See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/371262216

Towards Cybersecure Maritime Supply Chains in Latin America and the

Caribbean

Chapter · June 2023

DOI: 10.1007/978-3-031-32032-3_19

CITATIONS READS

2 104

4 authors, including:

Claudio Alvarez Camila Hinojosa

University of the Andes (Chile) University of the Andes (Chile)
30 PUBLICATIONS 560 CITATIONS 1 PUBLICATION 2 CITATIONS

SEE PROFILE SEE PROFILE

Luis Rojas

24 PUBLICATIONS 68 CITATIONS

SEE PROFILE

All content following this page was uploaded by Luis Rojas on 16 November 2023.

The user has requested enhancement of the downloaded file.

Chapter 19
Towards Cybersecure Maritime Supply
Chains in Latin America
and the Caribbean

Claudio Alvarez, Camila Hinojosa, Sebastián Gonzalez, and Luis Rojas

Abstract Maritime supply chains are a highly dynamic environment in which

multiple public and private stakeholders interact by exchanging digital data through
various systems and technologies in cyberspace. The maritime industry is immersed
in a digital transformation process that is evolving to be highly dependent on cyber-
physical systems composed of information and operational technologies. In the Latin
American and Caribbean region, there are multiple challenges in cybersecurity of the
maritime industry in general, as countries present different maturity levels in their
cybersecurity capabilities, particularly in protecting critical infrastructures, including
ports, terminals and intermodal connections. This chapter describes cyberthreats,
vulnerabilities, risks and recent cyberattacks in maritime supply chain operations in
Latin America and the Caribbean (LAC), discusses ongoing supranational initia-
tives towards the development of cybersecurity capabilities for maritime supply
chains in the region, analyzes advances of LAC countries in developing cyberse-
curity capabilities and adopting best practices for maritime supply chain operations,
discusses the region’s prospects for development of cybersecurity policy and strategy,
and provides recommendations for decision-makers and technical staff in charge of
maritime supply chain operations.

Keywords Cybersecurity · LAC region · Maritime supply chains · Capabilities ·

Best practices

C. Alvarez (B) · C. Hinojosa

Facultad de Ingeniería y Ciencias Aplicadas, Universidad de los Andes, Santiago, Chile
e-mail: [email protected]
C. Hinojosa
e-mail: [email protected]
S. Gonzalez · L. Rojas
Facultad de Ciencias Empresariales, Departamento de Ciencias de la Computación y Tecnologías
de la Información, Universidad del Bío-Bío, Bio Bio, Chile
e-mail: [email protected]
L. Rojas
e-mail: [email protected]

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 425
J. L. García Alcaraz et al. (eds.), Supply Chain Management Strategies and Methodologies,
Lecture Notes in Logistics, https://doi.org/10.1007/978-3-031-32032-3_19
426 C. Alvarez et al.

19.1 Introduction

The maritime industry represents around 80% of the volume of international trade in
goods worldwide (Sirimanne 2021). Maritime supply chains are nowadays immersed
in a digital transformation process by which they are evolving to be highly depen-
dent on Cyber-Physical Systems (CPSs) composed of Information Technology (IT)
as well as Operational Technology (OT) (Kuhn et al. 2021). Digital transformation
from steam-based Industry 1.0 to smart network-based Industry 4.0 has incorpo-
rated CPSs in vessels and seaports while the connectivity of cyberspace and the
physical environment has grown considerately (Cheung et al. 2021; Gunes et al.
2021). Nevertheless, technological changes are being implemented by private actors
more slowly than by other industries (Karamperidis et al. 2021). In addition, ports
vary in structure and ownership, making standardization and regulation challenges.
As a result, the maritime sector risks being the target of criminal activity not only
in its physical domain and cyberspace (McGillivary 2018). These attacks generate
alarming economic damage and harm corporate reputation and confidence in private
companies and state-run maritime operations (Park et al. 2019).
The Latin America and Caribbean (LAC) region includes many ports and major
maritime infrastructures, such as the Panama Canal, at various technological develop-
ment and maturity levels from a cybersecurity standpoint (Inter-American Committee
against Terrorism 2021). The region is rich in raw materials, energetic sources,
mineral resources, and pharmacological potential. It depends on maritime supply
chains for commercial exchange among its states and other locations worldwide.
Combining these factors with the lack of a robust apparatus of regional and national
cyber defense, maritime supply chains in the LAC region experience a dire vulnera-
bility regarding cybercrime (Díaz 2021). According to the European Union Agency
for Cybersecurity (ENISA), states’ greatest challenge in digital transformation in
ports and maritime supply chains is the effective design and implementation of poli-
cies, regulations and new maritime assets for establishing effective and secure IT and
OT (Drougkas et al. 2019). States in the Western Hemisphere, and particularly in the
LAC region, are beginning to take notice of the need to foster their cybersecurity capa-
bility and are rapidly developing national cybersecurity plans and increasing ways
to share information and respond rapidly to cybersecurity incidents concerning crit-
ical infrastructures and supply chains, including those serving the maritime industry
(Inter-American Committee against Terrorism 2021).
This chapter describes cyberthreats, vulnerabilities, risks and recent cyberattacks
in maritime supply chain operations in Latin America and the Caribbean (LAC)
(Sect. 19.2), discusses ongoing supranational initiatives toward the development
of cybersecurity capabilities for maritime supply chains in the region (Sect. 19.3),
analyzes advances of LAC countries in developing cybersecurity capabilities and
adopting best practices for maritime supply chain operations (Sect. 19.4), discusses
prospects for development of cybersecurity policy and strategy in the LAC region,
and provides recommendations for decision-makers and technical staff in charge of
maritime supply chain operations (Sect. 19.5).
19 Towards Cybersecure Maritime Supply Chains in Latin America … 427

19.2 Cyberthreats, Vulnerabilities and Risks in Maritime

Supply Chain Operations

Maritime organizations are critical in facilitating domestic and international supply

chain activities by connecting sea and inland transport services (Inter-American
Committee against Terrorism 2021). Port and maritime operations are complex and
involve a wide variety of fixed, technological, and communication assets that inter-
connect to support an array of vessel operations, cargo handling, supply chain, and
governmental services (Kuhn et al. 2021). As maritime organizations in the Western
Hemisphere become increasingly digitalized to improve efficiency and competitive-
ness and, in some cases, comply with national requirements, their operations become
increasingly vulnerable to the action of cyber criminals.
Maritime supply chains have become information hubs, integrating data from
terminal operators, carriers, logistics companies, and government authorities. As
data and information hubs, maritime organizations create, process, transmit/receive,
and store a wide variety of data and information in cyberspace (Park et al. 2019). This
data is commercially valuable to many, including competitors seeking an advantage
or criminals seeking to steal or compromise data to facilitate fraudulent transactions
or smuggling (Inter-American Committee against Terrorism 2021). In addition to
ensuring the digital security of their operations, maritime organizations must protect
the confidentiality, integrity, and availability of the data on their networks and in their
systems (Gunes et al. 2021).
Erstad et al. (2021) define a cyberdanger as a “threat that exploits cyberspace,”
while a cyberrisk is a risk generated by a cyber threat. As a result, a maritime
cyber threat may result in cyberattacks against maritime supply chain operations.
According to Mednikarov et al. (2020), there are two basic types of cyberattacks in
the maritime field: targeted and untargeted. Targeted attacks act on specific corporate
IT/OT technologies with a specific purpose of penetration, such as access to confiden-
tial information and obstruction of the normal functioning of port and vessel systems.
Untargeted attacks are carried out using an Internet environment and software tools
to detect unprotected communication components.
According to the Inter-American Committee against Terrorism (CICTE),1 an
entity part of the Organization of American States (OAS), maritime organizations
face threats from a wide variety of cyber threat actors (Inter-American Committee
against Terrorism 2021):
• Organized crime: By gaining access to cargo logistics and management systems,
organized criminals can access, monitor, and edit critical cargo information,
reducing the effectiveness of customs scrutiny on a shipment. It is possible that
organized crime operations can steal entire containers.
• Insider threats: Current and former workers, contractors, partners, and vendors
present potential cybersecurity hazards to maritime companies. These dangers are
the result of both purposeful and unintended behaviors. Insider threats may come

1 https://www.oas.org/en/sms/cicte/default.asp.
428 C. Alvarez et al.

