Digitalizing the maritime industry is an ambitious goal, and while we are busy bringing innovative products to help our clients and partners achieve it, it is just as important to look into the process.
In this article, we would like to share some insights on one very important but often neglected topic, cybersecurity.
What makes cybersecurity increasingly important in the maritime industry?
One core problem with the maritime industry was always the fact that it is slow to change, and when we speak of digitalizing the industry, we almost forget about the fact that information security comes hand in hand with digitalization.
More often than not, when we speak of digitalization, information security is left behind and comes as a separate requirement long after the implementation of a new system. And that is one of the key problems.
With the industry finally kicking into first gear to implement modern solutions in the forms of SaaS applications, smart IoT devices, and prediction systems to make daily operations more efficient, it is more important than ever to make sure good information security practices are in place and streamlined with the digitalization and implementation processes.
What are the risks that the maritime industry might encounter while sharing data?
Speaking from experience at PortXchange, it is still challenging to convince a partner to share their data with us, and we urge the entire industry to be more open-minded about sharing their data, from a small agent to a major port authority.
With that said, the underlying concerns of data sharing should not be easily dismissed, what happens to the data once shared, how is it stored, and what are the measures taken to protect it?
As an example, In September, the French shipping giant CMA CGM informed the public about a major data breach, and a year prior to that CMA CGM was hit with a ransomware attack.
While such breaches and attacks are certainly not unique to the shipping industry, we do believe that the industry is more susceptible to them, as it tends to be slower to implement changes, and even slower to implement security measures.
Lack of asset visibility, perimeter security, and weak security practices while developing data-sharing solutions such as APIs, are all recurring themes in these breaches.
How to minimize security risks without hindering collaboration and data sharing?
The last thing a company in the maritime industry wants is to lengthen the already excruciating long processes it has. When we think of information security we often imagine robust policies and procedures to be put in place, and while that can absolutely improve the maturity of the organization, it can also greatly hinder agility and flexibility of operation if followed strictly, often bringing minuscule security benefits to the actual security posture of the organization.
An alternative is to think proactively about security, it can greatly reduce risks while remaining agile and swift to implement new technologies or developing new data-sharing platforms, APIs, and systems
It is crucial to make sure that the endpoints that expose data are cataloged, and have restricted access only to the relevant parties using modern means of authentication and authorization. This should be easily manageable and not as time-consuming as it sounds, with identity providers such Auth0 and built-in security controls of cloud giants such as AWS and Azure being a click away.
How PortXchange ensures secure information exchange?
Since we know all about the struggle of bringing our partners to share their data with us, we have developed an in-house data authorization system to ensure the confidentiality and overall security of what is being shared.
In practical terms, this means that we have tight control over who has access and visibility to any piece of information displayed in products.
To make sure this system actually works, we have undergone an extensive security audit by an external independent information security consultancy. We plan to repeat these audits twice a year.
But data security does not end at the front-end of the application, on top of existing controls and security frameworks we put in place, we make sure our developers are on top of their game when it comes to information security, and our staff is being trained quarterly by our Information Security Officer.