Since last year, Jens Rohlandt and Jan Schirrmacher have been working for Lower Saxony and Bremen respectively as port cyber security officers – making them the first in Germany’s seaports. They talked to the LOGISTICS PILOT about their tasks and the greatest challenges facing ports in terms of security.
Jens Rohlandt: In addition to my regular job as system administrator for JadeWeserPort, I have also been working as port cyber security officer for the state-owned ports of Lower Saxony since the 1st of January 2019.
Jan Schirrmacher: I started a full-time position as port cyber security officer at bremenports on the 1st of April 2019, at the request of the Senator for Science and Ports in Bremen.
How did these job opportunities come about?
Schirrmacher: Cyber security has of course been an important topic for quite some time now. For years there has been an increase in networking among companies and authorities in the ports of Bremen. My job was then created with the aim of counteracting the associated danger of cybersecurity incidents.
Rohlandt: It was the same with me. Among IT professionals, cyber security has been a major concern for the last ten years or so. The cyber attack on Maersk in 2017 finally got everyone’s attention. Since then, the topic has been discussed more and more in the ports; it takes some time before it reaches the institutions. At present, my main concern is to establish contacts with other ports and their experts, for example with Jan Schirrmacher.
Schirrmacher: We meet up regularly and have a lot to discuss.
Rohlandt: And since there are now a great many events on the topic of IT security in the maritime industry, we sometimes alternate between participating and then brief each other on what was said.
How are the other ports positioned?
Rohlandt: In Germany, Lower Saxony and Bremen are to date the only federal states that have created such a position. In Hamburg there is a team of employees from the waterway police and the Hamburg Port Authority, the HPA. As far as I know, there is nothing comparable in Schleswig-Holstein or Mecklenburg-Vorpommern. Rotterdam and Antwerp are already very well established in this regard, with their teams consisting of 10 to 20 people. Ultimately it is a matter of resources.
Schirrmacher: I am in the process of establishing a network that is as comprehensive as possible, which includes, for instance, regular dialogue with Jens Rohlandt. Even if this type of position does not yet explicitly exist in this form in the other federal states, we do of course exchange information with those responsible there. By attending the European events, I have made initial contacts with the ports in the Netherlands. My main focus, however, is firmly on the ports of Bremen. Here I am involved in a research project with a local terminal operator, as well as with another port. I am also currently planning to establish a prototype cooperation with other members of the port community.
Rohlandt: It is the same with me. I am also still in the process of gathering all the necessary contacts – especially in those cases where there is no such clear responsibility as there is with us as port cyber security officers. I also find the European summits very helpful. This is where I met, for example, the specialists from the German Federal Maritime and Hydrographic Agency and from the German Federal Office for Information Security, both of which also deal with the subject. Although the network dedicated to ports and security has been operating very successfully for years, the network for cyber security was only launched in 2019, so there is still a lot of work to be done here. It is my goal to have a stable foundation of contacts.
In this digital age, what are currently the greatest risks and challenges for ports and their infrastructure?
Rohlandt: At the outset: It is not possible to achieve one hundred per cent security. However, smaller companies in particular should know what is needed to first achieve 90 per cent. Informing and advising on this issue is an important task for Jan Schirrmacher and me. Because one thing is certain: People are always the weakest links. While most IT systems are now well protected against normal hackers, employees remain the most vulnerable, especially via e-mail contacts and phishing. No matter how good the systems in place may be. This is why we regularly inform our employees here at JadeWeserPort in order to keep drawing attention to this topic.
Schirrmacher: Within the port industry, we are highly dependent on many, sometimes very diverse, types of people involved. All operative activities, that is, ship owners, vessel traffic management and lock control, terminals, freight forwarders, rail transport companies, as well as IT service providers and many more activities also have to work. This is the only way to ensure overall operation.
To what extent does trust play a role?
Schirrmacher: Nearly all those involved are connected to the Port Community System and are also connected to each other through IT systems. This does in fact require a certain amount of trust. And it is precisely this that makes specific cybersecurity attacks easier or possible.
The safety precautions are probably not uniform either, are they?
Rohlandt: I would go so far as to say that the safety precautions are fundamentally different. There are hundreds of companies with very diverse cybersecurity standards operating in the ports. While the larger terminal operators, logistics service providers and shipping companies are of course highly developed in this field, this is not always the case with smaller companies. This applies, for example, to some shipping companies with only a few ships. In this case, there are ancient systems on board that can be accessed by all crew members.
have mainly been prepared for operational attacks become prepared for cyber threats?
Rohlandt: Essentially, every company, meaning the port and terminal operators in Lower Saxony, has to take care of its own IT system. I have no authority to issue instructions; companies must do this purely out of vested interest. The exchange of information is therefore crucial in order to develop a common standard.
Do you have a port cybersecurity programme or a corresponding strategy?
Schirrmacher: bremenports certainly pursues a cybersecurity strategy, even though we are not currently subject to the IT Security Act. This could, however, change with the amendment this year.
Rohlandt: We primarily follow the recommendations of the BSI, the German Federal Office for Information Security. We are also not subject to the IT Security Act, but we are already trying to comply with it as well as we can.
What does a typical day as port cyber security officer look like, does a typical day even exist?
Schirrmacher: No, I cannot say that I have something like that. One important aspect is the evaluation and comprehensible presentation of issues and the guidance of IT security concepts, for example for the new port railway system or the new harbour fee accounting system. Needless to say, I do some of my work in an office in the traditional way, but in the first nine months of the year my working day was always very different. At bremenports, for example, I also conduct awareness workshops for employees and carry out simulated attacks on our IT networks. I also go to events often. For instance, in November I was in Lisbon for an international cybersecurity workshop for the maritime industry. That’s part of the appeal for me, too: I get to meet a lot of different and interesting people.
A typical, rather unsociable programmer would probably be wrong for the job, right?
Rohlandt: Absolutely. You should definitely have an IT background, but you should especially enjoy exchanging experiences and networking. Incidents of this kind are global, so international cooperation is extremely important here. There are still security policy concerns when it comes to exchanging information. Both the European Maritime Safety Agency (EMSA) and the European Union Agency for Cyber Security (ENISA) have called for more exchange within Europe regarding problematic incidents, even if it might be inconvenient for the standing of the persons concerned.
What skills should a person have for this position?
Schirrmacher: It is very important that you enjoy
working with cyber security. And also the desire to constantly learn something new. IT and the associated weak spots and threats are extremely fast-moving, so you need to keep on learning and training. Independent work is also required, because there is no textbook or template
that can be applied. Analytical thinking is also required. You also need to have a certain frustration tolerance, because not everything you try will work out. The most important thing, however, is that you enjoy dealing with other people. (cb)