Hidden in full view
Cyber security needs to be taken more seriously by vulnerable seaports, says Martin Rushmere
"Deficient" and/or "delinquent" are the accusations that politicians and the public are levelling against ports, with an implication that they are guilty of both strategic shortcomings when it comes to protection from cyber attacks. But industry analysts reckon that the criticism is to a large extent unfair.
Publicity about banking and commercial attacks is a large part of the reason. Brian Lord, managing director of PGI Cyber, says: “Ports are a hidden element of infrastructure, not like electricity, and many people forget about them.” He says the IT industry is also to blame “for making cyber security impenetrable to clients. The result is that people making investment decisions shove responsibility for cyber security to the IT department.”
But attacks are probably on the way. Peregrine Storrs-Fox, risk management director for TT Club, says: “The main media and public interest to date has been focused on banking and retail sectors, which have historically considered themselves to be most at risk and probably done more than other industries to protect themselves in the last 10-15 years. There is little reason to consider shipping, transport or the supply chain to be immune to attack; it is dependent on who is doing the attacking and to what end.”
Says Mark Gazit, chief executive of ThetaRay: “Communication channels for the maritime realms are expensive and often outdated. While some very targeted products do exist on the market, even if they are implemented by an organisation, updates and patching are not stringent and, much like it is in the industrial markets, usually way overdue. This leaves vessels and their ashore operators more vulnerable to attacks."
All the consultants note that attacks can come from any of the four types of threats - criminals, hacktivists, amateurs and foreign state-sponsored groups. “However," says Mr Lord, “ports are much more susceptible to state activism. These attacks can be subtle. All you have to do is stop a port from operating for a short time, not destroy any infrastructure, which will reverberate along the supply chain. Goods will quickly be unavailable and public psychology can get frightened through the fear factor, Because of interconnection of commerce, an attack on one country’s port will affect others."
Thomas Heverin, a cyber-security specialist with PGFM Solutions, reckons that ports should be on their guard against everyone. “Lone hackers may wish to disrupt seaport operations just to embarrass seaport authorities. Overall, threats can come from multiple sources, both internal and external, with each source having its own intent. Ports need to develop strategies to defend against the different types of threats and attackers."
Mr Heverin is certain that ports will increasingly become targets. “Even though small seaports may not feel the need to increase their security as much as major seaports, cyber attackers will view small seaports as prime targets due to the small seaports’ lack of funding and staffing to combat attacks.”
And what applies to ports, applies to vessels. The industry sees the two as inextricably linked and what affects one affects the other. Mr Lord points out that the trend for centralised electronic control, with the IMO pushing for ECDIS to become the focal point, brings an inherent weakness. “Every system must have a backup so that it can be operated on its own; otherwise attackers will find it easier to take control.”
Says Mr Gazit: “Ships, boats, patrol vessels, rigs, and naval resources can communicate using radio and IP based communications of different capacities, relying heavily on satellite communications. While these enable them better situational awareness and beyond-line-of-sight operations, they are considered insecure comparing to other types of encrypted communications used by different critical infrastructure.
“For example,” he says, “flaws in AIS can allow attackers to hijack communications of existing vessels, create fake vessels, trigger false SOS or collision alerts, and even permanently disable AIS tracking on any vessel.”
Sue Englebert, who teaches Maritime Security at Tulane University, New Orleans, says: “AIS is vulnerable in several ways. However the use of radar, cameras, or long-range tracking system in conjunction with AIS enables a ship or VTS to discern the truth.
Adds Mr Gazit: "Another main issue in this sector is the human factor. The maritime organisation is designed to serve the vessel’s most pertinent needs, manning it with an operational crew that rarely includes a cyber-security professional, or an information security officer. This is another factor that presents a challenge to the security of communications and cyber-safety of vessels and their port/ashore personnel.”
Mr Storrs-Fox says: "Disruption of AIS or VTS is perhaps less likely to be motivated by criminal activity, which currently appears to be the greatest vulnerability in the international supply chain.”
