Port management is becoming digitised. Once the stuff of science fiction, autonomous straddle carriers, remote mooring line monitoring, computerised cargo planning and digital document transfer are becoming the norm. Unfortunately, port management cybersecurity isn’t growing at the same pace. A quick glance at the Kaspersky cyberthreat real-time map shows myriad cyberattacks in progress. While most of the Kaspersky-detected attacks are not against maritime ports, the maritime industry’s low profile won’t protect it for much longer.
Itai Sela, Naval Dome’s CEO, noted a 400% increase in attempted maritime hacks between February and June 2020. According to the Cyber Risk Management (CyRiM) Project, a single cyber attack on major Asia-Pacific ports could cost about the same as half of global losses from natural catastrophes in 2018. That’s about $110 billion.
The ENISA Port Cybersecurity report identifies a range of threats from data theft and fraud to kidnapping, trafficking and environmental disaster. Ports can no longer afford to overlook cybersecurity.
Protecting your port
Before you can protect your port, you need to understand where you’re vulnerable. The IET and UK Department for Transport code of practice, “Ports and port systems: cyber security code of practice”, suggests a list of assets as a place to start. For each asset, ask:
- How critical is it to facility operations?
- Could the facility operate without it?
- Is it connected to an information technology (IT) network?
- Does it have good cyber protection?
Anything that lacks good cyber protection and is critical to your operations is a juicy target. If it’s connected to the internet, it’s even worse.
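The four questions above can be run over an asset register. The following is an added example, not part of the code of practice or the original article: the inventory, the column names and the tier numbers are assumptions made for illustration, and any question left unanswered is given its worst-case answer so that unassessed assets rise to the top instead of being skipped.

```python
import csv
import io

# Constructed inventory for illustration; a blank cell means "not yet assessed".
INVENTORY_CSV = """\
asset,critical,operates_without,it_connected,well_protected
Terminal operating system,yes,no,yes,no
Straddle carrier control,yes,no,,no
Mooring line monitoring,yes,yes,yes,yes
Visitor Wi-Fi,no,yes,yes,no
Reefer monitoring,,no,no,
"""

def answer(cell, worst_case):
    """Return True/False for yes/no; anything else takes the worst-case answer."""
    cell = cell.strip().lower()
    return cell == "yes" if cell in ("yes", "no") else worst_case

def triage(csv_text):
    """Rank assets: critical and unprotected first, network-connected ones on top."""
    ranked = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        critical = (answer(row["critical"], True)
                    or not answer(row["operates_without"], False))
        connected = answer(row["it_connected"], True)
        protected = answer(row["well_protected"], False)
        # Record which questions still need a real answer from the asset owner.
        unanswered = [q for q, cell in row.items()
                      if q != "asset" and cell.strip().lower() not in ("yes", "no")]
        if critical and not protected:
            tier = 1 if connected else 2   # assumed tiers: 1 is reviewed first
        elif not protected:
            tier = 3
        else:
            tier = 4
        ranked.append((tier, row["asset"], unanswered))
    return sorted(ranked, key=lambda item: item[0])

if __name__ == "__main__":
    for tier, asset, unanswered in triage(INVENTORY_CSV):
        note = f" (still to assess: {', '.join(unanswered)})" if unanswered else ""
        print(f"tier {tier}: {asset}{note}")
```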
To make matters worse, cybersecurity isn’t a single problem. A hacker hiding in a basement can be a threat. So can the cleaner you hired without a background check, or the security guard who downloaded an attachment on their work computer.
By now, we’ve all heard the same old story: update your devices, don’t connect to unsecured networks, install anti-virus software, scan devices before connecting them to the network, and so on. It’s all excellent advice, but it’s not enough. Too many people still stick post-it notes with login details on their computers, or browse random websites during lunch. For ports with computer-controlled equipment, what happens when someone plugs in an infected USB device? When your operational technology’s connected to the internet, how do you secure it? If it’s not, how do you update it?
An effective cybersecurity strategy has to consider physical, technological, and personnel security, as well as cyber-resilience.
Physical security
A malicious actor with physical access to your computers or operational systems can do a lot of damage. Good physical security is critical in restricting access to the people who are entitled to it.
Technological security
For most of us, technological security is synonymous with cybersecurity. There are endless resources listing the best practices for technological security. The most critical are network security and segregation, access control, and intrusion detection and monitoring. Up-to-date backups and the ability to restore them are the last resort.
You’ve probably come across guest networks and login pages. These are a simple example of network segregation and access control. Guest networks keep guests away from sensitive data on the primary network, while login pages restrict access to people with permission.
Intrusion detection and monitoring are your first warning that something is wrong on your network. A properly set-up system will alert the administrator when something is wrong. If an unauthorised person tries to access something, the administrator will know. If someone tries to break into the network or log in from an unfamiliar location, the administrator will know.
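The two alerts described above, written as detection logic over access events. This is an added example, not from the original article: the log format, user names and resources are constructed, and "location" is approximated by the /24 network of the source address, which is an assumption.

```python
import ipaddress
from collections import defaultdict

# Constructed sample events (not real logs).
SAMPLE_LOG = """\
2020-06-01T07:58:03Z user=planner1 src=10.20.1.15 resource=cargo-planning result=ok
2020-06-01T08:02:41Z user=planner1 src=10.20.1.22 resource=cargo-planning result=ok
2020-06-01T08:05:10Z user=gate2 src=10.30.4.7 resource=gate-system result=ok
2020-06-02T02:14:55Z user=gate2 src=10.30.4.7 resource=crane-control result=denied
2020-06-02T02:17:30Z user=planner1 src=203.0.113.50 resource=cargo-planning result=ok
"""

def parse(line):
    """Split 'timestamp key=value ...' into a dict with a 'time' field."""
    timestamp, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["time"] = timestamp
    return event

def network(ip, prefix=24):
    """Coarse stand-in for location: the network the source address belongs to."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def detect(log_text, baseline_until):
    """Learn each user's usual networks before baseline_until, alert afterwards."""
    known = defaultdict(set)
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse(line)
        net = network(event["src"])
        if event["time"] < baseline_until:   # ISO 8601 UTC strings sort by time
            if event["result"] == "ok":
                known[event["user"]].add(net)
            continue
        if event["result"] == "denied":
            alerts.append(("unauthorised-access", event["user"], event["resource"]))
        elif net not in known[event["user"]]:
            # Not added to the baseline automatically: an administrator decides.
            alerts.append(("unfamiliar-location", event["user"], str(net)))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, "2020-06-02T00:00:00Z"):
        print(alert)
```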
Backups are the last resort. After a cyberattack, regular backups will let you restore services quickly. However, without all the other cybersecurity measures, backups won’t help. There’s no point restoring a system if you don’t know how it was breached in the first place – the attacker will take it down again.
Personnel security
People are your greatest weakness. On the one hand, social engineering is an effective way for cyber-criminals to gather information about your port, or convince people to let them into secure areas. On the other hand, most people have plugged an unauthorised device into a work computer or clicked the wrong link in an email at some stage.
Hiring the right people is essential. Your staff can access secure areas and sensitive data. Do you do background checks on new hires? What about contractors? Could you identify a saboteur or a spy who applies for a job? What if someone tries to blackmail one of your staff?
Writing sensible policies isn’t enough – you have to implement them and train your staff. Regular training and support can transform your staff into powerful allies in keeping your systems secure.
Cyber resilience
Digital Guardian defines cyber resilience as, “… measure of how well an enterprise can manage a cyberattack or data breach while continuing to operate its business effectively.”
Ports need a management plan to maintain key services in the event of a cyber attack, as well as a recovery plan. Digitisation simplifies operations. However, falling back to manual operations during and after a cyberattack requires prior planning.
Tying it all together
Ports are complex. Multiple companies and contractors work with ships, charterers, and government departments. And all the planning in the world is worthless if it doesn’t work under pressure. Penetration testing companies like Cydome and Pen Test Partners can help to test systems and resolve any problems.
Drills are the only way to test emergency plans before a real incident occurs. Just as we never question the need to practise and improve our fire response in fire drills, there should be no question that ports need to practise their cybersecurity responses too.