Port security – maritime cyberattacks


Security News Desk – UK looks at the biggest threats facing port security in today’s society and addresses why there is a vulnerability 

The maritime industry is the unquestionable driver of the global economy. Some 90% of the world’s goods are moved each year through a vast network of vessels, ports, and logistical and administrative infrastructure. Like most industries, maritime has become increasingly automated, connected and remotely monitored.

Not surprisingly, maritime trade has also become a prime target for cyber-attackers. The sector is especially vulnerable owing to its dependence on technology for navigation, communication, and logistics. At the same time, both onboard and land-based systems are aging rapidly – a fact exacerbated by the average 25-30 year lifespan of many cargo vessels. 

This combination of vulnerability and economic centrality has led to an ever-increasing pace of cyberattacks on maritime vessels and infrastructure. The World Economic Forum cited cyberattacks on transportation infrastructure as the world’s fifth highest risk in 2020, and cyberattacks on the maritime sector increased by a staggering 900% over the last three years. Among the targets hit in 2020 were the UN Maritime Agency, shipping giant MSC, and French container transport company CMA CGM.

A high-profile attack in May last year on Iran’s Shahid Rajaee port facility at Bandar Abbas illustrated the domino effect of disruption that cyberattacks on port computer systems can have. This attack, considered relatively minor, nonetheless created long lines of vehicles outside the port, and led to numerous vessels being stuck in the harbour for hours.

 


 

The motivations of cyberattackers in choosing ports are diverse. From pure financial motives to international espionage, and including straightforward criminal activity – ports are a focal point for both domestic and national threat actors seeking: 

Financial gain: Ransomware thrives in under-protected environments like ports, where ransom payoffs are often a fraction of the potential loss from shutdowns and disruptions. 

Criminal goals: Since ports regulate the influx and exit of goods to a country, smugglers that can control port computing systems can gain access to valuable cargo or tamper with records to facilitate criminal gain. 

Intelligence: Information on the movement of goods and passengers is valuable to rival nation-states looking to better understand a country’s activity and plans. In the event of war, disruption of the flow of goods can impede military plans, potentially tipping the scale of conflict. 

The problem of port cyber vulnerability is compounded by the state of networks and training. Port and maritime employees often lack the skillset to deal with common cyberthreats, leaving them open to social engineering attacks like phishing emails. Moreover, the legacy OT networks that control the operations of many of the world’s ports are frequently not updated and thus unprepared to meet a concerted cyber onslaught by a well-funded attacker. Through exploiting exposed services like websites, email logins or VPN gateways, attackers can easily gain remote access. 

Finally, ports are large and geographically diffuse facilities. Unauthorised physical access to port facilities can offer attackers direct access to actual target computers and systems. 

Mitigating risk  

Securing the industrial networks that control the world’s physical ports demands a different type of maritime cybersecurity approach.

OTORIO offers the world’s first end-to-end, industrial-native portfolio of cybersecurity solutions together with a rich portfolio of field-proven professional services including Incident Response, Risk Impact Assessment, Penetration Testing and Training. 

Discovering, analysing and monitoring all OT, IT, and IIOT assets within the operational environment, OTORIO’s digital and cyber risks management system, RAM2, correlates security events and digital risks from across the entire OT network. OTORIO’s RAM2 platform helps our maritime clients mitigate the risks to ports and shipping alike. 

This enables our industrial and maritime partners to leverage attack mitigation tools that were designed and built from the ground up for OT ecosystems, with operational processes and port business continuity as their number one priority.

With the global shipping industry already under pressure, Joel Snape, Security Researcher at Nettitude, explains why addressing the risk to port infrastructure from cyber-attack has never been more critical.

In early November 2020, the 20,400 TEU Ever Grade was forced to skip its scheduled call at the UK’s Felixstowe port, instead heading straight to Rotterdam and unloading UK-bound containers there for onward transport via London Thamesport. Similarly, the first call of CMA CGM’s new ultra-large container vessel to Southampton was cut short with around a thousand containers staying aboard until a later visit. 

The UK’s port infrastructure has never before been under such strain – the double challenges of COVID-19 and Brexit mean that freight volumes are at an all-time high. This has caused a significant backlog with importers struggling to obtain their goods and factories pausing manufacturing lines due to a shortage of component parts. 

 


 

Although this is not the result of any kind of malicious activity, it has sharply highlighted the significant impact that port disruptions can have on the wider economy. With the global shipping industry already under pressure, and the UK facing new challenges in 2021 as the Brexit transition period has ended, addressing the risk to port infrastructure from cyber-attack has never been more critical. 

The risk is not just academic – 2020 has seen the IMO, MSC and CMA CGM all attacked, and port infrastructure in the USA targeted by ransomware. In Iran, a cyber-attack on the Shahid Rajaee port, allegedly carried out by Israel, caused significant disruption to both land and sea traffic while systems were restored.

Why would ports be a target? 

Different classes of attackers have different motivations, depending on their objectives, and these can vary both between groups and over time. However, some of the key motivations we see today are: 

Direct financial gain: Criminal groups have realised that there is money to be made from targeting a company or organisation, stealing data and/or disabling key systems and demanding a ransom payment to restore operation or prevent further disclosure of sensitive information. By causing huge disruption they hope to pressure their victims into paying out to quickly restore operations. Due to the critical nature of ports, and the publicity and knock-on effects of disruption, ports are an attractive target, and may be viewed as being more likely to pay up. 

