Countering port workforce weak spots
Iain MacIntyre speaks to experts in the field from around the world to examine the level of cyber security risk presented by the human factor in ports.
Eager to prevent a catastrophic and potentially reputation-destroying cyber security attack on your port or terminal? If so, you had better take stock of your workforce: basic human vulnerabilities remain the largest threat to any organisation, and that’s in spite of investments that may have already been made in expensive and sophisticated system protections.
As relevant an issue to the port sector as any other industry, the need for such vulnerabilities to be acknowledged, understood and mitigated against is an imperative to protecting individuals and organisations alike from the latest cyber security risks.
Protection Group International (PGI) senior cyber threat analyst Olly Jones emphasises that while there is undoubtedly an important role for technology to play, the biggest weakness in the defensive chain is “still the individual on the end of a keyboard”.
“Even some of the most sophisticated nation state attacks primarily target end users, as it is often far easier to entice an individual to click on a malicious link, rather than to develop and exploit a technical vulnerability in a system,” he tells Port Strategy.
“Social engineering pulls on our natural curiosity and willingness to want to help, so for many people the lure of an attractive link or attachment is too much to ignore which is why it is still so widely exploited as an attack vector. Increased awareness and online vigilance are key elements to help combat the threat.”
He advises that individuals be more responsible with their online behaviour to help mitigate the cyber risk, both to themselves and the businesses they work for — if an email even seems slightly suspicious or if a link or attachment from a distant or unknown contact seems too good to be true, do not click on it.
“In acknowledgment that businesses are becoming increasingly aware that every one of their employees is a potential target, we are receiving a growing number of requests for general awareness training for staff,” Mr Jones adds.
Holman Fenwick Willan (HFW) partner Toby Stephens agrees that human behaviour makes ports vulnerable: “Whichever way you look at it, people are known to be your biggest risk in terms of cyber security.
“This can cover a multitude of interpretations and we will leave you to reach your own conclusions, but it extends from those inadvertently introducing risks to systems right through IT professionals to CIO/CTO level, and whether they are getting senior management onboard and supporting the plans and strategies they have to combat cyber risks,” he says.
He concedes that it will take time for the industry to develop and implement strategies to counter growing cyber threats. However, HFW has already seen a general move with some players in the container supply chain revisiting their template contracts to ensure they have general provisions to deal with cyberattacks, and tightening up their force majeure provisions.
Brough Marine director Captain Richard Brough observes that an individual's viewpoint on and awareness of cybersecurity risk will largely be influenced by their experiences at both work and in their personal life.
“I think in general [awareness] is very low,” he says. “Some corporate events such as the NotPetya attack on Maersk have focused their attention on it for sure. Some organisations are trying to raise awareness and vigilance and the International Cargo Handling Coordination Association now has this firmly on its agenda, as do our insurance company members.”
Captain Brough says it is imperative that individuals show due “discipline and vigilance” and he urges organisations to “look at their systems”, particularly with respect to access issues.
“Firewall integrity, double security measures — their insurance company will be able to offer many pointers to good cyber security governance and industry 'codes' have now been developed.”
Waking up to the threat
Emphasising that the “human element is huge”, American Association of Port Authorities (AAPA) freight and surface transportation policy director John Young nonetheless reports positive developments in regard to awareness, education and counter measures.
“Los Angeles, for example ... they have a mobile cyber security operation centre that prevents 15–20 cyber threats each month on their network,” he says.
“Certainly, there is more awareness ... great communication with the Coast Guard, the Department of Homeland Security has put out a lot of indicators as to what a clean bill of cyber health should be in this country, not just in maritime, but in general.”
Mr Young observes that 85% of AAPA ports anticipate an increase in direct cyber or physical threats to their port over the next ten years.
“Cyber is not something that is an annual appropriation — it is something that you work on every day. If you have ever been hacked, then you know the vulnerability that you have.
“As more and more time goes on, and more people are hacked or come to the realisation that they are vulnerable, then that translates into greater security all round.”
