Topics

A

Search

Are ports protected against cyber-attacks?

Maritime activity and its operational optimization are increasingly dependent on information technologies, so cybersecurity has become an indispensable requirement for ports. Cybercrime is a threat that pervades the entire maritime ecosystem. PierNext analyze the main challenges of the supply chain in digital security.

Posted on 11.15.2024
Experts warn that cybercriminals are transforming this business at high speed, collaborate between different groups and use very sophisticated tools. “We have to get much better at staying ahead of them,” they warn. (iStock)

“I've been working in this sector for 30 years and I can say that cybercriminals are transforming the business at high speed because they don't have to stick to any standards, they collaborate between different groups and use very sophisticated tools. It is not impossible to beat them in the battle, but we have to improve a lot to stay ahead of them”. This is how Lluís Vera, CEO of Ackcent, summed up during the last Smart Ports: piers of the future the experts' perception that cybercrime is a very profitable business and it is very difficult to get ahead of the actions planned by cybercrime.

Cyberresilience or cybersecurity?

Before going into the whys and wherefores of this statement, let us define the concept of cyber resilience and cybersecurity. According to the description provided by the World Economic Forum in its recently published white paper ' Unpacking Cyber Resilience', “cyber resilience is not the same as cybersecurity; however, cybersecurity is essential to achieving cyber resilience”.

There are numerous definitions of cyber resilience, but the most relevant for the purposes of this paper is provided by the National Institute of Standards and Technology (NIST):

  • “The ability to anticipate, resist, recover from, and adapt to adverse conditions, stresses, attacks, or compromises in systems that utilize or are enabled by cyber resources.”

When considering cyber resilience, it is important to take a broad view of what cyber risk is, explains the World Economic Forum report: “cyber risk can refer to any risk arising from an organization's use of its information and digital technology services or their use by others in the supply chain or wider business environment.”

The report acknowledges that, ultimately, there is no such thing as 100% cybersecurity. “Organizations must act on the assumption that significant cyber incidents will occur,” they note, pointing out that ”the advantage of this definition is that it allows for a wider range of cyber risk scenarios.”

“It's a complicated field, but we have to do something. At the Port of Los Angeles, we invest in technologies, people and processes to try to level the playing field with criminals. We also have a dedicated cybercrime resilience center,” explained Tony Zhong, director of Information Security at the California port, during the recent Smart Ports: piers of the future.

Cyber resilience is not the same as cybersecurity, but cybersecurity is essential to achieving cyber resilience. (iStock)

Supply chain cyber-attacks

According to the U.S. Coast Guard, ransomware attacks on port infrastructure increased by 80% in 2023, causing disruptions that go far beyond financial losses, as they can lead to supply chain disruptions with cascading effects on global economies. Ports in Australia or Seattle, have also been victims of cybercrime in recent months.

Among other recommendations, the World Economic Forum suggests that organizations should assess their exposure torisks within the supply chain. Where it is not possible to achieve the required level of security assurance and resilience within the supply chain, they should consider how this dependency relationship can be designed or how to otherwise contain incidents within the supply chain.

This assessment will require continuous monitoring of the threat environment to understand the likelihood of supply chain compromise. In considering these risks, organizations will also need to self-assess to gauge whether supply chain compromises could have serious enough consequences to require reinforcement against these spreading risks.

According to the U.S. Coast Guard, ransomware attacks on port infrastructure increased 80% by 2023. (iStock)

First diagnosis: lack of investment in cybersecurity

A DNV report finds that the global volume of cyberattacks in the maritime sector grew by 38% between 2021 and 2022. However, the adoption of preventive and mitigating measures in the sector has been slow. According to another report by the same company called Maritime Cyber Priority, in 2023 only 40% of 800 professionals surveyed stated that their organization invests enough in cybersecurity.

“We need resources and support from our own organization because the security, tools and technologies needed to deal with cybercrime are very expensive. But we cannot afford, as a port authority, not to invest. In terms of funding, I think each organization has to look at what they can afford and prioritize based on the level of risk out there,” admits Zhong, from the Port of Los Angeles.

