National cyber security centres need to be at the heart of shipping and ports’ defence against online threats
These centres can provide threat intelligence, guidance on cyber security and cross-industry collaboration to protect ships and ports from hackers.
A panel of technical experts debated the advantages of cyber security centres securing vulnerable maritime assets during Riviera’s Maritime’s zero-day exploit: port cyber security webinar.
This event was held on 17 March 2021 as part of Riviera’s Cyber Security Webinar Week. This panel consisted of University of Plymouth research fellow for cyber security Dr Kemedi Moara-Nkwe, NORMA Cyber managing director Lars Benjamin Vold and McDermott Will & Emery partner Paul Ferrillo.
They explained how port facilities remain vulnerable to, and are unprepared for, cyber threats. They agreed port cyber security is maritime’s zero-day exploit, which is a secret vulnerability no one has generated protection for.
Cyber attacks on logistics hubs would devastate the supply chain network with tremendous financial damage, said Mr Moara-Nkwe. He said cyber threats could affect operational technology (OT) such as supervisory control and data acquisition (SCADA) systems and IT networks in ports.
“Ports are unique in their interfaces between IT and OT, such as for cargo loading and unloading,” he said, adding a cyber attack initiated in IT could impact substations, electrical systems and automated cranes. “Ports depend on the technology and need to consider the risks as a cyber attack can affect availability of technology and assets,” said Mr Moara-Nkwe. “Potential consequences are disruptions to port operations and to supply chains.”
There are also consequences to cyber issues jumping between IT and OT on ships as more owners, operators and managers adopt digitalisation and internet of things (IoT). “This could potentially cause a vessel to lose access to onshore services, with no communications,” said Mr Moara-Nkwe. “There could be a loss of access to electronic devices used for navigation or for safety purposes on ships.”
He said countermeasures need to include direct approaches such as hardening IT and OT systems, improving personnel training and regulatory changes to reduce vulnerabilities.
“There are also indirect approaches such as risk sharing, and projects such as Cyber-MAR, with the aim of quantifying the effects of cyber attacks and proposing risk models that would aid risk mitigation,” said Mr Moara-Nkwe.
He would promote and encourage growth of the cyber-insurance market. “This will allow players in the maritime space to adequately hedge against cyber risks,” he said, adding the “rise of cyber security centres is the way forward in cyber security”.
Mr Vold explained the purpose of the Norwegian Maritime Cyber Resilience Centre (NORMA) for building unified resilience against cyber threats for Norway’s maritime and shipping sectors. “We are finding new ways to collaborate, share best practice and technical information,” said Mr Vold. “We need to find a holistic way in the industry to tackle cyber threats.”
NORMA was established on 1 January 2021 after more than 18 months of interviews and meetings with shipowners, operators and other stakeholders. There is a positive drive in Norway for the sector to collaborate to reduce the risk of successful cyber attacks.
“Several organisations are willing to move forward and invest time and money in collective cyber resilience,” said Mr Vold. “New technology has been developed for cyber defence purposes, while existing structures and organisations can be built on.”
NORMA provides an intelligence and information-sharing service and an incident response and crisis support service. “From 1 June 2021, we will be a security operations centre, with services tailored for the shipping and maritime sector,” said Mr Vold.
One of the key comments from this webinar’s panel was the importance of regulation and authorities’ response to cyber issues on ships.
Mr Ferrillo provided an update on the regulatory framework and changes in the US, including the National Maritime Cyber Security Plan. The main priority of this plan is to establish clear lines of command of who oversees maritime security, mostly the US Coast Guard in US continental waters.
Other aims are developing maritime standards and best practices for IT and OT technologies and strengthening port cyber security best practices through contractual requirements.
“Developing procedures to identify, prioritise and mitigate cyber security risks for ports and vessels would include developing a framework for ports and vessel assessments to follow,” said Mr Ferrillo. “Better information sharing and more timely sharing of cyber security threat intelligence and increased educational training to produce more cyber security specialists for ports and vessels” would also be part of the plan.
Mr Ferrillo spoke about the role of the US Coast Guard as the chief maritime law enforcement agency in the US. He said the national maritime cyber security plan “rides side by side with US Coast Guard’s guidelines for addressing cyber risks” at Maritime Transportation Security Act (MTSA) regulated facilities (NVIC).
“Which generally require these ports to address and document network and cyber security vulnerabilities,” said Mr Ferrillo.
MTSA requirements are mandatory, while US Coast Guard’s NVIC is guidance for reminding port facilities of the need to comply with MTSA regulations.
To identify cyber security vulnerabilities, ports and regulated facilities should conduct facility security assessment and plan to address cyber security vulnerabilities using a facility security plan.
These are some of the key documents port owners can consider for cyber risk management and security. There are also cyber security guides for port stakeholders.
But there is lack of awareness of these, as demonstrated by one of the poll questions to attendees of the webinar.
Only a third (33%) said they think workers are aware of the existence of cyber security guides for port stakeholders, and 67% thought there was no awareness.
Attendees were then asked what proportion of ports have mandatory cyber security training for their workers. Of those who responded, 52% thought it was 20% of workers and 39% thought it would be 40% of port employees. Only 9% thought it was as high as 60 workers out of 100 and none thought the proportion was any higher.
Attendees were then asked: When do you believe the first port will experience significant physical damage caused be a cyber security incident?
Around 64% of respondents thought it had already happened, while 27% said between one to five years and 6% said more than five years, while 3% thought ports would never be significantly damaged by a cyber security incident.
They were then asked a similar question for ships. 56% thought a merchant vessel had already experienced significant physical damage caused be a cyber security incident. 34% thought it would happen in one to five years, 7% in more than five years and just 3% thought it would never happen.
Finally, attendees were asked their thoughts on a hypothetical scenario. Imagine two ports located in two different places in the world. They have the exact same IT and OT infrastructure and the same preventive measures in place. Which of the of the statements do you agree the most with? 84% of respondents said they might have a totally different cyber risk level, 12% agreed these two ports have the same cyber risk level since they have the same attack surface, and 4% thought this experiment had nothing to do with the real world.
Panellists on Riviera’s Maritime’s zero-day exploit: port cyber security webinar were (left to right): University of Plymouth research fellow for cyber security Dr Kemedi Moara-Nkwe, NORMA Cyber managing director Lars Benjamin Vold and McDermott Will & Emery partner Paul Ferrillo.
To view details of upcoming Riviera webinars and virtual conferences use this link to the events page