Maritime security and port infrastructure: reconciling modern operational practices and cybersecurity
Published on: 06 12 2021
The major commercial ports are responsible for ensuring the smooth movement of nearly nine billion tonnes of goods around the world (90% of world volume). To remain competitive and efficient, the digital transformation of ports has become vitally important. The last decade has seen the birth of “smart ports”, which use new technologies to automate and accelerate logistics processes. The problem is that this transformation has been accompanied by an increase in cyber attacks against maritime transport. What are the risk vectors specific to port activity? How can we ensure port security? Here are some clues to solving the puzzle.
The European Network and Information Security Agency (ENISA) makes no bones about it: a cyber attack could compromise “digital equipment such as port bridges or cranes”, which could “be operated remotely and move unexpectedly, possibly even causing incidents that are both destructive for port infrastructure and potentially fatal”. This scenario, from a guide for European port authorities, highlighted the cyber threats to which major international ports are exposed. And the consequences of such cyberattacks can be felt far beyond port activities. In France, given their crucial role in international exchanges, the Interministerial Committee for the Sea pointed out in 2015 that “a major cyberattack on a large port could massively disrupt the entire supply chain and consequently the country's economy.”
These findings are all the more alarming considering that the cyber attack surface of port infrastructures continues to grow as the digital modernisation of ports advances.
Smart Port: when productivity and cybersecurity collide
Olivier Jacq is the technical and scientific director of the France Cyber Maritime association, a forum where solution providers, public and maritime players can contribute to improvements in the French maritime cybersecurity ecosystem. The association's missions are to increase the resilience of the maritime and port world in the face of cyber threats, and to contribute to the creation of a French sector of excellence in maritime cybersecurity. Olivier Jacq sees the rise of “smart ports” as being linked to a desire to “respond to the challenges of productivity and competitiveness in a maritime transport sector in which flows are extremely tight worldwide.”
As they seek to become intelligent, ports are investing in technologies such as the Industrial Internet of Things (IIoT, e.g. connected sensors), artificial intelligence, and digital twins. Together, these technologies offer great potential for automation and process acceleration. For example, the port of Yangshan in China managed to completely automate the operation of its ship-to-shore gantries and other overhead cranes in 2017. This was an impressive feat, given that ship loading and unloading processes were until then considered to be the most complex part of the chain to automate. Meanwhile, ports such as Rotterdam and Hamburg stand out for the automation of their container routing processes. The International Association of Ports and Harbors (IAPH), an association based in Tokyo that represents the largest commercial ports in the world, confirms: "Maintaining competitiveness depends on the abilities of the IT and OT infrastructures of maritime organisations to adapt to new automation systems".
From a cyber perspective, the attack surface of ports is increasing
The problem is that if the past is any indicator of the future of smart ports, the result will be a proliferation of potential entry points to networks, and greater porosity between information (IT) and operational (OT) systems. Sensors and the systems that electronically control port machinery (cranes, gantries, bridges, etc.), previously operated manually, can now be controlled remotely. This vulnerability has been increased by the Covid crisis, because as Olivier Jacq reminds us: “A significant proportion of the solutions operated by the ports are maintained remotely by service providers.” In fact, under the pressure of health constraints, port organizations have often “given the urgency, opted for widespread remote access to IT and OT networks, and thus automatically increased the attack surfaces of their systems during the crisis.” Another characteristic of ports helps account for their large attack surface: they have effectively become what is known as “one to many” digital systems. “Many players connect to their IS through Port Community Systems (PCS) or Cargo Community Systems (CCS)”, Olivier Jacq says. “This makes port information systems extremely sensitive to supply chain attacks, because it potentially just requires one subcontractor with access to fail to comply with the rules, and an unanticipated flaw can be exposed,” he explains.
General risk vectors to be taken into account
In addition to the risk vectors specific to their activity, ports are faced with aggravating issues that are common to all economic sectors, as highlighted in the IAPH report.
First of all, many of them place a low priority on cybersecurity issues, instead putting business considerations first: after all, maintenance work or the application of security patches very often results in a slowdown, or even a complete halt, in business processes. The priority of port organisations is still to fulfil their primary mission. This means that many still do not prioritise updates that are essential to their cybersecurity. Port software ecosystems are extremely complex and often reliant on outdated third-party technologies, or on technologies for which the organisation lacks the necessary human skills. And so cyber criminals keep on exploiting software vulnerabilities. The port of Houston recently survived an attack exploiting a critical flaw in a password management solution.
In addition, the accelerating digital transformation of ports is inevitably accompanied by an increase in demand for qualified people to operate these new technologies. But when it comes to cybersecurity, a joint investigation by ESG and ISSA reveals that 57% of organisations worldwide suffer from a skills shortage in this area. And the port sector is no exception...
Port cyberattacks: serious economic consequences
And the result? According to information from M-CERT, the number of cyber attacks targeting ports is set to keep rising. In 2018, 7 public incidents at major international ports were recorded, compared to 26 in 2021. And this figure presumably only documents publicly reported incidents: the true figure could be much higher. For anyone wishing to monitor these incidents reliably and comprehensively, the M-CERT listing is public and freely available via their GitLab space.
