Maritime Cyber Security: Vulnerability Assessment and Risk Mitigation Strategies for Nigerian Ports (A Growing, Often Overlooked Threat)
1. Introduction
The maritime sector plays a pivotal role in the economy, accounting for about 80% of the volume of global trade. The reliance on technology, such as satellite systems, the internet, and automated maritime control systems, appears to raise the risk of cyber attacks. Over the years, there has been increasing attention on the emerging issue of cyber security in maritime and its potential impact on the safety and security of the industry. Maritime cyber incidents could result in significant financial losses, threaten the safety and security of crew members, and damage the marine environment. Ships are not the only attractive and vulnerable targets for cyber attacks. Ports are also attractive targets for cyber criminals because of the financial, political, and physical impact that attacks on them could create. With a large number of connected systems, for example cargo handling systems, logistics systems, and fuel supply chains, an attack on critical infrastructure could have a catastrophic effect on a country. In recent times, the International Maritime Organization (IMO) has recognized this need and adopted resolution MSC.428(98), which encourages the shipping industry to incorporate cyber risk management into ships’ safety management systems. As of 1st January 2021, amendments to SOLAS, the International Ship and Port Facility Security Code (ISPS Code), and MARPOL are coming into force, which mandate compliance with the cyber risk management rules. This indicates that the legislative trend is heading towards a more stringent cyber regulatory environment in maritime. Due to the geographical location of Nigeria (West Africa) and the fact that the country is a significant player in the African economy, an analysis of cyber security in Nigerian ports is important and timely.
Despite the increasing number of cyber attacks on the maritime sector, which have recently received high-profile media coverage, there is a lack of empirical research into maritime cyber security, particularly in developing countries such as Nigeria. Given Nigeria’s global economic influence and its developing IT infrastructure, it is crucial to understand the cyber ‘footprint’ in the country’s maritime sector. With the anticipated completion of the deep-sea Port of Lamu in Kenya and the growth of the Port of Dar Es Salaam in Tanzania, besides the continuing development and expansion of ports in West Africa, there will be competing economic and operational pressures for Nigerian ports to attract companies and port users in the region. Therefore, it will be highly valuable and of immense interest to policymakers and the industry to identify and understand the cyber security challenges and opportunities in the Nigerian maritime sector. The purpose of this research is to carry out a vulnerability assessment in Nigerian ports, evaluate the risks faced, and then develop and propose mitigation strategies. This would help to raise the cyber awareness level in the Nigerian port sector and assist the local authority and the port operators in making informed decisions when resources and funding are allocated to improve cyber resilience in ports. The expected outcome of this research is to provide key stakeholders, such as NIMASA, Nigerian Ports Authorities, and port operators, with insights and technical solutions for the current and future cyber strategy.
1.1 Background
Cyber security has been a critical international concern, with increasing attention and efforts being dedicated to this field. The International Maritime Organization (IMO) has recognized the importance of cyber risk management and approved the Maritime Cyber Risk Management in Safety Management Systems (Resolution MSC.428(98)) in June 2017. Responding to the call for action, the United States has put in place a comprehensive set of regulations on maritime cyber security, requiring both shoreside and vessel operators to develop and implement cyber risk management programs. The European Union (EU) is also developing a similar set of rules and regulations, through the creation of a cyber security framework under the Directive (EU) 2016/1148. These regulations require port facilities to assess security risks and to develop and maintain security plans, which include measures to address cyber risks to information technology (IT) systems that may affect the security of marine transportation. However, knowledge and research in the area of maritime cyber security have been predominantly contributed by developed countries such as the United States, the United Kingdom and Singapore. Very little work has been done in the context of developing countries’ ports. As a result, there is a lack of academic research on cyber security in ports and their approaches for addressing cyber risks. Moreover, there is no established approach for conducting vulnerability assessments and using the results to support decision making in the context of port cyber security. This research aims to fill this gap by focusing on Nigerian ports and providing a current state of knowledge and practice for cyber security in the maritime sector. By identifying and assessing the potential vulnerabilities in Nigerian ports, effective strategies can be developed to mitigate the cyber risks and thereby ensure the safe operation of ports.
