How ports can protect themselves against cyber and physical security threats
Security threats in ports increasingly come not only in physical form but also as cyber-attacks on critical communications systems. As the recent WannaCry and Petya attacks have shown, cyber-attacks can have profound consequences for ports, shipping and the entire maritime supply chain. In this guest editorial ahead of the ICHCA International conference, Rafael Company argues that it is time for a new holistic approach to port security
The numbers 9/11 strike a chord with us all, marking a ‘before’ and ‘after’ watershed in our views on security. From that time on, we have all become increasingly aware of the threat of terrorism and many of our nations have witnessed a sea-change in the human and technological resources dedicated to detecting, preventing and countering acts of terrorism.
In the maritime field, ports are key nodes where many parties and activities come together at the ship-shore interface. Not surprisingly, they therefore find themselves on the frontline of managing security to counter the multiple — and often interwoven — threats of terrorism, illegal immigration and people smuggling, trafficking in drugs, contraband and counterfeit goods and theft.
Numerous directives and legislation already in force attest to this. The International Ship and Port Facility Security Code (ISPS), which was implemented as part of the Safety of Life at Sea (SOLAS) Convention by the International Maritime Organization (IMO), aims to prevent the risks arising from terrorist threats against international maritime transport. Other port security regulations driven by US Customs and Border Protection include the Container Security Initiative (CSI) and the Customs-Trade Partnership Against Terrorism (C-TPAT), an anti-terrorist initiative which encourages the industry to take joint measures to prevent commercial freight from being contaminated with illegal substances, such as weapons, drugs or explosives.
But while we continue striving to ensure the physical security of people, cargo, equipment and assets within the port, in recent years we have also seen a significant increase in risks that affect not only the physical dimension, but also organizations’ communication systems. The rapid development of information and communication technologies (ICT) has unfortunately also spawned an exponential increase in virtual threats in the shape of cyber-attacks, which are no less dangerous for being intangible.
From 2011–2013, a group of drug dealers introduced drugs and weapons into Europe via two port facilities in Antwerp and Rotterdam. They did so by working in collusion with hackers, manipulating the systems that manage the location and movement of containers. Both Interpol and the European Network and Information Security Agency (ENISA) acknowledged in their respective reports that their knowledge of the situation regarding cybersecurity needs in the port maritime sector left a lot to be desired.
This May, the ransomware attack WannaCry, or WanaCrypt0r 2.0, affected more than 150 countries and shut down activity in some commercial ports, with resulting economic losses. Then on Tuesday 27 June, shipping giant A.P. Moller-Maersk announced a global IT breakdown caused by the Petya ransomware. Maersk IT systems went down across multiple sites and business units, including Maersk Line and APM Terminals, and the recovery is still ongoing.
This assessment of the need to improve protection is the subject of European Council Directive 2008/114/EC on the identification and designation of European Critical Infrastructures (ECIs). Ports are considered to be one of the main ECIs and their protection to be a key issue for the European Union.
Due to the progressive reliance of the industrial sector and many critical infrastructures such as ports on ICT systems, the impact of a coordinated physical attack, a deliberate disruption of critical automation systems, or even a combined scenario including both physical and cyber-attacks, could have disastrous consequences for the European Member States’ regions and social wellbeing in general.
Given all of the above, the need to guarantee the security and protection of port infrastructures -by defining them, analysing their vulnerabilities and their interdependence — must be tackled holistically, combining and interlinking physical and cyber security systems. This will help provide operators with the best technological tools to detect and identify in advance any incident, attack and/or threat to their facilities.
Responding to this new situation, Valenciaport Foundation has developed the SAURON project (Scalable multidimensional situation awareness solution for protecting European ports) proposing a holistic situation awareness concept as an integrated, scalable and yet installation-specific solution for protecting EU ports and their surroundings.
This solution combines the more advanced physical security features with the newest techniques in prevention, detection and mitigation of cyber-threats, including synthetic cyberspace aspects through the use of new visualization techniques such as immersive interfaces and cyber 3D models. In addition, a Hybrid Situation Awareness (HSA) application capable of determining the potential consequences of any threat will show the potential cascading effect of a detected threat both in the physical and cyber domains.
SAURON can be used to engage with the public in surrounding areas and rescue/security teams will be able to communicate any potential event or situation that could put their safety at risk.
Thus, SAURON proposes as a main objective to ensure an adequate level of both physical and cyber protection for EU ports and to limit, as far as possible, the detrimental effects for society and citizens of a potential combined physical and cyber-attack.
Rafael Company is SAURON Project Coordinator, Security Project Manager at the Valenciaport Foundation and General Secretary and Technical Director of the European Economic Association EUROPHAR, a group formed by port authorities, institutions and private organizations. He joins the Physical and Cyber Security session on 4 October at the ICHCA International Conference in Las Palmas, Gran Canaria, Spain.