On that morning, around a hundred members of the Rouen Port Union (UPR) gathered in a conference room at the joint invitation of their professional organization and Haropa Port: the public establishment overseeing the three major ports along the Seine. The agenda for the half-day event, which we are informed will be followed by others, focused solely on port cybersecurity. The recurring mantra echoed by all speakers was: « Do not wonder if you will be attacked, but when. »
Those who doubt it are invited to watch the slides that are scrolling on the screen at the back of the room. They show the extent of the phenomenon, which has been growing dramatically since the Covid crisis. The numbers are staggering. According to the panorama of maritime cyber threats published by the France Cyber Maritime association, attacks on operators and infrastructure have increased by 900% (!) between 2019 and 2021 at the height of the pandemic. The pressure has not subsided with the outbreak of the war in Ukraine. In 2022, the same association counted « 90 major incidents » in ports. This number is likely far from reality as it only covers publicly disclosed intrusions.
Des interfaces vulnérables
The root of the problem actually dates back to the early 2000s with the automation of goods’ input and output flows. Since then, virtual connections between operators have continued to grow, reaching an unprecedented level of interdependence and exposure. This is evidenced by the rise of concepts such as e-navigation or smart ports, which « no one really knows where they begin and end, » as admitted by Dominique Ritz, director of the port of Rouen.
All computer-controlled, the docking, unloading, storage maneuvers where the goods declaration operations are all possible entry points for hacktivists, cyber terrorists, or rogue states. So, how can we protect ourselves? In response, the digital transformation manager of Haropa calls for complementing the regulations by deploying a « circle of trust » at the scale of the Seine Valley to raise awareness among each other.
« I cannot reword »
According to Jérôme Besancenot, systematically reporting incidents would prevent IT directors from overreacting in the event of a malicious intrusion somewhere in the supply chain. « In certain situations, the medicine is more toxic than the ailment, » he notes as an expert. Gilles Kindelberger, president of UPR, agrees with this analysis. He also believes that it is important to unite against the threat. « We need to share experiences. Like a rape, a cyber attack is often experienced as a shameful secret that should be hidden, when in fact the opposite should be done. »
Un enjeu de réputation
The call for unity and solidarity is directed towards both major shipowners and logistics companies, as well as the hundreds of subcontracting SMEs and microenterprises that revolve around them. These smaller entities, which are less familiar with barrier measures than multinational corporations, are increasingly becoming targets of cybercriminals. « The threat is shifting towards the least protected entities in the supply chain, » warns Bénédicte Pilliet, founder of CyberCercle.
In this anxiety-inducing climate, the « first cyber-guide of industrial port areas along the Seine axis » has recently been published. Edited by Haropa Port and the Seine Port Union alliance, this 20-page directory of best practices marks the first step towards a collective awareness initiative, as explained by its authors in the introduction.
The challenge is not only technical or financial for the Normandy-Francilien region, which is trying to catch up with Rotterdam and Antwerp, but also reputational. « Some shipowners now consider the robustness of cybersecurity as a differentiating factor when choosing which ports to use, » emphasizes the CEO of the Port of Rouen. Take note.