iaph - X-Industry - Red Sky Alliance2024-03-29T05:06:18Zhttps://redskyalliance.org/xindustry/feed/tag/iaphClosing the Gaps - Digitalizationhttps://redskyalliance.org/xindustry/closing-the-gaps-digitalization2022-10-07T17:17:52.000Z2022-10-07T17:17:52.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}10836667492,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10836667492,RESIZE_400x{{/staticFileLink}}" width="250" alt="10836667492?profile=RESIZE_400x" /></a>The International Association of Ports & Harbors (IAPH) has recently published its summary report “Closing the Gaps," highlighting key actions in <u>digitalization</u>, decarbonization and resilience the maritime sector.”<a href="#_ftn1">[1]</a> IAPH defines and identifies the principal gaps in port and port-related infrastructure on a global scale. These gaps were identified in terms of efficiency, connectivity and accessibility, digitalization, decarbonization, shipping costs and regulatory environment.</p>
<p>The report serves as serves as a basis for action plans in collaboration with the World Bank Group (WBG), with input from 85 maritime and logistics executives from 35 countries. “Back in 2021 our outgoing and incoming IAPH presidents concurred that ports were not prepared for the pandemic-affected, extreme swings in demand and their impact on the maritime transport chain,” wrote the WBG’s Managing Director. “This was principally due to long-term under-investment in port and port-related infrastructure. So, we took the decision to define and identify, on a global level, the principal infrastructure gaps and to envisage a concrete plan, along with the World Bank, to close those gaps. We are grateful to the global maritime and transport community for responding so openly and enthusiastically to this exercise.”<a href="#_ftn2">[2]</a></p>
<p>Over a three-month period in early 2022, eight regional workshops were conducted in partnership with the World Bank under the Chatham House rule between shippers, forwarders, container carriers, shipowners, Non-Vessel-Operating Common Carrier (NVOCCs), shipping agencies, digital innovators, terminal operators, port authorities, consultants, real estate experts, leading maritime academics and financing institutions. The eight workshops were moderated by transport specialists from the World Bank, said the maritime media experts and IAPH’s Communications Director. Findings on the gaps and how to resolve them were then summarized and discussed at eight regional forums which took place in person in May at the IAPH2022 World Ports Conference in Vancouver, Canada. The result of this exercise is now reflected in IAPH’s report.</p>
<p>One intriguing element of the report highlights <u>port automation</u> investment and its contrasts from greenfield to brownfield sites.<a href="#_ftn3">[3]</a> Typically, what a greenfield project entails is development on a completely vacant site. Architects start completely from scratch. A brownfield project is one that carries constraints related to the current state of the site. “Efforts to improve port efficiency through automation vary considerably between regions of the world and are impacted by their location, labor skillsets and labor regulatory environments,” the report wrote.</p>
<p>A Close the Gaps exercise identified several examples of greenfield sites successfully deploying automation processes (cyber) for cargo handling at the ship-shore interface and between the quayside and the port gates. However, achieving significant productivity improvements at brownfield sites has proved more challenging, with an absence of labor skillsets and the resistance to change by the workforce, evidenced during the current labor contract negotiations ongoing on the US West Coast, for example.</p>
<p>For those ports located in cities with limited options to expand capacity, combining investments in labor and a pragmatic combination of automated and skilled labor processes may offer a path forward to meet future demand,” the report wrote. “This report indicates the activities and potential sources of assistance available to ports in the client countries of the World Bank in the key priority “gap” areas of resilience, digitalization and decarbonization,” commented the Lead Transport Economist, World Bank. “This will become part of the ongoing reform of the World Bank Port Reform Toolkit, which is being undertaken by the World Bank and IAPH.” In July, IAPH produced the first dashboard and report for its World Ports Tracker.<a href="{{#staticFileLink}}10836667692,RESIZE_400x{{/staticFileLink}}"><img class="align-right" src="{{#staticFileLink}}10836667692,RESIZE_400x{{/staticFileLink}}" width="250" alt="10836667692?profile=RESIZE_400x" /></a></p>
<p>This is the first report of its kind, aiming to track critical aspects in the global port industry based on cargo and shipping trends at a time when the global supply chain is facing unprecedented challenges. Cyber security is an integral part of both new and current port operations, as IT/OT is the status quo and the future. These cyber touch points all present realistic gaps in supply chain security. Our past Vessel Impersonation reports have clearly shown that bad actors at all levels of the hacker tier parameters are spoofing vessels and trying to phish and attack multiple points along the supply chain. Maritime ports being just one point(s) along the vital global commerce chain. </p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a> </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: https://www. redskyalliance. org/ </li>
<li>Website: https://www. wapacklabs. com/ </li>
<li>LinkedIn: https://www. linkedin. com/company/64265941 </li>
</ul>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a> </p>
<p><a href="#_ftnref1">[1]</a> <a href="https://sustainableworldports.org/wp-content/uploads/IAPH-World-Bank-CloseTheGaps-Report.pdf">https://sustainableworldports.org/wp-content/uploads/IAPH-World-Bank-CloseTheGaps-Report.pdf</a></p>
