Cyber legislation makes demands of ports

Dover is one of many UK ports that will have to adhere to the new Cyber Directive. Credit: hawkflight1066

HFW’s Matthew Gore examines the implications of the new cyber security regulations

The importance of cyber security to the maritime transport sector was brought into sharp focus in June 2017 when the ‘NotPetya’ malware attack struck organisations in more than 60 countries worldwide, including many prominent organisations within the maritime transport sector.

Incidents such as this demonstrate the need to improve the security of network and information systems across the maritime transport sector. The Directive on Security of Network and Information Systems (EU 2016/1148) (the Cyber Directive), which was transposed into UK law on May 9, 2018, puts cyber security on a legislative footing. It applies to organisations designated as ‘Operators of Essential Services’ (OES) and requires them to demonstrate that they have implemented ‘appropriate and proportionate’ cyber security measures to prevent, or at least mitigate, the harm caused by cyber security incidents.

The latest UK Government publication on the application of the Cyber Directive indicates that, within the maritime transport sector, OES designation will apply to harbour authorities, ports or port operators that either handle more than 10m passengers a year or account for more than 15% of the UK’s ro-ro traffic, 15% of the UK’s lo-lo traffic, 10% of UK total liquid bulk, or 20% of UK total bio-mass fuel.

The Cyber Directive will also apply to sea freight carriers that handle more than 30% of the freight at any UK port falling within the thresholds above, and more than 5m tonnes of total annual freight across UK ports as a whole.

While only those identified as OES under these thresholds must comply with the requirements of the Cyber Directive summarised below, businesses that supply or contract with OES are also likely to be affected: the first of the objectives below requires OES to manage security risk across their supply chains, and the sector is highly interconnected.

Compliance requirements

OES within the maritime transport sector will be required to comply with fourteen security principles grouped under the following four objectives, as defined by the National Cyber Security Centre:

Managing security risk – OES will need to ensure that appropriate organisational structures, policies, and processes are in place to understand, assess and systematically manage security risks to the network and information systems supporting essential services across their assets and supply chains.

Protecting against cyber attack – This objective necessitates the implementation of proportionate security measures to protect essential services and systems from cyber attack. Examples include managing access to relevant systems, the protection of data and providing staff with appropriate training.

Detecting cyber security events – OES must demonstrate that they have the capability to verify that security defences remain effective and to detect cyber security events affecting, or with the potential to affect, essential services.

Minimising the impact of cyber security incidents – This objective centres on an organisation's ability to limit the impact of a cyber security incident on the delivery of essential services. It calls for OES to have a robust incident response plan covering all relevant potential incidents. In addition, any incident having a ‘significant’ impact on the continuity of essential services must be formally reported to the Competent Authority.

Oversight and enforcement

Once the Cyber Directive is effective, each ‘Competent Authority’ will have responsibility for the oversight of its sector. The Competent Authority for the maritime transport sector will be the Secretary of State for Transport, and by extension the Department for Transport. Responsibilities of the Competent Authority will include the designation of OES; monitoring the application of the Cyber Directive; the publication of guidance (including incident reporting thresholds); and enforcement and the imposition of penalties.

The Competent Authority will have the power to impose financial penalties (up to a maximum of £17m) on OES that contravene the Cyber Directive. However, the UK Government is keen to stress that the maximum penalty should be regarded as a last resort; indeed, the latest guidance states that the Competent Authority will take a reasonable and proportionate approach to enforcement.

Matthew Gore is a partner at HFW, where he is a specialist lawyer covering the ports and terminals, shipping and logistics sectors. The author would like to thank Mark Devlin of HFW for his input on research and drafting for this article.
