hybrid critical infrastructures: a practical approach, chapter 31 of ‘guide to disaster-resilient communication networks’ Springer. https://doi.org/10.1007/978-3-030-44685-7

  13. Munro K (2017) Pen test partners blog, maritime cyber security - Sinking container ships by hacking load plan software, https://www.pentestpartners.com/security-blog/sinking-container-ships-by-hacking-load-plan-software. Accessed 16 Nov 2017

  14. Munro K (2018) Pen test partners blog, maritime cyber security - hacking, tracking, stealing and sinking ships, https://www.pentestpartners.com/security-blog/hacking-tracking-stealing-and-sinking-ships/. Accessed 4 Jun 2018

  15. Proctor M (2012) In: Schürr A, Varró D, Varró G (eds) Drools: a rule engine for complex event processing; applications of graph transformations with industrial relevance, AGTIVE 2011, lecture notes in computer science, vol 7233. Springer, Berlin. https://doi.org/10.1007/978-3-642-34176-2_2

    Chapter  Google Scholar 

  16. SAURON (2018) First Newsletter. https://www.sauronproject.eu. Accessed Sept 2020

  17. SAURON (2019) Second newsletter. https://www.sauronproject.eu. Accessed Sept 2020

  18. SAURON (2020a) Piraeus Port Pilot Demonstration Presentation: Video and Slides. https://www.youtube.com/watch?v=J9qH1x3GmSQ&feature=youtu.be. Accessed Sept 2020

  19. SAURON (2020b) Third Presentation of Valencia Port project Pilot. https://www.sauronproject.eu. Accessed Sept 2020

  20. The Indian Express (2017) PTI: New malware hits JNPT operations as APM Terminals hacked globally, https://indianexpress.com/article/india/cyber-attack-newmalware-hits-jnpt-ops-as-apm-terminals-hacked-globally-4725102/

  21. UK Department for Transport and UK Civil Aviation Authority (2018) Framework for an Aviation Security Management System (SeMS)

  22. UK Home Office and Department for Transport (2010) Airport Security Planning Quick Guide

Download references

Acknowledgements

This work was supported in part by the EC SAURON project (http://sauronproject.eu) under grant agreement No. 740477 addressing the topic CIP-01-2016-2017. The authors would like to thank other SAURON project members for their valuable insights.

Funding

This work was supported in part by the European Commission SAURON project (http://sauronproject.eu) under grant agreement No. 740477 addressing the topic CIP-01-2016-2017.

Author information

Affiliations

Authors

Contributions

All authors contributed to and commented on the manuscript and all authors read and approved the final manuscript.

Corresponding author

Correspondence to Neil Adams.

Ethics declarations

Conflicts of interest/Competing interests (include appropriate disclosures)

The authors have no conflicts of interest to declare that are relevant to the content of this article.

Additional information

Publisher’s note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Adams, N., Chisnall, R., Pickering, C. et al. Guidance for ports: security and safety against physical, cyber and hybrid threats. J Transp Secur (2021). https://doi.org/10.1007/s12198-021-00234-6

Download citation

Keywords

  • Port security
  • Cyber security
  • Physical security
  • Cyber-physical security
  • Situational awareness
  • Critical infrastructure