Page 34: of Maritime Reporter Magazine (September 2018)
Maritime Port & Ship Security
PORT & SHIP SECURITY
If something happened today and you go into a court and you haven’t trained your mariners in the basics of “ cyber hygiene, it will be hard to plead ignorance: ‘Oh we did not know we were hacked,’ It won’t ? y.
The folks who manage legal and insurance need to worry about this, not just tech guys.
Dean Shoultz, CTO, MarineCFO
Adding to already existing risk within large sum of money to a vendor for some and a terrorism standpoint, those ? gures months earlier, gaining an unauthorized a company or the port as a whole are all service. Fortunately, the agent thought make the U.S. system of ports, individu- person access to certain company com- the external links to internal systems, the request strange, and checked on it. ally and together, prime targets. A cyber puter systems in the U.K., where they the advent of autonomous vessels, the Ignorance is no longer an option for attack that successfully brings a terminal copied data, and demanded a ransom for internet of things, the ubiquity of smart the port community. “If something hap- or port to its knees, and stops the ? ow its safe return. Using computer foren- phones and other mobile electronics, and pened today and you go into a court and of goods and materials, even brie? y, can sics, it was discovered the break-in was even the trend toward creating a single you haven’t trained your mariners in the have a devastating effect on the national perpetrated through an isolated user ac- portal through which members of a basics of cyber hygiene, it will be hard economy. And because no port is an is- count, which was disabled. Eventually, port’s supply chain can access multiple to plead ignorance: ‘Oh we did not know land, the ripple effect across other ports Clarksons recovered a copy of the stolen systems. we were hacked,’ It won’t ? y,” warns as vessels get backed up waiting to dis- data. It is now contacting potentially af-
It’s enough to make you ask if whether Shoultz, adding “The folks who manage charge and pick up cargo, can be equally fected individuals. the ports can, really, ever be made cy- legal and insurance need to worry about painful. ber secure. “We ask ourselves that ev- this, not just tech guys.” There have been several cyber inci- A Look Behind the Curtin ery day,” quipped Todd Epperson, port In September 2016, then U.S. Coast dents of note impacting U.S. and other But the real story lies in what hasn’t security specialist for the USCG/Sec- Guard (USCG) Rear Adm. Paul Thom- ports in the last two years: happened. Port of Los Angeles execu- tor Upper Mississippi River. He noted as, assistant commandant for prevention • The best-known incident was the tive director Gene Seroka told a con- that securing inland river ports involves policy, summed up the conundrum fac- “notPetya” malware outbreak in Oc- gressional committee at an October 2017 tackling facilities that stretch 70, 80, 90 ing the nation’s ports while speaking at tober 2017, which struck A.P. Moller- hearing in the wake of the Maersk inci- miles, and encompass 100s of business- a forum on cyber resilience. “The reason Maersk’s IT department, and through dent, that its cyber security center stops es, many small operators – a world away that our marine transportation system that, it’s APM terminals at ports world- “20 million” cyber-intrusion attempts from their coastal cousins. is ef? cient and productive is because it wide, including at Los Angeles, Long monthly. That’s an average of seven to is highly automated, and it’s becoming Beach and NY/Newark. The shut down eight attacks a second. Similarly, the
One Pinpoint more and more so. Cyber is how we are there and at other ports, and the ensuing Port of Long Beach was beating back
A weak spot at any point in the supply operating today, and more and more we cleanup of backlog, cost Maersk around 30 million threats a month. That level chain digital network could be all a bad need to ? gure out how to manage that $300 million. of assault makes it well worth the more guy needs to in? ltrate the port systems. risk,” said Thomas. • The recent cyber attack target- than $1 billion dollars annually that the “All it takes is one person who has not Every business sector is using tech- ing COSCO US, the American arm American Association of Port Authori- been trained to not click on a link, and nology to drive ef? ciencies, productiv- of Shanghai- based Cosco Shipping ties (AAPA) says seaports are investing that’s it, [a bad guy] is now in,” says ity and pro? t, but few are as vital to the Holdings, took out email and disrupted in security-related infrastructure, equip-
MarineCFO CTO Dean Shoultz. Once national economy and the ? ow of goods telephone communications at its cus- ment, operations, maintenance and train- in, malicious software can be launched and materials as is the country’s system tomer service center at the Port of Long ing.
behind the ? rewall and the cyber intrud- of ports. Beach, and also impacted the company Chilling as those numbers are, it only er is free to ri? e through ? les looking for One of the nation’s most critical in- in Canada, Panama, and South America. takes one successful attempt to get ? nancial data, competitive information frastructures, the maritime port system COSCO connected with clients through through, and it will happen. The real take or the email of key company executives. employs more than 23 million people, conventional communications and social away from the Maersk take down is that
Shoultz recounted the case of “one encompasses more than 25,000 miles media and never shut down. Armed with you can do all the right things, not be the of the larger operators on the market,” and includes 360 coastal and inland ports a contingency plan, the company iso- actual target, and still get stung. where an intruder sent out a wave of that account for an estimated 90% of lated the affected network, tested other Which is why after two years of con- emails that appeared to come from one U.S. trade, 26% of the world consumer regions for signs of the infection and sciousness raising about the threat of cy- of the company’s bigger customers, market, and at least $1.3 trillion in cargo. transferred and conducted operations via ber crime, the focus has now shifted to claiming it needed to see an invoice. remote access, to ensure continuous ser- breach response plans, or resilience, and
Just one person clicked on it, allowing Country First vice in the Americas. collaboration. Going on the assumption an intruder to hijacked the CEO’s email If the port communities aren’t worried • Shipbroker Clarksons revealed they will inevitably be attacked at some address and send a message to the pur- for their businesses (and they should be), it discovered a cyber breach in No- point – deliberately, unintentionally or chasing agent, requesting that she wire a consider that from both an economic vember 2017, which had opened up ? ve accidentally – port communities are be- 34 Maritime Reporter & Engineering News • SEPTEMBER 2018
MR #9 (34-41).indd 34 MR #9 (34-41).indd 34 9/5/2018 11:42:33 AM9/5/2018 11:42:33 AM