This research will not only provide concrete recommendations for policy and strategy development in Nigerian ports; the methodology and the measures developed in it can also be generalized and applied in other ports. It is expected that this research will help to initiate academic interest and establish mutual collaboration between different stakeholders in African ports towards the new challenges and technological advances in the area of maritime cyber security. Mutual partnerships can also be established through knowledge exchange and sharing, as well as joint research and funding. On the policy and government level, the research can support and provide valuable inputs for the development of a cyber security policy in Nigerian ports, and for potential amendments of the international codes and guidelines specifically addressing the cyber risks in port operations.
1.2 Problem Statement
Recent years have witnessed a rapid increase in global trade and a consequent rise in maritime transportation. Given the worldwide economic significance of maritime shipping, as well as the increasing reliance on technology and automation, the field of maritime cyber security is becoming crucial to the smooth operation of the maritime transportation system. In fact, the International Maritime Organization (IMO), which is a specialized agency of the United Nations responsible for regulating maritime transportation, has recognized the importance of “using risk-based strategies to protect information infrastructure in the maritime transportation system” and adopted “Guidelines on maritime cyber risk management” in June 2017. These guidelines require ship owners, managers, and relevant authorities to assess cyber risks in ships and port facilities and to take proper actions to protect the on-board information technology and computer-based systems as well as the communication technology. However, this international effort has not yet filtered down to the domestic level in countries like Nigeria in a meaningful way. Our research also aims to provide a reference for government and industry to develop and put in place strategies to address potential cyber risks and cyber attacks. This is crucial to the security of critical maritime infrastructure and the safe operation of individual vessels, as well as to confidence in the industry as a whole. A successful cyber attack that impacts the navigation or propulsion systems of a vessel might easily result in the loss of that vessel and its cargo and, even worse, the loss of lives. We know that vulnerabilities in the information technology systems used in certain ports and vessels, as well as in the maritime transportation system, could be exploited by terrorists and other criminal organizations to bring about disastrous consequences.
This research looks into the cyber security readiness and vulnerability of Nigerian ports and the risk exposure of critical functions due to cyber attacks. The ultimate goal is to provide the information necessary to support the development of guidelines and strategies to assess and enhance cyber security in the Nigerian maritime transportation system. As a beginning, this research would perform a vulnerability assessment in Nigerian ports to identify and prioritize critical vulnerabilities, which will later be used to propose effective risk mitigation strategies. In this context, we will work with the Nigerian Maritime Administration and Safety Agency (NIMASA), which is responsible for the regulation of the maritime industry in Nigeria, and other major port operators and stakeholders to collect relevant data and information about the ports in Nigeria. NIMASA has already shown interest in this research and provided letters of support. Also, the research team has contacted the United States Coast Guard’s International Port Security Program and will seek their collaboration where appropriate. Other collaborations with learning institutions and government departments and agencies in Nigeria will be established to facilitate the data collection and analysis. We believe that this research will not only provide us with an insightful understanding of the current cyber security readiness of Nigerian ports but also give us practical experience of dealing with cyber security issues in a domain of critical importance. We also expect that the results and outcomes of this research will resonate with the international efforts to protect information infrastructure in the maritime transportation system, and that best practices in cyber risk management can be shared. Cyber attacks against physical facilities and the operation of maritime transportation in Nigeria can be devastating.
1.3 Objectives
The primary objective of this research is to provide a systematic and holistic assessment of the cyber security posture of the Nigerian ports and to establish the extent of the vulnerabilities. This will be achieved through the identification of the strategic, tactical, and operational level security risks faced by the ports. The specific objectives of the research are as follows:
– To provide a detailed review of the existing literature on cyber security, especially in the maritime and port facilities.
