Safer Shipping
For almost two decades, maritime security has largely been framed by the implementation of the International Ship and Port Facility Security (ISPS) Code, which focuses on detecting and preventing security threats against ports and ships. But due to increasing concern for the safe and secure movement of cargo, as well as the maturity of the implementation of the ISPS Code over the last 14 years, maritime security has begun to focus on treating ports and ships as conduits within the supply chain—not just targets.
This shift from port and vessel security to broader cargo and supply chain security is driven by the evolution of both global trade and threats to the supply chain—issues that the ISPS Code does not adequately address. While the code has well-established security requirements for ports and ships, it views these assets as targets of nefarious activities—specifically terrorism—and not as broader conduits of illicit activity or movement of contraband or theft of cargo.
As global trade continues to increase at a rapid rate, there is more cargo in the system, as well as an increasing reliance on just-in-time delivery, which makes cargo and supply chain security more sensitive to disruption, with greater potential impacts. The movement of cargo is also increasingly dependent on electronic data streams, which increase the risks of converged cyber, physical, and operational security challenges. Maritime security is no longer just about protecting vessels and ports—it goes hand-in-hand with cargo and supply chain security. Updated codes, regulations, and best practices should reflect this evolution of the industry. This shift should emphasize a broader focus on maritime security as an integrated system of physical assets, cargo, and data that needs to be secure and resilient, rather than simply a collection of ports and ships that need to be protected.
An Evolving Industry
The amount of cargo shipped by ocean containers has multiplied almost 17 times over the last few decades, from 102 million tons in 1980 to 1.7 billion tons in 2016.
Trade expansion. Global trade continues to expand at an extremely rapid rate. The United Nations Conference on Trade and Development (UNCTAD), in its Review of Maritime Transport 2017, found that global maritime trade increased 2.6 percent between 2015 and 2016. Trade has nearly doubled since 2000, the UNCTAD review found, and will continue to increase at a rate of 3.2 percent per year through 2022. This expansion of trade will drive increased cargo throughput in ports around the world and result in greater potential disruption of the supply chain.
With increasing trade comes the need for infrastructure growth, but the land constraints of existing ports within cities in some regions are fairly significant. An increase in the development of new ports in areas where land is more plentiful is taking place globally, as well as the expansion of existing ports through the creation of inland container yards that are not physically adjacent to the port.
These developments create both security opportunities and challenges. The construction of new ports provides the opportunity for physical, operational, and cybersecurity to be designed into new projects. Properly planned and executed, this approach can create security efficiencies that can contribute to the overall operations of a new port. For existing ports, the increase in moving cargo to off-port, inland storage areas complicates cargo and supply chain security within port regions by adding movements between facilities within a port network. This requires additional measures of tracking, information flow, and physical security that previously may not have been necessary.
System sensitivity. Just-in-time delivery of products continues to drive changes in shipping and supply chain management. Since its inception in the Japanese auto industry of the 1950s and 1960s, the concept of retaining minimal inventory by retailers or manufacturers has continued to mature and expand to many industries. The result is the reduction of large warehousing operations and an increase in smaller regional warehouses where small inventories are kept for short periods of time. The concept of just-in-time delivery relies on the continued functionality of its associated supply chain to ensure the delivery of goods and parts when necessary. A disruption of any part of the supply chain, whether due to physical risks or a lack of trust in the integrity of the supply chain, can have extremely disruptive effects on industries, markets, and economies.
While estimates vary, a shutdown of ports on the West Coast of the United States could have a financial impact of anywhere from several hundred million dollars per day to one billion dollars. Further, shipping would be disrupted in other geographic locations because ships would be stuck at anchor off U.S. ports, and other ships would experience delayed departures from Asian and European ports until the dispute was resolved. A study performed by Interindustry Forecasting at the University of Maryland (Inforum) in 2014 projected that a 10-day shutdown of U.S. West Coast ports would result in 169,000 disrupted jobs, a reduction in the gross domestic product of 0.12 percent, and a cost to the American economy of $2.1 billion per day.
Cybersecurity. The maritime industry is in the throes of adapting to the digital age, and for shipping and ports, cybersecurity has several distinct characteristics. Cybersecurity is important to the operating technologies within ports and shipping companies; it can have a direct effect on the ability of those elements of the industry to perform. This includes systems such as supervisory control and data acquisition (SCADA), industrial control systems (ICS), security scanning and access control systems, and ship navigational and propulsion systems. The compromising of these systems and data could be debilitating to the global supply chain.
The shipping industry is rich in data that could be valuable to criminals or terrorists, including personal and human resources data; financial data such as contracts, banking details, and money transfers; cargo data, including cargo contents, destinations, shipper and consignee information, and cargo seal numbers; and other logistics and business operations systems. In the infamous Port of Antwerp case, criminals accessed information systems in the port for two years beginning in 2011 and were able to use the information they obtained to target cargo for narcotics trafficking and facilitate cargo theft.
In the port environment, security management is increasingly split between the port facility security officer (PFSO)—who is responsible for ISPS compliance and company security—and cybersecurity, which is often within the purview of the information technology manager. This management arrangement reflects corporate management structures that were common before the convergence of physical, cyber, and operational security.