The future is definitely much more of the same, with greater sophistication. “Attacks will always be ahead of defence,” is the blunt opinion of Mr Lord. Mr Heverin agrees: “The future will consist of more advanced and co-ordinated attacks including advanced persistent threats. A co-ordinated attack targeting one or more ports can result in major economic impacts locally, regionally and even nationally. Says TT Club: “Where the returns are sufficient, the attack capability will advance rapidly and companies may have difficulty keeping abreast of these developments.”
Mr Gazit says there is reason to be optimistic. “Defenses and attack methods are always going to be in an arms-race of sorts, with issues that have plagued cyber-defence for decades. But things are definitely changing, and the good guys are starting to catch-up as new types of technology and big data solutions bring about major paradigm shift in the way we detect threats.
“Nowadays, cyber security is already an integral part of the overall security in any organisation,” he says. “It is as important, if not more so, as physically securing perimeters and having the right surveillance elements on site. The costs of cyber security really depend on the needs, the human factor, the size of the deployment and types of internal/remote environments and assets that needs to be protected.”
And greater co-operation is a key element in thwarting attacks. “As cyber attacks become more advanced and complex, individual seaports, including small and large seaports, will not be fully prepared to defend against such cyber attacks,” says Mr Heverin. “Collaboration between stakeholders in the maritime community will be essential. The way of the future in cyber defence is to share information across ports and types of organisations including the government (at all levels) and the private sector.”
A dollar short and a day late
US ports are seen as lagging behind other infrastructure sectors in the country and need to chart a clearer course on cyber protection.
A June 2014 report by the US Government Accountability Office said that the government has still to carry out a “thorough cyber risk assessment” of ports and that there is no way of knowing just how weak the system is. The biggest danger is seen as an advanced persistent threat (APT).
A startling illustration of how little has been done, and how little attention the ports are paying, is shown by the amounts spent on cyber security. The government set up a Port Security Grant Program, with more than $2bn available. Less than $6m went on cyber security. What’s more, since 2007 Long Beach has been the only major port to carry out a vulnerability assessment.
Mark Gazit of ThetaRay has a bleak assessment. "At this time there is no standard or authority that supervises this aspect for the maritime industries. Government-funded research into cyber security in ports exposed a glum picture where even basic cyber security hygiene measures are not being practiced in ports.”
Thomas Heverin of PGFM Solutions adds: “Although other critical infrastructure sectors have guidelines that focus on specific problems, the seaport sector lacks similar guidelines. The Defense Security Information Exchange (DSIE) is an information sharing initiative for critical infrastructure organisations including defense agencies and private companies. Seaports should aim to become part of DSIE or create a similar effort."
Lanier Watkins at Johns Hopkins Information Security Institute says: “APT may become the primary perpetrator exploiting vulnerabilities in mobile devices to gain entry into the IT systems, then targeting operator’s networks to track and route containers, or targeting industrial control systems (ICS) to sabotage or manipulate port operations."
Sue Englebert of Tulane University adds that US Vessel Traffic Systems are less vulnerable because they are run off of US Coast Guard equipment.
But Mr Watkins points out another problem: “The increased use of personal mobile devices in US maritime port IT systems could significantly increase the cyber vulnerability of US port maritime systems to APT."
Ms Englebert sums up the situation: “Where there is a will; there is now a computer hacker…”
LATEST PRESS RELEASES
Since 2012 ShibataFenderTeam fenders support the smooth berthing operations from VABI in Surinam. Read more
Exis Technologies, with the support of leading shipping and freight insurers, TT Club and UK P&I Clu... Read more
The exhibition series ‘Intermodal Africa’ organized by Transport Events is always a good possibility... Read more
The German based Headquarters of ShibataFenderTeam recently completed an order for the Port of Esbje... Read more
Start-up for ocean route planning enters ESA’s Business Incubation Centre (BIC) Read more