Maritime port cybersecurity

Let’s talk about cyber risk in the maritime and port setting to better understand Maritime Port cybersecurity.

To better understand how worldwide shipping and port facilities have evolved from 2007 to the present, it is necessary to talk again about cyber risk in the maritime and port setting.

It is not the purpose of this article to retrace the several cyber security attacks that, starting with A.P. Moller-Maersk, involved the world’s most important shipping companies, as well as the biggest port hubs in Europe and the United States of America.


While acknowledging previous relevant cases, the chosen starting point is June 16th, 2017, when the International Maritime Organization (IMO) formally adopted the recommendations included in the three declarations of principles in Resolution MSC.428 (98), entitled Cyber Risk Management in Safety Management System.

In this sense, cyber security risk assessment becomes an integral part of the objective (Art. 1.2) of the ISM Code: the management of cyber security risk must be included in the general objective, under which shipping companies must “…ensure safety at sea, prevention of human injury or loss of life, and avoidance of damage to the environment, in particular to the marine environment and to property”. In particular, these objectives are pursued through the following obligations:

1. provide for safe practices in ship operation and a safe working environment;

2. assess all identified risks to its ships, personnel and the environment and establish appropriate safeguards; and

3. continuously improve safety management skills of personnel ashore and aboard ships, including preparing for emergencies related both to safety and environmental protection.

In the declarations related to MSC.428 (98), the IMO introduces for the first time the date of Jan. 1st, 2021, stating that: “…Administrations (are encouraged) to ensure that cyber risks are appropriately addressed in safety management system no later than the first annual verification of the company’s Document of Compliance after 1 January 2021”.

The second date to remember is Jul. 5th, 2017, when the IMO, through the Maritime Safety Committee, released the Guidelines on Maritime Cyber Risk Management included in MSC-FAL.1/Circ.3. These guidelines offer recommendations identified as “high level” for the management of cyber risk in the maritime sector, with special reference to shipping. The aim is to promote the mitigation of cyber risks through the adjustment of the safety management system within the ISM Code framework.

In the Italian context, a third important date to remember is Dec. 13th, 2019, when the Comando Generale del Corpo delle Capitanerie di Porto (the General Command of Italian Harbor Masters) issued the Circolare Titolo Sicurezza della Navigazione, Serie Generale 155/2019. This circular refers to the Circolare Titolo Security n. 35/2017 (the Circolare n. 40/2017 has the same content, but is addressed to the port sector and port facilities) and takes up the Resolution and the circular of 2017 issued by the IMO, as well as the NIS Guidelines, underlining the existing connection between the Ship Security Plan and the procedures of cyber risk prevention (included in the Safety Management System of the ISM framework). The Annex “Cyber Risk Management” is a relevant part of the “Circolare”, and it suggests a model for identifying and managing cyber risk as part of the required assessment of the specific risk.

Cyber Security in Ports and Port Facilities

Cyber security in Ports and Port Facilities has developed in a different way. At present, no formal measures have been issued regarding cyber risk management, even though it is acknowledged that port infrastructures have a strategic role in global commerce, that they make growing use of dedicated technologies which are expanding the IT system network (also by integrating it with OT systems), and that they are consequently interconnected with land transport infrastructures.

As mentioned before, the ISPS Code, which regulates the security model of ports receiving ships coming from international voyages with tonnage over 500 GT (so not all ships), does not address risk scenarios in terms of IT and, except for a generic call for the protection of IT infrastructures, does not provide directions or guidelines for the development of a cyber risk management model. The ISM Code, for its part, only concerns ships, so its possible extension to port facilities, besides being incorrect on a conceptual level, could also be dangerous, as the underlying concepts are pertinent only in relation to ships.

In the absence of IMO guidelines on the management of cyber risks, we have to highlight the work of ENISA, the “European Union Agency for Cybersecurity”, which since Dec. 19th, 2011, has also focused its attention on shipping, cruise lines and ports.

This work was developed in a first report in 2011, Cyber Security Aspects in the Maritime Sector, and later, in November 2019, in a second one entitled Port Cyber Security – Good practices for cybersecurity in the maritime sector.

In December 2020, ENISA published a new report titled Cyber Risk Management for Ports, which aims to introduce a specific approach to cyber risk assessment in ports, covering both IT and OT systems and based on the basic principles of risk management. This approach was written in compliance with the security risk assessment method in the port and maritime domain as per the ISPS Code and is thus compliant with the main European regulations on port and
