2023 Retrospective: Port Cybersecurity Crises
During the tumultuous period of 2023, the maritime industry, particularly port operations, faced a significant cybersecurity maturity gap. This era, marked by the increasing digitalization of port activities, exposed the industry’s vulnerability due to its lack of robust cybersecurity infrastructure, weak incident response planning, and a shortage of cybersecurity experts in the IT/OT departments of port authorities. These shortcomings, alongside the critical nature of port operations in global trade, made ports prime targets for cybercriminals.
This period witnessed a series of significant cybersecurity breaches in the maritime sector, particularly affecting major ports. On July 5, 2023, the Port of Nagoya, Japan’s largest and busiest port, handling about 10% of the country’s total trade volume, was struck by a ransomware attack. The attack disrupted the port’s communication systems, hindering the processing of import and export operations. Yokohama Kawasaki International Port Corporation (YKIP), the port’s operator, responded by isolating the affected servers. They managed to restore their systems using backups and resumed normal operations within a few days.
In a similar incident, DP World Australia, a key port operator in Australia, encountered a substantial cyber incident on November 10, 2023. Unauthorized access was detected on its network, prompting the closure of its Sydney, Melbourne, Brisbane, and Fremantle port operations. This cyberattack profoundly impacted DP World Australia’s operations, which manage ports handling about 40% of Australia’s import and export container traffic. The company had to halt operations for approximately three days, after which they resumed activities following successful testing of key systems.
These incidents highlight the frightening prospect of future concentrated attacks on ports and their implications for the global supply chain and critical infrastructure. Ports, as crucial nodes in global trade, are susceptible to operational disruptions. These disruptions can hinder the flow of goods, leading to delays in imports and exports, thereby affecting the stability of the global supply chain. Furthermore, such events could lead to economic losses, erode customer trust, and impact the overall efficiency of global markets.
Navigating Cybersecurity in Modern Ports
The European Network and Information Security Agency (ENISA) report titled Port Cybersecurity – Good practices for cybersecurity, published in 2019, was written to provide background information so that CIOs and CISOs of entities involved in the port ecosystem, especially port authorities and terminal operators, can build their cybersecurity strategy. We will be drawing from this report for our simplified breakdown of the infrastructure and key aspects of ports. According to this report, a port’s infrastructure comprises several components, including:
- Marine infrastructure such as breakwaters, dredging, locks, basins, jetties, quays, mooring piers, etc.
- Distribution infrastructure such as internal roads, railways, walkways, etc.
- Buildings and terminals, which will sometimes be referred to as port facilities, are managed and maintained by the Port Authority.
Additionally, the Port Authority may lease specific areas or facilities within the port to private terminal operators. It then becomes these operators’ responsibility to maintain and manage the facilities, which includes overseeing equipment like cranes, silos, specific fencing, control facilities, and passenger terminals and ensuring that specific port facility operations run smoothly.
Port activities usually fall into three main categories: activities related to fishing, activities related to maritime cargo, and activities related to passenger and vehicle transport. To support these activities, the port provides seven services:
- Vessel berthing services (services related to helping vessels dock and undock, refuel, repair ships, towing, ship supplies, etc.).
- Vessel loading and unloading services (services related to loading and unloading freight or cargo, fish, passengers, and vehicles that may require the use of cranes and conveyor belts, etc.).
- Temporary storage and staying services (holding unloaded freight until it is distributed and transferred to its intended destination).
- Distribution and transfer services (mainly focused on ensuring hinterland connectivity, i.e. the transportation and communication links that connect inland regions to coastal or border areas; the goal of hinterland connectivity is the smooth movement of goods, people, and information between the inland regions, known as the hinterland, and external points such as ports or borders).
- Support services (support is typically provided by either the Port Authority or other private companies and encompasses many services, such as freight tracking, land and infrastructure management, maintenance, and terminal operations management, among others).
- Security and safety services (these services are meant to prevent harm to infrastructures, services and people passing through the port; this harm could stem from unintentional accidents or intentionally malicious activities such as terrorism).
- Authorities’ services (authorities are often located within port facilities to provide services such as controls and inspections).
The progressive convergence of Operational Technology (OT) and Information Technology (IT) in maritime environments has escalated the vulnerability of OT systems to cyber threats. This is particularly evident in the case of port operations undergoing digital transformation. A key application of OT in this sector is the development of advanced navigational alert systems for ships, aimed at reducing the risk of collisions during docking. These systems effectively monitor the movement of ships entering ports, issuing timely warnings in cases of abnormal speed to prompt corrective actions by the control tower.
Another innovative application involves leveraging IoT technology to create real-time maritime weather monitoring systems. By deploying a network of IoT sensors, these systems gather crucial data on wind, waves, currents, and tidal levels, enabling ports to swiftly adjust their operations in response to changing sea conditions. However, the risk lies in the potential compromise of OT networks, which can lead to the disruption of critical control systems like cargo and ballast water management. Such breaches pose significant threats to both physical safety and the integrity of maritime infrastructure.
