Invisible enemy at the port gate
Stevie Knight discovers that ports are, sometimes unwittingly, in the front line when it comes to cyber attacks
There is an old Samurai saying, “those who join the battle are all on the front line”. Well, that now applies to the modern, largely unseen war for global IT networks, as new regulations underline that our ports are in a combat zone.
HFW’s Felicity Burling explains: “Governments around the world have recognised that they can be completely brought to their knees by a cyber attack. This applies to ports: they are a country’s gateways and without them you could see international physical trade grind to a halt.”
Some are ahead of the curve, but even those recognise they have a battle on their hands. The Port of Los Angeles (POLA) established the first Port Cyber-Security Operations Center in 2014, and it has to be said the news from there is disturbing. Gene Seroka, POLA’s executive director, recently told the US Homeland Security Committee that “at present, the centre is managing an unprecedented level of attacks - over 20m cyber intrusion attempts per month”. He underlined, “that’s seven to eight attacks every second on average”.
Sadly, Ken Munro of Pen Test Partners expects it all to get much worse before the industry turns a corner. After all, he says, Maersk’s fall to NotPetya, which cost the Danish shipowning company an estimated $250m to $300m, “was collateral damage, it wasn’t even aimed directly at them”. He explains that as other sectors have raised their game, “criminals will start to look for softer targets, so surprise, surprise, the ports and maritime industry is now starting to see more attacks”.
Given this, governments are applying some rather hefty penalties to make sure that the security software of Essential Service Providers (ESPs) such as ports is up to scratch. For example, the European Union’s NIS Directive is presently being transposed into national law by various member states to be implemented in May this year: the fines could be as much as €19m or 4% of global turnover.
The UK’s National Cyber Security Centre (NCSC) guidance acknowledges that it is “not possible to devise an effective set of prescriptive rules” and explains that the NIS principles define a set of top-level outcomes that, collectively, “describes good cyber security”.
So, even though there’s some support (in the UK it is through the NCSC), it’s no tick-box exercise; the focus on outcomes leaves organisations firmly holding the baby. Therefore if a port suffers a successful attack, it may well be concluded that it just hasn’t taken enough care and the NIS penalties will merely add insult to injury.
While Ms Burling says the authorities “will likely focus fines on those who’ve been reckless”, she underlines it’s down to the ports to uncover their vulnerabilities, adding that the authorities may come down hard on any organisation that shows “systemic weaknesses”.
It is going to be tough. As POLA’s Mr Seroka pointed out, “our organisation – and the rest of maritime shipping industry, for that matter – is becoming increasingly reliant on digital industrial infrastructure”.
However, as Mr Munro notes, it’s not just ‘new’ technologies that are vulnerable: “The supply chain has long-standing legacy systems. Take Edifact; this is the accepted international EDI standard adopted by globally trading organisations, and it’s been around since just after WW2.
“Of course, it’s designed to be flexible, easy to connect to and interoperate with... all the usual things that people need... but actually, that doesn’t make for a very secure system,” he concludes.
On the same note he says the multimodal nature of the industry gives it “a massive attack surface”. He points to “web-based booking systems, lorries with mobile applications, wi-fi and Bluetooth networks, ship and crane links... even the sheer physical areas inside a port that could allow you to access the hardware”. Plus, he adds: “Satellite connectivity has made it all so accessible and interesting, especially to criminals.”
The rub is, if a port goes under as the result of cyber intrusion, saying “we’ve all been doing it for years and never had a problem before” won’t be any defence, either against the attack or the wrath of the authorities.
It is going to take some effort to fix. Mr Munro argues that after looking after the basics, the first stage is simply to think about things differently: “Port managers are usually concerned with moving boxes or product from one place to another as efficiently as possible. So, they should stop, turn it on its head and ask themselves, ‘knowing what I know, what could I do to break the system?’”
While it may seem far-fetched, criminals are now putting effort into taking advantage of hidden weaknesses. He adds that “a lot of security has a hard shell, but inside, it’s like an egg”. So, he asks: “If someone got behind your firewall, are there more layers to keep them from running riot?”
Mr Munro’s views echo those of the NCSC which recommends penetration tests “as a method for gaining assurance in your organisation’s vulnerability assessment and management processes, not as a primary method for identifying vulnerabilities”. But he goes one step further, suggesting that penetration testers – who know and understand the specifics of the industry and the infiltration techniques of attackers – can help ports identify the not-so-obvious issues earlier.
However, all agree a lot comes down to staff awareness: the NCSC website talks of creating “a positive security culture” and adds it is “particularly important where a technical solution is not possible”. Security, therefore, relies on people making the right decisions.
The NCSC isn’t that upbeat on people prospects, saying: “It is likely to take some time, with some changes possibly taking years to become established and is unlikely to be achieved simply through written guidance or training events”. However, Mr Munro advises a little cleverness: “Tell them about looking after their credit cards and how to keep safe on social networking sites. No one is all that interested in securing a corporate email - but their own identities? You have to talk about things that mean something to them; it’ll stick and then they’ll apply the same level of security when they come into work.”
Finally, while the NIS directive is a necessary goad, Mr Munro is clear that a lot of the supply chain is already taking the threat seriously. “There is a very, very fast arms race going on as organisations are trying to come to terms with the scale of the problem,” he says. “However, the shipping and ports industry is coming from an extremely low base.”
It undoubtedly means ports will have to work hard to catch up with other industries, but it’s necessary to get on top of it, sooner rather than later. Mr Munro concludes: “Have the conversations now, before inadvertently exposing your whole supply chain.”
BLENDING SECURITY RESPONSES
Some ports are just as worried about terrorist cyber attacks as attacks perpetrated by physical criminals. Rafael Company of Valencia Port, co-ordinating Europe’s SAURON project, says: “The idea is to provide information, not just for IT specialists, but, say, for security officers for example, so that they can understand what action needs to be taken.”
Therefore SAURON (an acronym of ‘Scalable multidimensionAl sitUation awaReness sOlutioN’) is looking to bring together the warnings for both physical and unseen cyber intrusion.
“It’s like an onion with different layers,” says Mr Company. The system will integrate the port’s various alarms and control sensors with intelligent software that will identify the threats, and use both data and some quite new imaging techniques (immersive models along with virtual and augmented reality technologies) “to make it all as visible as possible”, he explains.
Further, as well as triggering an alert, SAURON promises to highlight the consequences: not just the location of an incident, but also what part of the physical or IT system is under threat and what combination of port assets, like gates or other safety systems such as fire alarms, could be compromised as a result of a cascading, ‘hybrid’ attack.
It will, he says, “provide valuable information for decision-making”. Furthermore, the development allows a co-ordinated, joint operation by the various stakeholders in tackling a combined threat.
It’s a big ask. The outcomes of two pilots, one centred on container traffic in the Port of Valencia, the other focused on cruise safety in the Port of Piraeus, will likely be closely monitored.