Resilience Planning, Info Sharing Take Spotlight
“Oh what a tangled web we weave, when first we practice to deceive.” That old chestnut gets turned on its head when it comes to port cyber security. It’s more like “Oh what a tangled web we’ve woven, so much harder to stop data stolen.”
Ports today have the physical aspect of security pretty well nailed shut - gates, locks, fencing, alarms, cameras, drones, etc. As Chris Mason, Rajant Corp.’s director of sales for EMEA, notes, “Every port I’ve ever been to has signs of physical security – it’s the classic physically secure environment.”
It’s much, much more complicated on the cyber side of the coin. Ports today are comprised of many varied businesses operating via an immense tangle of open and proprietary networked and automated systems supporting all sorts of data storage; back office scheduling, invoicing, cargo manifests, compliance reports, client data; logistics and supply chain software; cargo movements, video, and connections to and between different terminals and transportation modes - on land and at sea. There’s voice and data communications over wireless, wired, radio, satellite networks etc., competing in some cases with interference from vendor, client, crew and area frequency signals. And there is security – biometrics, firewalls, authentication, encryption, passwords, anti-virus and anti-malware programs. That’s a staggering amount of technology, and every bit of it constitutes a potential threat and must be assessed and secured.
Adding to the already existing risk within a company or the port as a whole are all the external links to internal systems, the advent of autonomous vessels, the internet of things, the ubiquity of smart phones and other mobile electronics, and even the trend toward creating a single portal through which members of a port’s supply chain can access multiple systems.
It’s enough to make you ask whether the ports can, really, ever be made cyber secure. “We ask ourselves that every day,” quipped Todd Epperson, port security specialist for the USCG/Sector Upper Mississippi River. He noted that securing inland river ports involves tackling facilities that stretch 70, 80, 90 miles, and encompass 100s of businesses, many small operators – a world away from their coastal cousins.
A weak spot at any point in the supply chain digital network could be all a bad guy needs to infiltrate the port systems. “All it takes is one person who has not been trained to not click on a link, and that’s it, [a bad guy] is now in,” says MarineCFO CTO Dean Shoultz. Once in, malicious software can be launched behind the firewall and the cyber intruder is free to rifle through files looking for financial data, competitive information or the email of key company executives.
Shoultz recounted the case of “one of the larger operators on the market,” where an intruder sent out a wave of emails that appeared to come from one of the company’s bigger customers, claiming it needed to see an invoice. Just one person clicked on it, allowing an intruder to hijack the CEO’s email address and send a message to the purchasing agent, requesting that she wire a large sum of money to a vendor for some service. Fortunately, the agent thought the request strange, and checked on it.
Ignorance is no longer an option for the port community. “If something happened today and you go into a court and you haven’t trained your mariners in the basics of cyber hygiene, it will be hard to plead ignorance: ‘Oh we did not know we were hacked.’ It won’t fly,” warns Shoultz, adding, “The folks who manage legal and insurance need to worry about this, not just tech guys.”
In September 2016, then U.S. Coast Guard (USCG) Rear Adm. Paul Thomas, assistant commandant for prevention policy, summed up the conundrum facing the nation’s ports while speaking at a forum on cyber resilience. “The reason that our marine transportation system is efficient and productive is because it is highly automated, and it’s becoming more and more so. Cyber is how we are operating today, and more and more we need to figure out how to manage that risk,” said Thomas.
Every business sector is using technology to drive efficiencies, productivity and profit, but few are as vital to the national economy and the flow of goods and materials as is the country’s system of ports.
One of the nation’s most critical infrastructures, the maritime port system employs more than 23 million people, encompasses more than 25,000 miles and includes 360 coastal and inland ports that account for an estimated 90% of US trade, 26% of the world consumer market, and at least $1.3 trillion in cargo.
If the port communities aren’t worried for their businesses (and they should be), consider that from both an economic and a terrorism standpoint, those figures make the U.S. system of ports, individually and together, prime targets. A cyber attack that successfully brings a terminal or port to its knees, and stops the flow of goods and materials, even briefly, can have a devastating effect on the national economy. And because no port is an island, the ripple effect across other ports as vessels get backed up waiting to discharge and pick up cargo, can be equally painful.
There have been several cyber incidents of note impacting U.S. and other ports in the last two years:
• The best-known incident was the “notPetya” malware outbreak in October 2017, which struck A.P. Moller-Maersk’s IT department, and through that, its APM terminals at ports worldwide, including at Los Angeles, Long Beach and NY/Newark. The shutdown there and at other ports, and the ensuing cleanup of backlog, cost Maersk around $300 million.
• Last month’s cyber attack targeting COSCO US, the American arm of Shanghai-based Cosco Shipping Holdings, took out email and disrupted telephone communications at its customer service center at the Port of Long Beach, and also impacted the company in Canada, Panama, and South America. COSCO connected with clients through conventional communications and social media and never shut down. Armed with a contingency plan, the company isolated the affected network, tested other regions for signs of the infection and transferred and conducted operations via remote access, to ensure continuous service in the Americas.
