Nowadays, just about everyone lives tethered to their cellphones, but that wasn’t an option for Tracey Sandberg on that random Tuesday in September 2018 when the Port of San Diego was struck by a ransomware attack.
Sandberg, who had joined the port as director of information technology earlier that year, was cut off from the outside world, sequestered in a jury room at the county courthouse, when Iranian hackers used malware to freeze the port’s computer systems. After the attack, the port had limited access to permits and public documents for several days, and the administrative functions of the Harbor Police were impacted.
When Sandberg arrived at work the next day, she knew she’d have her hands full.
“On Day 2, I walked back into the building, and the team said, ‘Thank God you’re here,’” said Sandberg, now the port’s chief technology officer. “Imagine that every laptop, every desktop and every server in your organization doesn’t work. What do you do? How do you even begin to organize that recovery?”
At the time, the port was working to upgrade its IT infrastructure, and though that process wasn’t complete, the port’s focus on cybersecurity paid off. The port had a disaster-recovery plan in place and was able to recover its data through backups, so it chose not to pay ransom to the two hackers, who eventually were indicted but never arrested.
Sandberg said the port’s leadership team lined up color-coded Post-it Notes in a long hallway Kanban to map out the recovery process. The first step was to clean about a dozen laptops and some servers so the IT department could establish a computer lab in a conference room. With few trusted workstations available, the port’s top executives lined up alongside line-level employees for their turn at a laptop, and the IT team worked feverishly to clean and reconnect more critical components.
“Technical staff would pick up a Post-it Note from the hallway and work that Post-it Note, and that’s really how we got through the first few weeks of work,” Sandberg said. “It was a bonding time for the company as we made our way through this experience.”
For every headline-making cyberattack – such as those on the Port of San Diego, the Colonial Pipeline and the JBS meat-processing company – there are countless similar attacks noticed only by businesses and their customers. Last year alone, the FBI’s Internet Crime Complaint Center received 2,474 complaints identified as ransomware, with adjusted losses exceeding $29.1 million, an increase of 225% over the prior year, according to the agency.
Ransomware attacks on businesses happen every 11 seconds on average, with global damages projected to reach $20 billion this year, according to the Boston-based cybersecurity firm Cybereason.
The increasing frequency and sophistication of ransomware attacks represent a top security concern for port administrators, along with physical threats such as terrorism and natural disasters. In response, many ports have been upgrading their IT hardware and software over the past few years, often with help from the Department of Homeland Security’s Port Security Grant Program, which provides up to $100 million in annual funding to protect the nation’s critical port infrastructure.
Sandberg said the ransomware attack accelerated the Port of San Diego’s planned cybersecurity upgrades, which included investments in IT hardware, software and manpower. It also underscored the importance of following best practices, such as patching servers and laptops every month, using two-factor authentication to access computers and having a standardized process for making changes to IT infrastructure.
Port employees also are trained to recognize spear-phishing attempts, in which hackers send suspicious emails to workers, encouraging them to click on a link or enter sensitive information. Employees are taught to flag spear-phishing attempts in the port’s email system to help prevent them from spreading, and when they are detected, the IT team sends out a bulletin to workers showing them what those attempts look like.
This fall, the Port of San Diego is planning to hold a tabletop exercise simulating another ransomware attack that brings operations to a halt. IT staff will be told to pretend that their laptops, desktops and other devices no longer work, and they’ll begin the recovery process anew. With the threat from cyberattacks constantly evolving, the defensive preparation never ends.
“We’ll be testing ourselves and gauging our own preparedness,” Sandberg said.
Here’s a snapshot of other ports’ cybersecurity initiatives:
Port of Los Angeles
The busiest port in the United States made big news in December, announcing a partnership with IBM to create a Port Cyber Resilience Center.
Focused on detecting and defending against cyberattacks that could disrupt the supply chain, this first-of-its-kind system is expected to greatly improve the quality, quantity and speed of cyber-threat information sharing within the port community, according to Thomas E. Gazsi, the port’s chief of public safety and emergency management.
The three-year, $6.8 million agreement calls for IBM to provide the port with hardware, software and services to design, install, operate and maintain the Cyber Resilience Center.
