Experts Share Top Seaport Cybersecurity Tips
Every seaport is vulnerable to cyber intrusions. Many of these attacks are harmless; some are disastrous.
Ransomware, malware, spear phishing, and credential harvesting are some of the threats — all are new to the lexicon of seaports in the last decade or so.
Each year, cyber attacks of all sorts against seaports escalate and become more sophisticated. The only way forward is to be ever vigilant.
That’s a tall order when you are hit with 40 million cyber attacks per month, as the Port of Los Angeles reports.
“We are a big target. There are threat actors trying to find ways to cause havoc and disrupt. They know the port is critical to the nation. And there are those that want to hobble the country,” said Tony Zhong, chief information security officer for the Port of Los Angeles.
Unfortunately, it really only takes one savvy cyber criminal or one misguided staffer to bring a port to its knees.
More Digitalization, More Threats
Ports and terminals need better protection against cyber threats and attacks because they are using more complex technology and widespread automation.
The Jones Walker 2022 Ports and Terminals Cybersecurity Survey reports, “Business-system failures or other compromises of port and terminal systems can disrupt or shut down operations, interrupt supply chains, and cause significant financial, physical, and even geopolitical impacts.”
The survey cites attacks on ports in San Diego, Houston, Long Beach, Rotterdam, and Barcelona, all within just the past five years.
The digitalization and automation of terminal operating and industrial control systems — such as automated operational technology systems that augment information technology (IT) and/or communicate data, operate equipment, track cargo and containers, and manage commercial operations — is inherently risky.
The IAPH Cybersecurity Guidelines for Ports and Port Facilities deemed any level of digital adoption at a port or port facility the “handmaiden” to cyber risk. The report called cyber attacks “the top risk for port authorities and the wider port community.” Also, it added, “The accelerated pace of digitalization … only intensifies the urgency for executives to focus on organizational cyber resilience in order to safeguard the integrity and availability of critical data, ensure service delivery and protect maritime infrastructure.”
One of the reasons that cyber attacks are escalating is that many are run by bots. “These bots can operate constantly, trying to poke holes in different areas,” said Ken Washington, CIO for Port Tampa Bay and chair of the AAPA IT Committee. To fight the non-stop hacking, ports need a similarly robust and relentless defense system.
CDR Brandon Link of the U.S. Coast Guard Office of Port and Facility Compliance said, “As the available technologies continue to evolve, so do potential risks, threats, and vulnerabilities, whether from insider threats, criminal activity, malicious nation-state actors, and even unintentional effects of indirect information technology and operational technology system complications.”
Mark Dubina is vice president of security for Port Tampa Bay and AAPA Security Committee vice-chair. He said that, while even inadvertent cyber attacks can have severe repercussions, he is particularly mindful of malicious attacks that originate internationally. The port is a global player, as are its partners, and many interact with parts of the world known for a proliferation of cyber attackers.
Organizational Cybersecurity Reengineering
“The biggest mistake a port can make is investing in a range of toolsets/technologies that it implements without a plan or the organizational structure to manage/oversee its use,” said Bobys, who outlined an eight-step plan for seaports, starting with getting organized, a seemingly simple but sometimes grueling activity due to egos and empires within an organization.
Cybersecurity responsibility must be assigned and an internal cybersecurity steering committee or working group should be created. “It serves as a forum for implementing oversight, facilitating information sharing, driving cross-functional consensus building, investment planning (for CAPEX), budgeting (for OPEX), oversight and accountability, training and collaboration, and incident response and recovery,” said Bobys.
Once organized, cybersecurity capabilities should be identified, assessing gaps in staffing, technologies, processes/procedures/controls, and budget planning and allocation.
With the expectation that every port will be breached at some point, ports also need to create a cyber incident response plan (aligned with the Coast Guard-Approved Facility Security Plan) and test it.
Resource planning is much easier after potential financial losses are assigned to possible breaches, but because ports can never be 100% secure, they should consider cyber insurance. Bobys said ports can “evaluate cyber risks for acceptance, mitigation, avoidance, or transfer (insurance) in an informed manner.”
Next, the port should identify third-party cybersecurity risks and implement cyber supply chain risk management, train all personnel (and board) with access to digital assets about cyber awareness, and continue training.
Making Difficult Decisions
While every organization is a target for cyber crime, seaports, with their global tentacles and central role in critical national infrastructure, have an even higher risk. But cyber protection isn’t easy, because, as the Jones Walker survey concludes, “The technologies can often be complex, threat actors are highly motivated and skilled, and the cost of protecting an organization’s data and systems may appear steep.”
Fortunately, help is available. There are ways and means to harden a port’s cybersecurity.
AAPA Seaports spoke with leading experts to pull together some of their top tips and tricks for staying safe in the digital era.
1 Get Buy In from Above
The decision to make cybersecurity readiness a priority is difficult, especially as ports simultaneously manage other pressures like supply chain disruptions, climate action, and labor shortages.
