Hinne Hettema, Acting Chief Information Security Officer, Ports of Auckland
Hinne Hettema works at Ports of Auckland. He is the author of Agile Security Operations (Packt 2022), and is also a Senior Research Fellow at the University of Queensland in UQCyber.
Ports and their surrounding ecosystem of line operators, freight handling, and logistics are attractive targets for cyber actors. The environment operates with high stakes, and disruptions cascade quickly. Significant sums of money may be involved in outages. Moreover, the integration between the various systems that make up the environment is complex and involves a large amount of legacy technology.
This situation attracts cybercriminal opportunists as well as state-sponsored attackers. Criminal operators can expect a quick and significant pay-out from a successful attack, while for the state-sponsored attacker, a successful denial of service on a nation’s transport and logistics capability amounts to an economic embargo without the associated political cost of having to declare one.
Insurance further adds to the problem. Insurers have had to pay out significant sums to ransomware operators in the last few years, and it shows in the length and complexity of the forms that need to be filled out. Without demonstrated cyber maturity, cyber insurance will be harder or impossible to get.
From this perspective, ports embarking on automation initiatives need to pay deep and careful attention to cybersecurity as an ongoing risk.
For an automated port, there is no fallback away from technology. And that technology is compromised during and after a cyber-attack.
Automated ports need a credible cybersecurity program to safely automate and keep operating. Here, I do not have the space to outline in detail how to initiate and execute a program, but the pointers below cover what I consider essential.
1. Define who has responsibility: the resolution of cyber incidents needs clear lines of decision-making and responsibility. What is needed for the resolution of cyber threats is also necessary for the running of a credible cyber defense capability. Define who has the authority to make decisions, and ensure these people are available to the people tasked with executing the cyber program.
2. Develop a strategy but focus on execution: all too often organizations collect their ideas in a strategy document that ends up in the bottom drawer. To get started, it sometimes helps to get an eye on threats already facing you today. To do that, it helps to ask ‘bottom-up’ questions such as ‘what was detected by my antivirus recently’, or ‘what type of threats are held in my malware mail queue’? These are things you can start today. In this way, top-down strategy gets connected to actual tactics.
3. Integrate automation and cybersecurity operations to understand the business context of threats. Ports are specialized setups, where the way in which threats play out is unique to each port. That also means that cyber security operations in a port environment are not easily outsourced in their entirety. The understanding of the business context of threats is vital to the capability to recover from intrusions resulting from them. A dedicated small team working closely with the operational teams is ideal to quickly diagnose threats and deal with them before they become a problem.
4. Understand what can be outsourced: to achieve cost-efficiencies in the program, some things, such as desktop anti-malware monitoring and management, firewall monitoring, and email queue management can be outsourced, or acquired through an uplift in a current outsourcing contract. These are real threats but are also of a more generic nature. This allows the on-site team to focus on what is specific to the port and automation aspects, which are unique to the business.
5. Understand where to get the specialized knowledge to deal with intrusions. A successful intrusion, especially in an automated or robotic system, may require significant amounts of analysis and reverse engineering by experts with deep knowledge of these systems. Knowing where to access such knowledge before an incident actually happens allows for a faster and more efficient response.
6. Work together with the rest of the ecosystem. While an individual port is unique, a collection of ports working together and sharing information on their common challenges can be a powerful force in thwarting attacks, by sharing attack data and indicators, or by working with agencies during times of crisis. This cooperation can be created prior to a crisis to enable a better response. Such cooperation also allows for shared cyber exercises, where, for instance, the effect of a cyber incident at the port can be exercised with freight forwarders to estimate the total impact of incidents on the ecosystem.
Serious compromise does not happen in a vacuum. Creating a cyber security function at a port is not easy, but vital to enable the efficiencies that come with automated systems and technology. Security operations must deeply understand the contexts in which ports and port automation operate, and be able to take the correct action on the landscape when and where intrusions occur.