Securing Seaport Cyberspace

Ports are jumping in ‘feet first’ to combat this emerging threat to operations and safety.

By Lori Musser

The task of securing cyberspace has emerged as perhaps the single most important seaport security challenge of the decade.

An increasing number of functions are dependent on port computer systems and the Internet. Any interference can have widespread impacts on business, employees, reputation or partners. Ultimately, economic impact – the calling card of a port – could be jeopardized.

What is Cybersecurity?

Beyond protecting information, cybersecurity goes on the offensive to protect the systems that incorporate and use seaport information. Strategies include identifying risks, managing those risks and managing incidents.

According to Bethann Rooney, manager of security for the Port Authority of New York and New Jersey (PANYNJ), “Most ports will tell you their cybersecurity is for desktops, networks and email, and that it is well under control. What they don’t have under control is the systems that are dependent – so many of our systems at ports and marine terminals run off computer networks.”

Rooney said a port’s first step toward effective cybersecurity is to understand what it is, then to create a plan that looks at the interdependencies of a port’s upstream and downstream computer connections and identifies risks.

Identifying Risks

A proactive cyber defense plan starts with having the right cost, security and risk metrics in place – that includes broad intelligence. Exposure must be assessed in order to prepare a port to weather a breach. Resiliency is the ultimate goal.

Cyber threats typically originate outside of an organization and include terrorism, malicious or mischievous sabotage, industrial espionage or political breaches, such as anti-war or pro-labor action. There is often criminal intent to disrupt systems sufficiently to enable cargo theft or the movement of contraband.

Cybersecurity is less focused on internal threats, such as employee sabotage, chicanery or ineptitude. Users routinely delete critical data, introduce links with executables and send information to incorrect recipients.

Preventative measures can be put in place to negate the impact of human error and deliberate malfeasance.

Each port has different assets to protect. At first glance, it may seem that some ports are unlikely candidates for cyber crime. Some – due to their infrastructure or iconic status – are logical targets, but all seaports have much to protect. Assets that are less prone to criminal attack may be more likely to be tampered with by wayward techies (reprogramming inane messages on electronic signage is common enough). Ports that are fast-tracking cybersecurity include those that operate their own terminals, handle military or hazardous goods, or run computer-controlled infrastructure, such as gates, bridges, tunnels, ramps, signage, road lanes, lighting, locks, gas lines, traffic control or cranes.

Even small ports can prove attractive to cyber criminals. Daniel Elroi, president of NorthSouth GIS LLC, specializing in enterprise-grade implementations of geospatial technology, said small ports may be more likely to operate their own terminals or handle hazardous goods, and they may be less likely to have implemented cyber protection.

There is risk for any data in the hands of a port – data ranging from vessel manifests to camera recordings to vessel traffic positions – especially if it is used to carry out automated functions, such as payroll, electronic alerts, bank deposits or infrastructure functions, including locking gates or turning on floodlights. There is also risk for any computer-controlled utilities or services – the port’s so-called lifelines, such as water, sewer, telephones, energy, fire and other emergency response.

Ports share data with authorities and the private sector. Storing or processing another organization’s data poses additional risk and requires extra vigilance.

On the Cusp

Most ports are just launching cybersecurity initiatives. October 2013 was designated National Cybersecurity Awareness month by the Department of Homeland Security, and the United States Coast Guard recently advised its maritime security committees to bring the topic to the forefront.

“We have gone feet first into it,” said PANYNJ’s Rooney. The port is developing a framework of standards, conducting risk assessments and cyber resilience reviews, and utilizing the DHS Cyber Security Evaluation Tool to assess vulnerabilities and identify mitigation measures. She said there is a tremendous selection of available resources from the U.S. Computer Emergency Readiness Team, DHS and USCG, among others.

Port Canaveral CEO John Walsh said, “As a top cruise port, we are taking cybersecurity seriously.” Recognizing that the cybersecurity field is in its infancy, he noted the need for ongoing dynamic and proactive efforts.

Under Constant Attack

There are no cybersecurity standards for the maritime industry or for enforcement agencies. In the U.S., the president identified cybersecurity as a priority for critical infrastructure sectors including ports. A Presidential Policy Directive issued in February 2013 underscored the fact that the nation’s critical infrastructure is under constant attack. In the worst-case scenario, lives could be lost.

Elroi said that ports are grappling with several trends in data transfer and storage that increase the number of points at which information is shared, therefore accelerating the need for cybersecurity. These include enterprise computing (using a server), cloud computing (distributed computing using a real-time communications network to connect computers) and wide-area computing.

Sharing can open holes in the firewall that the port worked so diligently to create.

Managing Risks

Experts say the cost of cybersecurity is difficult to assess. Some cyber solutions, such as setting up a reverse proxy server by which users can get through a firewall but to only one location, or creating replicated databases for outside use, have readily identifiable costs. Ports can conduct cost-benefit analyses and then pick and choose some elements, but others are imperative and the best a port can do is try to minimize the cost. They can create policies, databases, software, infrastructure controls and contracts with cybersecurity in mind. The key costs may reside not in the paraphernalia but in the cost of personnel to implement and oversee.