from a dissatisfied former or current employee with access to credentials that

are not disabled. Employees may also be persuaded or blackmailed by outside
entities for disclosing essential information, downloading malicious software,
or even altering IT/OT protocols, processes, and configurations. Insiders can
easily download threatening software by accident via phishing emails or corrupted
websites.
• Insider threats: Current and former workers, contractors, partners, and vendors
present potential cybersecurity hazards to maritime companies. These dangers are
the result of both purposeful and unintended behaviors. Insider threats may come
from a dissatisfied former or current employee with access to credentials that
are not disabled. Employees may also be persuaded or blackmailed by outside
entities for disclosing essential information, downloading malicious software,
or even altering IT/OT protocols, processes, and configurations. Insiders can
easily download threatening software by accident via phishing emails or corrupted
websites.
• Insider threats: Current and former workers, contractors, partners, and vendors
present potential cybersecurity hazards to maritime companies. These dangers are
the result of both purposeful and unintended behaviors. Insider threats may come
from a dissatisfied former or current employee with access to credentials that
are not disabled. Employees may also be persuaded or blackmailed by outside
entities for disclosing essential information, downloading malicious software,
or even altering IT/OT protocols, processes, and configurations. Insiders can
easily download threatening software by accident via phishing emails or corrupted
websites.
• Terrorists: While the maritime industry has taken tremendous precautions to
protect itself from physical terrorist attacks on facilities and other crucial infras-
tructure, it remains exposed to the increasing threat of cyber-terrorism. For
example, terrorists in the Western Hemisphere may see key ports or other essential
marine infrastructure, such as the Panama Canal, as potential targets.
Attackers will generally follow a five-step methodology to perpetrate a cyberattack
on the maritime supply chain (Drougkas et al. 2019). Firstly, cyberattackers conduct
(1) intelligence and planning procedures, including investigation and surveillance
of target actors, systems, networks, and other cyberphysical infrastructure. Next,
attackers will (2) attempt to exploit cybersecurity vulnerabilities and gain access
to systems or data. (3) After a security breach has been exploited, the third step is
maintaining access. How access is maintained will depend on the characteristics of
exploited vulnerabilities and the method by which it has been possible for hackers to
penetrate. Later, (4) pivot infiltration may be accomplished by cyber attackers by
interrupting ITs and OTs in vessels or systems operating in ports and terminals. The
final step is (5) trace removal, where attackers will attempt to eliminate evidence of
their intrusion, aiming to reduce the odds of success of future forensic investigations.
For this, attackers can alter, edit, corrupt, or delete audit logs and records that include
any information about their activity.
19 Towards Cybersecure Maritime Supply Chains in Latin America … 429

The maritime industry can be affected by several intentional cyber-physical

attacks. According to Drougkas et al. (2019), common examples are the following:
• Eavesdropping, interception and hijacking: By these attacks, the attacker
can intercept communication within a vessel or between a port and various
stakeholders to compromise the targeted systems.
• Nefarious activity and abuse: This category includes attacks such as Denial
of Service (DoS), malware, ransomware, brute force password or encryption
cracking, identity theft, social engineering, phishing, abuse and theft of data,
and data manipulation.
• Fraud, sabotage and vandalism: These deliberate and purposeful acts break
international and civil Law and seek to weaken or damage the vessel or port
systems, infrastructure, and assets. Such attacks can impact both IT and OT
systems. For example, IT systems for port operation could generate errors that
delay or paralyze traffic. At the same time, OTs could support automatic controls
of gantry cranes with the risk of generating accidents in cargo movement on the
ship or within the port Gamboa et al. (2020).
• Fraud, sabotage and vandalism: Attackers expect to profit from their illegal
activity and obtain valuable information or money through violence or intimida-
tion. This will involve dishonest or unlawful actions directed toward the maritime
infrastructure and cyberspace.
Vulnerabilities presented by cyber-physical ship and port operations and attacks
that succeed at exploiting them can lead to risks, including disruption of operations
of the maritime supply, with repercussions at the port level. Such risks include (Inter-
American Committee against Terrorism 2021; Drougkas et al. 2019):
• Theft of high-value cargo or illegal trafficking: Cyber-physical port systems
are instrumental in attackers’ goal to steal cargo and containers. To succeed,
aggressors must have extensive knowledge of port systems, networks, processes,
and infrastructure.
• Propagation of ransomware: These attacks typically lead to a total shutdown
of port operations. Ransomware attacks can be either targeted or non-targeted.
Hackers create ransomware and spread it over port networks, encrypting various
systems and devices, resulting in information leaks and potential unrecoverable
destruction of data stored in affected systems.
• Compromise of Critical Systems Onboard Vessels or In-Ports: Risks of data
theft or hijacking affect systems, such as Port Community Systems (PCSs) and
Terminal Operating Systems (TOSs) in ports or vessel navigation systems. After
gaining illegal access to such systems, attackers may corrupt information about
port services to disrupt operations or modify system processes. Results are
commonly reputational, operational and financial damage to port stakeholders
and operations.
• Hijacking of OT systems: Risks of hijacking ship and port OT systems exist,
leading to significant accidents in port areas. These attacks can be perpetrated by
hackers, as cyberattacks that stem from the side of IT devices and infrastructures
430 C. Alvarez et al.

can pivot to the realm of cyber-physical (OT) systems, thus damaging machinery,
end-devices, security monitoring capabilities and safety checks in port and ship
operations.
A statistical study by the Chatham House Cyber-Security Group (Kapalidis 2019)
of the Royal Institute of International Affairs identified the essential systems, both
on-ship and in-port, that require cyberattack protection due to their respective vulner-
abilities. Findings showed that the number of vulnerable components in-port is higher
than on-ship. On the other hand, in a recent review of cybersecurity of components,
systems and services within the maritime industry, Ben Farah et al. (2022) conclude
that every port or vessel is at risk of cyberattacks if key information systems are
not adequately protected. The challenge is increasingly complex by proliferation
in the deployment of new technologies with associated increases in the scope of
vulnerabilities within most operation-critical infrastructures.
A report issued in 2021 by the Economic Commission for Latin America (ECLAC)
(Díaz 2021) informs that several cyberattacks have taken place in the Latin America
and Caribbean (LAC) region. Some high-profile cases include DoS and ransomware
attacks against companies such as Maersk (which resulted in a $300 million loss)
and CMA GGM, port terminals (e.g., Terminal Pacífico Sur, Valparaiso, Chile), port
authorities (e.g., Dominican Port Authority, Dominican Republic), and attacks to
critical infrastructures in the energy sector affecting port operations (e.g., CPFL
Energia, Brazil). Alarmingly, many of these attacks have affected several locations
at once. Cyberrisk is multiplied by the connectivity of information, communication
and cyber-physical systems. An isolated cyber incident in a port may have cascading
effects across the global port system (Kuhn et al. 2021). That can partly explain this
as with other industries, such as the banking sector, professional hackers like those
in APT groups target ports in the LAC region due to the cybersecurity capability in
the region is immature in comparison to other more developed regions, such as North
America and Europe (Pimenta and McKenzie 2021). To be effective, cybersecurity
must evolve rapidly and constantly alongside technology implemented in ports, and
private actors must jointly develop cybersecurity capabilities.

19.3 Development of Cyber Security Capabilities

for Maritime Supply Chains in the LAC Region

19.3.1 Oxford’s Cybersecurity Capacity Maturity Model

for Nations

As global trade and maritime supply chains have become more dependent on
cyberspace for their operations, developing national cybersecurity capabilities has
become a critical concern for sovereign states. Moreover, coordination between states
and among public and private actors within them is essential for progress to be
achieved.
19 Towards Cybersecure Maritime Supply Chains in Latin America … 431

