Cyber criminals have already struck. When Maersk Line found itself infected with the NotPetya ransomware virus in 2017, it took ten days to rebuild its network of 4000 servers and 45,000 PCs. The outage cost about US$300 million.
Just this February, Australian 3PL Toll Group’s IT platform was temporarily crippled by a ransomware attack. Other instances include attempts to steal cargo from the terminal or disrupt terminal systems unless a ransom is paid, or to commandeer ships in port waters, to block approaches or berths, for political purposes.
Ports are showing increased awareness as a result. The Port of Melbourne has helped establish a Port Cyber Security Forum, with experts advising port users on pro-active cooperation to address cyber security risks.
Governments too are recognising the threat to ports. The UK government has published an updated version of its “Ports and port systems: cyber security code of practice” document, which aims to provide guidance for companies with responsibility for protecting technical systems at port facilities and vessels docked in ports.
It offers advice on developing a cyber security assessment and how to plan for protecting important assets, processes and potential vulnerabilities.
NEED FOR SAFEGUARDS
The need to educate staff on how to recognise risks has led Singapore-based Stapleton International to develop a specialist course that has been endorsed by the Maritime and Port Authority of Singapore and recognised by Inmarsat along with the Institute of Maritime Engineering, Science and Technology and the University of Sunderland in the UK.
Stapleton chief executive Dr. Mick Thurlbeck says data transfer is at unprecedented levels and the multiplicity of systems in use in ports and on board vessels could prove to be a huge opportunity for cyber-crime.
He says that 95% of cyber breaches are a result of personal error by staff and this can happen at any level within the port organisation or on the ships in port.
“There has been a marked shift of attacks from corporate systems to target individuals. Almost every company has the latest security software and firewalls in place so many presume that the IT department will keep everything safe and intact. But human error is the weakest link.
“C-level staff are no exception, just as management are also generally prone to attack. The methods used by cyber criminals – phishing, social engineering, ransomware etc. – are not targeted at any particular level. All they look for is someone to make the mistake and the consequences can be alarming. Once the hackers have breached, you are then under their control.”
The legal implications for a port authority whose cyber defences have been breached will depend upon the country within which the port is situated, says Toby Stephens, partner of international legal firm HFW.
“The primary concern is that a port’s security is sufficient to prevent criminals from operating within it, misdirecting cargo, or allowing contraband to pass through it. This may have implications for the port’s concession with the state or other authorities.
“Ports may be exposed to third-party claims arising from breach of contract and/or breaches of duty and negligence if, for example, cargo is lost or stolen as a result of a cyberattack. Given the sophistication and novelty in cyber-attacks, imposing a duty of care in tort claims will be driven by the facts of each case, but the more widely the problem and the better the information, the higher the standard that the port will be held to.
“There is also a reputational issue, which has a knock-on commercial impact. For example, the safe port warranty is fundamental to charter parties and, arguably, a port might be considered legally ‘unsafe’ if it suffers cyber-attacks due to poor cyber security. Claims may also be brought under the data privacy legislation.”
Defences available depend upon the circumstances of any case. A deliberate criminal act by another person or persons is usually a good starting point for any defence. However, if the claim is being made by a contractual counter-party it will depend upon the contractual terms, says Stephens.
“The contract may specify the level of security the port should maintain. Alternatively, the contract may just imply that the port will take reasonable care of goods in its custody. This suggests that the port will have adequate systems in place based on the known or anticipated threats. ‘Systems’ in this context isn’t just computer systems, but also procedures and training which help an organisation cope with the threat.”
Stephens says businesses are susceptible to any kind of cyber-crime and ports and terminals are no exception. This can range from GPS spoofing, phishing emails and doctored fraudulent payment instructions to a denial of service attack, a malware attack, ransomware or even honey-traps.
Political and economic motives may also spur an attack. “Phishing and malware are the most common types of attacks and could be catastrophic for a port or terminal operator. Most cyber criminals are looking for a way to earn money, but ports and terminals may attract those seeking to steal cargo. However, given the nature of ports and terminals, they are more likely to attract the attention of organised crime seeking to smuggle contraband or, even worse, terrorist organisations seeking to cause maximum chaos.”
He confirms that with diverse infrastructure systems in a company, every individual in the hierarchy can be a potential target for cyber terrorists – “A cyber event on the whole is a failure of an organisation or private person’s IT systems, which can either be caused by a malicious actor (for example a cyber-attacker) or a technical failure. It is all the more important to have robust systems and regular training in place for all personnel.”
Stephens says there is very little consistency in how ports are responding to cyber threats. “This is the most critical issue – many people think that cyber security is simply an IT issue. It isn’t. You can spend as much as you can afford on IT and in a year or two it will need updating. Companies need to have proper procedures in place to deal with an attack before it happens, and they need to have a system of regular training in place for all personnel.”
As a final thought from a lawyer’s perspective he adds, “Review your contracts to understand your exposure to your counter-parties. It may be that much of the exposure can be mitigated or transferred if it is given proper thought.”
RANSOMWARE ATTACKS THE MOST PROBLEMATIC
Michael Yarwood, the TT Club’s Managing Director – Loss Prevention, says that arguably the most problematic subject for the port authority is the ransomware-type attack. This may, for instance, result in the port authority not being able to access key IT infrastructure and, as a consequence, not being able to fully operate or serve its customers.
The TT Club’s messaging has focused on practical strategies of prevention and, thereafter, on developing systems to detect and identify, contain, eradicate and recover. In terms of prevention, layers of defence need to be established starting with the outermost layer of physical security, followed by management-level procedures and policies, firewalls and architecture, computer policies, account management, security updates and antivirus solutions.
Information and access should be limited to a need-to-know basis. Legacy systems should be reviewed, and network-hardening measures embraced, ensuring patch management is adequate and proactively reviewed. All USBs should be encrypted and tested for viruses prior to being used with other devices. Frequent awareness briefings and training programmes should educate all employees on best practice.
Comprehensive threat assessments should determine areas of potential attack and vulnerability assessments should identify critical systems, understand the potential exposures faced by each and the impact on overall business continuity in the event of a cyber-attack.
“Risk assessment and risk treatment options can then be reviewed and implemented to ensure a robust system is in place to prevent incidents where possible and equip employees to detect and respond in cases which could not be prevented,” says Mr. Yarwood.
Vetting of third-party providers is also necessary to ensure cyber security precautions are taken.
Finally, for ports considering a way forward, Stapleton’s Dr. Mick Thurlbeck says it is imperative not to adopt an attitude of “if it’s not affecting the bottom line at the moment, then we will deal with it later”.
He advises: “If you have not done so already, don’t delay training any longer. If you have been free from cyber-attack it is possible that thus far you have just been lucky.”