Resilient ports: lessons from the past, challenges of today

Resilient ports were already a relevant topic in ancient times. With the rise of digitalisation and automation, a new dimension has been added: security of information and management of assets. Wilco Vahrmeijer (ShipLogic) takes you on a journey through history, projects lessons from the past onto the present and elaborates this on the basis of a case study.

Introduction

We find ourselves in the 4th century BC, in the thriving port city of Carthage. The city flourishes thanks to trade and industry, with a population comparable to that of modern-day Ghent. The port is tightly organized: there is an outer harbor, an inner harbor for trade, and behind that, a military harbor—a pentagon-shaped stronghold with strict access control. Foreigners see only a high wall. The army guards the hinterland. Everything seems under control.

Yet Carthage is completely destroyed in a short time. What went wrong? The only serious rival at the time was Rome. The Romans had no fleet and no nautical experience. Still, they decided to build a navy. With the help of Greek shipbuilders and a reverse-engineered Carthaginian ship, they built 120 warships in six months and trained 30,000 rowers.

The Carthaginians were superior at sea, but the Romans introduced an innovation: the boarding bridge. This transformed naval battles into land battles—the terrain where the Romans excelled. Carthage lost its dominance and was ultimately destroyed.

Are we aware of our risks?

In the Netherlands and Belgium, everything also seems well organized. Trade, logistics, and shipping run smoothly. Customs and military police provide oversight, governments collaborate, and port areas are well secured. But there is a new, less visible threat: digital risks.

The three biggest digital risks for ports are:

1. Lack of access to data
2. Infiltration of digital processes
3. Manipulation of data

Anyone who has taken a course or training in risk management knows:
Risk = probability × impact.
This is followed by mitigating measures. Major seaports are aware of this and have appointed dedicated officers. But what about inland ports in the hinterland? And municipalities, which often see inland ports more as a burden than as a public, essential facility?

If the hinterland is not digitally resilient, it directly affects the major ports. Cargo gets stuck, ships cannot unload or depart, and congestion quickly increases. The solution begins with awareness and collaboration. And that is needed: during a recent webinar on NIS2, organized for all inland ports, only three ports were represented. That is concerning. The big players must help their smaller counterparts.

Case Study: ShipLogic

ShipLogic is a port management system for ports and water-related businesses. 28 sea and inland ports use ShipLogic daily, and seaports manage their operations 24/7 with our software. From the start, the focus has been on digital security. We took measures even before a single line of code was written:

• Network architecture: Our network is simple. We use the "internet café" model. The line of defense is where it should be: as close as possible to the data and the devices. Our Wi-Fi network is a disappointment for hackers—there’s nothing to find.

• Data storage: We deliberately chose cloud solutions for scalability, geo-redundancy, and availability. Cloud providers invest heavily in cybersecurity:
  Google: nearly €2 billion per year
  Microsoft: over €3 billion per year
  AWS: more than €7 billion in a European cloud

• User security: Mandatory multi-factor authentication (MFA). Initially, our users were unhappy—too much hassle—but now everyone is used to working with an authenticator app.

After onboarding our first clients, we had penetration tests conducted by an external party. They launched a battering ram at ShipLogic: what can someone without an account access, and what can a logged-in user do beyond their permissions? We passed both tests with flying colors. The next step was ISO 27001. The internal audit is coming up, followed by the external audit. The process is intensive but necessary.

European Cloud?

American cloud providers are under scrutiny, especially after blocking the email address of the chief prosecutor of the International Criminal Court. During the Transport and Logistics fair in Munich, we visited a European cloud provider with data centers in Germany, Austria, and Switzerland. We are currently investigating whether this provider offers a lower risk profile than our current one. Digital security requires continuous evaluation.

Conclusion

Are we invincible? Certainly not. But we can significantly reduce the likelihood of incidents. Complete security is a utopia—you can approach it, but never fully achieve it.

Just like Carthage, we too can be surprised by a new threat. We were surprised by AI; the next surprise will be quantum computing. The technology is developing, and its impact on cryptography, for example, will be significant. ISO 27001 requires constant vigilance.

Finally, let me return to Carthage with the slogan:
Beware of the Roman!

Let the boarding bridge of the past not become the Enter key of today.

Wilco Vahrmeijer