As the lines between security disciplines increasingly blur, the need for a new management structure is evolving. This challenge is exacerbated by the skill sets traditionally required by each position. PFSOs are often former or retired law enforcement or military personnel who may not have deep knowledge in cyber or information security. Conversely, the information technology staff may not have expertise in broader physical security issues and investigative requirements.
A Challenge of Governance
There are many standards and codes that provide some governance to supply chain security programs, but none of them are mandatory, and there is no industry standard governing cybersecurity. The lack of a globally accepted and mandated standard that addresses present-day maritime security challenges poses a significant challenge to the likely shift towards cargo and supply chain security.
The ISPS Code—the current maritime industry security model—was introduced after the September 11, 2001, terror attacks and came into worldwide force in 2004. Because of the focus at the time on the protection of critical infrastructure, the code was designed to emphasize the prevention of attacks on ports and ships rather than the use of ports and ships as channels of illegal activity, contraband, or persons. While the code addresses access control and some cargo issues, the focus on cargo security is minimal.
Additionally, the ISPS Code does not address cybersecurity in a meaningful way and has not been updated since its adoption in 2004. It was implemented before the rapid advancements in information technology, the Internet, and the shipping industry, and does not address those digital security issues that have arisen in recent years. While still relevant and effective in protecting ships and ports from attack, the code is not fully effective in addressing cargo security issues and emerging cybersecurity challenges associated with the industry.
Other common supply chain security programs, codes, and standards include the World Customs Organization's SAFE Framework, the International Standards Organization's ISO 28000 series, and numerous national and regional programs such as the U.S. Customs Trade Partnership Against Terrorism (CTPAT) and the European Union's Authorized Economic Operator (AEO) program. These programs have common features, including a focus on the vetting and reliable behavior of participants. Unlike the ISPS Code, which focuses on physical and operational issues, most supply chain security programs require a history of compliant behavior by participants before full acceptance into the programs. Further, participants must have well-established security policies in place, including processes to protect the integrity of data that is shared with governments.
While the ISPS Code is mandatory for ports and ships that trade internationally, supply chain programs are not mandatory and are incentivized by the promise of expedited entry into target markets and minimized inspections by participating customs agencies. In reality, the level of expedited access appears to vary, with some programs being perceived as more beneficial to participants than others.
Additionally, there is no global cybersecurity standard or requirement for ports or shipping. The International Maritime Organization (IMO) intends to require that cybersecurity be included as a component in the Safety Management System of ships starting in January 2021, but there is no similar effort for ports. Further, by including the cybersecurity requirements in the Safety Management System, the focus is likely to be on the potential risks for cyberattacks or compromise to vessel operating systems rather than the protection of sensitive data.
Therefore, cybersecurity in ports remains largely ungoverned, except for the efforts of some national governments. For example, the U.S. Coast Guard is in the process of developing an approach that will involve including cybersecurity in the development and approval of facility security plans. These national-level efforts, however, do not equate to a globally accepted approach to maritime supply chain and cargo security.
The Future of Maritime Security
Considering the developments of increased trade, greater sensitivity to disruption, convergence of types of security, and a lack of global governance beyond the ISPS Code, there should be a shift in port and maritime security to a supply chain approach where ports and ships are conveyances and conduits. Security professionals and policymakers must focus on infrastructure, ships, and ports as facilitators, conduits, and conveyances of cargo, goods, and people. This requires a shift in thinking away from the current emphasis on ships and ports as potential targets of possible attack.
Information in the maritime industry is as important as the infrastructure. This includes the potential for cyberattacks and compromise that may target navigation systems, operating technology, or industrial control systems, but also the equally important potential compromise and manipulation of data to facilitate the trafficking of contraband, cargo theft, or financial crimes.
To address these converged risks in a comprehensive and industrywide manner, port cybersecurity standards or requirements should be developed and included in supply chain security standards that are globally accepted and enforced. These supply chain security requirements should be developed and promulgated by a respected, international organization with an official status as an intergovernmental organization—preferably within the UN system—and should be implemented along the same lines as the ISPS Code with the commitment of all signatory countries to enforce the new code. If the IMO is not the appropriate organization for port and supply chain security standards, then other potential candidates could include the World Trade Organization or World Customs Organization.
Additionally, maritime industry port and vessel operators need to organize themselves to reflect the changing requirements of the digital age. The roles of the PFSO and the IT director need to be aligned in some form to ensure a unity of effort across all facets of security within the organization. Further, this effort must have high visibility in top management, and staffing and position descriptions will need to adjust to reflect the need to provide senior leadership expertise in cybersecurity and cargo security.
Global trade is dynamic and will only increase. More than 80 percent of cargo travels by sea, thereby inexorably linking supply chain and maritime security. And to protect the ever-evolving industry, individual organizations and international standards alike must adopt best practices that address such changes.
Michael Edgerton, CPP, vice president of HudsonTrident, Inc., is a retired military officer with service in both the U.S. Navy and U.S. Coast Guard. He is a member of the ASIS International Global Terrorism, Political Instability, and International Crime Council and the author of the book, A Practitioner's Guide to Effective Maritime and Port Security.