Digitalizing the maritime industry is an ambitious goal, and while we are busy bringing innovative products to help our clients and partners achieve it, it is just as important to look into the process.
In this article, we would like to share some insights on one very important but often neglected topic, cybersecurity.
What makes cybersecurity increasingly important in the maritime industry?
One core problem with the maritime industry is that it is slow to change. When discussing digitalizing the industry, we almost forget that information security comes hand-in-hand with digitalization.
More often than not, when we speak of digitalization, information security is left behind and comes as a separate requirement long after implementing a new system. And that is one of the key problems.
With the industry finally kicking into first gear to implement modern solutions in the forms of SaaS applications, smart IoT devices, and prediction systems to make daily operations more efficient, it is more important than ever to make sure good information security practices are in place and streamlined with the digitalization and implementation processes.
What are the risks that the maritime industry might encounter while sharing data?
Speaking from experience at PortXchange, it is still challenging to convince a partner to share their data with us, and we urge the entire industry to be more open-minded about sharing their data, from a small agent to a major port authority.
With that said, the underlying concerns of data sharing should not be easily dismissed: what happens to the data once shared, how is it stored, and what measures are taken to protect it?
A while ago, the French shipping giant CMA CGM informed the public about a significant data breach, and a year before that, CMA CGM was hit with a ransomware attack.
While such breaches and attacks are certainly not unique to the shipping industry, we do believe that the industry is more susceptible to them, as it tends to be slower to implement changes and even slower to implement security measures.
Lack of asset visibility, perimeter security, and weak security practices while developing data-sharing solutions, such as APIs, are all recurring themes in these breaches.
How can we minimize security risks without hindering collaboration and data sharing?
The last thing a company in the maritime industry wants is to lengthen its already excruciating long processes. When we think of information security, we often imagine robust policies and procedures to be put in place. While that can absolutely improve the organization’s maturity, it can also greatly hinder agility and flexibility of operation if followed strictly, often bringing minuscule security benefits to the actual security posture of the organization.
An alternative is to think proactively about security; it can significantly reduce risks while remaining agile and swift to implement new technologies or develop new data-sharing platforms, APIs, and systems.
It is crucial to make sure that the endpoints that expose data are cataloged and have restricted access only to the relevant parties using modern means of authentication and authorization. This should be easily manageable and not as time-consuming as it sounds, with identity providers such Auth0 and built-in security controls of cloud giants such as AWS and Azure being a click away.
How does PortXchange ensure secure information exchange?
Since we know all about the struggle of bringing our partners to share their data with us, we have developed an in-house data authorization system to ensure the confidentiality and overall security of what is being shared.
In practical terms, this means we have tight control over who has access and visibility to any information displayed in products.
To ensure this system works, we have undergone an extensive security audit by an external independent information security consultancy. We plan to repeat these audits twice a year.
But data security does not end at the front-end of the application, on top of existing controls and security frameworks we put in place, we make sure our developers are on top of their game when it comes to information security, and our staff is being trained quarterly by our Information Security Officer.
