Navigating cyber resilience in seaports: challenges of preparing for cyberattacks at the Port of Rotterdam

PurposeCyber resilience has emerged as an approach for seaports to deal with cyberattacks; it emphasizes ports' ability to prepare for an attack and to keep operating and recover quickly. However, little research has been undertaken on the challenges of governing cyber risks in seaports. This study aims to address this gap. Design/methodology/approachGoverning cyber resilience is shaped by distributed responsibilities, uncertainties and ambiguities. The authors use this conceptualization to explore the governance of cyber risks in seaports, taking the Port of Rotterdam as a case study and analyzing semistructured interviews with stakeholders, participatory observation and policy documents and legislation. FindingsThe authors found that many strategies for governing cyber risks remain dedicated to protecting computer systems against cyberattacks. Nevertheless, port stakeholders have also developed strategies in anticipation of disruptions. However, these strategies appear informal and uncoordinated due to a lack of information exchange, insufficient knowledge regarding cyber risks and disagreement about how to make the Port of Rotterdam cyber resilient. What mainly hampers the cyber resilience of the port is the lack of a comprehensive regulatory framework and economic incentives. The authors conclude that resilience is merely an ideal at the Port of Rotterdam, meaning related governance strategies remain incremental and await institutionalization. Originality/valueThis paper offers insights into the cyber resilience of critical socio-technical systems, which have been underexposed in cyber resilience debates, but, when exploited, can manifest in large-scale disruptions.

Automated summary

This study aims to fill the research gaps in governing cyber risks in seaports. By using the conceptualization of distributed responsibilities, uncertainties, and ambiguities to shape the governance of cyber resilience, the authors explore the case study of the Port of Rotterdam through interviews, observation, and analysis of policy documents and legislation. The findings reveal a challenge in balancing strategies for protecting computer systems against cyberattacks and strategies for anticipating disruptions. Lack of information exchange, inadequate knowledge, and disagreement hinder the coordination of these strategies. The lack of a comprehensive regulatory framework and economic incentives is the main obstacle to achieving cyber resilience in the port. The authors conclude that resilience at the Port of Rotterdam remains an ideal, with governance strategies awaiting institutionalization.