To assess the cybersecurity capabilities of states globally, the University of

Oxford’s Global Cybersecurity Capacity Center (GCSCC 2021) has developed the
Cybersecurity Capacity Maturity Model for Nations (CMM). The CMM model is a
framework by which the maturity of the cybersecurity capabilities of a country can
be measured and analyzed considering five dimensions:
1. Cybersecurity Policy and Strategy: This Dimension encompasses a country’s
capacity to develop and enact cybersecurity strategy and enhance its cybersecu-
rity resilience by improving its incident response capabilities, cyberdefence and
critical infrastructure protection capacities. This Dimension considers effective
strategy and policy in delivering national cybersecurity capability while main-
taining the benefits of cyberspace vital for Government, international business
and society in general.
2. Cybersecurity Culture and Society: Includes cybersecurity culture, such as
understanding of cyberrisks in society, trust in the Internet, e-government and e-
commerce services, and users’ understanding of personal information protection
online. Moreover, this Dimension considers the existence of channels for users
to report cybercrime. In addition, the Dimension includes the role of media and
social media in shaping cybersecurity values, attitudes and behavior.
3. Building Cybersecurity Knowledge and Capabilities: Comprises the avail-
ability, quality and uptake of programs for various stakeholders, including the
Government, private sector and the population, and relates to cybersecurity
awareness-raising programs, formal cybersecurity educational programs, and
professional training programs.
4. Legal and Regulatory Frameworks: Considers the Government’s capacity to
design and enact national legislation that directly and indirectly relates to cyberse-
curity, with a particular emphasis on regulatory requirements for cybersecurity,
cybercrime-related legislation and related legislation. The capacity to enforce
such laws is examined through law enforcement, prosecution, regulatory bodies
and court capacities. Moreover, this Dimension observes issues such as formal
and informal cooperation frameworks to combat cybercrime.
5. Standards and Technologies: This Dimension addresses the effective and
widespread use of cybersecurity technology to protect individuals, organizations
and national infrastructure. The Dimension specifically examines implementing
cybersecurity standards and good practices, deploying processes and controls,
and developing technologies and products to reduce cybersecurity risks.
Each of the above dimensions is evaluated by constituent factors that relate to the
descriptions given above. In turn, each factor has multiple components called aspects.
The number of aspects related to a factor depends on the themes that emerge in the
content, that is, on factor complexity. The most granular measurement of CMM is
indicators. Each indicator describes the steps, actions, or building blocks indicative
of a specific stage of maturity in cybersecurity aspects, factors and dimensions.
Per each factor or aspect, the CMM defines stages of maturity. The most basic
stage is (1) Start-Up, in which there is no cybersecurity maturity. This is followed by
the (2) Formative stage, in which some characteristics of the factor or aspect have
432 C. Alvarez et al.

begun to be formulated in a disorganized, poorly defined, or ad-hoc way. The next

level of maturity is described by the (3) Established stage, where there are indicators
in place, demonstrable evidence, and a functional and operational definition of each
aspect. Then, the (4) Strategic stage determines that there are decisions about the
importance of prioritizing certain aspects over others. Such decisions are based on
national or organizational interests. Finally, the (5) Dynamic stage establishes that
there are well-defined mechanisms to alter the national strategy depending on the
prevailing circumstances, such as the threat environment, global conflict, or changes
in some area of concern. The Dynamic stage also determines that there is global
leadership in cybersecurity and that there is the ability to make quick decisions, with
reallocation of resources, and in response to changes in the environment.

19.3.2 Strategic, Political and Institutional Cybersecurity

Capabilities for LAC’s Maritime Industry

Oxford’s CMM model has become influential in public policy decisions by countries
in the LAC region. In an effort that began in the past decade, involving the Orga-
nization of American States (OAS), the Inter-American Development Bank (IDB),
and the University of Oxford’s Global Cybersecurity Capacity Centre (GCSCC),
the Observatory of Cybersecurity in Latin America and the Caribbean (OCLAC)2
has published measurements of cybersecurity capabilities in countries of the LAC
region in 2016 and 2020. The 2020 measurement is based on 32 countries and is
extensively documented in a public report (GCSCC 2020), hereafter referred to as
the ‘OCLAC 2020 report’. The report concludes that states in the LAC region are not
sufficiently prepared to face cyberattacks, including the capacity to face attacks on
critical infrastructures and those involved in the maritime industry and its associated
supply chains.
Regarding developing national cybersecurity policies and strategies and legal and
regulatory frameworks, the first global precedent has been the Budapest Convention.
This agreement is the first international treaty created to protect society against
computer and Internet crimes through legislating, improving investigation techniques
and increasing international cooperation. Currently, 67 countries have signed the
Budapest Convention (Council of Europe 2022). In the LAC region, only Argentina,
Chile, Colombia, Costa Rica, Panama, Paraguay, Peru and the Dominican Republic
had ratified the agreement until late 2020 (GCSCC 2020).
International maritime security and safety efforts began in the early twentieth
century. The first version of the International Convention for the Safety of Life at
Sea (SOLAS) treaty was signed in 1914. Later conventions modernized regulations
and kept up with technical developments in the shipping industry. SOLAS conven-
tions and amendments have set minimum standards in merchant ships’ construction,
equipment and operation. The International Ship and Port Facility Security (ISPS)

2 https://www.cybersecurityobservatory.org.
19 Towards Cybersecure Maritime Supply Chains in Latin America … 433

Code was an amendment to SOLAS Convention in 2002 (International Maritime

Organization (IMO) n.d.-b) and defines measures to enhance maritime security both
on board ships and in ports (Kuhn et al. 2021). The ISPS Code was initially based on
a traditional approach to container security. However, it has recently included port
cybersecurity regarding access control and authentication requirements. The ISPS
Code has three security levels, ranging from low to high, in correspondence to the
nature and scope of the security threat or incident. The ISPS Code requires ports
and port authorities to develop and implement Port Facility Security Plans (PFSP)
for multiple operational levels, outlining measures to address threats and counter-
measures. PFSP is based on the Port Facility Security Assessment (PFSA) and a
risk analysis scheme that governments and authorized security organizations imple-
ment to identify major assets, possible threats and countermeasures (Inter-American
Committee against Terrorism 2021).
The IMO, the leading international maritime organization and the organiza-
tion behind SOLAS, has significantly addressed cybersecurity considerations in the
maritime area since 2017. All states in the LAC region are members of the Inter-
national Maritime Organization (IMO) (n.d.-a). The IMO has developed a strategic
plan for the period between 2018 and 2023 (International Maritime Organization
(IMO) 2017b), where the need for an integration between the existing and new
technologies in the regulatory process is recognized, aiming at balancing benefits
between security, safety, and environmental protection as well as the influence on
personnel both onboard and ashore (Mraković and Vojinović 2019). As part of its
strategic plan, IMO passed resolution MSC.428(98) (International Maritime Organi-
zation (IMO) 2017c), which came into force on January 1st, 2021, and IMO Guidance
MSC-FAL.1/Circ.3 (International Maritime Organization (IMO) 2017a). These regu-
lations address the implementation of maritime risk management in vessels’ safety
management systems (SMSs) under the ISM (International Safety Management)
Code objectives and requirements. MSC.428(98) and MSC-FAL.1/Circ.3 comple-
ment the IMO ISPS (International Ship and Port Facility Security) code for vessels
dealing with cyber and physical port security (Progoulakis et al. 2021).
Recently, CICTE has focused on identifying threats to the Western Hemisphere’s
critical infrastructure. In particular, the CICTE Cybersecurity Program assists OAS
member states in developing national or regional cybersecurity strategies. By the
end of 2020, thirteen countries throughout the Western Hemisphere had developed
national cybersecurity strategies, and seven are currently under development with
support from the OAS/CICTE Inter-American Committee against Terrorism (2021).
Concerning maritime security strategies, the CICTE Maritime and Port Security
Program (Organization of American States (OAS) 2022) focuses on strengthening
the protection and security capacities of OAS member states, from the national
level to the port level, according to their needs, vulnerabilities, and regulatory and
legislative frameworks. The CICTE Maritime and Port Security Program organizes
regional and national activities in consultation with other organizations, authorities
and key actors involved in developing maritime and port security capabilities. OAS
and CICTE initiatives lay the groundwork for addressing maritime cybersecurity risks
and vulnerabilities in the region (Inter-American Committee against Terrorism 2021).
434 C. Alvarez et al.