<p><a href="#_ftnref2">[2]</a> <a href="https://www.porttechnology.org/news/iaph-publishes-report-highlighting-port-infrastructure-gaps/">https://www.porttechnology.org/news/iaph-publishes-report-highlighting-port-infrastructure-gaps/</a></p>
<p><a href="#_ftnref3">[3]</a> <a href="https://www.gray.com/insights/greenfield-vs-brownfield-whats-better-for-your-manufacturing-facility/">https://www.gray.com/insights/greenfield-vs-brownfield-whats-better-for-your-manufacturing-facility/</a></p></div>Port Security meets Cyber Security - a Requirement !https://redskyalliance.org/xindustry/port-security-meets-cyber-security-a-requirement2021-10-07T13:55:56.000Z2021-10-07T13:55:56.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p style="text-align:left;"><a href="{{#staticFileLink}}9654396667,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}9654396667,RESIZE_400x{{/staticFileLink}}" width="250" alt="9654396667?profile=RESIZE_400x" /></a>Port industry leaders recently submitted cybersecurity guidelines to the United Nations International Maritime Organization (IMO) for consideration. The IMO Member States should seize this opportunity and amend the International Ship and Port Facility Security (ISPS) Code to enact cybersecurity standards for ports and port facilities. Specifically, IMO Member States should amend the code, using the new industry guidelines as a model, to require port facilities to conduct regular cybersecurity assessments and develop distinct cybersecurity plans.</p>
<p>The IAPH’s Cybersecurity Guidelines for Ports and Port Facilities - Earlier this month the International Association of Ports and Harbors (IAPH), a trade association representing ports across the globe, announced the publication of cyber guidelines for ports and port facilities. With help from the World Bank, the IAPH developed these cybersecurity guidelines to mitigate, according to the publication’s executive summary, “the top risk for port authorities and the wider port community.” A review of the extensive list of cyber incidents occurring over the past year, as compiled by the Center for Strategic and International Studies, reinforces the IAPH’s view that cyberattacks are a preeminent global threat. Recently in a speech at the United Nations, President Biden recognized the immediacy of that risk, emphasizing the importance of “hardening our critical infrastructure against cyberattacks” and establishing “clear rules…for all nations as it relates to cyberspace.” Needless to say, the IAPH guidelines are a welcome move toward a nearly decade-old aspiration to improve cybersecurity resilience in the maritime sector.</p>
<p>The IAPH’s recent work toward cyber resiliency is not the only 2021 cyber milestone in the maritime transportation sector. Rather, at the start of the year the IMO’s guidelines for maritime cyber risk management, although adopted almost four years earlier, came into effect for parts of the Maritime Transportation System (MTS). It is no coincidence these two sets of guidelines emerged the same year. Indeed, the latter guidelines are a necessary consequence of the former because the earlier set, in fact, does not cover port facilities. Port leaders had no choice but to fill the gap, and they did so quickly.<a href="#_ftn1">[1]</a></p>
<p>The IAPH did more than jump into the breach. It also coordinated its effort with the IMO. This substantive coordination is evident in two 2021 submissions to the IMO’s Maritime Safety Committee (MSC). In MSC 103/92 of March, the IAPH, recognizing the port facility gap, stressed that “ports and port facilities would benefit” from a framework akin to that applied to vessels earlier in the year. The IAPH was motivated by cyber risks it considers to be “the most significant threats for ports today,” citing a “fourfold increase in cyberattacks in the maritime industry” over a four-month period last year. Equally motivating was an expected intensification of cyber threats from accelerated port digitalization, an ongoing modernization effort triggered by, inter alia, the coronavirus pandemic.</p>
<p>Driven by these long-standing and mushrooming risks, the IAPH declared to the MSC its intention to develop “a single comprehensive set of guidelines customized for Ports and Port Facilities.” Impressively, just four months later, via MSC 104/7/1, the IAPH reported completion of its work—the IAPH Cybersecurity Guidelines for Ports and Port Facilities.</p>
<p>The 73-page guide contains many valuable cybersecurity measures and instructs facility operators on many topics fundamental to security in the cyber domain. These include management buy-in, personnel training, risk assessment, proper staffing, threat detection, and incident response. While this article does not intend to explore each provision in depth, highlighting a few features is useful for illustrating the guidelines’ utility. For example, the guide expressly endorses port facilities conducting unique cybersecurity training, drills, and exercises. Also, it encourages facility operators to share cyber information with government regulators and industry partners. The guidelines further acknowledge the importance of planned cybersecurity incident response and reporting. Finally, and perhaps most importantly, the IAPH’s new guidelines favor port facilities conducting regular cybersecurity assessments and developing distinct cybersecurity plans.</p>
<p>To incorporate such measures into an international government framework, the IAPH asked the IMO to consider the new guidelines and measures at the next MSC session, which is scheduled to take place in the first week of October, next week.</p>
<p>Amending the International Ship and Port Facility Security Code - The IMO’s previous cyber guidelines, those adopted in 2017 and put into effect in 2021, were considered game changing. Certainly, they were a vital step toward a uniform approach for combating cyber threats in the shipping industry. Notably, IMO Member States relied on the International Safety Management (ISM) Code as the legal foundation for those guidelines. The ISM Code is a safety management system adopted in 1987 to help shipping industry leaders manage safety risks. Regardless of whether a safety management system is the best instrument for generally mitigating security threats, it is not the right tool for promoting cybersecurity at port facilities. This is because the ISM Code, fundamentally, applies only to ships, not port facilities.</p>
