Cyber resilience has never been more important than it is today. If cybercrime were an economy it would be the third largest in the world, according to the World Economic Forum.
For ports and the maritime sector at large, connected systems are under increasing threat. In 2020, security firm Naval Dome said that reported cyber-attacks on the sector had risen by a staggering 900% since 2017.
Cyber-attacks on ports and terminals are not a new phenomenon. One of the most destructive occurred at the Port of Antwerp back in 2011, when drug traffickers breached the port’s container management system so that they could locate and collect containers carrying their drugs.
In 2021, online systems continue to be rocked by cyber-attacks. Ports and shipping stakeholders ranging from liner HMM to South African port infrastructure owner Transnet have been impacted by IT disruptions, stalling operations and risking financial and data loss.
As ports have become increasingly digitalised, introducing Internet of Things (IoT) assets to their networks, the ‘attack surface’ available to criminals has also grown.
Digitalisation drives risk
Athanasios Drougkas, Cybersecurity Expert at the European Union Agency for Cybersecurity (ENISA), outlined how the maritime industry’s digital transformation has led to a change in the sector’s cyber risk profile.
“The connectivity and proliferation of Information Technology (IT) [and] Operational Technology (OT) assets that have driven this digitalisation have increased the attack surface of maritime operators and, thus, the likelihood of cybersecurity incidents,” he told PTI.
Reliance on IT to deliver automated and optimised services – such as remote crane control to optimise box stacking in a container yard, for example – has increased the risk for a cybersecurity incident.
Historically, assets in ports were designed to operate as closed networks or systems, Drougkas said.
Now, the increased number of connected assets – such as a gantry crane sending data on cable health or productivity output to the Terminal Operating System (TOS), for example – increases the risk areas for a port complex.
“In modern port environments, these include assets that may significantly vary in terms of cybersecurity characteristics, ranging from quick-to-market IoT devices to legacy systems to a plethora of IT and OT assets,” he said, adding that this all creates a challenge in maintaining a resilient cybersecurity network around a port.
Further, Drougkas said increased supply chain connectivity can introduce differing levels of cybersecurity maturity.
Centralised data exchanges such as Port Single Windows have allowed ports, shippers, and inland logistics actors to become smarter and more agile in operations – no doubt a positive progression, and one that will only grow in the future.
But this increased connectivity “introduces challenges” in securing points of entry for cyber-attackers that lie beyond the port’s own assets and control, Drougkas explained.
Who might be behind a cyber-attack?
Richard Oloruntoba, Associate Professor in Supply Chain Management at Curtin University, and Nik Thompson, Associate Professor and Discipline Lead of Business Information Systems in Curtin Business School outlined the confluence of drivers for criminals to target ports and maritime operators.
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has sorted cyber-criminals into five categories: national governments; terrorists; industrial spies and organised crime groups; hacktivists; and hackers, Oloruntoba told PTI.
Motives behind an attack can span from immediate financial gain through ransomware; to stealing and profiting from confidential information such as banking records; to smuggling weapons and illegal goods, as evidenced in the Port of Antwerp cyber-attack in 2011.
“The motivations for cyber-attacks do vary, but financial return is a key priority for the organised crime groups perpetrating the attacks,” Thompson said.
When considering industries such as critical infrastructure or supply chains, there is also a potential for politically motivated, or state-sponsored, cyber-attacks, the experts noted. Even state-sponsored cyber-attacks can have a financial angle: the high-profile ‘NotPetya’ malware of 2017, which spread as ransomware but was built to destroy data rather than collect payment, halted supply chains and caused some $300 million in losses for shipping giant Maersk, and has been formally attributed by the US and UK governments to the Russian military.
What port assets can a cyber-attacker target?
Oloruntoba outlined several online areas of risk for a Smart Port:
- Container tracking systems
- Port Management Information Systems (PMIS)
- Automated terminals – particularly gantry crane scheduling and control systems
- Routine maintenance of port IT systems and work routines, which may expose ports to increased vulnerabilities:
  - The maintenance of some IT systems by companies not related to the port
  - Remote working of employees from their own devices off site using unsecured or undocumented protocols
  - The lack of regular cybersecurity briefings among port personnel, leaving them susceptible to phishing emails
The human element of cyber-risk in port operations must not be underestimated. Well-known attack vectors such as phishing, in which fraudulent emails are sent to recipients in a bid to harvest credentials or other sensitive information, are a key area of weakness for port information security teams, Thompson said.
“The security and resilience of the entire system is dependent on the weakest link,” Thompson highlighted.
Within an organisation, high system dependencies can mean that an attack which is localised to a single business unit – even operations away from the port functions themselves – can halt operations across the business. The ransomware attack which hit US fuel pipeline Colonial Pipeline in May 2021, for example, began with a compromised password for a legacy VPN account that lacked multi-factor authentication; the malware hit the company’s IT and billing systems rather than the pipeline controls, yet the firm shut down pipeline operations as a precaution.
How can ports defend?
When HMM’s internal email system came under attack, the liner told PTI that its commercial activities were largely unaffected because they ran on an independent cloud-based system.
Cyber security software can be delivered through cloud-based applications or hosted on centralised servers, either at the port complex or remotely. Both formats have their pros and cons, Oloruntoba and Thompson highlighted.
“If we consider a perimeter-based approach to security, then certain security measures are well suited to be moved outside of the centralised servers in the port complex,” Thompson said.
He continued that email security is one such example: having a cloud-based email system, such as Office 365, means that common attacks such as phishing and malware attachments are quarantined by the cloud provider and never reach the organisation’s systems.
Oloruntoba echoed Thompson’s sentiment, arguing that ports have been advised to increase connectivity over encrypted online connections such as Virtual Private Networks (VPN), as well as cloud computing.
However, both experts noted that, whatever the overarching cyber-defence strategy, there is no one-size-fits-all solution.
“There is no single security architecture that will suit all organisations,” Thompson said.
Oloruntoba said cyber-defence strategies involve the identification of vulnerabilities, port threat scenarios and risk exposure, as well as self-protection and detection measures a port has at its disposal.
More broadly, ports can conduct regular operating system updates, use stronger passwords, secure satellite connections, run resilience exercises, and establish employee awareness campaigns, Oloruntoba said.
CASE STUDY: Port of San Diego
Billy Marsh, Chief Information Security Officer at the Port of San Diego, said expanding interconnectivity globally will continue to drive the number of vulnerabilities in sectors like ports.
“The internet is like an ocean. It is vast and the sheer volume of internet connected computers is staggering. When a specific industry gets successfully attacked, it is like blood in the water and attracts the attention of the sharks in the water,” he said.
“There are always scans being performed for vulnerabilities by those who are looking to exploit them – and when a key vulnerability is discovered, it becomes a race to find and exploit that vulnerability first.”
From Marsh’s perspective, the factors behind attacks on ports depend on the attacker.
“If the attacker is on their own, then profit tends to be the driver. If the attacker is state-sponsored, then data is a likely target,” he told PTI. “An insider threat could be either.”
Marsh echoed that social engineering – manipulation to exploit human error – remains “one of the greatest threats” across all industries, most notably phishing emails.
“All industries are trying to fight phishing and related attacks, and as technology improves, so do the safeguards,” he explained.
Moreover, increasing digitalisation across ports like San Diego comes with its own set of risks, changing the security footprint of any organisation.
“Every device comes with its own set of risks – be it a laptop, connected TV, mobile device, even that smart espresso machine which might be in the break room,” Marsh outlined.
“Anything that has a way of sending or receiving data is a potential point of entry for an attack.”
The key is to develop a fluid strategy – akin to that highlighted by experts Thompson and Oloruntoba – that encompasses port needs, Marsh highlighted.
The Port of San Diego reported a ransomware attack using the ‘SamSam’ malware on 25 September 2018; the US Department of Justice later charged two Iranian nationals operating from inside Iran with running the SamSam campaign.
Since the attack, the Port told PTI, several next-generation security processes and technologies have been implemented – with Tracey Sandberg, Chief Technology Officer, arguing the port “is now more secure than it has ever been.”
“If there is one positive item that came out of the attack, it allowed the port to take the security roadmap and accelerate it by an order of magnitude,” she said.
“From a human perspective, every port employee – whether in the technology department or not – takes cyber security very seriously.”
The Port of San Diego employs a hybrid model, with its system partially in the cloud and partially on-premises for its defence strategy.
Sandberg reiterated the earlier experts’ point that there is more to cyber security than where your systems are hosted.
“We should acknowledge that both cloud-based as well as premise-based systems are vulnerable to cyber attacks,” she told PTI.
“Once systems and applications have been secured, the next key element is diversity and segmentation of backups. Meaning, when you are attacked, can you recover?”
Whilst Sandberg recognised that the growth in connectivity and interoperable systems could open up areas of exploitation for would-be hackers, areas of risk can be found just as easily for isolated Microsoft Windows systems at a port, she said.
“The root cause is the same. And the precautions to take are the same: be diligent, have a patching strategy, segment your data and backups, and train your staff to be extensions of the Information Security Team.”
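Sandberg’s test – “when you are attacked, can you recover?” – only has a good answer if a backup exists that the attacker could not reach and that can be proven intact before it is restored. The following Python script is an added example written for this article; it is not code from the Port of San Diego or any of the experts quoted. It uses a handful of constructed sample files standing in for a TOS export and a crane-controller config, a hypothetical manifest-signing key, and a simulated ransomware run, and contrasts a live mirror on the same network (which faithfully replicates the encryption) with an isolated point-in-time snapshot whose signed SHA-256 manifest lets a restore drill confirm the copy is complete and unmodified.

```python
"""Backup integrity check and restore drill (constructed example, not production code)."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample data standing in for a port's TOS export and OT config.
PRIMARY: Dict[str, bytes] = {
    "tos/yard_plan.db": b"container MSKU1234567 bay 12 row 3 tier 2\n",
    "tos/vessel_schedule.csv": b"vessel A,2021-09-01,berth 4\n",
    "config/crane_controller.yaml": b"remote_control: true\nops_vlan: 20\n",
}

# Hypothetical signing key for the backup manifest. The point of the design is
# that this key lives off the production and backup networks (e.g. in an HSM or
# an offline vault), so ransomware that rewrites the backup cannot re-sign it.
MANIFEST_KEY = b"offline-manifest-key-example-only"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record a SHA-256 digest per file at backup time."""
    return {path: sha256_hex(data) for path, data in sorted(files.items())}


def sign_manifest(manifest: Dict[str, str], key: bytes = MANIFEST_KEY) -> str:
    """HMAC over a canonical serialisation so a tampered manifest is detected."""
    canonical = "\n".join(f"{p} {h}" for p, h in sorted(manifest.items())).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def take_snapshot(files: Dict[str, bytes]) -> Tuple[Dict[str, bytes], Dict[str, str], str]:
    """Point-in-time copy plus signed manifest: the segmented, offline backup."""
    snapshot = {p: bytes(d) for p, d in files.items()}
    manifest = build_manifest(snapshot)
    return snapshot, manifest, sign_manifest(manifest)


def simulate_ransomware(files: Dict[str, bytes]) -> Dict[str, bytes]:
    """Replace every file with random bytes under a new name, as encrypting ransomware does."""
    return {p + ".locked": os.urandom(len(d) + 16) for p, d in files.items()}


def verify_backup(backup: Dict[str, bytes], manifest: Dict[str, str], signature: str,
                  key: bytes = MANIFEST_KEY) -> Tuple[bool, List[str]]:
    """Check the manifest signature, then every file's digest, presence and absence."""
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return False, ["manifest signature mismatch"]
    problems: List[str] = []
    for path, expected in manifest.items():
        data = backup.get(path)
        if data is None:
            problems.append(f"missing: {path}")
        elif sha256_hex(data) != expected:
            problems.append(f"digest mismatch: {path}")
    for path in backup:
        if path not in manifest:
            problems.append(f"unexpected file: {path}")
    return not problems, problems


def restore_drill(backup: Dict[str, bytes], manifest: Dict[str, str],
                  signature: str) -> Optional[Dict[str, bytes]]:
    """Return the restored file set only if the backup verifies; otherwise None."""
    ok, _ = verify_backup(backup, manifest, signature)
    return dict(backup) if ok else None


def run_scenario() -> Dict[str, object]:
    """Isolated snapshot vs. live mirror after a simulated ransomware run."""
    snapshot, manifest, sig = take_snapshot(PRIMARY)  # taken before the attack, then kept offline
    encrypted = simulate_ransomware(PRIMARY)          # attack hits the primary...
    mirror = dict(encrypted)                          # ...and the always-on mirror syncs the damage
    mirror_ok, mirror_problems = verify_backup(mirror, manifest, sig)
    snapshot_ok, _ = verify_backup(snapshot, manifest, sig)
    restored = restore_drill(snapshot, manifest, sig)
    return {
        "mirror_ok": mirror_ok,                       # False: nothing in the manifest survives
        "mirror_problems": mirror_problems,
        "snapshot_ok": snapshot_ok,                   # True: digests and signature check out
        "restored_matches_primary": restored == PRIMARY,
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

Two design choices matter here. The manifest is signed with a key that is never stored beside the backup, so an attacker who can rewrite the backup volume cannot also forge a clean manifest for it; and the restore step refuses to proceed unless verification passes, which is what turns “we have backups” into “we can recover”. Running the drill on a schedule, not only after an incident, is what exercises the segmentation Sandberg describes.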