Generally speaking, when faced with a cyber-risk, there are five possible responses:
Accept the risk, namely do nothing and take the consequences.
Avoid the risk, namely eliminate it completely by radical measures, for example taking a lock out of service, closing the port to navigation or prohibiting certain craft that may pose a given risk.
Transfer the risk, for example by taking out an insurance policy or by recourse to a third party who will bear the consequences on the port’s behalf.
Share the risk, namely conclude an agreement with third parties to share the cost or the consequences if the risk materializes.
Mitigate the risk, namely implement various measures that will reduce the probability of the risk materializing or else limit its impact.
In the main, this guide adopts a risk mitigation approach. It contains a number of components of a transfer or sharing nature, but only marginally so.
It should be noted that doing nothing as far as cybersecurity is concerned is tantamount in effect to accepting all the risks, identified or otherwise.
This guide is intended to provide an overview of cybersecurity risks, threats, and mitigation measures, primarily within the scope of inland navigation ports.
It is intended to enable the target audience (see below) to understand the motivations and actors behind cyber-attacks and the assets of ports to be considered when evaluating cybersecurity threats and risks.
This guide also gives an overview of good practices for the implementation of cybersecurity risk mitigation measures.
However, in order to provide a better picture of the port ecosystem, assets relevant for inland navigation craft have been included in this guide.
The guide is divided into three parts.
The first part focuses on the cybersecurity threat landscape of inland navigation ports. It provides a detailed description of the port threat landscape, including information about threat actors, port assets, threat taxonomy, and various attack scenarios.
The second part delves into mitigating cybersecurity risks for inland navigation ports. It outlines a portfolio of mitigation actions that should be taken to reduce cybersecurity risks for ports.
The third part offers tips for the implementation of risk mitigation measures. It provides actionable security hygiene measures to be taken as a first step by both IT and non-IT stakeholders.
It is important to note that while this guide is intended to be used as a reference point for port stakeholders, it does not replace published cybersecurity risk evaluation methodologies.
However, it aims to empower each stakeholder to identify the most appropriate measures for evaluating and addressing cyber risks.
The target audience for this guide primarily includes port actors such as port authorities or subcontractors, terminal operators or subcontractors, and logistics companies working with port authorities or terminal operators.
However, there is also potential value for a wider audience indirectly involved, including national inland waterway authorities, shipping companies, public institutions with inland waterway regulatory power, craft operators, boatmasters, crew members of the craft, and manufacturers of inland navigation sector products.
Within this audience, this guide differentiates between three types of stakeholders who need to be closely involved with the implementation of the good practices contained in this guide: