10/23/2018 – https://pilotonline.com
By Joy Vann
While driving across the Lesner Bridge recently and looking at the Chesapeake Bay, dotted with cargo ships from around the world piled high with containers, I wondered about the challenges maritime industries face regarding cybersecurity.
I reached out to Joe Harris, senior director of communications at the Port of Virginia, who joined me in a conversation with Darich Runyan, senior director of information security who leads the port’s cybersecurity team.
At the top of our conversation, Runyan said that unlike The Port of San Diego and The Port of Barcelona, both of which experienced cyberattacks last month, the Port of Virginia has not been attacked.
Harris attributes that success to the port’s strong approach to cybersecurity.
“We have a very robust system in place to protect ourselves from these threats and I think it’s important to note that on a daily basis we are always assessing and probing for our weaknesses in our own system. We’re trying to learn from that,” Harris said. “We’re well aware that there are outside players that we can fall victim to if we are not vigilant.”
Runyan said that as ports are considered critical infrastructure (along with gas, water and electric) and the port is a strategic seaport that may be used for recovery operations in large-scale national disasters and military movement, its cybersecurity plan identifies potential threats from adversarial nations that could disrupt the supply chain. Domestic and international crime syndicates that could compromise cybersecurity to move contraband also pose a threat.
He mentioned notable cyberattacks in the maritime industry including a malware attack that hit Maersk last year resulting in an estimated $300 million loss and a 2013 malware attack on the cargo management system at the Port of Antwerp in Belgium that allowed the shipment of more than 1,000 kilograms of cocaine.
“These are threats we take seriously, so we prepare for any eventuality. The threats are out there. The bad guys are out there constantly probing ways to get in,” Runyan said. “We have to constantly be aware of who our potential adversaries are, what the threats are, whether they are small, opportunistic things that can cause greater impact, or whether they are targeted campaigns run by nation states or organized crime.”
To combat those efforts, he said, the port works closely with partners including the Department of Homeland Security, the Coast Guard, the FBI, the United States Maritime Administration, NIST Cybersecurity Framework and United States Strategic Command.
The port’s cybersecurity team tests itself and its systems by red-teaming, a cyberattack simulation or war game designed to gauge how staff, networks, policies and procedures fare when attacked.
“We red-team against our systems regularly. We have the ability to do vulnerability scanning internally,” Runyan said. “… We also regularly bring in external auditors to do the same things we do internally to provide vulnerability assessments and to provide black ops and red team types of operations.”
The port uses guidelines from the Cybersecurity Framework developed by The National Institute of Standards and Technology to provide a generic cyber-risk management program that can be adapted to any industry, along with draft guidelines released last year by the Coast Guard and the DHS.
“Every port has to have a facility security plan that deals with physical security for the port and they put out guidelines suggesting that we start to incorporate cyber into the facility security plan,” Runyan said. “So when we do our next facility security plan here at the Port we’ll be including our cyber efforts in that, as well as our physical.”
As for potential threats from vessels coming into the port, Runyan said they don’t pose a cyberthreat because they don’t connect to the port’s systems. Communication regarding arrival and departure times and cargo information is done via telephone or email. The latter is vigorously screened with a quarantine system that holds unknown emails for 24 hours before giving the recipient the opportunity to reject or accept them.
Physical security, auditing vessels and management of crew and cargo manifest documents are “out of the port’s wheelhouse,” he said. Those duties are carried out by the Coast Guard and Customs and Border Protection.
The port employs a People, Policy, Technology model in regard to staff training, making sure employees know they are the first line of defense against cyberattacks.
To create a culture of cybersecurity at the port, Runyan said, opportunistic attacks like ransomware are avoided through in-house and online awareness training focusing on how to recognize potentially malicious emails and enforcing a “when in doubt, delete” policy.
If you do a bit of reading about the maritime industry, you’ll likely come across a number of articles about port automation with topics covering the pros, such as safety and efficiency, and cons such as the high cost, loss of jobs and increased risk of cyberattack when software does the work instead of humans.
The Port of Virginia seems to have struck a happy medium by being semi-automated, with what Harris described as joystick jobs where a person moves containers with a joystick instead of being on the ground.
“So it’s semi-automation, that’s part of a drive for efficiency and the ability to provide a very high level of safety,” Harris said. “It takes people out of the work area and puts them in a clean, safer environment.”
Runyan added, “We’ve done a nice job of mitigating some of the risk by being semi-automated. The more automated you get, the more technology becomes a priority and it’s much easier to hack into a system that is automated.”
Send questions or ideas for future columns to Joy Vann at firstname.lastname@example.org.
Article originally published at https://pilotonline.com/inside-business/news/columns/article_b8083398-d6d5-11e8-b03c-3fa958d2b048.html