For Lluís Vera, of Ackcent, the complexity of the financial aspect lies in the fact that managers often do not see a clear return on the investment made. “My opinion is that companies are not investing enough because we need well-trained professionals and a lot of technology to protect organizations,” he laments.

Port cybersecurity experts lament that there is a shortage of cybersecurity professionals in the field. Finding the right professional is a challenge, as few have the specific skills (iStock).

Second diagnosis: low number of qualified personnel

“There is a shortage of cybersecurity professionals in our field. Finding the right professional is a challenge, as there are few of us with the specific skills, even in big cities like Los Angeles,” laments its Director of Information Security, Tony Zhong.

“Demand exceeds supply. That means there is a shortage of professionals and we do not expect the situation to improve in the future. We must develop a strategic vision and try to build a pool of experts. In our case, something that has worked was to invite professionals from other fields with experience in business, IT or psychology to train them and try to fill this gap,” Vera pointed out as a possible solution.

Another issue Zhong points out is that cybersecurity does not rest and therefore requires shifts that cover all hours of the day throughout the year, since, as he shared with the audience, most cyberattacks occur during holidays or long weekends, when there are usually fewer staff.

Cristian Medrano, director of Information Security at the Port of Barcelona and moderator of the round table on cybersecurity at the last edition of Smart Ports: piers of the future, shared a shattering statistic: up to 60% of professionals working in cybersecurity would change careers if the opportunity arose to do so.

Supply chain cybersecurity professionals already use AI to improve their capabilities and time to detect and respond to threats. They also use it as a predictive technology, to analyze how malware, for example, migrates or mutates or changes (iStock).

AI, a solution to cybersecurity challenges?

Following this statistic, Medrano raised the question of whether Artificial Intelligence is an ally or an enemy of cybersecurity and whether it can help solve the aforementioned problems.

“We use AI to improve our capabilities and time to detect and respond to threats. We also use it as a predictive technology, to analyze how malware, for example, migrates or mutates or changes, and to increase efficiency and automation,” explained Vera.

The cybersecurity expert pointed out, however, that from the other side it is also being exploited for criminal uses and recalled that, often, “it is more difficult to defend than to attack”. He again insisted on the need for experts who know how to train and use AI for these purposes.

For his part, Zhong defined AI as “friend and foe,” as the qualifier depends on the purpose for which it is used.

“In cybersecurity operations, we want to have as much visibility into our infrastructure as possible. So if we have tools like AI that can help us achieve that, of course we're going to explore them,” he said.

The Port of Los Angeles expert also reflected on the need to understand where the data collected is located, as the information used for security needs to be protected.

Is it in the cloud? On-premises? We have to understand all the governance behind the data set. That's why, in addition to AI, we are looking into the data storage tools and whether they are located, for example, in the U.S. or offshore,” he added.

There are three main categories of actors in the attacks: nations (experts point to Russia and China), organized criminal groups or hackers (iStock).

Where does the risk come from?

During the 5th Annual Global Maritime Transportation System Cyber Security Symposium, the nature of cyber attackers targeting the maritime sector was discussed at length. Three main categories of actors were identified that match those identified by Zhong:

  • nations
  • organized criminal groups
  • hackers

As for states, Russia was singled out during the symposium as the most active cyber aggressor with highly developed offensive capabilities. China and the development of malware by hackers from that country was also identified as a threat.

It was also recognized that by far the most frequent type of attacks against the sector are criminally motivated, with the aim of extorting money from companies and their employees. Cybercriminals vary enormously in the sophistication and scale of their activities.

However, even at the lower end of threat risk, the sheer number of such activities targeting large, complex organizations such as ports represent a serious, ongoing and growing risk.

On the other side of the coin, it should be noted that the regulatory environment around cybersecurity is evolving rapidly. The International Maritime Organization's cybersecurity resolution requires owners, operators and managers to have a cybersecurity management system in place.

This is being expanded with the implementation of the new IACS unified requirements (UR) for cybersecurity, E26 and E27, which require owners, shipyards and suppliers to incorporate cybersecurity barriers into their systems and vessels, and to be verified by ship classification societies.

As of today, the battle against cybercrime does not appear to be won. However, barriers and resources have been identified that may change the cyber risk landscape in the future.