Cybersecurity at ports and terminals: Our house in order, yours secure

In this article series, we explore multiple perspectives on cybersecurity at ports and terminals. How can terminals ensure the security of their systems and processes, and what are some of the most common threats and attack vectors that they face? What are the roles and responsibilities of the terminal operator and system provider? What are the benefits of cybersecurity certification and what kinds of new demands will regulation bring over the next few years? Stay tuned for an expert discussion on these and many more topics.

Two cybersecurity standards that are relevant for ports and terminals are IEC 62443-4-1 and ISO 27001. But what do these standards encompass, and why are they important for terminal operators? Read on to learn more.

IEC 62443-4-1 is part of the IEC 62443 series for industrial automation and control systems (IACS). It defines the requirements and practices of a Secure Development Lifecycle (SDL) that the organisation developing such a system must follow. ISO 27001 (formally ISO/IEC 27001) specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) in an organisation. The two cover different ground: 62443-4-1 is about how a product is built, while 27001 is about how the organisation itself manages information security.

"To use a simple analogy, compliance with IEC 62443-4-1 ensures that we can build houses that are secure for our customers, while ISO 27001 demonstrates that our own house is in order," says Jouni Auer, Chief Information Security Officer, Kalmar. "Both standards are widely used, although of the two, ISO 27001 is probably better known in the ports and terminals industry."

IEC 62443-4-1: Ensuring secure solution development

In 2023, the Kalmar Innovation Centre in Tampere, Finland and its Automation Business Line received IEC 62443-4-1 certification for the Kalmar One automation system. Kalmar was the first solution provider in the ports and terminals industry to receive the certification for the software development of its automation system for all terminal equipment. The certification was recently extended to the MyKalmar INSIGHT solution.

The Secure Development Lifecycle (SDL) defined in IEC 62443-4-1 groups its requirements into eight practice areas: security management (including roles, training and tooling), specification of security requirements, secure by design, secure implementation, security verification and validation testing, management of security-related issues (defect handling), security update management (patching), and security guidelines for deployment and end-of-life. Certification against the standard attests that these practices are in place and are independently audited; it is a statement about the development process, not a guarantee that any individual release is free of vulnerabilities, which is why the defect and update management practices matter as much as the design ones.

The SDL processes of Kalmar One were independently audited by the certification body Exida and found to meet maturity level 3 of IEC 62443-4-1; the same certification process is currently ongoing for MyKalmar INSIGHT. The standard defines four maturity levels. Level 3 ("defined") means that the practices are not only documented but consistently followed in every development, rather than applied ad hoc by individual teams, which is what makes the organisation's approach to industrial cybersecurity structured and repeatable.

"Certification to IEC 62443-4-1 validates that we are addressing cybersecurity at every stage of our software and product development process," says Jani Mäntytörmä, Chief Cybersecurity Engineer, Kalmar. "Alongside Kalmar One and MyKalmar INSIGHT, we are in the process of expanding our certification to our other solutions and are constantly developing our work in this area."

"In practical terms, IEC 62443-4-1 certification means that an independent auditor has evaluated the security of our development processes, along with how these processes are documented," adds Henri Kettunen, Cybersecurity Lead, Kalmar. "It's a fairly extensive undertaking, in which final certification is only granted after a full examination of our development work."

ISO 27001: Maintaining cybersecurity for the whole organisation

A key standard that addresses a different area of cybersecurity is ISO 27001, which defines the requirements for an information security management system for a whole organisation or for a defined part of it (the certification scope). Kalmar holds full-scope ISO 27001 certification covering the entire company.

"ISO 27001 is the internationally recognised benchmark for well-managed cybersecurity within an organisation," says Jouni Auer. "The standard takes a holistic approach to cybersecurity and covers general governance, risk management and security controls. It also includes the requirement for continuous improvement, which is a critically important aspect of cybersecurity."

Why certify?

Achieving certification to cybersecurity standards such as IEC 62443-4-1 and ISO 27001 holds several benefits. Certification ensures that the company's processes are designed, managed and documented in line with recognised industry practice, and it gives system providers and customers a shared vocabulary: security requirements in a tender or contract can reference the standard's practices and certification scope instead of being negotiated from scratch for every project.

"Standards certification means that an independent third party has already examined the cybersecurity of the certified processes, systems or products," says Henri Kettunen. "As a result, our customers don't need to spend time on evaluating whether our processes are secure. This saves significant resources while providing peace of mind that they are working with a cybersecure partner."

The IEC 62443-4-1 certificate and assessment report for Kalmar One are published by Kalmar.