Most port cybersecurity programs will take the form of retrofits. Where possible, incorporating cybersecurity elements into infrastructure design may result in long-term cost savings. PANYNJ is doing just that; the new intelligent transportation systems being put in its tunnels and bridges will incorporate cybersecurity from the start.

According to John Felker, director of cyber and intelligence strategy for Hewlett Packard, the annual cost of cyber crime is $110 billion – mostly in the theft of intellectual property. This impacts both security and competitiveness. Felker added, “98 percent of data breaches are from outside network. All are avoidable.”

Chris Silva, president of KOVA, Corp., specializing in solutions for public safety, customer service and workforce optimization, said, “The ostrich approach will not work.” Chances are someone out there is trying to exploit your weaknesses. “Even though it is very difficult to measure the ROI for something that doesn’t happen, it doesn’t mean the investment is not necessary,” he said.

Fortunately, some of the security measures put in place since 9/11 to combat terrorism also deter cyber threats. Others, such as port perimeter security, may thwart old-fashioned walk-on/drive-on crime but foster the development of cyber crime.

It may be possible for ports to decrease vulnerabilities by relying more on internal staff and less on consultants, who tend to be granted free rein once initially vetted, but this is not always possible or cost-effective. Nor does it address the issue of employees as threats.

The pervasive “doing more with less” philosophy means that today’s ports must try to extract ancillary benefits from their cybersecurity investments.

Security resources can be tapped for operational work, but multiple uses can create additional security issues. Elroi said, “Security cameras, for example, are usually on a separate network for protection, but there may be times that port ops people could make use of the cameras. Is that okay?” He said employee access and authorization is an ongoing challenge for ports.

Refining Current Risk Management Processes

Ports will begin to integrate cybersecurity management into corporate policy, and crisis and continuity planning, but first cybersecurity discussions will have to be elevated to the executive level to align with port goals.

Ports have long protected themselves against breaches of data, and most ports have excellent firewalls, patches and other protection against spam, malware, viruses and low-level threats to their local area networks and internet/email. Those computer hygiene solutions have been the traditional responsibility of port IT professionals. Security staff must now work with IT.

Cdr. Ulysses Mullins, chief of the USCG’s Critical Infrastructure Protection Branch, said the knowledge base and role of port operations on cybersecurity should not be underestimated. He said, “They bring critical operational information to the table.”

There is an emerging trend to merge IT and security professionals. Ports that rise above an inter-departmental territorial quagmire and create a well-executed cybersecurity program may well create a competitive advantage.

Seaports and their maritime partners are hacked daily – viral emails are sent from port servers or laptops, contractors steal employee identities, and criminals alter cargo manifest data. In a highly publicized case in June 2013, police uncovered a smuggling operation that used hackers to break into the systems at two container terminals at the port of Antwerp. They reportedly used spear phishing and malware to change the location and the delivery times of containers housing drugs.

In August 2013, hackers hit the world’s largest oil company, Saudi Aramco. They said the malicious virus was in retribution for the government’s support of “oppressive measures” in the Middle East.

In October 2013, cybersecurity researchers announced they had hacked into the vessel tracking Automated Identification System (AIS) used by U.S. ports. Reportedly, a lack of protection on the system could allow hackers to make ghost ships appear or fake emergency alerts. Since AIS is also used to broadcast the location of Aids to Navigation, an intrusion could wreak havoc.

Going Beyond Compliance

Federal efforts are underway to establish cybersecurity standards for U.S. ports and help prevent intrusions. Cdr. Mullins said the framework for the standards is expected to be rolled out within a few months. Although there will not be a regulatory requirement to participate, the USCG plans to actively encourage voluntary participation via incentives.

The 2011 U.S.-Canada Beyond the Border Initiative contains an action plan with a cybersecurity collaboration element. Canada’s Ambassador to the U.S. Gary Doer, in a speech at the AAPA Annual Convention in Orlando in October 2013, said that the two countries have enjoyed a joint command of their border perimeter for 55 years, and they should emulate that success by managing technology-related risks. He said his country’s goal is, “… sharing information before it can represent a red risk to citizens on both sides of the border.”

Security for Tomorrow

Security programs that build upon current strengths and best practices will best leverage the standards as they are introduced. Cybersecurity must be able to protect, detect, respond and recover far faster than traditional security systems.

Only after financial, economic, competitive, regulatory and image-related risks are recognized can specific protective measures be identified, funded and implemented. There will never be enough money to manage every risk, so cybersecurity is really about keeping risk at an acceptable level.

Whether a port discovers them or not, and even if it rules its cyber territory with an iron fist, there will be incidents. With foresight, awareness of vulnerabilities, diligence, timely detection, help from allies and early intervention, damage will be minor.

In 2013 and beyond, cybersecurity has become an enterprise imperative. It will never go away.

Five Questions Port CEOs Should Ask about Cyber Risks

• How is executive leadership informed about the current level and business impact of cyber risks to the port?

• What is the current level and business impact of cyber risks to the port? What is the plan to address identified risks?

• How does the port’s cybersecurity program apply industry standards and best practices?

• How many and what types of cyber incidents does the port detect in a normal week? What is the threshold for notifying executive leadership?

• How comprehensive is the cyber incident response plan? How often is it tested?

Source: U.S. Department of Homeland Security; derived from “Cybersecurity Questions for CEOs”