– To examine the extent of the cyber security vulnerabilities and the associated risks in the Nigerian port facilities.
– To identify the critical points in the operations of the various entities at the ports so as to establish the level of impacts in the event of a successful cyber-attack.
– To assess the resilience and the disaster recovery capabilities of the port industry against cyber-attacks.
– To recommend adequate and effective mitigation and adaptation measures to enhance the cyber resilience of the Nigerian ports and lessen the associated risks.
– To make appropriate and reliable suggestions for the development of a robust and sustainable cyber security strategy that will be beneficial to all port stakeholders.
2. Literature Review
2.1 Overview of Maritime Cyber Security
2.2 Vulnerabilities in Nigerian Ports
2.3 Risk Assessment in Maritime Cyber Security
3. Vulnerability Assessment in Nigerian Ports
In order to identify different types and aspects of cyber vulnerabilities in Nigerian ports, the vulnerability assessment exercise was carried out based on the Department of Homeland Security (DHS) Risk Analysis Framework. Since the framework is based on identifying and evaluating the effectiveness of relevant countermeasures and information security, the development of cyber security in Nigerian ports can be ensured by identifying various cyber risks and assessing the implemented security controls. Moreover, the DHS Risk Analysis Framework allows for the use of different methods to conduct the vulnerability assessment, including surveys, interviews, and checklists. Therefore, the approach allows cyber security experts and port facility security officers to use existing information and knowledge or to take advantage of available automated tools and systems in order to make the vulnerability assessment process and measures implemented in port facilities more efficient and sophisticated. Considering the fact that the DHS Risk Analysis Framework is used for the vulnerability assessment exercise in Nigerian ports, the process measures various risks related to the implemented security controls and also tests the effectiveness of the existing security measures and cyber resiliency planning in dealing with cyber risks. Cyber resiliency planning in Nigerian ports is fundamental in providing the ability to prepare for, respond to, and recover from cyber events, disturbances, and threats, while such a planning path can lead to improved cyber risk management and reduced potential impacts of a cyber incident. It’s important to understand that the vulnerability assessment and the identification of cyber risks in port facilities should be done when new technology such as workplace digitalization, new systems, and automation technologies are introduced or when significant changes in the performed tasks and operations are made. 
It should be noted that assessments of employees’ awareness and training levels on cyber and information security have been overlooked in many countries such as Nigeria. However, findings and observations from vulnerability assessments of different Nigerian ports, including Lagos port, Calabar port, and Delta port, indicate that many vulnerabilities, including physical and infrastructure-related aspects, are linked to the digital divide among employees. This is because many employees in Nigerian port facilities have low awareness of cyber risk, which makes a cyber attacker considerably more likely to succeed in today’s highly digitalized and interconnected world. Therefore, the prevalence of social engineering attacks with various infection and intrusion methods can have a significant impact on the cyber security of Nigerian ports. As a result, the vulnerability assessment recommendations focus on mitigating such social engineering attacks by proposing and enforcing regular employee cyber security awareness programs and training.
3.1 Methodology
This section outlines the methodology used for the vulnerability assessment in Nigerian ports, including data collection and analysis. First of all, the research follows a qualitative method and the research design is descriptive, such that the data aggregation method is employed for collecting the necessary data. As such, survey and observation methods are used, whereby empirical and actual data are collected for the study. A survey using questionnaires is employed first. However, it should be noted that the survey is restricted to a certain class of port users, such as the government regulatory authority staff, the port facility security personnel, and the shipping companies’ staff. The observation method, on the other hand, involves physical examination of the entire port facilities and evaluation of the level of cyber security awareness in the port community. This is done by examining the level of compliance with the ISPS Code requirements and guidelines in relation to the level of technology deployed in the port operations, and the level of personnel training and development in the technology area.
