Maritime Critical Infrastructure Threats. Management Research Paper

Running head: MARITIME CRITICAL INFRASTRUCTURE THREATS1
Maritime Critical Infrastructure Threats
Student Name
College/University Affiliation
MARITIME CRITICAL INFRASTRUCTURE THREATS

2

Maritime Critical Infrastructure Threats
I. Introduction
Threats are central to a world of uncertainty. In 21st century, risks of varying scale and magnitude have defined – and will define – operation systems across different economic activities. The growing convergence and integration of global commerce, coupled by exponential growth in Information and Communication Technology (ICT) innovations, has compounded risks in unprecedented ways. In contrast to conventional isolated and analyzable risks, risks in more recent years – cutting across different operation systems, industries, national borders and, not least, knowledge management frameworks – have made risk preparedness a mandate. The maritime sector is not an exception.
For decades, maritime activities, particularly warfare and commerce ones, have had established risk assessment, mitigation and management conventions. Specifically, risks in a maritime context have been confined to, largely, physical damage by local, regional and/or international adversaries in limited or open scale warfare; labor-related vandalism; piracy; and failures, intentional or not, internal or external, of operation systems brought about by internal/external stakeholders. The modernization of maritime assets, including physical infrastructure, has, however, introduced major innovations – and risks – to maritime operation systems. The digitization of maritime operation systems, increasing interconnectedness between ports at national, regional and international scales, and, not least, growing integration between maritime and non-maritime activities – all has exposed maritime assets to unprecedented risks. In recent years, maritime critical infrastructure threats (MCITs) have received more attention from policy makers, practitioners and research community.
MARITIME CRITICAL INFRASTRUCTURE THREATS

3

MCITs are, for one, growing in scale and magnitude in commercial and warfare contexts. In contrast to largely predictable and manageable risks, cybersecurity risks are becoming increasingly detrimental. Performed at minimum cost and at least exposure potential, cyber attacks aimed at maritime assets, particularly critical infrastructure (CI), usher in a new era for maritime risks. Given increasing global commerce interconnectedness, coupled by more digitization of maritime operation systems, has only made maritime critical infrastructure (MCI) more vulnerable. Granted cybersecurity substantial risks, MCI is also exposed to a growing range of no less critical risks as a result of increasing interconnectedness. That is, whilst focus has shifted in recent years on cybersecurity as a major risk for MCI, differences in operation systems adopted by different global maritime stakeholders offer an equal reason for concern over security gaps intruders, including cyber attackers, might make use of to cause extensive damage. Indeed, interconnectedness, long lauded for more synergies and optimized performance, is also vulnerable, as shown later, to knowledge gaps brought about by different knowledge frameworks different regional/international stakeholders adopt to perform routine and non-routine functions of maritime operation systems.
Then again, MCITs also include unpredictable risks usually not usually accounted for in current models or operation systems.
In recent years, climate change effects are extensively reported and discussed. Yet, such effects receive differential interest and are accounted for less in actual operational measures across different economic and warfare, activities – more so in maritime activities. Failure to account for climate change effects properly in current maritime operation systems is more likely
MARITIME CRITICAL INFRASTRUCTURE THREATS

4

to result in major risks beyond repair, probably surpassing cybersecurity and interconnectedness risks.
The issue of MCITs is clearly one proper for graduate study. If anything, MCITs offer a range of complex areas for discussion. This requires not only advanced understanding for MCITs but also, more important, in-depth knowledge and research in multiple, often overlapping areas of interest.
To put matters into perspective, further examination of MCITs is required. Specifically, emerging and existing risks in current maritime practice context are explored in order to offer an initial assessment of current risk prioritization measures as reported in literature and practiced on ground. The central Research Question of current project is, accordingly, as follows:
RQ: Do current risk prioritization measures as adopted in current maritime practice effective enough to protect against emerging and existing MCITs?
This research project is, moreover, based on a fundamental hypothesis as follows: Hypothesis: The underlying rationale of risk prioritization in current maritime practice is informed by emerging risks and is not properly accounting for actual scale and magnitude of identified risks.
II. Literature Review
The operation context maritime organizations, regulatory authorities, ports and wider community interact has grown in complexity dramatically in recent years. Given growing scale, interoperability and interdependencies, maritime operation systems are redefined. In contrast to conventional maritime operation systems – and for that matter, wider operation environment – current maritime landscape is facing emerging risks at a more rapid pace and scale. Specifically,
MARITIME CRITICAL INFRASTRUCTURE THREATS

5

MCITs are shown to face, or likely to face, risks inexperienced under more conventional, less modernized operation ecosystems including, most notably in recent years, cybersecurity risks.
The emergence of cybersecurity risks is well documented in literature in different industries. Notably, cybersecurity risks are shown to pose growing risks for increasing number of critical assets including risks for critical infrastructure now increasingly using ICT innovations (Clark & Hakim, 2017). Similarly, cyber attacks are raised as major risks for maritime operations. For instance a growing number of cyber attacks, ransomware ones in particular, against major ports in US and Spain have raised concerns – and questions – about in-place cybersecurity measures and, more important, whether current (outdated) operation systems are prepared to counter, let alone preempt, emerging risks (Fier, 2018). The lack of preparedness to cybersecurity risks, emerging or existing, has apparently shifted focus more on cyber risks as a number one risk priority state and private entities should account for. For instance, U.S. Government of Accountability Office (GAO) issued an extensive report about lack of proper attention by Department of Homeland Security (DHS) to growing cybersecurity risks in maritime context (GAO, 2015). The report, Maritime Critical Infrastructure Protection: DHS Needs to Enhance Efforts to Address Port Cybersecurity, places particular emphasis on cybersecurity and recommends DHS and stakeholders move ahead and make additional steps in addressing cybersecurity in maritime environment:
DHS's Federal Emergency Management Agency (FEMA) identified enhancing cybersecurity capabilities as a priority for its port security grant program, which is to defray the costs of implementing security measures. However, FEMA's grant review process was not informed by Coast Guard cybersecurity subject matter expertise or a
MARITIME CRITICAL INFRASTRUCTURE THREATS