19.3.3 Operational Cybersecurity Capabilities for Maritime

Supply Chains in the LAC Region

After a country addresses relevant dimensions of policy, strategy and legislation for
cybersecurity, it can focus on incorporating the regulatory framework that contributes
to mitigating the impact of cybercrime in institutions, the economy, and citizens’ lives
(Díaz 2021). Local regulations on cybersecurity define how incidents are managed
by bodies providing tactical and operational capacity. The objective of operating
bodies in the public and private sectors is to minimize the time between the detection
of incidents and the start of their management, which includes resistance, response,
resilience and recovery capabilities.
‘Cybersecurity Incident Response Team’ (CSIRT) or ‘Computer Emergency
Response Team’ (CERT) are names often used synonymously for key operational
bodies that the public sector and private actors can count on to anticipate, resist and
recover from cyberattacks (Killcrece 2004; OAS Cyber Security Program 2016). A
CSIRT is a team or entity within an agency that provides services and support to
a particular target community (OAS Cyber Security Program 2016). CSIRTs are
multidisciplinary specialists who adopt formal procedures and policies to respond
quickly and effectively to cybersecurity incidents and mitigate cyberattack risks.
CSIRT services have evolved from basic functions related to incident management
and response to sophisticated R&D activity for threat intelligence and security moni-
toring of ecosystems comprised of public and private actors (i.e., contractors and
technology providers) through Security Operation Center (SOC) facilities.
While a CSIRT will respond to cybersecurity incidents, a SOC can be deployed
as a unit specialized in cyberattacks preventions and data breaches (Ruefle et al.
2014). Thus, CSIRTs and SOCs play synergistic roles in the cyber defense capa-
bilities of a country, industry, and public or private organizations. To prevent cyber
threats and attacks and to protect infrastructure, applications, data and users from
cybercrime, SOC staff and technical resources are dedicated to continuously moni-
toring and analyzing network traffic and behavior. To accomplish this, a SOC will
comprise threat intelligence technologies and procedures. In particular, Indicators of
Compromise (IOCs) are artifacts observed in networks or hosts, which are evidence
suggesting that cybersecurity has been compromised and are commonly distributed as
cryptographic digests of malware and ransomware infection. A SOC will ingest IOC
streams into its Security Information and Management System (SIEM). Through a
SIEM and other technologies and activities, a SOC can collect insight on malware and
ransomware attacks, threats that deploy several attack vectors (i.e., blended threats),
denial of service and botnet activity, data on phishing attacks, reputational informa-
tion about Internet domains, networks and hosts, among other valuable information
for cyberthreat and cyberattack prevention. A SOC will triage alerts and take action
or escalate incidents to CSIRTs to coordinate response and resolution (Krasznay and
Hámornik 2019).
According to the report mentioned above (GCSCC 2020), in 2020, only 7 of the
32 countries in the LAC region had a critical infrastructure protection plan, and only
19 Towards Cybersecure Maritime Supply Chains in Latin America … 435

20 countries had established a cybersecurity incident response team in the form of

a CSIRT or a CERT. In addition, 22 countries were considered to have a very low
capacity to investigate cybercrime. Concerning the maritime industry, no country in
the region has incorporated an operational body fully dedicated to maritime supply
chain operations, such as a maritime CSIRT or a SOC. The lack of development both
in the development of public policy and in the implementation of operating bodies
is attributed by the OAS to financing deficits and regional human capital formation.
ISC2 has estimated a deficit of human capital in cybersecurity to be around 515,000
workers in the Latin America region alone in 2022 (ISC2 2022). Consistently, the
OAS estimated a human capital deficit in cybersecurity in the LAC region of close
to 600,000 workers in 2020 (GCSCC 2020).

19.3.4 State of Cybersecurity Capabilities in Maritime Supply

Chain Operations in the LAC Region

Based on data collected by IDB, OAS and Oxford’s GCSCC, presented in the OCLAC
2020 report (GCSCC 2020), and public documentation from different countries in the
LAC region, in this section, we discuss the current state of cybersecurity capabilities
in the region and relate these findings to the operation of maritime supply chains. Our
analysis is split into three dimensions of Oxford’s CMM Model for Nations that hold
a close relationship to the development of cybersecurity capabilities in the maritime
industry, namely, Cybersecurity Policy and Strategy (i.e., Dimension 1 of CMM),
Legal and Regulatory Frameworks (Dimension 2), and Standards, Organizations,
and Technologies (Dimension 5). To compare the realities of different countries in
the region, we sourced data from indicators of the report mentioned above, which
have associated scores in a 1 (i.e., Start-Up maturity level) to 5 scales (i.e., Dynamic
maturity level) and computed average scores per domain factor. In the following
subsections, we discuss results per each of the dimensions.

19.4 Cybersecurity Policy and Strategy

In 2016 only five countries in the LAC region had approved a national cyberse-
curity strategy (BID 2016). The figure increased to twelve in 2020 (Global Cyber
Security Capacity Centre 2020), including the following countries: Colombia (orig-
inally in 2011, then revised in 2016), Panama (2013), Trinity and Tobago (2013),
Jamaica (2015), Paraguay (2017), Chile (2017), Costa Rica (2017), Mexico (2017),
Guatemala (2018), Dominican Republic (2018), Argentina (2019), and Brazil (2020)
(Global Cyber Security Capacity Centre 2020). Despite notable progress in five years,
according to the OCLAC 2020 report, only 7 of 32 countries analyzed had a critical
infrastructure protection plan. Furthermore, the OCLAC 2020 report informs that
436 C. Alvarez et al.

approximately one-third of the countries in the region lack the appropriate definition
of a legal framework for dealing with cybercrime.
Figure 19.1 presents average scores (i.e., stages according to Oxford’s CMM
for Nations model (GCSCC 2021)) of factors in the ‘Cybersecurity Policy and
Strategy’ Dimension of the OCLAC 2020 report (GCSCC 2020). As noted previ-
ously, Colombia, the first country to establish a national cybersecurity strategy in
2011, has taken the lead on this Dimension. Moreover, in 2016 Colombia improved
its national strategy by strengthening risk management aspects and elements for
fostering cooperation among stakeholders (Cámara de Comercio de Bogotá 2016).
However, concerning the cybersecurity of critical maritime infrastructures, according
to Gamboa et al. (2020), regulation of the ISPS Code has been adopted by Colombian
authorities partially and even informally in consideration of specific commitments
acquired by the SOLAS Conventions. Thus the Colombian Government has taken a
discretionary approach to defining policy to protect critical maritime infrastructure.

Fig. 19.1 Average maturity levels of states in the cybersecurity policy and strategy dimension of
CMM for Nations, based on Global Cyber Security Capacity Centre (2020)
19 Towards Cybersecure Maritime Supply Chains in Latin America … 437

Despite the above, Colombia has the region’s most mature crisis management
capability. This is explained partly due to the operation of its CSIRT, which coordi-
nates with security forces and government entities. Concerning the protection of crit-
ical infrastructure, Colombia also takes the lead over other Latin American countries
due to CSIRT operations, the publication of guidelines for the management of digital
security risks in public entities (Dirección de Gobierno Digital 2018), clear definition
and protection measures applied to critical infrastructures, that is, especially focused
on telecommunications network providers and services, as described in Resolution
CRC 5050 of 2016 (Comisión de Regulación de Comunicaciones, República de
Colombia 2016). In 2017, the Joint Cybernetic Command of the General Command
of the Colombian Military Forces adopted a National Protection and Defense Plan for
Colombia’s Critical Cybernetic Infrastructure. The plan aims to improve resilience
capabilities through five strategic lines, tending to strengthen cybersecurity of critical
maritime infrastructure throughout the country: Identity, Protect, Detect, Respond
and Recover. The plan includes implementing guidelines, certification and awareness
programs, strengthening response capacities and recovery from threats (Comando
Conjunto Cibernético 2017).
Chile also stands out due to a National Cybersecurity Policy launched in 2017,
which emphasizes five aspects, including cyber defense of IT infrastructure, civilian
rights in cyberspace, a culture of cybersecurity in society, establishing cooperation
with foreign actors and entities, and promoting a cybersecurity industry aligned with
strategic goals (Comité Interministerial sobre Ciberseguridad 2017).
Uruguay was observed with a high capability in cybersecurity policy and strategy
despite not having a specific national strategy, but rather an organized framework
that complies with international regulations applied in a national context, specifically
in the cyberdefense of critical infrastructure and public organizations. Uruguay has
reached top-level maturity in the categories of organization and coordination for
incident response. Like most higher-performing countries in this area, Uruguay has a
national CSIRT called CERTuy, and a SOC. The latter has operated uninterruptedly
since 2016. Uruguay’s CSIRT is under the tuition of the Government Agency of
Electronic Government and Information and Knowledge Society (AGESIC) (Poder
Ejecutivo UY 2009). This response team also receives technical support and advice
and uses the CSIRT Americas Network,3 which is part of OAS and CICTE. Similarly,
other well-rated countries with a national CSIRT are Argentina, Brazil, Colombia
and Mexico.
Concerning cyber defense capabilities, the highest-ranked countries, according to
the GCSCC (2020), are Colombia and Uruguay, both of which have a defined func-
tional organization. However, Colombia outperforms Uruguay in terms of strategy
by adopting models and regulations that afford flexibility and adaptability, consid-
ering future cyber threats at a national level. On the other hand, Uruguay shows
a better evaluation of Redundancy in Communications indicators, as it appears to

3 https://csirtamericas.org/.
438 C. Alvarez et al.

have developed better communication protocols and unique delegations of respon-

sibilities, allowing better cohesion between the entities involved in cyber defense
according to their qualification in the CMM for Nations Model (GCSCC 2021).
Santos Port Authority of Brazil has recently improved its cybersecurity policy and
strategy. They have launched initiatives for data loss prevention, improved access
control, and preventive penetration testing Santos Port Authority (2021a).

19.5 Legal and Regulatory Frameworks

Figure 19.2 presents the average scores of LAC countries in factors

regarding the ‘Legal and Regulatory Frameworks’ Dimension of Oxford’s CMM
for Nations model. Table 19.1 presents detailed scores in this Dimension for the
most advanced countries in the region. The Dominican Republic and Brazil are the
countries with the greatest progress.
Dominican Republic obtains high compliance rates in Legislative Frameworks for
ICT Security, Substantive Legislation Against Cybercrime, and Procedural Legisla-
tion Against Cybercrime. Its national strategy is part of the Digital Republic Program
created through Decree 258-16 (Medina 2019), where the legal framework and insti-
tutional strengthening is one of the fundamental pillars. Also, Dominican Republic
has specific legislation covering cybercrime (i.e., Law No. 53-07 (Poder Ejecutivo
RD 2007) on Crimes and High-Tech Crimes). Similarly, Law 172-13 (Poder Ejec-
utivo RD 2013) aims at “comprehensive protection of personal data stored in files,
public records, data banks or other technical means of data processing intended to
provide reports, whether public or private.” In addition, the 2010 Constitution grants

Fig. 19.2 Average maturity levels of states in the legal and regulatory frameworks dimension of
CMM for Nations, based on Global Cyber Security Capacity Centre (2020)
Table 19.1 Maturity of leading LAC states in legal and regulatory frameworks for cybersecurity, based on Global Cyber Security Capacity Centre (2020),
expressed as stages 1–5 of CMM
Country Legal frameworks Formal and informal
cooperation frameworks to
combat cybercrime
Legislative Data protection Consumer Intellectual Substantive Penal Formal Informal
frameworks for protection property cybercrime law legislation cooperation Cooperation
ICT security against
cybercrime
Brazil 4 4 4 3 4 4 2 2
Chile 3 3 4 5 3 3 3 3
Dominican 5 3 3 4 5 5 3 3
Republic
Uruguay 4 5 2 2 2 2 2 4
19 Towards Cybersecure Maritime Supply Chains in Latin America …
439
440 C. Alvarez et al.

every citizen the right to access any personal data held by government entities and the
right to request authorities to update, amend or eliminate any data that could illegiti-
mately affect the rights of a person (Poder Ejecutivo RD 2013). Recently, Dominican
Republic has signed an agreement with the United States Trade and Development
Agency (USTDA) and the North American company HudsonAnalytix, to implement
a technical assistance project evaluating cyberrisk and cybersecurity levels in its ports
(Santos Port Authority 2021b).
Brazil obtains scores similar to the Dominican Republic but also stands out
in Data Protection Legislation and Consumer Protection Legislation. Brazil relies
on various provisions established in the Federal Constitution (Poder Legislativo
BR 2019), the Brazilian Penal Code (Poder Legislativo BR 1940), the Consumer
Protection Code (Garcia 2020) and the Brazilian Civil Rights Framework to protect
privacy on the Internet. Recently, the main port of Brazil and Latin America (i.e.,
Santos Port Authority) reported plans to update its cybersecurity processes to comply
with European General Personal Data Protection Regulation (GDPR) (Santos Port
Authority 2021a).
Uruguay and Chile’s legal frameworks should also be highlighted. On the one
hand, Uruguay has legislation protecting personal data and privacy, as described in
Law No. 18331, which applies to databases in the public and private sectors (Registro
Nacional de Leyes y Decretos 2008). On the other hand, Chile has recently updated
its legislation against cybercrime. Law No. 21459, passed on June 2022, supersedes
former Law No. 19223 (Poder Legislativo CL 1993, 2022) from 1993. This updated
legislation was developed to be aligned closer to the Budapest Convention. It intro-
duces new penal figures and sanctions for various cybercrimes, including the attack
on IT system integrity, illegal access, illegal interception, data integrity, data forgery,
cybernetic fraud and device abuse. The Law modifies the Penal Code (i.e., article 218
bis), demanding that digital service providers maintain data for criminal investiga-
tions for up to 180 days. This requirement applies to port operators; thus, law compli-
ance requires that data backups of transactional systems are kept secure and opera-
tional. In addition to the updated legislation on cybercrime, Chile counts with legis-
lation for personal data protection, namely, Law No. 19628 (Poder Legislativo CL
2022). Also, a constitutional reform was passed in 2018, recognizing citizens’ right
to their honor, private life, and personal data protection (Poder Legislativo CL 2018).
Colombia has developed maturity in legal and regulatory frameworks similar to
that of Uruguay, which is slightly lower than Brazil (see Fig. 19.2). Challenges in
Colombia regarding legislation aimed at protecting critical maritime infrastructure
have been noted by Gamboa et al. (2020). Their study highlights that domestic
Law in Colombia lacks regulation allowing the effective state control of maritime
operations in the country’s jurisdictional waters to prevent cybernetic risks in port
facilities. Additional legislation and regulations are needed to prevent, manage and
control cybersecurity incidents from foreign ships using the right of innocent passage
in Colombia’s territorial sea.
19 Towards Cybersecure Maritime Supply Chains in Latin America … 441

19.6 Standards, Organizations and Technologies

Figure 19.3 presents the average scores of LAC countries in factors regarding the
‘Standards, Organizations and Technologies’ Dimension of Oxford’s CMM for
Nations model (GCSCC 2021), as per the OCLAC 2020 report (GCSCC 2020). Table
19.2 presents detailed scores (i.e., maturity stages on a 1–5 scale) in this Dimension
for the most advanced countries in the region. As can be seen, Uruguay has the most
advanced capability maturity in factors including Standards Compliance, Software
Quality, Technical Security Controls, Responsible Disclosure and, especially, Cryp-
tographic Controls. For example, Uruguay has a cybersecurity framework organized
regarding international standards applicable to national regulations to improve the
cybersecurity of critical infrastructure and public organizations (AGESIC 2018).
Likewise, it is possible to highlight Brazil, which obtains high levels of compliance
with ICT Security Standards. The financial and ICT sectors are more advanced in
cybersecurity since they are frequent targets, so they invest highly in cybersecurity.
Santos Port Authority in Brazil has strengthened security against cyberattacks in
its corporate network by adopting technologies and standards widely at the organi-
zational level (Santos Port Authority 2021a). For example, user access rights and
policies have been revised with measures such as generalized blocking of USB ports
of staff’s PCs, periodic forced updating of user passwords, forensic procedures for
dealing with computers and devices suspected of infection, and updates to centralized
security.

Fig. 19.3 Average capability maturity levels of states in the standards, organizations and tech-
nologies dimension of CMM for Nations, based on Global Cyber Security Capacity Centre
(2020)
 442

Table 19.2 The maturity of leading LAC states in standards, organizations and technologies for cybersecurity, based on the Global Cyber Security Capacity
Centre (2020), is expressed as stages 1–5 of CMM
Country Standards compliancea Software quality Technical security Cryptographic controls Cybersecurity Responsible disclosure
controls marketb
Brazil 4 2 2 2 3 3 3 3 3
Uruguay 4 4 4 4 4 5 3 3 4
a Includes ICT Security, Procurement, and Software Development Standards
b Includes Cybersecurity Technologies and Cybercrime Insurance
C. Alvarez et al.
19 Towards Cybersecure Maritime Supply Chains in Latin America … 443

The Dominican Republic also presents advances in cybersecurity standards and

risk prevention. For example, the private ports of Caucedo and AES-Andrés have been
certified by the Specialized Port Security Corps and the Dominican Port Authority
(PortalPortuario 2021). These certifications validate measures adopted by ports for
strengthening the protection and surveillance of technology-assisted operations in
their facilities.

