There’s No Margin for Error in Port Cyber Security

With the global shipping industry already under pressure, Joel Snape, Security Researcher at Nettitude, explains why addressing the risk to port infrastructure from cyber-attack has never been more critical.

In early November 2020, the 20,400 TEU Ever Grade was forced to skip its scheduled call at the UK’s Felixstowe port, instead heading straight to Rotterdam and unloading UK-bound containers there for onward transport via London Thamesport. Similarly, the first call of CMA CGM’s new ultra-large container vessel to Southampton was cut short with around a thousand containers staying aboard until a later visit.

The UK’s port infrastructure has never before been under such strain – the double challenges of COVID-19 and Brexit mean that freight volumes are at an all-time high. This has caused significant backlog with importers struggling to obtain their goods and factories pausing manufacturing lines due to a shortage of component parts.

Although this is not the result of any kind of malicious activity, it has sharply highlighted the significant impact that port disruptions can have on the wider economy. With the global shipping industry already under pressure, and the UK facing new challenges in 2021 as the Brexit transition period has ended, addressing the risk to port infrastructure from cyber-attack has never been more critical.

The risk is not just academic – 2020 has seen the IMO, MSC and CMA CGM both attacked, and port infrastructure in the USA targeted by ransomware. In Iran a cyber-attack on the Shahi Rajaee port, allegedly carried out by Israel, cased significant disruption to both land and sea traffic while systems were restored.

Why would ports be a target?

Different classes of attackers have different motivations, depending on their objectives, and these can vary both between groups and over time. However, some of the key motivations we see today are:

Direct financial gain: Criminal groups have realized that there is money to be made from targeting a company or organization, stealing data and/or disabling key systems and demanding a ransom payment to restore operation or prevent further disclosure of sensitive information. By causing huge disruption they hope to pressure their victims into paying out to quickly restore operations. Due to the critical nature of ports, and the publicity and knock-on effects of disruption, ports are an attractive target, and may be viewed as being more likely to pay up.

Criminal: Ports play a significant role in the regulation of the flow of people and goods into and out of a country, something smuggling groups need to evade. By getting access to data and systems within the port, they can get information on goods movements, or attempt to amend records to evade taxes and excise duties.

Espionage: Nation states are continuously looking to further their own aims. Information held by ports such as passenger movements, goods flows or operational techniques can be hugely revealing to help build a better picture of activity in a country or region. Additionally, nation-states may also carry out active/destructive activity to disrupt the flow of goods into a country in the event of a diplomatic dispute or even war.

How do attacks take place?

Attackers will use whatever mechanism gets them to their goals as easily as possible, within the constraints of their capabilities. However, there are some key attack classes that have been recently seen in attacks on ports:

Phishing: By sending emails containing malicious attachments or links, attackers hope to get a “foothold” within an organization, which they can then leverage to carry out further attacks. Phishing is attractive for attackers because many messages can be sent out to hundreds or thousands of potential targets for little or no cost. Ports are especially exposed as they typically have to interact with a large number of stakeholders on a daily basis, which can give attackers a wide range of opportunities to attempt to impersonate legitimate entities.

Exposed services: Every organization has services connected to the internet – whether it’s a website, email logins or VPN gateways to allow remote access. Attackers are constantly scanning the internet for services that might give them access, and probing for weaknesses and vulnerabilities.

Physical security: By gaining unauthorized access to a port facility, attackers can get direct access to their target computers and systems. This can let them attach their own equipment capable of modifying records or giving them further unauthorized remote access.

Onward movement: It’s rare that an attacker will ever get access to their target in one step. Much more commonly it will take a “chain” of vulnerabilities to allow them to move from how they got initial access (e.g. a user’s desktop computer) to the system or data of interest. 

How to respond?

The ways in which technology and automation have been rapidly adopted to improve port operations and efficiency can only be a good thing. However, it is important that as it is adopted, the risks that it might introduce are considered in a holistic, and realistic way, commensurate with the threats present in the environment you operate in.

By doing this, risks can be mitigated in an appropriate and proportionate way through the introduction of risk controls. There are three key areas to consider for controls to ensure that organizations are prepared for the threats that they are facing:

Organizational practices: How the business functions have the biggest impact on the effectiveness of other controls.

Procedural: Defining the ways in which tasks should be carried out helps to enshrine best practice.

Technical: Implementing technical controls can help mitigate risks present in the systems and technologies used.

It’s important to stay up to date with the latest threats to your business and Nettitude provides independent assurance and threat-led maritime cyber security services to marine and offshore organizations around the globe.