But how much does a cyberattack cost a port? The answer is not simple, given how difficult it is to estimate the financial damage of these attacks, especially since not all have the same impact, and each port has a different economic value. After the discovery in 2013 that its computer network had been infiltrated by a drug cartel, the port of Antwerp had to invest nearly 200,000 euros in a new system (including a new password management solution). That’s relatively minor compared to the damage inflicted on Danish shipowner Maersk in 2017. Maersk was the victim of the NotPetya virus. Through its network, the 12 port terminals it operates around the world were affected and shut down. The group was forced to invest in replacing its IT infrastructure (i.e. nearly 4,000 servers, 45,000 PCs and 2,500 applications reinstalled). Officially, Maersk suffered losses of up to $300 million.
Opportunistic hackers motivated by profit ... and more
While cyber attacks force port authorities and maritime transport operators to invest in their protection, they are significantly more profitable for cyber criminals. According to the French ANSSI cyber-agency, the main motivation of these “2.0 pirates” remains the promise of financial gains. Olivier Jacq confirms this: “Hackers usually choose their targets out of opportunism. They attack wherever the loophole is, and wherever the payoffs are likely to be fastest, whether that means a large or small port, a hospital or a school.”
After money, another motivating factor for cybercriminals is strategic or industrial espionage. To help counter this, the ENISA guide describes several attack types aimed at maintaining the ability to observe port information systems. Such espionage may relate to information such as routing data for transport containers, as in the example of the port of Antwerp discussed earlier in this article. Between 2011 and 2013, the port fell victim to drug traffickers who hijacked the routing system in order to transport drugs to Europe.
Finally, the emergence of geopolitical tensions is likely to increasingly expose ports to cyberattacks aimed purely at sabotaging their operations or the image of the relevant port authorities. For example, the rivalry between Iran and Israel is thought to have been the cause of the complete shutdown of the Shahid Rajaee port systems in Iran.
Legal requirements at national and international level
Faced with the rise of these disparate cyber threats, port authorities are taking action – often in line with legal obligations. At European level, the Network and Information Security (NIS) directive also identifies a number of essential service operators (OSEs) who are “required to take appropriate security measures and report serious cyber incidents to the competent national authority.” These measures include risk prevention, securing networks and information systems, as well as managing incidents and their consequences. In addition, ENISA offers a detailed four-phase roadmap for integrating cybersecurity into the digital DNA of ports.
Phase 1: identification of cyber-connected assets and services
It is recommended that all port authorities begin their cybersecurity investigations by identifying and accurately mapping the IT and OT systems on which they depend, as well as the services they support. Because port systems are so strongly interconnected with those of other players in the river and maritime transport value chain, it is important for this mapping also to include the systems of all partner stakeholders.
Phase 2: cybersecurity risk analysis
Once the task of mapping IT / OT systems and services has been carried out, it becomes more realistic to carry out a cybersecurity risk analysis. The port authority must then be able to develop a reliable methodology to identify and assess the cyber risks inherent in the operation of its systems and services.
Phase 3: definition of security measures and solutions to be adopted
This phase focuses primarily on identifying and prioritising security measures and solutions to be implemented to reduce risks to acceptable levels. Phases 1 and 2 are therefore essential to properly allocate financial, human and technical resources and implement priority measures according to the specific requirements of each port.
In its guide, the European Agency identifies 23 key security measures for port organisations. Several of these stand out, including:
- the implementation of a protection strategy “for monitoring port terminals and strengthening their security by implementing security tools and mechanisms such as antivirus, encryption, mobile device management (“MDM”) and hardening”. This is a key requirement, especially in a hybrid work structure where the use of teleworking is on the rise;
- the definition of an architecture based on network segmentation to limit the spread of attacks within port systems and avoid direct access to very critical port systems such as Vessel Traffic Management Information Systems (VTMISs) and security systems;
- the establishment of an IT security awareness program for all personnel within the port ecosystem, focusing first on the main threats, then reinforced with specific mandatory training on cybersecurity for certain key groups dealing daily with IT and OT (system administrators, project managers, developers, security agents, port masters, etc.);
- the implementation of multi-factor authentication mechanisms for accounts that access critical applications and data (personal data, sensitive operational data such as detailed information on ships, hazardous goods and cargo).
Phase 4: cybersecurity maturity assessment
Lastly, this roadmap must include a self-assessment of port authority maturity levels in terms of cybersecurity. This enables them to re-assess their specific strengths and weaknesses with each update of IT and OT systems and move forward in cycles, identifying new security measures to be introduced in the future.
Maritime IT security: strength in unity
But the NIS directive also offers an international framework for collaboration between public and private services from all member countries of the European Union. In this respect, the Computer Security Incident Response Teams (CSIRT or CERT) play a central role as a trusted third party. A prominent example of this is the Maritime Computer Emergency Response Team (M-CERT), a French initiative dedicated to the Franco-European maritime and port sector. In collaboration with other similar organisations of international rank, its role is to centralise all security information supplied by its members, and to ensure anonymous sharing, improving the response capacities of all stakeholders in terms of cybersecurity. “For this to be possible, you need to be able to monitor your IS to detect attacks, but more importantly, to identify their characteristics in order to share them with competent bodies such as our M-CERT,” Olivier Jacq concludes.
And this type of initiative, aimed at co-ordinating the efforts of public and private actors on common issues, extends far beyond European borders. Many countries are equipping themselves with cooperation frameworks between private and public actors united by shared cybersecurity issues. In the United States, for example, the Facility Security Plan (imposed by the Maritime Transportation Security Act) co-ordinates joint responses by the FBI, Coast Guard and port authorities. This recently enabled the very rapid circulation of technical and strategic information following the cyberattack on the Port of Houston. In an ocean of cyber threats, it seems that there is strength in unity.