However, despite best endeavours — including through targeted AAPA initiatives — he notes that there are “complexities” to achieving a united cyber security front in the US port scene given the different private and public ownership models.
“We can make people aware but there is no one way to implement or integrate.”
Not just an IT issue
A repeated message emphasised by experts in the field is that managing cyber security is “not just the IT person's gig”, but instead needs to be addressed as an organisation-wide priority, with individual responsibility assumed from “top to bottom”.
PGI's Mr Jones explains that the responsibility for the procurement and implementation of technical defences and security processes should still rest within IT teams, but “it is the responsibility of every employee to ensure that their online activity does not threaten the security and integrity of their organisation's systems”.
“Quite often, malicious actors will intentionally target junior staff who may not be expecting to be the focus of a targeted intrusion, as they mistakenly believe that attackers are only interested in network administrators or senior-level executives.”
A determined actor will exploit any route into a target organisation, then look to 'pivot' their way through internal systems to target the specific individual or department they are after, he continues.
“Improving your employees' cyber hygiene and having an awareness of basic social engineering techniques can defeat an estimated 80%–90% of cyber threats — not only protecting individuals from cybercrime, but also helping improve the security of your business.”
Brough Marine's Capt Brough believes larger corporations are now adhering to the top-to-bottom responsibility premise, but expresses concern that “many smaller port interests are not”.
“There are now industry initiatives to raise awareness — from simple, but potentially-devastating impacts of using an infected USB stick right through to major attacks,” he says. “A very good video has been developed highlighting some of the basic risks, such as USB sticks and wandering onto 'inappropriate' websites and then being held to ransom and compromising company confidentiality. SAURON, of which we are part, is also trying different initiatives in the port sector.”
HFW's Mr Stephens agrees that cyber security needs to be a company-wide priority and a change in thinking is likely already happening. “It is likely that port and terminal operators are now taking cyber risks more seriously since the APM Terminals cyberattack last year.”
From his oversight of the AAPA's security and IT committees, Mr Young adds: “We truly believe it starts from the top — you have to have good cyber security policy from the port director, CEO, president, on down.”
INSURANCE PART OF DEFENSIVE ARMOURY
HFW’s Toby Stephens points out that port and terminal operators can consider cyber risk insurance so as to manage potentially significant financial losses and adds it is his personal priority to ensure organisations have processes in place to both detect and manage real cyber security attacks.
“A company can invest as much as it wants into its cyber defensive strategy, but a determined criminal will eventually find a way though (and most companies don't have an infinite budget).
“So, while a defensive strategy is of course important (focusing on the human element and training staff), a robust crisis management plan will significantly reduce liability at the back-end.
“My plug for the legal profession is that people often appoint a response consultant — yes of course, they need to — but if they get their lawyer to do it, the work product is more likely to be covered by legal privilege, which means it won’t be immediately discloseable to a counter-party.”
In parting, Protection Group International’s Olly Jones explains that in reality, it is not possible to provide a 100% guarantee that every business can be fully protected from every cyber security threat. With the discovery of new vulnerabilities on a daily basis, a system that was thought to be secure one day, can overnight become insecure if a new flaw or bug is discovered.
“What is crucial is that business leaders are aware of the threats that exist, understand those threats, then take appropriate and proportionate measures to mitigate the risk.”
LATEST PRESS RELEASES
Warrenpoint Port has commissioned a new crane and has commenced the refurbishment of two other crane... Read more
A vision for inland waterway transport (IWT) in the Baltic Sea Region as well as means to strengthen... Read more
Over two million containers and five million tonnes of cargo handled Read more
Bendezu Port Equipment GmbH, an international trading company offering second-hand port equipment, h... Read more
ShibataFenderTeam looks forward to the fruitful exchange with all WG members and trusts that the out... Read more
CIRCLE S.p.A.: continues its growth abroad with a new cooperation with Bulgarian Ports Infrastructure Company.
Circle S.p.A. (“Circle”), a Company leading its own Group specialized in process and management cons... Read more