Seaport Cybersecurity – A Serious Undertaking

In January 2022, port facilities in Belgium, Germany and the Netherlands reported large-scale ransomware attacks that disrupted operations at oil terminals and prevented tankers from delivering energy supplies throughout the region.

The attacks impacted at least 17 terminals, including those in Hamburg, Ghent, Antwerp-Zeebrugge and Rotterdam. The reported ransom demands were around $14 million, well above the average demand.

In 2019, a Singapore-based public-private initiative called Cyber Risk Management (CyRiM) studied a hypothetical cyberattack against 15 Asian seaports. In its analysis – called the Shen Attack – the theorized cyberattack would be launched by a computer virus carried by a ship, which would then scramble cargo database records at major ports. This would lead to severe disruption and could cost up to $110 billion, with the transportation, aviation and aerospace sectors most affected. Ports would not be able to accommodate cargo and cruise ships. Large freight trucks would be stranded, causing backlogs at the affected ports.

In 2014-15, a retail-consulting firm projected that a slowdown at U.S. West Coast seaports would cost the retail industry $7 billion. The loss would be due to missed sales, below-optimal inventory levels and the high price of moving goods during the slowdown.

And in July 2022, BBC World Service published a report saying that cyberattacks on the Port of Los Angeles have doubled since the pandemic. The number of monthly cyberattacks the Port of Los Angeles experiences is around 40 million, according to the port’s Executive Director Gene Seroka.

These are just four real and projected scenarios where international seaports can be impacted and possibly shut down due to cyberattacks. Because this publication focuses on U.S. and Canadian West Coast seaports, this article offers an overview of the seaport “threat surface” relative to cyberthreats and offers a list of actions to take if you are attacked or compromised.

West Coast Port Overview

The U.S. Maritime Transportation System consists of about 95,000 miles of coastline, 361 ports, more than 25,000 miles of waterways and intermodal land connections that allow the various modes of transportation to move people and goods to, from, and on the water. More than 90% of the volume of overseas trade enters or leaves the U.S. by ship. This integrated network fuels $5.4 trillion in economic activity annually and supports over 30 million U.S. jobs.

The primary U.S. West Coast seaports include the Port of Los Angeles, Port of Long Beach, Port of Oakland and the Northwest Seaport Alliance, which includes the Ports of Tacoma and Seattle.

According to Union Pacific Railroad, these ports maintain the largest intermodal footprint in North America. The ports also maintain the largest seaport infrastructure on the continent with direct access to intermodal services such as warehousing, cross-docking, transloading and trucking.

Union Pacific observes that U.S. West Coast ports provide greater container capacity than all U.S. East Coast seaports combined.

Seaport Facility Risks

To operate efficiently, seaports and associated maritime facilities use information technology (IT) and operational technology (OT) systems for functions such as communications, equipment operation, cargo tracking and dispatch and performance of seaport business operations. If these cyber-systems are compromised with a computer virus, worm, ransomware, denial-of-service attack, etc., disruptions to seaport operations could negatively impact supply chains, resulting in financial losses such as the ones depicted in the attack scenarios above.

The U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has developed a handy infographic to help seaport executives, managers and operators better understand how cyberattacks can impact various aspects of seaport operations. Compromising seaport facilities and their cyber-operations could lead to public health and safety concerns, environmental spills/damage, transportation system disruptions or substantial negative economic impact.

You can find the CISA infographic Port Facility Cybersecurity Risks at https://bit.ly/3A7KFoh.