On the landside, ports increasingly depend on sophisticated monitoring systems. Beyond routine security patrols, critical areas are often under continuous surveillance via CCTV cameras, providing real-time monitoring. The adoption of contactless technology for recording the movement of people and vehicles has been accelerated by the pandemic. This includes integrating diverse sensing devices, such as RFID readers for access control and OCR scanners for identifying vehicles and container numbers. These advancements facilitate more efficient and secure port operations.
Given the complexity of port infrastructure and its numerous points of interaction, the potential for cyber disruption is immense. Any interference with logistical processes, customs procedures, or cargo handling could have far-reaching implications for the flow of goods, leading to significant financial repercussions on a global scale. Ships and their crews face many new risks as well, having incorporated IoT into their systems to keep pace with technological advances and the efficiency they offer. For instance, if a navigation system is tampered with, ships can collide with one another or run aground; if communications are compromised, crew members could be stranded at sea, unable to call for help. Risks such as these make it difficult for maritime entities targeted by ransomware to refuse to pay the ransom, since the cost of downtime can be this high. On the other hand, paying would encourage other opportunistic malicious actors to continue targeting these systems.
In this context, prevention is paramount. Establishing a robust cybersecurity framework, grounded in the principles of zero trust and zero knowledge, is essential to safeguard maritime operations against cyber threats. This proactive approach is crucial to mitigating the risks posed by increasingly sophisticated cyberattacks as the maritime sector continues to evolve in an ever more interconnected and digital world.
Global Regulatory Initiatives: Enhancing Port Cybersecurity
The International Maritime Organization (IMO), a specialized agency of the United Nations, plays a pivotal role in formulating and maintaining international maritime safety and environmental standards. Originating from the United Nations Maritime Conference in Geneva in 1948, the IMO initially functioned under the name Inter-Governmental Maritime Consultative Organization (IMCO) before adopting its current name in 1982. Its primary objective is to ensure safe, reliable, and sustainable transportation, fostering trade and amicable relations among nations. This mission is manifested through key international conventions such as the International Convention for the Safety of Life at Sea (SOLAS) and the International Convention for the Prevention of Pollution from Ships (MARPOL).
IMO Guidelines for Maritime Cyber Risk Management
In the realm of port security, two major regulatory tools under the IMO’s auspices stand out: the International Safety Management (ISM) Code and the International Ship and Port Facility Security (ISPS) Code, both falling under the SOLAS framework. The ISM Code, in particular, was expanded with the Guidelines on Maritime Cyber Risk Management in 2017, underscoring the escalating need to incorporate cybersecurity into the operational resilience of shipping.
The Maritime Safety Committee’s resolution MSC.428(98) in 2017 marked a significant milestone, establishing three major advancements in maritime cybersecurity risk management:
- Acknowledging the incorporation of cybersecurity in approved safety management systems as per the ISM Code’s objectives and functional requirements.
- Urging member states to ensure that cybersecurity risks are addressed in safety management systems no later than the first annual verification of the company’s Document of Compliance after January 1, 2021.
- Recognizing the necessity of safeguarding certain aspects of cybersecurity risk management.
The Next Step: Cybersecurity Concerns in the IMO ISPS Code
The evolution of maritime safety regulations under the International Convention for the Safety of Life at Sea (SOLAS) and its subsidiary regulations such as the International Safety Management (ISM) Code has predominantly focused on physical safety measures. While effective in their domain, these regulations reveal a noticeable inadequacy when confronting specific cybersecurity threats. Notably, the ISM Code, despite its comprehensive risk management framework, applies solely to ships, leaving port facilities — vital nodes in global trade — under-addressed in terms of cybersecurity.
The ISPS Code, part of the SOLAS framework, is a comprehensive, mandatory security regime for international shipping and port operations. Instituted in response to the September 11, 2001 attacks, it aims to standardize risk assessment frameworks and ensure that governments implement proportionate security measures. The code, in force since July 1, 2004, is divided into two parts: Part A, which sets out mandatory security-related requirements for ports and terminals, and Part B, which provides recommended guidance on how to fulfill them.
At the core of the ISPS Code is the ship/port interface: the interactions that occur when a ship’s operations directly and immediately involve the movement of persons and goods, as well as the provision of port services. To comply with the ISPS standards, authorities must conduct Port Facility Security Assessments (PFSA) and formulate security plans, appoint Port Facility Security Officers (PFSO), and invest in the necessary security equipment. Moreover, monitoring and controlling access, alongside ensuring robust security communication, are critical.