Objective of the study: The main aim of the study is to identify and assess the possible cyber security vulnerabilities in Nigerian ports using the Apapa port complex and Port Harcourt as case studies. The research seeks to expose the possible challenges that the nation’s port industry may face and also provide solutions on how to prevent the imminent cyber threats that may be posed to maritime operations in Nigeria. The research also seeks to investigate the level of awareness of the ISPS Code in the Nigerian ports community and the level of compliance with the strict requirements of the code in the day-to-day operations of the Nigerian ports. The cyber security awareness level is also assessed because it is a fundamental aspect of the vulnerability assessment process.
The research is very important to the following categories of stakeholders in the maritime industry. The standards and regulatory agencies may require a more comprehensive evaluation of the cyber threats in the Nigerian maritime environment. Cyber security technology developers may need the data, since the research findings will reveal cyber security technology gaps that currently exist in the fight against cyber attacks on port facilities and ships. Port administrators and managers in the Nigerian port industry would benefit from the findings of this research in a number of ways. First, the research will help them to put in place effective planning tools that will enhance their cyber risk evaluation and infrastructure investment. Second, the research outcome will support management in ensuring efficient deployment and use of digital resources and in building security perspectives by systematically examining the potential impact of cyber threats and vulnerabilities in day-to-day port planning and operations. The end-users of the port services, particularly the shipping companies and the port users, who are at the edge of technology deployment and use for quality and efficient services, would also benefit greatly from the outcome of the research, as their port operators would be compelled to apply and practice superior cyber security measures and they would be assured of receiving the latest digital and technological port operation services. Last, the research will benefit the academic and scholarly community in the sense that more materials would be available for research and studies in the area of maritime cyber security. Such material may also be useful for theorists and other researchers to build on the findings and suggestions made in this research as applied to other cyber vulnerabilities in the maritime domain.
3.2 Data Collection and Analysis
The data collection process for the vulnerability assessment study involved collecting and analyzing a diverse range of data, including data related to the ports and their operations, information and records of security incidents and breaches, port activities and infrastructure, and cyber security resources and capabilities. Two main approaches were used in the data collection process: qualitative and quantitative data collection methods.
For qualitative data collection, semi-structured interviews were conducted with different experts and stakeholders, including port facility security officers, IT and operational technology personnel, and other cyber security professionals in the maritime and port security domain. In all, eight interviews were conducted, providing a broad and comprehensive understanding of the key vulnerabilities and risks in Nigerian ports from a professional and expert viewpoint. The qualitative data from the interviews was thematically analyzed in relation to the cyber security landscape and vulnerabilities specific to the Nigerian port environment.
In addition, documents and written policies, as well as other textual sources such as regulations, procedures and best practice guidelines, were reviewed and analyzed as part of the qualitative data collection and document analysis. The idea is to understand and verify the kind of cyber security practices and policies that are actually being implemented in the ports and to evaluate whether they are effective and compliant with international standards like the International Ship and Port Facility Security (ISPS) Code.
On the other hand, the quantitative data collection method involves the active and passive collection of network traffic and data volume in different ports in Nigeria. This includes the use of network analysis tools to monitor the volume and flow of data across different ports and to determine whether there is any irregular data flow, unexpected connection, or identifiable cyber attack or scanning activity. The cyber security dataset given by Cyber Market, a cyber risk research organization, was also used in the quantitative analysis. This dataset contains anonymized cyber security measurement indices for ports, which comprise different cyber security measures including the levels of digitization, the cyber resilience of the managed information and operational technology systems, and the cyber security awareness and training of the ports.
The cyber security dataset provides an overview of the general state of cyber security preparedness of the Nigerian port environments and, in combination with the qualitative data, adds a critical digital dimension to the analysis and to the research mock-up for the vulnerability assessment. By undergoing both quantitative and qualitative assessments, it is believed that a much more comprehensive and in-depth understanding of the cyber security landscape of Nigerian ports would be achieved, hence enhancing the accuracy and reliability of the study’s outcomes and findings.