19.7 Discussion

19.7.1 Prospects for Cyberstrategy and Policy in the LAC

Region

Cybersecurity of maritime supply chains in the LAC region is an issue of growing

concern that, until less than a decade ago, was not prioritized by many states in the
region (Díaz 2021). In recent years, there has been increasing awareness in LAC
countries about the need to formulate national cybersecurity policies and strategies,
especially regarding the cyber defense of critical infrastructures, particularly those
related to maritime supply chains. Through resolutions and specialized programs,
supranational bodies such as the OAS and the IMO have facilitated the advance-
ment of states of the LAC region towards developing basic maritime cybersecurity
and cyberdefense capabilities (GCSCC 2020; Inter-American Committee against
Terrorism 2021). Prospects in this regard are optimistic, particularly due to OAS-
led programs and efforts to develop cybersecurity capabilities in its member states.
Most importantly, by adopting the CMM for Nations model (GCSCC 2021), the OAS
has led the implementation of a consistent methodology to diagnose the maturity of
cybersecurity capabilities at the state level and has launched the Maritime Port and
Security Program through CICTE (Organization of American States (OAS) 2022).
The CMM for Nations model covers the complexities of a State’s cybersecu-
rity challenges, from political and strategic concerns to tactical and operational
aspects. However, other complementary cybersecurity assessments can be lever-
aged by government authorities, leadership in the maritime sector, and other rele-
vant stakeholders for awareness, discussion and decision-making. For example, the
International Telecommunication Union (ITU), United Nations’ specialized agency
for ICTs, developed the Global Cybersecurity Index (GCI) to measure the devel-
opment of cybersecurity in nations worldwide, including five dimensions: Legal,
Technical, Organizational, Capacity Development, and Cooperation (International
Telecommunication Union (ITU) 2020). The indicator was launched in 2015, and
the latest version of the GCI report was published in 2021 based on data from 194
countries collected in the previous year. The GCI is based on an aggregate score
by which countries are ranked and compared. GCI and CMM cybersecurity assess-
ment models measure similar aspects regarding developing cybersecurity in nations
(Global Forum on Cyber Expertise 2021). However, CMM does not aim at ranking
444 C. Alvarez et al.

countries but is centered on the evidence required to determine that a certain stage of
maturity has been reached for a factor/aspect in a state. To reach a level of maturity
in any CMM dimension, all indicators for a factor/aspect of that Dimension must
have been met. The CMM, therefore, directly indicates what areas require further
development in a state to reach the next stage of maturity and the data required to
evidence such a level of capability maturity.
To encourage the development of cybersecurity capabilities in countries of the
LAC region, states’ commitment to supranational institutions, such as the OAS,
through human and financial resources contributions is essential. This is because
the region’s public and private actors involved in maritime logistics face shared
cybersecurity risks, threats and challenges. In addition, ensuring the continuity of
regional initiatives such as those promoted by OAS, including their escalation to all
states in the LAC region, will require that states determine institutional formulas to
monitor and develop their cybersecurity capabilities locally and autonomously while
cooperating with regional institutions. Venues for systematization and dissemination
of knowledge at the regional level are needed to inform different roles according to
multiple specialty areas in cybersecurity (Petersen et al. 2020). In addition, as in other
areas that concern the operation of states, political decisions on cybersecurity must be
informed by technical knowledge and expertise. Therefore, states must adopt knowl-
edge management systems and organizational structures aimed at creating, sharing
and systematizing cybersecurity knowledge at the local level while continuing to
cooperate with supranational institutions, involving technical actors from both the
academic and professional worlds.
OAS recommends that its member states underpin cybersecurity strategies and
implementation plans with existing frameworks and standards for critical infras-
tructure cybersecurity and develop key governance and policy documents to guide
their organizations and staff in securely using systems and data. However, once
countries define their cybersecurity and critical infrastructure protection strategies
and policies, it is necessary to strengthen cooperation between public and private
actors for prevention, resilience and recovery from cybersecurity incidents in the
maritime industry. This is because security vulnerabilities in maritime logistic oper-
ations can originate from public and private entities cooperating in this environment
(Cheung et al. 2021). Digital transformation and the Fourth Industrial Revolution
bring widespread use of IoT technologies, artificial intelligence, machine learning,
and large-scale machine-to-machine communication to maritime supply chain oper-
ations. This context presses that public–private cooperation can take place effectively
because there is a growing integration of services and systems in maritime logistics.
Therefore, the development of cooperation models is required at policy, governance
and procurement levels among public and private entities and at a technical level.
19 Towards Cybersecure Maritime Supply Chains in Latin America … 445

19.7.2 Recommendation of Good Practices for Cyber Secure

Operations in LAC Maritime Supply Chains

Several good practices for strengthening the cybersecurity of maritime operations

have been recommended by the Maritime and Port Security Program of CICTE
to OAS member states (Inter-American Committee against Terrorism 2021). For
successful implementation of measures, parties involved in maritime supply chains
must allocate in budget plans CapEx and OpEx that are needed for comprehensive
cybersecurity. Then, good operational practices come from a wide range of aspects.
A key practice for countries developing cybersecurity capabilities in the LAC region
is implementing training programs that effectively consider the needs of maritime
industry personnel, ensuring that training is continuous and recurring.
In designing and implementing IT/OT infrastructure for maritime operations,
access control to cyber-physical systems is of utmost importance, including segmen-
tation (independence) of communication networks for IT and OT operations and
personnel and machinery access management to physical and digital assets. In addi-
tion, Port Facility Security Plans (PFSPs) must be thoroughly updated to include
cybersecurity aspects. Other good practices essential for strengthening preventive
and defensive cybersecurity capabilities are email security, including email usage
policies, anti-spam measures, and staff training on the safe use of email. Awareness
and protection against social engineering, commonly spread by email as the primary
attack vector, although potentially based on multi-vector attacks, is also essential.
CICTE recommends good practices for network security, vulnerability manage-
ment and situational awareness. These include periodic offensive exercises against
infrastructure, services and applications to promptly detect (and remedy) threats
and vulnerabilities (Inter-American Committee against Terrorism 2021). Applica-
tion security is also emphasized as part of vulnerability management. Namely, mobile
applications and IoT platforms require security audits and controls, as these are being
widely adopted in vessel and port operations. Patch management for software must
be functional in every IT operation. This permits keeping software updated in an
automated manner, including operating systems and applications, throughout the
logistics chain. Patching must effectively minimize system downtime while being
performed as often as necessary to minimize the opportunity for attackers to exploit
known vulnerabilities in IT/OT systems and applications. In addition, commonplace
ransomware attacks must be countered by measures to prevent data loss and facilitate
data recovery. In this regard, data backups must be performed in highly secure remote
locations. Redundancies in data backups are needed for critical systems. Also, data
recovery drills must be conducted with staff responsible for enacting data recovery
plans.
Maritime organizations must collect and analyze information about cyberthreats
and share information about threats and successful attacks. To prevent incidents
occurring at the intersection of public and private actors, to implement early-alert
systems that operate within existing national CSIRTs and SOCs in several states
of the LAC region. An important reference in this matter is the Spanish Internet
446 C. Alvarez et al.

Early Warning System (SAT-INET) (Centro Criptológico Nacional N/D), which

depends on the National Cryptologic Center (CCN-CERT) that is affiliated with
Spain’s National Intelligence Center (CNI). Through an operation similar to that of
a SOC in Managed Security Service Provider (MSSP) mode, SAT-INET deploys
probes in affiliated entities—public and private—to detect the presence of indicators
of compromise and anomalous activity. The benefits of such an approach are partic-
ularly (1) that affiliated organizations have access to a large set of incident detection
rules integrated by CERT or CSIRT experts. This allows the detection and control
of a greater number of threats than an individual entity may cope with by its means.
(2) Early detection of incidents already replicated in other assigned domains, also
known as inter-domain detection of threats. (3) Detection based on the correlation
of events and the provision of information by all entities monitored by the early-
alert system and the respective CSIRT’s cyber-intelligence operation. (4) Delivery
of valuable statistical reporting to administrative staff in charge of IT/OT, and (5)
the CSIRT can offer affiliated parties stronger resilience capabilities to contain and
eliminate cyberattacks.
As maritime organizations are key players in the complex global logistics envi-
ronment and rely on digital and increasingly integrated systems that exchange data
with a large number of external parties, maritime organizations are required to take
measures to ensure that customers, vendors and other third parties take appropriate
measures to minimize their vulnerability to cyberattacks. Thus, maritime organiza-
tions should take notice of sensitive data they exchange with third parties, such as
confidential contracts and cargo details and personnel information that is exchanged
between parties. Maritime organizations need to implement third-party management
programs to deal with this effectively. Namely, there must be roles and responsibili-
ties for personnel working with third parties and a tiered ranking of security controls
for managing each third party according to the required security level. Procurement
contracts must be updated to include clauses enforcing cybersecurity standards and
measures, including governance, physical security, personnel security, information
security, risk management and cyberincident response requirements. Maritime orga-
nizations should also consider clauses, such as indemnification and a requirement
for cyberliability coverage, that reduce the maritime organization’s financial risk if
a vendor’s practices result in a cyberincident. Lastly, there must also exist training
requirements for third parties. All third parties, including vendors and contractors,
should complete cybertraining before exercising roles that require dealing with any
digital asset or IT/OT system connected to a network.

