Ports looking to get smarter need to consider the cyber risks, advises Felicity Landon
"Beware of the Internet of dumb Things", business and IT strategist Kris Kosmala warned in a recent article. In his view, as our lives are more open to electronic devices that know our daily habits (think fitness monitors), we are becoming less and less aware of intrusive things happening to the digital devices we might carry around.
In the port world, the role that controllers, sensors, electronic connectivity and the Internet of Things can or might play in reducing costs and increasing efficiency across the logistics chain is increasingly. But, he warns, in a world where multiple parties are linking into or providing systems within your network, that network is only as secure as the weakest link.
When it comes to cyber risks and security, there is understandable reluctance in the ports sector to talk specifics – companies simply don’t want their name associated with such a sensitive topic.
“I am really not surprised nobody wants to talk about it,” says Mr Kosmala, Quintiq’s general manager APAC, based in Singapore. “Everybody is trying not to talk about it or bring themselves to attention – they are only discussing it in the most generic way.
“Everybody is talking about how exciting IoT, smart ports, etc., are, but not comprehending what might happen. It is easy to get excited – vendors are talking about nothing but IoT and Big data, so you can clearly get distracted. You can’t slip behind on technology but this is all about awareness, so at least ports understand what should be done and what could be done, and can prepare themselves a little bit better. You need to know when you need help in the first place.”
Linda van Moorst, security expert at the Port Community Systems provider Portbase, chairs the Port of Rotterdam’s ISAC (Information Sharing and Analysis Centre), set up to exchange information and experiences about cyber security. “This subject does come up there,” she says. “The main problem members of the ISAC are mentioning is that vendors don’t always seem to be very interested in providing secure solutions. And security by design is not realised with all the legacy (SCADA) systems.
“Sometimes it is not even possible to patch these systems, which of course is of a big concern to some of the port organisations. It would be really helpful if vendors would take their responsibility in providing secure systems – because indeed, the chain is only as secure as the weakest link.”
James Douglas, director of Exis Technologies, says that in general, ports have historically been more inward-looking for IT, focusing on optimising their own resources, and have tended to keep things tight. “But this does seem to be changing, as a number are prepared to talk about optimising their resources around and en route to the port, so the need to integrate with other solutions outside the port will increase – for example, the position of vehicles en route to the port.”
Mr Kosmala adds: “I work with a lot of telecoms companies – we are extra security-conscious in order to prevent anybody hacking into our systems. We do extreme testing of every piece of equipment by our own security forces. Every vendor coming in says they have the highest level of security – we try all the possible means of hacking, whether by software or hardware.
“However, in a port area it is hardly possible to imagine that they would have that sort of extensive security capability. Securing every device you allow on the network is probably beyond the capability of a basic port operation. So, in the case of ports, that means they have to rely on the promises of vendors that whatever devices they are bringing in or arming their vehicles with are essentially unbreakable by any means of hacking.”
The implications for a port sourcing TOS, gate automation, crane remote controls and any number of smart port sensors or systems from a variety of suppliers are therefore alarming.
“Is there a way to secure it all? Yes. Is there a cost associated with that? Yes. Is every port willing to protect themselves? Probably no, it is too expensive. Maybe they will have someone go in there from time to time and do some tests, but you also have to have an IT department that can take very swift action.”
Mr Kosmala says ports not only need robust procedures, but must also invest in a diligent IT team and audit team "and that is a big ask of many ports".
“Maybe some of the top-end sophisticated ports/terminals can protect themselves because they have enough resources, but the smaller operations cannot.”
As to the risks, he doesn’t hold back. “Half of this [hacking] is mischief, but the other half is malice. Imagine a remote-controlled quay crane. Just as an algorithm is built to avoid a crash, you can easily build an algorithm to organise a crash on purpose, damaging crane, ship and terminal. Imagine a hacker telling multiple vehicles or pieces of equipment to execute a head-on crash and the mayhem that could cause.
“The movement of vessels and vehicles is becoming more and more automated. We interact vessel to shore, and shore back to tugs and support vessels, we have movement on land and on water. The larger the network, the more potential weak points for someone to access – and from that point, they can keep working across the network, linking with other devices.
“Obviously it becomes more and more complicated as we become smarter and smarter, and at the same time we have to entrust a lot into other parties doing their job.”
At some point, the complexity can easily outpace the sophistication of the port’s IT department, he warns. So what’s the failsafe solution? “You can only be secure if you are completely manual, but that can’t happen now because of the costs of a labour-intensive operation. It is inevitable that technology will have to be taken in. For example – a crane finding a container by itself, based on the co-ordinates fed to it by the container. More and more equipment will have to talk to each other and not even ask a human for action.
“Be prepared for it and realise that you have to ask much more from your IT department than before, when it was 'help me find a TOS, then maybe some auxiliary software for a basic ERP'. Whether you have your own IT team or you outsource to specialists doesn’t matter – but you have to be diligent and take responsibility.”
Ports, he says, must gain assurance that they are not taking on any weak components. That means going a lot further than simply specifying this in the contract – it means sending your own IT expert to the facilities of the company building the equipment to review how their software is embedded, how their device is being controlled and how it is tested at the time of production.
At the same time, ports must have a clear procedure for bypassing the connection for every device in case something goes wrong. “So essentially, you need stringent IT requirements on how to access the device, how to disable the vehicle, how to re-route the vehicle and work against the hacker.
“You can’t ask for a source code because that’s usually the intellectual property of the device manufacturer but you should be able to ask for layer that allows you to take over control or plug into control in times of emergency.”
GETTING TO THE CORE OF LOGISTICS
The EU-funded CORE project team has recently launched its Internet of Logistics (IoL) demonstrator, described as a network of physical devices such as vehicles, containers, pallets and vessels which are embedded with electronics, software, sensors, actuators and network connectivity that enable these objects to collect and exchange data for logistics purposes.
A four-year R&D project, CORE has brought together more than 70 partners including Dutch and UK Customs, the World Customs Organization, Interpol, the European Shippers Council, CLECAT, Maersk and DHL.
The IoL is based on a ‘data pipeline’ concept and enables Customs administrations to collect more accurate data from the relevant supply chain partners about imported goods, with the aim of effective de-risking of consignments in trusted trade lanes. CORE’s aim is to enhance the protection and security of the global supply chain, while reducing its vulnerability to disruption.
LATEST PRESS RELEASES
As one of the world's leading fender specialist, we consider it our responsibility to do our part fo... Read more
Prince Rupert is the second largest container terminal in Canada Read more
Warrenpoint Port has commissioned a new crane and has commenced the refurbishment of two other crane... Read more
A vision for inland waterway transport (IWT) in the Baltic Sea Region as well as means to strengthen... Read more
Over two million containers and five million tonnes of cargo handled Read more
Bendezu Port Equipment GmbH, an international trading company offering second-hand port equipment, h... Read more