The European Union Agency for Cybersecurity provides port operators with a set of good practices to help them evaluate cyber risks and effectively identify suitable security measures.
amely, the European Union Agency for Cybersecurity (ENISA) released cybersecurity guidelines to help European port operators manage cyber risks amid digital transformation and increased regulations.
EU Agency for Cybersecurity Executive Director Juhan Lepassaar stated:
The maritime sector plays a pivotal role in the global supply chain. Advancing digital technologies bring economic benefits to ports, but also introduce new cyber threats. The report provides guidelines and good practices to support them in effectively conducting this cyber risk assessment, which is where many of these operators face challenges.
Among other sections, the report summarizes measures for evaluating cyber-related risks:
- Contextualise the risk identification and evaluation process
- Identify cyber-related threats
- Identify vulnerabilities to assets and services
- Identify internal and external dependencies
- Assess the possible likelihood and impact of a cybersecurity incident
- Adopt a specific methodology for identifying and evaluating risks (e.g. scenario-based, empirical, data driven, workshops/brainstorming sessions etc.)
- Develop indicators (qualitative or quantitative) to evaluate identified risks
Overall, the report encourages port operators to develop a set of good practices in a means to develop this baseline level of cybersecurity. Practices include to:
- Identify cyber-related assets and services in a systematic way that includes maintaining an asset inventory, identifying dependencies and deploying automation;
- Adopt a comprehensive approach for identifying and evaluating cyber risks that includes CTI, risk indicators and business impact analysis, involves all relevant stakeholders and is integrated at an organisational level;
- Prioritise the implementation of security measures following a risk-based approach that considers security measure effectiveness and pertinence to the identified risks, and is founded in a security-by-design approach;
- Implement organisation-wide cybersecurity awareness and technical training programmes;
- Develop a comprehensive cybersecurity programme that involves a commitment by senior management;
- Conduct a cybersecurity maturity self-assessment to identify priorities for improvement, and budget and resource allocation.