In order to start moving in the right direction, a port needs “buy in” from top brass. This is critical, not just because the leaders hold the purse strings — and cybersecurity does indeed require substantial resources — but also because ports have an obligation to perform. Without top-level support, cybersecurity efforts are severely hamstrung.
“Cyber risk management is not just an IT issue, but rather a strategic risk that can impact a port’s reputation, its operations, financial performance, and its legal and/or compliance posture,” said Max Bobys, vice president and practice leader for HudsonCyber, a cyber risk management firm focused on the maritime industry.
Executive management and board members therefore have inherent legal and regulatory oversight obligations to manage the port’s cybersecurity risks, including data privacy and confidentiality.
To really grab the attention of the C-suite, Bobys recommends attaching a dollar value to a potential intrusion. When presented with a loss scenario in dollars and cents, leadership can more easily see the relationship between good cyber safety and a strong balance sheet. Knowing how much of the port’s financial value is at risk underscores the need for fiduciary responsibility.
Using loss scenario analysis, ports can also better prioritize investment planning and resource allocation.
2 Don’t Shortchange your Defense
Cybersecurity requires people, processes, tools and funding. Some ports allocate cybersecurity investments in a reactionary, ad hoc manner. According to Bobys, “This creates a ‘whack-a-mole’ approach to managing cyber risk and leaves the port vulnerable.”
Some cybersecurity resources and tools, perhaps surprisingly, are available at little or no cost and many are not technology based.
Most ports are ultimately accountable to taxpayers. Bobys said that, to ensure financial and operational viability, the executive team and board must ensure that adequate resources are provided to appropriately manage a wide range of cyber risks.
As luck would have it, some cybersecurity funding assistance is available.
There are grants, the most well-known probably being the Department of Homeland Security’s Port Security Grant Program, and sometimes partner funding, because seaport security is a collaborative effort that includes tenants, the state, federal agencies, and other partners on multiple aspects of cybersecurity.
Zhong said a holistic approach to cybersecurity is ideal, if ports have enough resources. But for ports that have smaller operations or very limited resources, he said, it is still important to identify cybersecurity solutions for top issues. “Even if you take baby steps, eventually you’ll get there,” he said, noting that the field is changing so rapidly that no port can take a one-and-done approach — cybersecurity is a long-term commitment.
3 Don’t Try to Do it Alone
Safeguarding the integrity and availability of critical data, ensuring service delivery, and protecting maritime infrastructure can seem like an impossible task. But every day the cybersecurity capabilities of supply chains are improving. The fact that threat actors are also improving means seaports need all the help they can get.
One of the most important steps for a seaport is to ensure its IT and security forces are on the same page. “The physical and technological sides of security are both needed — if they don’t work together they are not going to be successful,” said Washington.
Port Tampa Bay calls this Total Protection. “My camera system, access control, credentialing are all IT based. We rely on the IT department to help us provide a secure environment. And, IT has hard assets like underground fiber, utility vaults, computer closets,” said Dubina. “I protect their infrastructure and they protect mine for a total protection model.” At Tampa Bay, the security division vets all specs for security tech to ensure a good fit with IT protocols and security protocols.
A nation’s security and its economic prosperity depend on safe and efficient transportation systems. That alone puts a bullseye on the backs of seaport hubs. It also makes cyber threats a shared responsibility — government and industry must work together. (See related sidebar on page 15.)
There are many sources of assistance to ensure a port’s cyber safety. AAPA’s working committees and the International Association of Ports and Harbors’ cybersecurity guidelines are a good start, and in the U.S., the Coast Guard’s Area Maritime Security Committees (AMSCs) and new cybersecurity specialists are designed to help.
Their presence is appreciated. For example, in late 2021 the Coast Guard received a report from a U.S. port because a “malicious cyber actor gained user account credentials and access to the gate operating system where trucks entered and exited the port.” Within three hours of the intrusion, the port flagged the suspicious activity and took the server offline. Then they requested Coast Guard Cyber Protection Team (CPT) support. The Team captured computer forensics associated with the event and deployed a team to ensure the port’s response measures were adequate for the risk level. The Coast Guard reported, “While the intruder was able to steal user account information, it did not appear to have time to deliver other malicious software like ransomware.”
In this case, the Coast Guard had the port’s back, and was able to allay fears of lingering impacts on the port’s digitized systems.
The Jones Walker survey pointed out that many government and private “organizations not only provide training and resources but also act as a clearinghouse for updated, real-time information that can help raise awareness about imminent threats and provide strategies and tactics for minimizing risk.”
More than anything else, cybersecurity is about people. It can only be effective if a seaport’s management, staff, partners, and stakeholders have proper training, effective communication, commitment, and a strong support group.
Employees are the primary gatekeepers. Without their commitment, cyber attacks will be more harmful. Washington said that it is vital that ports provide regular and meaningful training to help build awareness and protect the organization and its employees. Cyber threats are always changing, so training must too.