The seaport facilities at risk from cyberattacks and their impacts include the following:

  • Facility Access Controls – A compromise of access controls could result in significant congestion due to stalled cargo and trucks and possibly closure of the terminal until the access controls are restored. Consider the impact if the required Transportation Worker Identification Card (TWIC) card readers were disabled at a busy seaport.
  • Terminal Headquarters—Data. Cyberattackers could access sensitive client and cargo information and use the information to steal containers or smuggle illicit goods through the seaport.
  • Terminal Headquarters—Ransomware. Ransomware has a recent history at U.S. and overseas seaports. These attacks have resulted in seaport facilities being partially or completely shut down and offline for days, resulting in significant financial and business losses and impacts on interdependent critical infrastructure.
  • Positioning, Navigation, and Timing (PNT)—PNT plays an essential role in many maritime functions such as vessel navigation and seaport logistics. Loss of PNT services could disrupt vessel and container movements. It also could lead to collisions and allisions resulting in damage to fixed infrastructure, pollution, fires, loss of life/injuries, sinking of vessels and possibly blocking of a navigable channel. The affected PNT services could include GPS, too.
  • Operational Technology (OT) Systems—OT systems are used to control physical processes at the seaport, including cargo handling equipment. Cyber-compromise of OT systems could negatively impact cargo movements, interrupt port operations, and cause physical damage to equipment resulting in safety risks for personnel. The OT systems that can be seriously affected include:
      • Automated cargo container tracking systems
      • Automated cargo handling equipment, vehicles, etc.
      • Commercial long-haul trucks
      • Cargo handling equipment at the port/railway interface
      • Container cranes

Reporting Cyber Incidents

In the event of a cybersecurity incident resulting in significant impacts to your seaport IT or OT systems, non-federal facilities in the maritime subsector should be ready to report the incident to appropriate authorities and organizations, according to CISA.

When reporting to the U.S. Coast Guard, CISA and the FBI, offering non-technical information will assist these agencies in understanding the event and the context. Non-technical information includes:

  • Incident location
  • Physical address
  • Type of facility
  • Summary of the event or activity
  • Impact to the facility

Additionally, while not a requirement, CISA and the FBI can use technical data provided by the victim to assist in mitigating and investigating the cyber-incident. Technical information includes computer log files, source ports involved in the attack and indications of sophisticated tactics/techniques/procedures (TTPs).

U.S. Coast Guard (USCG)

For Maritime Transportation Security Act of 2002 (MTSA)-regulated facilities or vessels, cybersecurity breaches or suspicious cyber-activity should be reported to the Coast Guard’s National Response Center (NRC). Guidelines for reporting a cyber-related incident can be found in CG-SP Policy Letter 08-16 titled “Reporting Suspicious Activity and Breaches of Security,” online at https://bit.ly/3K7AWCM. Reach the NRC at 1-800-424-8802 or nrc@uscg.mil.

Cybersecurity and Infrastructure Security Agency (CISA)

CISA’s National Cybersecurity and Communications Integration Center (NCCIC) is a national nexus of cyber and communications integration for the federal government and may be able to provide technical assistance. MTSA-regulated facilities or vessels may report to CISA in lieu of the NRC if the cybersecurity incident does not involve any physical or pollution effects. The reporting party must inform CISA that they are a Coast Guard-regulated entity, and the CISA center will report the incident electronically to the NRC.

Contact the NCCIC at 1-888-282-0870 or NCCICCustomerService@hq.dhs.gov.

The FBI

The Federal Bureau of Investigation (FBI) encourages victims of cyberattacks to report information concerning suspicious or criminal activity to their local field office or the FBI’s 24/7 Cyber Watch (CyWatch).

Find a field office online at www.fbi.gov/contact-us/field. Contact CyWatch at 1-855-292-3937 or cywatch@fbi.gov. To learn more about cyber-incident reporting guidelines, visit https://bit.ly/3cbqrSA.

Establish a Cyber Point-Person

In a March 2022 speech, Homeland Security Secretary Alejandro Mayorkas referred to the importance of partnerships with the maritime sector. This begins, he said, with accountability and focus.

“Companies need to identify and empower a responsible point-person with the authority to address cyber-challenges and companies need to have a plan in place and hold regular exercises so every employee is aware of their policies and procedures – and so cybersecurity is ingrained in their operations,” Mayorkas told the audience.

Ernie Hayden, MIPM CISSP GICSP (Gold) PSP, is an industrial control systems cyber and physical security subject matter expert. He has extensive experience in industrial controls security, the power utility industry, critical infrastructure protection/information security, cybercrime and cyberwarfare.