• Also last month, shipbroker Clarksons revealed it discovered a cyber breach in November 2017, which had opened up 5 months earlier, giving an unauthorized person access to certain company computer systems in the U.K., where they copied data, and demanded a ransom for its safe return. Using computer forensics, it was discovered the break-in was perpetrated through an isolated user account, which was disabled. Eventually, Clarksons recovered a copy of the stolen data. It is now contacting potentially affected individuals.
A Look Behind the Curtain
But the real story lies in what hasn’t happened. Port of Los Angeles executive director Gene Seroka told a congressional committee at an October 2017 hearing in the wake of the Maersk incident that its cyber security center stops “20 million” cyber-intrusion attempts monthly. That’s an average of seven to eight attacks a second. Similarly, the Port of Long Beach was beating back 30 million threats a month. That level of assault makes it well worth the more than $1 billion annually that the American Association of Port Authorities (AAPA) says seaports are investing in security-related infrastructure, equipment, operations, maintenance and training.
Chilling as those numbers are, it only takes one successful attempt to get through, and it will happen. The real takeaway from the Maersk takedown is that you can do all the right things, not be the actual target, and still get stung.
Which is why after two years of consciousness raising about the threat of cyber crime, the focus has now shifted to breach response plans, or resilience, and collaboration. Going on the assumption they will inevitably be attacked at some point – deliberately, unintentionally or accidentally - port communities are being urged to move beyond assessing and mitigating their risk. They need to build backup plans designed to get their facilities and operations up and operating as fast and as painlessly as possible.
Port executives will tell you they are working on all that, plus some are participating in Area Maritime Security Committees (AMSC) and their cyber subcommittees. Created under the Maritime Transportation Security Act of 2002 (MTSA), the AMSCs provide a collaborative forum in which government, law enforcement, the Coast Guard and industry representatives can work together to define, address and, potentially, resolve problems, as well as establish best practices, and promote information sharing and resiliency.
Help is on the Way
Peer support and collaboration is one approach to tackling security. Technology is another, and there are plenty of products and guidance on the market capable of tackling cyber security on many levels. Here is a sampling:
MarineCFO is targeting users of its Vessel 365 fleet optimization application suite with a set of “actionable” checklists designed to “engender cyber security into the psyche” of mariners and shore side personnel. With a focus on simplicity and an absence of jargon, the checklists enable mariners to train, record the training, perform cyber drills and improve the physical and digital security of a vessel. Developed around the principles of the NIST 800-171 Cyber Security Framework, the checklists also provide a way to report cyber incidents and attacks.
KVH recently released 6-Level Cyber security, a group of initiatives that it says will provide proactive cyber security protection for KVH hardware and the maritime VSAT satellite network used by its customers.
The multi-part strategy covers the bases, starting with a KVH Videotel “Cybersecurity at Sea” training video that subscribers to its mini-VSAT broadband service will receive free. Based on regulations from the IMO and the BIMCO cyber guidelines for ships, the program covers assessing and reducing risks of a cyber incident, as well as how to recover from an attack.
In the event of an actual or suspected attack, KVH will dispatch a Cyber Security Incident Response Team to investigate, manage and help to minimize the risk.
To better secure its satellite and terrestrial networks, the company provides a mix of tools, from infrastructure safeguards to authentication, encryption and proprietary air interfaces. In the latter case, the KVH network keeps satellite traffic off the internet before going through edge security devices at MegaPOPs. To better control shipboard system and internet access, customers can segment the KVH LAN to separate groups or uses, and use the myKVH™ portal to force personnel to log in. KVH protects internet egress via application-level Universal Threat Management firewalls in each KVH MegaPOP, application-level traffic shapers, multiple forms of threat blocking and optional global static IP addresses.
ABS unveiled a methodology it said will provide a calculated risk index for vessels, fleets and facilities by measuring cyber security risk associated with operational technology and human and machine identities. Rejecting the standard qualitative approach to assessing cyber risk, ABS says its methodology is unique in that its index quantifies risk. Using its Functions, Connections and Identities (FCI) Model, ABS said it can calculate a cyber risk index for anything from individual assets to entire fleets. An actionable report will enable ABS clients to better target their cyber security investments.
Rajant Corp.’s military-grade Kinetic Mesh private wireless network provides fully mobile, highly adaptable and secure connectivity that can turn any asset into a network and never breaks for handoff, ensuring no breaks in application performance. Rajant’s “breadcrumbs” - wireless radio nodes equipped with “InstaMesh” software – are able to communicate with each other via multiple simultaneous connections. Each node supports up to four frequencies and provides configurable per-hop, per-packet data authentication.
The scalable network’s peer-to-peer technology – InstaMesh – performs real-time evaluation of network links to direct traffic via the fastest pathways between any wired, wireless or in-motion points. The fully redundant, self-healing network uses a completely distributed Layer 2 protocol to eliminate node or single points of failure. It instantaneously redirects traffic via the next best available link in the event of a compromised or blocked pathway.