6

comprehensive assessment of cyber-related risks for the port environment. Consequently, there was an increased risk that grants were not allocated to projects that would most effectively enhance security at the nation's ports [emphasis added]. (GAO, 2015)
Understandably, cybersecurity risks, particularly in a federal context, assume wider policy making implications and impact for multiple affiliate agencies. Unsurprisingly, cybersecurity receives much attention in literature from multiple perspectives, primarily as a high-impact, high-probability risk.
Fundamentally, a growing body of literature places particular emphasis on cybersecurity risks to protect MCITs. Complex in operations, interconnected at global scale and interdependent (Trimble, Monken & Sand, 2017), ports are becoming more and more attractive to cyber attacks, more so due to relatively insecure firmware linked to SCADA (supervisory control and data acquisition) systems (Chiappetta & Cuozzo, 2017). This consistent emphasis on cybersecurity and attacks in maritime context has initiated a parallel research interest to standardize frameworks in order to assess emerging cybersecurity risks, identify barriers to mitigating risks and, interestingly, create public-private entities on cybersecurity collaboration (Trimble, Monken & Sand). Similarly, automated systems, including Automatic Identification System used in aviation, is adapted for applications (Kessler, Craiger & Haass, 2018) and unmanned surface vehicles are used against possible terrorist assaults on LNG carriers at sea or harbor (Miętkiewicz, 2018) in maritime context in order to protect MCITs. In a similar vein, most extant literature on cybersecurity intended to protect MCITs, as far as author of current
MARITIME CRITICAL INFRASTRUCTURE THREATS

7

study knows, continues to lay emphasis on cybersecurity as most significant risk to MCITs.
There is, however, a growing interest in MCI beyond cybersecurity.
Interestingly, climate change has come front and center of global debates on sustainability. However, little attention is paid to impact of climate change on current maritime operation context. Specifically, whilst maritime operations are becoming more and more digitized, models accounting for complex, emerging climate and weather phenomena are hardly available, if at all. This is particularly peculiar given critical dependency of maritime operations on climate and weather data for non-intermittent operation. Moreover, a consistent emphasis on cybersecurity, important as is, without equal attention to historically maritime-related risks puts into question whether recent interest in cybersecurity as most important risk to maritime operations is driven by actual, identified concerns or largely by perceptions. As matters stand, a few attempts are made to help understand emerging climate-/weather-related risks under increasingly dynamic climate/weather conditions caused by excessive carbon emissions. Kołowrocki (2017) proposes, for example, a general safety analytical model of a complex, operation system under extreme conditions including primarily climate-/weather-related environmental risks. The model aims to define “critical infrastructure safety indices” whereby operation system under study would operate under safely. This study has wide implications for MCITs. Essentially, climate and weather conditions, as noted, are integral to maritime operation systems. Historically, maritime systems, including mechanical ones, have accounted for climate-/ weather-related conditions. Today, digitized systems are increasingly in place. Moreover, emphasis continues to grow on cybersecurity – at a notable lesser attention to climate/weather changes now becoming increasingly disruptive of complex systems, including maritime ones, if
MARITIME CRITICAL INFRASTRUCTURE THREATS

8

only by means of physical, immediate impact. The remote, i.e. cyber attacks, appear to distract from clear and present dangers to MCITs.
Put into stricter scrutiny, cybersecurity appears, moreover, to receive a skewed research attention. Notably, extant literature lays most focus on methods whereby a securer and safer maritime operation system could be in place. This emphasis, important as is, downplays equally important, if not more so, emphasis on usability and security interpretation issues. Specifically, whilst current emphasis in MCITs security research is on cybersecurity methods, much less attention is paid to humans using not only different operation systems across sub-sectors and national borders but, more important, frames of knowledge management not necessarily consistent, let alone exchangeable, according to which risks to supply chains and logistics in maritime operation systems are identified, interpreted and responded to. The presence of a “semantic gap” across different supply chain and logistics stakeholders is shown to result in disruptions in workflows and, more important attention of cyber attacks. Thus, a methodology is proposed to develop a “knowledge base” for maritime logistics and supply chain (MloSC) using semantic web technologies (Kalogeraki et al., 2018). Once again, standardization emerges as a critical issue lesser attention is paid to in extant literature beyond cybersecurity measures. That is, standardization of meaning-making and interpretation of supply chain and logistics data across different operation systems, sub-industries, geographies and cultures emerges as yet another area little attention is paid to in extant literature on MCITs. Interestingly, standardization, just as climate/weather issue above, appears to be limited to cybersecurity – at probably a considerable expense of more immediate risks, in current case supply chain and logistics data interpretation, to MCITs.
MARITIME CRITICAL INFRASTRUCTURE THREATS

9

The exponential growth and modernization of in maritime operations has, moreover, sidelined conventional risks. As noted, conventi...