In 2014, the port established its Cyber Security Operations Center to monitor threats to the port’s internal systems, and Los Angeles remains the only port to hold the prestigious ISO 27001 cybersecurity certification from the International Organization for Standardization. The new Cyber Resilience Center will bring the port’s other stakeholders into the fold, creating a “system of systems” accessible to terminal-operating shipping lines, rail companies, trucking companies, labor groups and others, Gazsi said.
“We take very seriously the fact that we are the busiest container port in the United States, and with that comes the responsibility to fortify and secure the supply chain in a responsible, digitized fashion,” Gazsi said. “You constantly have to prepare for a cyberattack and be ready to respond effectively, not only for yourself but for your stakeholders.”
Port of Beaumont
It’s out with the old and in with the new at this port in southeastern Texas, which hired a third party to perform a cybersecurity audit of its IT network in 2019. The goal was to bring the port into compliance with the Cybersecurity Framework for Improving Critical Infrastructure established by the National Institute of Standards and Technology (https://www.nist.gov/cyberframework).
The port has hired a third-party integrator to install new equipment and software that will address the priorities outlined in the cybersecurity audit, according to Randal Ogrydziak, the port’s director of security, facilities, regulatory compliance, safety and emergency management.
“Our administrative network was last upgraded many years ago, and back then, people didn’t even know how to spell cybersecurity,” Ogrydziak said. “This will reduce our risk to cybercrime, but it won’t eliminate it. You don’t know what you don’t know unless you have a trusted third party come in and assess your network. There’s a cost associated with that, but you get what you pay for.”
Ogrydziak said the port focuses on cybersecurity training since the “insider threat” from employees is always present. A disgruntled worker might click on the wrong link intentionally, but most of the time, the offender makes an honest mistake and forgets what he’s been taught about spear-phishing schemes, he said.
Ogrydziak pointed to a cybersecurity presentation offered by a DHS official that he attended several years ago. The official said that the very next day after DHS employees were instructed on how to handle suspicious emails, he sent a fake email offering free NFL tickets to those who clicked on a link and provided some personal information.
“They had to redo training for everybody,” he said.
A good cybersecurity training program covers not only the basic threats but also the creative ways hackers can gain entry into a computer network. Simply connecting a smartphone to a computer for charging can give cybercriminals a way in. Alternatively, they might even label a flash drive “port employees’ salaries for 2021” and leave it in the parking lot, hoping an employee plugs it into a computer.
“You can have the latest hardware, software, firewalls and everything else, but it comes down to that insider threat, which is usually someone not thinking about what they’re doing,” Ogrydziak said.
Port of Redwood City
This Northern California port has used federal grants to fund a variety of security improvements, including construction of an Interagency Operations Center; equipment such as cameras, lights and fencing; a new jet dock; and CBRNE (chemical, biological, radiological, nuclear, explosive) detection equipment for the Redwood City fire and police departments.
The Interagency Operations Center (IOC) will be a place where local, state and federal first responders can collaborate with the port and its stakeholders to manage emergencies. The Port of Redwood City is a FEMA-designated Federal Staging Area in the event of an earthquake or other disaster.
Kristine A. Zortman, the port’s executive director, said building the IOC involves replacing the port’s existing IT hardware and software systems with newer versions, helping the port to stay one step ahead of hackers. She said IT infrastructure is similar to consumer electronics such as televisions and cellphones in that the latest products seem antiquated in just a few years.
“It’s about making sure that you have the most up-to-date technology, assessing whether that technology is giving you what you need, and identifying how that technology may leave you vulnerable to a breach,” Zortman said. “You don’t ever want to be static because once you stop reassessing and looking to upgrade, that’s when people start being able to find inroads into your system.”
The Cyber Resilience Center will automate the process of sharing cyber-threat information throughout the port community, giving stakeholders that choose to participate more-detailed, accurate and timely information, according to Lance Kaneshiro, the port’s chief information officer.
“The Cyber Resilience Center will reduce the risk of a disruption to the flow of cargo by allowing us to work with our stakeholders to share cyber-threat information and to be available as a resource to help to restore individual operations if appropriate,” Kaneshiro said. “We needed to look beyond our individual systems for cybersecurity and look at it more from the ecosystem and supply-chain perspective by collaborating with our stakeholders.”