19.8 Conclusions

In this chapter, we have described the state of development of cybersecurity capabil-

ities in the countries of the LAC region and the challenges maritime supply chains
currently face in operating securely. Recently, several cybersecurity attacks have
compromised the operation of multiple ports, resulting in operational and economic
19 Towards Cybersecure Maritime Supply Chains in Latin America … 447

damage. Although there are a few countries in the LAC region that are more advanced
in their cybersecurity capabilities, several states in the region are at an early stage
of capability development without yet defining their national cybersecurity policies
and strategies, including security policies for the defense of critical infrastructures
concerning port and maritime operations. Faced with this, the Organization of Amer-
ican States has led several relevant efforts and advancements for the region’s progress.
Efforts made by the states of the LAC region and OAS need to crystallize and persist
over time, as cyberspace is a domain that is not limited by physical borders, whereby
states face shared risks and challenges. The nature of the cybersecurity vulnerabilities
presented in this chapter shows that the protection of maritime supply chains requires
specialized strategic, political and tactical-operational definitions and joint action of
stakeholders in these areas through juridical-legal and organizational structures that
facilitate coordinated and efficient action for effective cyber defense and resilience.
On the other hand, maritime supply chains are a highly dynamic environment
due to the diversity of stakeholders that interact in them and the multiple interfaces,
devices and technologies involved in digital data exchange. In the maritime industry,
human operators interact with cyber-physical systems that integrate information and
operational technologies. This has been identified as a source of cybersecurity risks
by multiple authors and studies (Alcaide and Llave 2020; Ben Farah et al. 2022;
Cheung et al. 2021; Park et al. 2019). In addition, the growing adoption of Industry 4.0
technologies in maritime supply chains results in machine-to-machine interactions
that increase the possibility of new cyber vulnerabilities and increase the risks of
cyberattacks. In this chapter, we have identified a series of practical recommendations
on cybersecurity for stakeholders who make decisions in maritime supply chains and
operate the technologies involved. Finally, it cannot be overemphasized that there is
a significant shortage of human capital trained in cybersecurity in the LAC region.
This calls for the involvement of higher education institutions and public and private
entities in maritime supply chains to cooperate in providing comprehensive education
and training to governing bodies and technical personnel.

Acknowledgements Our special thanks go to Mr. Juan Ignacio Nicolossi and the Senator of the
Republic of Chile, Kenneth Pugh, for their valuable insights and references about cybersecurity in
the LAC region, which resulted in highly informative and inspirational for the authors of this work.

References

AGESIC (2018) Marco de ciberseguridad, Uruguay. https://www.gub.uy/agencia-gobierno-ele

ctronico-sociedad-informacion-conocimiento/comunicacion/publicaciones/marco-cibersegu
ridad. Accessed 1 Sep 2022
Alcaide JI, Llave RG (2020) Critical infrastructures cybersecurity and the maritime sector. Transp
Res Procedia 45:547–554. https://doi.org/10.1016/j.trpro.2020.03.058
Ben Farah MA, Ukwandu E, Hindy H, Brosset D, Bures M, Andonovic I, Bellekens X (2022)
Cyber security in the maritime industry: a systematic survey of recent advances and future
trends. Information 13(1):1–33. https://doi.org/10.3390/info13010022
448 C. Alvarez et al.

BID (2016) Cybersecurity: are we ready in Latin America and the Caribbean? https://publications.
iadb.org/publications/english/document/Cybersecurity-Are-We-Ready-in-Latin-America-and-
the-Caribbean.pdf. Accessed 2 Jul 2022
Cámara de Comercio de Bogotá (2016) Documento Conpes 3854, Política nacional de
seguridad digital. https://colaboracion.dnp.gov.co/CDT/Conpes/Econ%C3%B3micos/3854_A
denda1.pdf. Accessed 20 June 2022
Centro Criptológico Nacional (N/D) Sistema de Alerta Temprana SAT-INET 2.0. https://www.
ccn-cert.cni.es/gestion-de-incidentes/sistema-de-alerta-temprana-sat/sat-inet.html. Accessed
12 Mar 2022
Cheung KF, Bell MG, Bhattacharjya J (2021) Cybersecurity in logistics and supply chain manage-
ment: an overview and future research directions. Transp Res Part E Logist Transp Rev
146:102217. https://doi.org/10.1016/j.tre.2020.102217
Comando Conjunto Cibernético (2017) Plan Nacional de Protección y Defensa para la Infraestruc-
tura Crítica Cibernética de Colombia. https://www.ccit.org.co/wp-content/uploads/sesion-5-
panel-infraestructuras-criticas-ciber-en-colombia.pdf. Accessed 1 Sep 2022
Comisión de Regulación de Comunicaciones, República de Colombia (2016) Resolución no. 5050
de 2016. https://bogota.gov.co/sites/default/files/tys/2020/10/Resoluci%C3%B3n-CRC-5050-
de-2016-PDF.pdf. Accessed 1 Sep 2022
Comité Interministerial sobre Ciberseguridad (2017) Política Nacional de Ciberseguridad, Chile
2017–2022. Asesoría Técnica Parlamentaria 1–7. http://biblioteca.digital.gob.cl/handle/123456
789/738. Accessed 12 Apr 2022
Council of Europe (2022) Parties/observers to the Budapest convention and observer organizations
to the T-CY. https://www.coe.int/en/web/cybercrime/parties-observers. Accessed 10 Sep 2022
Drougkas A, Sarri A, Kyranoudi P, Zisi A (2019) Port cybersecurity. Good practices for cybersecu-
rity in the maritime sector. Technical report, ENISA. https://www.enisa.europa.eu/publications/
port-cybersecurity-good-practices-for-cybersecurity-in-the-maritime-sector. Accessed 23 May
2022
Díaz RM (2021) State of cybersecurity in logistics in latin america and the caribbean. Production
Development series, No. 228 (LC/TS.2021/108), Santiago, Economic Commission for Latin
America and the Caribbean (ECLAC). https://www.cepal.org/en/publications/47655-state-cyb
ersecurity-logistics-latin-america-and-caribbean. Accessed 22 Jul 2022
Dirección de Gobierno Digital (2018) Anexo 4 Lineamientos para la gestión de riesgos de
seguridad digital en entidades públicas. República de Colombia, Ministerio de Tecnologías de
la Información y las Comunicaciones, Viceministerio de Economía Digital. https://www.fun
cionpublica.gov.co/documents/418548/34316316/Anexo+4+Lineamientos+para+la+Gestion+
del+Riesgo+de++Seguridad+Digital+en+Entidades+P%C3%BAblicas+-+Gu%C3%ADa+rie
sgos+2018.pdf/1ce5099d-c5e5-8ba2-00bc-58f801d3657b. Accessed 14 Jul 2022
Erstad E, Ostnes R, Lund M (2021) An operational approach to maritime cyber resilience. TransNav:
Int J Mar Navig Saf Sea Transp 15(1):27–34. https://doi.org/10.12716/1001.15.01.01
Gamboa YBG, Ramírez-Cabrales F, Jiménez JAM (2020) Cyber security vulnerabilities in
Colombia’s maritime critical infrastructure (MCI). Smart Innov Syst Technol 181(20):3–15.
https://doi.org/10.1007/978-981-15-4875-8_1
Garcia LMd (2020) Direito do consumidor: Lei no 8.078/1990. https://www.planalto.gov.br/ccivil_
03/leis/l8078compilado.htm. Accessed 12 June 2022
GCSCC (2020) Cybersecurity risks, progress, and the way forward in Latin America and the
Caribbean. Technical report, Inter-American Development Bank and the Organization of
American States. https://doi.org/10.18235/0002513
GCSCC (2021) Cybersecurity capacity maturity model for nations (CMM)-2021 edition. Technical
report, Department of Computer Science, University of Oxford. https://gcscc.ox.ac.uk/the-cmm.
Accessed 15 May 2022
Global Forum on Cyber Expertise (2021) Global overview of existing national cyber capacity
assessment tools (GOAT). https://cybilportal.org/publications/global-overview-of-assessment-
tools-goat. Accessed 2 Jul 2022
19 Towards Cybersecure Maritime Supply Chains in Latin America … 449