The broader perspective on cybersecurity under the ISPS Code necessitates a more expansive approach. While the primary focus remains on physical protection during a ship’s port stay, the potential for ships themselves to pose a cybersecurity threat to port facilities cannot be ignored. For instance, section 1.4 of Part B of the ISPS Code emphasizes the need to recognize both external and internal threats in security assessments. The role of the PFSO must evolve to encompass cybersecurity at the ship/port interface, extending beyond the traditional focus on physical threats.
Embracing NIST 2.0 for Modern Ports
The National Institute of Standards and Technology (NIST) in the United States has developed a framework designed to reduce cyber risks to critical infrastructure. Version 2.0 of this framework is expected to be officially released in 2024, serving as a tool for managing and mitigating risks associated with cyber threats. It focuses on six distinct functions to enhance cyber resilience: governance, identification, protection, detection, response, and recovery. Below, we describe some specific operations to explain how these functions can be applied to your organization and port community within an Operational Technology (OT) environment using the NIST CSF 2.0:
Governance in Cyber Risk Management
In the maritime sector, effective cyber risk management necessitates periodic assessments of OT/Industrial Control Systems (ICS) assets. This comprehensive approach includes identifying interdependencies between applications and IT/OT assets, integrating risks from third-party OT/ICS contracts, and considering regulatory changes to maintain critical process integrity.
Utilizing the TXOne Networks Portable Inspector, port operators can perform detailed vulnerability assessments across various operating systems. This tool helps with identifying vulnerabilities, conducting malware scanning, and enhancing risk management capabilities.
Identification: Laying the Cybersecurity Foundation
The identification function is crucial in establishing or advancing an organization’s cybersecurity strategy. It encompasses understanding the business context, inventorying assets, mitigating known vulnerabilities, and prioritizing cybersecurity measures. Automated solutions for asset inventory collection are vital at this stage.
Edge solutions play a pivotal role in passive asset identification, thereby enhancing visibility within OT networks. This passive monitoring bolsters network security and helps in maintaining an up-to-date asset inventory, crucial for identifying and mitigating shadow IT/OT issues.
In addition, the Portable Inspector collects asset information to generate an inventory list that grants IT/OT visibility and eliminates Shadow IT/OT.
Protection: Safeguarding Maritime Assets
Protection is key in managing defensive services, including firewalls and endpoint protection, and in overseeing vulnerability management. Continuous staff training across IT, OT, and support departments is vital for adapting to cybersecurity’s evolving nature. Rigorous control of OT network access and stringent policies prevent unauthorized connections to IT and OT assets.
EdgeFire/EdgeIPS, designed for OT environments, offers network segmentation and advanced access control. Stellar, an endpoint protection solution, prevents unauthorized application execution, reinforcing system security.
Detection: Unveiling Hidden Threats
Detection has become increasingly important, even with protective measures in place. Recognizing abnormal behavior in IT and OT systems is essential to identifying potential threats. Maintaining records of TTPs and having systems to identify primary threats are necessary for effective detection.
Stellar’s operations behavior anomaly detection catches deviations in system operations, providing real-time alerts and enhancing the ability to respond to OT threats.
Response and Recovery: Ensuring Continuity
The final functions of the NIST Framework, response and recovery, are integral to boosting resilience against cyber threats. Effective incident response planning and training minimize breach duration and prevent reputational damage. Establishing methods for vulnerability reporting and maintaining recovery plans for business-critical assets are essential.
EdgeFire/EdgeIPS ensures secure interaction with OT/ICS assets, effectively mitigating unauthorized access risks. Stellar’s anomaly detection aids in early identification and response to operational deviations. TXOne’s solutions ensure that only trusted sources can interact with OT/ICS systems, effectively limiting the scope of damage and controlling the risk of unauthorized access or vulnerabilities.
Conclusion
The increasing challenges of cybersecurity in maritime operations demand an evolution in global maritime safety regulations. This evolution should encompass not only ship safety but also extend to the critical infrastructure of port facilities. If port operators can proactively reduce the impact of emergencies and ensure continued operations during a crisis, it would demonstrate their ability to quickly resume activities and maintain uninterrupted port information services. This would attract more shipping companies and allow them to establish dominance within the international port space. The events of 2023 unequivocally show that cybersecurity is no longer a peripheral concern but a central pillar upholding the fundamental functionality of global trade. As the maritime sector continues to evolve in a digitally interconnected world, adopting comprehensive cybersecurity frameworks like NIST 2.0 and adhering to global regulatory initiatives becomes indispensable. Through proactive measures and continuous innovation, the maritime industry can navigate these challenges, securing not just ports but the entire spectrum of global supply chains against future cyber threats.
References
- Experts discuss cyberattack at Japan’s largest port | Security Magazine
- IMO, Port Security Project: https://www.imo.org/en/OurWork/Security/Pages/Port-Security-Project.aspx
- IMO Resolution MSC.428(98): https://wwwcdn.imo.org/localresources/en/OurWork/Security/Documents/Resolution%20MSC.428(98).pdf