3.3 Findings and Results
The vulnerability assessment exercise aimed to identify and examine the state of cyber security in Nigerian ports, determine how well the assets of the ports are protected, and identify the existing security gaps. The assessment exercise adopted a multidisciplinary approach, combining technical and administrative inquiries to bring about a comprehensive analysis.
In the technical part, the first phase was to conduct several preliminary technology and vulnerability analyses on all the ports in Nigeria. This involved both scanning the ports’ cyber infrastructure and evaluating the systems in place for such critical infrastructure as the ports’ cyber physical systems. One major finding from the technological analysis is that the ports’ systems are susceptible to intrusion and disruption because of a lack of periodic assessment and the absence of up-to-date proprietary protection measures. Also, a lack of security awareness among junior employees has given rise to a major gap within the cybersecurity frameworks. These, and many others, have been identified as security issues which need to be addressed in the ports.
For the administrative part of the exercise, ports’ stakeholders and administrators were interviewed using an adapted questionnaire designed to give an overview of the current state of cybersecurity in Nigerian ports. The questionnaire covers a wide range of topics, from the existence of any cybersecurity program and how the workforce has been prepared to deal with cyber threats to the attitude of senior management toward cybersecurity.
In conclusion, it is recommended that a risk-based, multi-layered security approach be considered for the ports’ security architectures and policies. Such efforts should be complemented with continuing cyber security improvement activities, which must involve periodic assessments, genuine commitment of resources, and effective cybersecurity communication and training programs. Cybersecurity education and awareness for the ports’ workforce is also identified as a key area that needs to be developed. If these recommendations are pursued, it is expected that not only will the ports in Nigeria become more resilient to cyber attacks, but the port administrators and regulatory authorities will also gain and foster a cybersecurity culture that is essential for protecting the nation’s critical maritime infrastructure.
3.4 Implications for Nigerian Ports
The results of the vulnerability assessment studies indicate several important implications for Nigerian ports. First, the analysis found that the main vulnerabilities to cyber-attacks in Nigerian ports are outdated and legacy systems, use of unlicensed and old software, and overreliance on the internet to carry out operations. This is mainly because the technology in Nigerian ports has not been updated to meet the current dynamics of the digital age, and because there is limited knowledge of cyber resiliency. Cybersecurity adversaries could take advantage of these vulnerabilities using already established malicious techniques, focusing on interception, espionage, and privilege elevation, among others. For instance, old system vulnerabilities normally involve a situation where a system is attacked from an external source and, by taking advantage of possible weaknesses in the system platform, the cyber attacker may be able to gain administrative access and thus execute further malicious acts.
The results of the cybersecurity assessment for Nigerian ports are a clear indication that the government and private port operators need to prioritize the area of cyber resiliency in their digitalization agenda. This is very critical, especially in the wake of ongoing port reforms and the establishment of the first-ever national peak maritime security strategy, which consists of many individual guidelines for maritime cyber resiliency. There is therefore a need for comprehensive attention to technological resiliency in Nigerian ports. In the main, both the NPA and port service providers need to focus on building stronger cybersecurity measures for port processes through regular updating of port IT structures, enhancing knowledge of cybersecurity resiliency, having backup systems, and ensuring that early detection and timely recovery are possible in case of a cyber-attack. This should be integrated within the port master plan, especially in the areas of improving port efficiency, accountability.
These measures will help in underpinning the government’s commitment to a safer, more secure maritime environment through the use of advanced technology and hands-on cyber resiliency. The establishment of strategic board-level awareness, standardization of IT procedures, integration of a risk management culture for port facilities, and the development of new cybersecurity architectures for port automation and connectivity are basic long-term objectives to be met.
4. Risk Mitigation Strategies
4.1 Best Practices in Maritime Cyber Security
4.2 Policy and Regulatory Framework
4.3 Training and Awareness Programs
4.4 Collaboration and Information Sharing