Gunes B, Kayisoglu G, Bolat P (2021) Cyber security risk assessment for seaports: a case study of
a container port. Comput Secur 103:102196. https://doi.org/10.1016/j.cose.2021.102196
Inter-American Committee Against Terrorism (2021) Maritime cybersecurity in the western
hemisphere: an introduction and guidelines. Technical report, Organization of American
States. https://www.oas.org/en/sms/cicte/docs/Maritime-cybersecurity-in-the-Western-Hemisp
here-an-introduction-and-guidelines.pdf. Accessed 2 Jul 2022
International Maritime Organization (IMO) (2017a) Circular letter no.4204/Add.20. https://
wwwcdn.imo.org/localresources/en/MediaCentre/HotTopics/Documents/COVID%20CL%
204204%20adds/Circular%20Letter%20No.4204-Add.20%20-%20Coronavirus%20(Covid-
19)%20-%20Accelerating%20Digitalization%20Of%20Maritime%20Trade.pdf. Accessed 14
Apr 2022
International Maritime Organization (IMO) (2017b) Resolution a.1110(30) strategic plan for the
organization for the six-year period 2018 to 2023. https://www.liscr.com/strategic-plan-organi
zation-six-year-period-2018-2023. Accessed 25 Aug 2022
International Maritime Organization (IMO) (2017c) Resolution msc.428(98): maritime cyber risk
management in safety management systems. https://wwwcdn.imo.org/localresources/en/Our
Work/Security/Documents/Resolution%20MSC.428(98).pdf. Accessed 5 Aug 2022
International Maritime Organization (IMO) (n.d.-a) Technical cooperation-Latin America
and Caribbean. https://www.imo.org/en/OurWork/TechnicalCooperation/Pages/LAC.aspx.
Accessed 5 Aug 2022
International Maritime Organization (IMO) (n.d.-b) International convention for the safety of life at
sea (SOLAS), 1974. https://www.imo.org/en/About/Conventions/Pages/International-Conven
tion-for-the-Safety-of-Life-at-Sea-(SOLAS),-1974.aspx. Accessed 7 May 2022
International Telecommunication Union (ITU) (2020) Global cybersecurity Index. https://www.itu.
int/en/ITU-D/Cybersecurity/Pages/global-cybersecurity-index.aspx. Accessed 2 Aug 2022
ISC2 (2022) Cybersecurity professionals focus on developing new skills as workforce gap widens.
Cybersecurity workforce study. https://www.isc2.org/Research/Workforce-Study. Accessed 30
Aug 2022
Kapalidis C (2019) Cyber security challenges for the maritime industry. https://safety4sea.com/cm-
cyber-security-challenges-for-the-maritime-industry. Accessed 30 Aug 2022
Karamperidis S, Kapalidis C, Watson T (2021) Maritime cyber security: a global challenge tackled
through distinct regional approaches. J Mar Sci Eng 9(12):1323. https://doi.org/10.3390/jmse91
21323
Killcrece G (2004) Steps for creating national csirts. Carnegie Mellon Software Engi-
neering Institute. https://resources.sei.cmu.edu/asset_files/WhitePaper/2004_019_001_53064.
pdf. Accessed 1 Aug 2022
Krasznay C, Hámornik BP (2019) Human factors approach to cybersecurity teamwork–the military
perspective. Adv Mil Technol 14(2):291–305. https://doi.org/10.3849/aimt.01296
Kuhn K, Kipkech J, Shaikh S (2021) Maritime ports and cybersecurity. Maritime Transport and
ITS Solutions in Port Logistics; Fiorini, M, Gupta, N, Eds. IET
McGillivary P (2018) Why maritime cybersecurity is an ocean policy priority and how it can be
addressed. Mar Technol Soc J 52(5):44–57. https://doi.org/10.4031/MTSJ.52.5.11
Medina D (2019) Decreto 258-16, República Dominicana. https://optic.gob.do/wp-content/uploads/
2019/02/Decreto-258-16.pdf. Accessed 25 Aug 2022
Mednikarov B, Tsonev Y, Lazarov A (2020) Analysis of cybersecurity issues in the maritime
industry. Inf Secur 47(1):27–43. https://doi.org/10.11610/isij.4702
Mraković I, Vojinović R (2019) Maritime cyber security analysis–how to reduce threats? Trans Mar
Sci 8(01):132–139. https://doi.org/10.7225/toms.v08.n01.013
OAS Cyber Security Program (2016) Best practices for establishing a national CSIRT. https://
www.oas.org/es/sms/cicte/ciberseguridad/publicaciones/2016%20-%20Best%20Practices%
20CSIRT.pdf. Accessed 22 Jul 2022
Organization of American States (OAS) (2022) CICTE maritime and port security program. https://
www.oas.org/en/sms/cicte/prog-maritime-security.asp. Accessed 21 Jul 2022
 450 C. Alvarez et al.

Park C, Shi W, Zhang W, Kontovas C, Chang C (2019) Cybersecurity in the maritime industry: a
literature review. In: 20th Commemorative annual general assembly, AGA 2019-proceedings of
the international association of maritime universities conference, IAMUC 2019, pp 79–86
Petersen R, Santos D, Wetzel K, Smith M, Witte G (2020) Workforce framework for cybersecurity
(nice framework). Natl Inst Stand Technol. https://doi.org/10.6028/NIST.SP.800-181r1
Pimenta B, McKenzie C (2021) Cyber exploration: the geostrategic quest of apt groups in LATAM.
Technical report, AdvIntel LATAM. https://www.advintel.io/post/cyber-exploration-the-geostr
ategic-quest-of-apt-groups-in-latam. Accessed 4 Jul 2022
Poder Ejecutivo UY (2009) Decreto No 451/009, Uruguay. https://www.impo.com.uy/bases/dec
retos/451-2009. Accessed 4 Jul 2022
Poder Ejecutivo RD (2007) Ley 53-07, República Dominicana. https://www.opd.org.do/descargas/
Ciberpolitica/Leyes/Ley-No.53-07-Sobre-Cri%CC%81menes-y-Delitos-de-Alta-Tecnologia.
pdf. Accessed 29 Jul 2022.
Poder Ejecutivo RD (2013) Ley 172-13, República Dominicana. https://migracion.gob.do/wp-con
tent/uploads/2019/10/Ley-172-13-sobre-proteccion-de-datos-personales-de-fecha-13-de-dic
iembre-de-2013.pdf. Accessed 29 Jul 2022
Poder Legislativo BR (1940) Decreto-Lei No 2.848, de 7 de Dezembro de 1940.
Brasil. https://www2.camara.leg.br/legin/fed/declei/1940-1949/decreto-lei-2848-7-dezembro-
1940-412868-publicacaooriginal-1-pe.html. Accessed 15 Jul 2022
Poder Legislativo BR (2019) Proposta de emenda à constituição n 17, de 2019. Brasil. https://
www25.senado.leg.br/web/atividade/materias/-/materia/135594. Accessed 20 Jul 2022
Poder Legislativo CL (1993) Ley 19223 de la República de Chile. Chile. https://www.bcn.cl/ley
chile/navegar?idNorma=30590. Accessed 26 Jul 2022
Poder Legislativo CL (2018) Ley 21096 de la República de Chile. Chile. https://www.bcn.cl/ley
chile/navegar?idNorma=1119730. Accessed 29 Jul 2022
Poder Legislativo CL (2022) Ley 21459 de la República de Chile. Chile. https://www.bcn.cl/ley
chile/navegar?idNorma=1177743. Accessed 29 Jul 2022
PortalPortuario (2021) Dp world caucedo y puerto AES-Andrés consiguen certificación en seguridad
y prevención de riesgos. https://portalportuario.cl/dp-world-caucedo-y-puerto-aes-andres-con
siguen-certificacion-en-seguridad-y-prevencion-de-riesgos/. Accessed 18 Jul 2022
Progoulakis I, Rohmeyer P, Nikitakos N (2021) Cyber physical systems security for maritime assets.
J Mar Sci Eng 9(12). https://doi.org/10.3390/jmse9121384
Registro Nacional de Leyes y Decretos (2008) Ley 18331 de la República Oriental del Uruguay.
https://www.impo.com.uy/bases/leyes/18331-2008. Accessed 16 Jul 2022
Ruefle R, Dorofee A, Mundie D, Householder AD, Murray M, Perl SJ (2014) Computer security
incident response team development and evolution. IEEE Secur Priv 12(5):16–26. https://doi.
org/10.1109/MSP.2014.89
Santos Port Authority (2021a) Relatório annual 2021. https://www.portodesantos.com.br/wp-con
tent/uploads/spa-relatorio-anual-2021.pdf. Accessed 19 Jul 2022
Santos Port Authority (2021b) Tito mella. https://www.titomella.com/. Accessed 20 Aug 2022
Sirimanne S (2021) Review of maritime transport 2021. In: United nations conference on trade
and development (UNCTAD), Geneva, Switzerland. https://unctad.org/system/files/official-doc
ument/rmt2021_en_0.pdf. Accessed 09 Jul 2022

View publication stats