Some ports have learned the hard way that it isn’t just permanent staff that need to be committed. Temporary staff, consultants, vendors, and contractors — and any number of other stakeholders with whom the port interacts — should have appropriate preventive and response measures in place.
At Port Tampa Bay, Dubina said, cybersecurity language has made its way into business contracts of all types. After all, cybersecurity is only as secure as its weakest link.
5 Cybersecurity Tips from the U.S. Coast Guard
Become active with your local AMSC, and leverage the efforts and resources of your port partners across government and industry.
Practice and enforce good cyber hygiene. Often, a cyber incident can be avoided by taking simple steps to avoid threats and vulnerabilities.
Reach out to your local Captain of the Port for Coast Guard-specific guidance on cybersecurity. Each Captain of the Port Zone has hired, or is hiring, newly-established Marine Transportation System Specialist — cyber positions that serve as a liaison to port and industry partners and can help with identifying available resources.
Identify what services the Coast Guard, or other agencies such as CISA, can provide to your port.
Become familiar with cyber incident reporting requirements. Stakeholders regulated under MTSA are required to report Breaches of Security, Suspicious Activity, and Transportation Security Incidents to the National Response Center without delay. Other agencies such as CISA also have reporting requirements for critical infrastructure stakeholders. By sharing information regarding cyber incidents early, agencies are able to respond quickly to mitigate the impact and prevent the incident from spreading.
SOURCE: CDR BRANDON LINK
4 Plan, Test, Update, and Plan Again
When a port knows its weaknesses, it can take action.
The Jones Walker survey said about three quarters of U.S. ports have written cybersecurity plans. Most of the rest incorporated their cyber planning into their general security plans.
However, a plan on a shelf achieves nothing. The plans have to be practical, with enough detail to guide action in a hurry when needed. That means they also have to be updated, and tested, frequently.
According to the Jones Walker survey, about 64% of ports had updated their plan within the last two years. About 45% of respondents conducted tabletop exercises annually, and about half of coastal and 26% of other ports had conducted data-security systems or breach-readiness reviews or audits in the past year. While those numbers show commitment, there is a gap in testing and updating plans at many U.S. ports.
In Tampa Bay, the cyber incident response plan involves sequential call-downs, among other elements. “When we discover an attack we immediately notify the CEO, then our security department to set up the law enforcement chain. Next is legal, to decide if legal processes are necessary, and then PR to be ready for public inquiries,” said Washington.
Elements of the protocols are constantly being refined, but the port is always clear on if, and when, it should go dark. Server shutdowns are not taken lightly.
Of special note — ports should always maintain redundancy for cybersecurity. Cloud computing means system downtime won’t jeopardize a port’s digital files while attacks are being investigated and resolved. “If you can, eliminate remote access and/or VPN (virtual private networks) to your business network,” Washington said.
At PortLA, Zhong said that when cybersecurity teams assess incidents there are often lessons to be learned. “When it doesn’t jeopardize our security, it may be relevant to share detection, mitigation, recovery, and those lessons learned,” with the security community or others, said Zhong. “There are always efforts toward greater collaboration,” he continued. More insights mean more cyber vulnerability gaps are closed.
In LA, the Cyber Resilience Center is a collaboration among all stakeholders to counter cyber risks. Cooperation on security efforts allows parties to prepare for similar types of attacks. “Sharing information about correlated attacks is a valuable way to help port stakeholders protect their systems,” said Zhong.
2023 Smart Ports Seminar & Expo
AAPA recognizes the imperative of aligning IT and security for cyber safety and operational integrity. Its upcoming 2023 Smart Ports Seminar & Expo combines topics on information technology, facilities engineering, and port security. To be held in Boston July 19–21, this event will share best practices on cutting-edge technologies driving port operations, major infrastructure projects, and mitigating emerging threats.
Into the Fire
The future will bring more solutions, and undoubtedly new cyber challenges. Dubina is a strong proponent of the U.S. building its expertise in quantum computing. “Right now there are large amounts of data in cyberspace, but it can be difficult to organize,” he said. Soon quantum computing will eliminate that issue, and when ports and other data-rich entities are attacked, cyber thieves will find it easier to make use of the stolen data. “The U.S. needs to be at the forefront,” said Dubina.
Ports and their partners know cyber risks aren’t going away. They have to stay on top of cyber industry developments now and always. They have to constantly assess and seek improvement. “We can’t relax,” said Washington.
U.S. Federal Help
The Coast Guard continually reviews existing regulations, guidance, and policy to seek opportunities to enhance maritime security, to include cybersecurity, and to provide updates or new resources. According to the Office of Port and Facility Compliance, some federal resources available to U.S. ports are: Navigation and Vessel Inspection Circular 01-20, “Guidelines for Addressing Cyber Risks at MTSA Regulated Facilities”; the Maritime Cybersecurity Assessment and Annex Guide; the Vessel Cyber Risk Management Work Instruction; and Coast Guard Cyber Protection Teams (CPTs).
Federal agencies such as CISA, TSA, and others have also developed cyber-focused products to assist stakeholders across critical infrastructure.