<p>Fortunately, there is an international instrument designed specifically to protect port facilities from attacks—the International Ship and Port Facility Security (ISPS) Code. Twenty years ago this month, subversive actors exploited vulnerabilities in the global transportation system and attacked civilian locations across the US. The ISPS Code was developed in direct response to those attacks and has become the IMO’s “comprehensive mandatory security regime.” One of the code’s express objectives is to assess and detect “security threats to… port facilities… [and] to implement preventive security measures against such threats.” Ultimately, if IMO Member States intend to comprehensively secure port facilities against attacks from within the cyber domain, they must turn to the ISPS Code.</p>
<p>Even though the ISPS Code is the right tool to pull from the international toolbox, the instrument first needs calibrating. Indeed, the code’s existing, albeit implicit, cybersecurity provisions are soft law, non-binding instructive guidance that is unenforceable. Such soft cyber law makes port facilities soft cyber targets. Within the past few weeks, subversive actors backed by a foreign nation, according to the testimony of the Director of the US Cybersecurity and Infrastructure Agency, breached servers and planted malicious code at a port facility in Houston, Texas. When discussing this recent breach, one cybersecurity expert predicted that such incidents would bring about a “much more regulatory” framework instead of the current “aspirational” model.</p>
<p>The ISPS Code has two parts: a mandatory Part A and a recommendatory Part B. Of note, there are no cybersecurity provisions, explicit or implicit, in Part A. Meanwhile, Part B hints at cybersecurity as it encourages port facilities to consider “radio and telecommunications equipment, including computer systems and networks” when they assess physical security vulnerabilities. Encouraging facilities to consider certain threats is a notable aspiration, but it is not a clear, enforceable cybersecurity rule. This is all to say, the ISPS Code, enacted for the specific purpose of preventing attacks on the MTS, is the right tool for the job, but to be an effective instrument against threats in the cyber domain, it must be amended.</p>
<p>Certainly, amending the ISPS Code will take careful consideration. One adjustment IMO Member States might consider is amending Part B Section 18 to encompass training, drills, and exercises specific to cybersecurity. Such cyber-specific requirements do not presently exist. Section 9 of the IAPH guidelines provides useful examples. Also, Member States might consider amending Section 15 of Part A and Part B to expressly require a cybersecurity assessment based on the factors in the IAPH’s model. The cybersecurity assessment would be separate from and a complement to the facility security assessment already required by Section 15 of the code.</p>
<p>Another adjustment to the ISPS Code worth earnest consideration is a change to Section 16 of Part A and Part B to require port facilities to prepare and governments to approve distinct cybersecurity plans. The IAPH provides a model as a baseline. Like the cybersecurity assessment, the cybersecurity plan would be an independent document, a supplement to the already required facility security plan. These are just a few examples of potential ISPS Code adjustments that can be used to effectively incorporate the work of the IAPH into international law.</p>
<p>In a 2020 Port Community Cybersecurity Note, the IAPH seems to recognize a need to amend the code. In chapter five of the note, the IAPH insightfully concludes “that the role of the [Port Facility Security Officer] must evolve to encompass cyber security… rather than being focused purely on physical threats.” Arguably, because the Port Facility Security Officer’s role is controlled by the ISPS Code, it follows that to evolve this role IMO Member States must evolve the code. Moreover, the IAPH seems to recognize that any adjustments should be comprehensive. As it asserts in the 2020 note, due to the “unpredictability and everchanging [sic] nature of cyber threats… a limited or partial approach probably will not suffice.”</p>
<p>Conclusion - The IMO’s MSC meets the first week of October. The IAPH provided the MSC with fully developed port facility cybersecurity guidelines and asked the MSC to consider them. This invitation should be dutifully accepted and used as a springboard to enact IMO standards internationally. The cyber threats and vulnerabilities are well known and expected to multiply with ongoing digitalization across the MTS. The time is ripe for IMO Member States to act. When they meet next week, they should build on the IAPH’s momentum and start the process to amend the ISPS Code, with strongest consideration given to mandating regular cybersecurity assessments and distinct cybersecurity plans.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization that offers cyber threat services that include RedXray and Cyber Threat Analysis Center (CTAC) to aid organizations for cyber threat hunting, notifications, and analysis. Our analysts have assisted and supported the maritime community for many years. Service descriptions can be found at <a>https://www.wapacklabs.com. </a> For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com</p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/3702558539639477516">https://attendee.gotowebinar.com/register/3702558539639477516</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://cimsec.org/incorporating-the-iaphs-new-cybersecurity-guidelines-into-the-international-ship-and-port-facility-security-code/">https://cimsec.org/incorporating-the-iaphs-new-cybersecurity-guidelines-into-the-international-ship-and-port-facility-security-code/</a></p></div>