Criminal: Ports play a significant role in the regulation of the flow of people and goods into and out of a country, something smuggling groups need to evade. By getting access to data and systems within the port, they can get information on goods movements, or attempt to amend records to evade taxes and excise duties. 

Espionage: Nation states are continuously looking to further their own aims. Information held by ports such as passenger movements, goods flows or operational techniques can be hugely revealing to help build a better picture of activity in a country or region. Additionally, nation-states may also carry out active/destructive activity to disrupt the flow of goods into a country in the event of a diplomatic dispute or even war. 

How do attacks take place? 

Attackers will use whatever mechanism gets them to their goals as easily as possible, within the constraints of their capabilities. However, there are some key attack classes that have been recently seen in attacks on ports: 

Phishing: By sending emails containing malicious attachments or links, attackers hope to get a “foothold” within an organisation, which they can then leverage to carry out further attacks. Phishing is attractive for attackers because many messages can be sent out to hundreds or thousands of potential targets for little or no cost. Ports are especially exposed as they typically have to interact with a large number of stakeholders on a daily basis, which can give attackers a wide range of opportunities to attempt to impersonate legitimate entities. 

Exposed services: Every organisation has services connected to the internet – whether it’s a website, email logins or VPN gateways to allow remote access. Attackers are constantly scanning the internet for services that might give them access, and probing for weaknesses and vulnerabilities. 

Physical security: By gaining unauthorised access to a port facility, attackers can get direct access to their target computers and systems. This can let them attach their own equipment capable of modifying records or giving them further unauthorised remote access. 

Onward movement: It’s rare that an attacker will ever get access to their target in one step. Much more commonly it will take a “chain” of vulnerabilities to allow them to move from how they got initial access (e.g. a user’s desktop computer) to the system or data of interest.  

The ways in which technology and automation have been rapidly adopted to improve port operations and efficiency can only be a good thing. However, it is important that as it is adopted, the risks that it might introduce are considered in a holistic, and realistic way, commensurate with the threats present in the environment you operate in. 

By doing this, risks can be mitigated in an appropriate and proportionate way through the introduction of risk controls. There are three key areas to consider for controls to ensure that organisations are prepared for the threats that they are facing: 

  • Organisational practices: How the business functions has the biggest impact on the effectiveness of other controls.
  • Procedural: Defining the ways in which tasks should be carried out helps to enshrine best practice.
  • Technical: Implementing technical controls can help mitigate risks present in the systems and technologies used.

It’s important to stay up to date with the latest threats to your business. Due to maritime being key to critical infrastructure, and the risks involved with port congestion proving more expensive than paying a ransom, cyberattacks are more frequent than ever as the payout is lucrative for criminals. Governments and organisations must remain vigilant.  

Commentary: John Lund, Marketing Director, Americas, Visy Oy

To protect against threats like damage, crime and accidents, ports must be ready to face all challenges, in both the real and virtual worlds. A challenge for all ports is the constant occurrence of new security issues, whether through the growing incidence of cyber-crime or from real world events. The most obvious example of the latter is COVID-19. While port sector companies strive to run businesses as smoothly as possible, they must also ensure maximum safety of staff and visitors. 

Accordingly, security product manufacturers are devising products to help realise this objective. SICPA Certus’ myHealth pass, for example, is a technology-based solution that enables health status management in real time. The pass was trialled in Singapore and the Philippines in autumn 2020 in conjunction with CrewAssist, a Hong Kong-based non-profit organisation. Other ports have introduced temperature screening systems. Portsmouth International Port’s temperature scanner takes temperatures of employees before they commence work, adding extra protection for staff and passengers. X-ray machines, walk-through detection arches and hand-held detectors are also employed at the UK port as a way of maximising detection and the protection of individuals against the virus.

With the rising cost of shipping products and the cost of goods themselves, ports that do not invest in security measures to protect from the threat of organised crime and terrorist attacks could be left with costly consequences. The Suez Canal incident underlines that it just takes one catastrophic event.

Commentary: Neal Armstrong, Head of Police, Security and Resilience, PD Ports 

PortSafe, powered by CrimeStoppers, officially launched in March 2021, and encourages registered facilities to raise security awareness through a combination of industry-focused briefings and training sessions whilst also providing a dedicated hotline to allow anonymous reporting for matters of concern. 

PD Ports already operates a dedicated Harbour Police force whose jurisdiction covers the entirety of the Teesport complex. Operating under the Tees and Hartlepool Authority Act 1966, the Harbour Police use traditional policing methods and their extensive local knowledge to effectively respond to, investigate and control any potential incidents across the maritime complex. 

In addition to ongoing regular patrols and the recently introduced Community Policing plan – a scheme in which individual officers are assigned to each site across Teesport, allowing for direct, seamless communication between businesses and the Harbour Police – the PortSafe initiative is positioned to further safeguard the businesses that rely on the River Tees to trade. 

Teesport, as the fifth largest port in the UK, is a key piece of national infrastructure and the UK’s northern gateway for international trade. With this position comes a responsibility to ensure leading security practices. Whilst we already have exceptional security provisions in place across Teesport we hope that by becoming a PortSafe facility we can further expand on people’s understanding of potential security threats and in turn enhance resilience across the port complex. 

As a Harbour Police force we are committed to providing a safe environment for all of the businesses and people within our jurisdiction. The PortSafe hotline provides an extra layer of security to the measures we already have in place at Teesport and demonstrates how safety remains our top priority. 

 
