For the past six months seaports have been in the news. The stories range from supply-chain disruptions and large numbers of ships waiting to offload their containers to, most recently, a ransomware attack on at least 17 European oil port terminals. Obviously, the news is affecting the day-to-day management of seaports and just adds to the list of “to-dos” for Port leaders and their management teams.
This article is intended to offer a high-level introduction to the cybersecurity attack surface presented by today’s modern seaports, along with some ideas on ways to better prepare your port for future cyber threats and attacks.
Port Infrastructure
It is recognized that not all seaports are the same. Their size and complexity will vary from a massive port like Long Beach to a small port handling petroleum coke and sulfur in Anacortes, Washington. However, there may be merit in breaking down port activities so we can better understand the associated technology deployment and how a cyber attacker would view it.
First, we have the physical infrastructure: breakwaters, jetties, mooring piers, roads, railways, walkways, buildings and terminals. Secondly, we have the important superstructures such as cranes, silos, specific fencing, access control facilities and passenger terminals. Then we have the activities the infrastructure supports, such as marine cargo handling, passenger and vehicle transport and fishing.
According to Port Cybersecurity, the “textbook” published by the European Union Agency for Cybersecurity (ENISA), the services usually provided by the local port authority to sustain infrastructure and activities include:
- Vessel berthing
- Vessel loading and unloading
- Temporary storage and staying
- Distribution and transfer
- Support services (e.g., freight tracking, maritime traffic control, real estate and facility management, port administration, etc.)
- Security and safety
- Government controls and inspections (e.g., police, coast guard, fire protection, pollution prevention, etc.)
The port infrastructure is busy with complicated physical and cyber interactions. You could look at a seaport operation as a large metropolitan entity—such as the Port of Long Beach or NY/NJ—or even a small town with its own governance and oversight requirements.
With this complexity, ports and terminals have been driven by demands for increased speed, fewer delays, optimal visibility into supply-chain operations, and more efficient cargo-handling turnarounds. Therefore, seaports have increased their deployment of and reliance on technology. And, with the broader use of technology, there is increased exposure to cyber threats and vulnerabilities. In other words, the cyber attack surface of a port has expanded and is increasingly complex.
Port Cyber Systems of Concern
You can view the port cyber systems of concern in a few different ways; however, let us consider them as the port cyber systems and then the third-party systems networked with them.
For the port systems there are two primary categories: 1) exchange data systems for vessel/fishing/freight-related services and 2) port management information systems (aka PMIS) such as maritime traffic control, email, security and safety systems, and Terminal Operation Management Systems (TOMS). In many cases private companies own these.
The data flows among these systems can be categorized into:
- mandatory declarations (e.g., required by port and coast guard authorities)
- control and authorization (e.g., authorization to access the port, unload goods, etc.)
- operational data (e.g., needs for ship cargo operations, refueling, water, power, waste management)
- financial data (e.g., invoicing and payment)
- navigation data (e.g., GPS position, shipboard automatic information system (AIS))
You can consider these data flows—processed by information technology (IT) and operational technology (OT) machines and devices—as an opportunity for an attacker to attack, impede, delay or steal.
Cybersecurity Threats and Consequences
ENISA’s Port Cybersecurity offers a list of the possible impacts on seaports by cybersecurity incidents. The list is not necessarily all-inclusive, but should give the reader a sense of the breadth and depth of the damage a successful cyber attacker can achieve. Some of these categories include the following:
- Drug and contraband smuggling
- Eavesdropping, interception, message hijacking—sensitive and critical data theft
- Environmental spills or disasters
- Failures and malfunctions of IT and OT systems/components
- Financial loss
- Fraud and money theft
- Global supply-chain disruption and ripple effect
- Hacktivism—computer hacking for a cause (e.g., environmental protest)
- Human injuries, death
- Kidnapping and human trafficking
- Loss of port competitiveness
- Outages—electrical, network, telecommunications, water, sewer, Wi-Fi
- Piracy
- Shutdown of operations, port paralysis (e.g., the BlackCat ransomware attack on European oil ports in 2022)
- Tarnished reputation of port and/or port operators
- Theft of cargo and goods
- Unintentional damage—information leakage
- Vandalism
- Cyber terrorism, cyber war
Getting Started with Cybersecurity Defense
So, as a port operator or administrator, what should you be doing to protect your port, facilities, customers and maritime stakeholders from cyber threats? Here are a few immediate actions to consider, which are recommended by the U.S. Coast Guard Domestic Ports Division:
- Establish a cyber risk management team—Promulgate policies, procedures and programs to stand up an effective cybersecurity operation.
- Identify and inventory critical systems and components—Use National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) as guidance.
- Conduct a risk assessment of your port and port operations—assess what parts of your port operation are controlled or supported by computer systems. Ask yourself, what are the consequences if those systems become inoperable, controlled by outside parties or misused by internal troublemakers? (An excellent resource to consider for this effort is my book, Critical Infrastructure Risk Assessment. The book is available on Amazon at https://amzn.to/3GYI6WS .)
- Identify and adopt best practices—what cybersecurity standards are most applicable to your port IT and OT systems? Are your systems meeting those standards? Are your employees familiar with them? When were your cyber systems last updated and patched? What backup systems, redundancies or replacements are available?
- Secure your supply chain—Consider the cyber vulnerabilities and practices of your suppliers, customers and other organizations critical to your port’s operations.
- Measure your progress—Test your cyber practices through drills and exercises. Ensure your cyber-incident response is timely and effective. Identify any gaps or lessons learned and set specific goals with timelines for making needed improvements.
- Continually revise and improve your security—Review your recent risk assessment and evaluate any new cyber systems you have added since then. Incorporate lessons learned from recent incidents or other industry cyber events into your cybersecurity policies and procedures.
Useful References and Reading
To learn more about port cybersecurity here are several useful resources:
CISA – U.S. Cybersecurity & Infrastructure Security Agency
Port Facility Cybersecurity Risks (infographic), December 2020: https://bit.ly/368yqMG
ENISA – European Union Agency for Cybersecurity
Port Cybersecurity, November 2019: https://bit.ly/3BqnCoJ
Cyber Risk Management for Ports, December 2020: https://bit.ly/3HXKTAT
IAPH – International Association of Ports and Harbors
IAPH Cybersecurity Guidelines for Ports and Port Facilities, V1.0, July 2021: https://bit.ly/3BrW8iH
USCG – U.S. Coast Guard
Domestic Ports Division – Cybersecurity: https://bit.ly/3HYJeLE
Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act (MTSA) Regulated Facilities NVIC 01-20, February 2020: https://bit.ly/3oSIm3F
Ernie Hayden’s background includes management and technical roles focused on cyber and physical security since the tragedy of 9/11. He was previously a U.S. Navy Nuclear and Surface Warfare Officer, and has published a book entitled Critical Infrastructure Risk Assessment – The Definitive Threat Identification and Threat Reduction Handbook, which has been awarded the 2021 ASIS Security Book of the Year.