Cybersecurity at ports and terminals: Roles and responsibilities


In this series, we've examined the cybersecurity of our industry from multiple perspectives, from standardisation and regulation to secure software development processes. But how should vendors and terminal operators share the responsibility for maintaining cybersecurity at ports and terminals? Who is responsible for what, and how can both parties collaborate to ensure that critical systems always remain secure?

"In principle, the division of responsibilities is simple: The system provider is responsible for the cybersecurity of their software and solution, while the customer will generally be in charge of their own IT infrastructure," notes Jani Mäntytörmä, Chief Cybersecurity Engineer, Kalmar. "In practice, however, the division of roles can be quite complex. For example, what kinds of cybersecurity requirements and expectations do we, as a solution provider, have for the customer's system? Who is responsible for user management and access control in the automated system? And so on."


Watch those connections

A common issue that cybersecurity professionals face is undocumented ad-hoc changes to a production system by a third party on behalf of the customer.

"This is actually a fairly common scenario," says Jouni Auer, Chief Information Security Officer, Kalmar. "For example, if the customer's IT partner replaces a router in our automation system with another product that turns out to have a hardware vulnerability, whose responsibility is it? There is no simple answer to these questions, but they definitely need to be discussed in detail."

"For product security, the general principle holds that we at Kalmar will be responsible for the cybersecurity of the applications we provide," adds Arttu Rantanen, Director, Automation Operations, Kalmar. "This is addressed in our contracts with a list of software modules that are our responsibility, while the customer will handle the cybersecurity of their servers and network. When providing remote support services in which Kalmar's experts are able to connect to the customer's network over VPN, these services will have their own additional set of cybersecurity protocols."


Keeping the discussion open

Cybersecurity regulations such as the EU's Cyber Resilience Act are designed to steer organisations towards a secure operating culture and a clear division of responsibilities. However, they are only the start: vendors and terminal operators need to understand the cybersecurity features and requirements of each other's systems, and to ensure that assumptions about the security of these systems are correct on both sides.

"It's especially crucial for both parties to keep track of what will change with the deployment of each new feature and solution," says Henri Kettunen, Cybersecurity Lead, Kalmar. "This really calls for a detailed dialogue between our respective cybersecurity teams alongside the software developers."


"Regulatory compliance alone is not a competitive asset," concludes Jouni Auer. "Whether for system providers or terminal operators, it's merely the absolute minimum on which to build. The delivery of a solution such as the Kalmar One automation system requires careful collaboration between all participants in the project, but our job here at Kalmar is to work it out together, making sure our customers' systems stay secure while letting them focus on their core business."
