Smart ports rely on a combination of data, technology, and connectivity to provide their users with greater functionality and cost savings.
New technologies also introduce new threats to port operators, their clients and their users, and these threats may not be considered during the design, construction, refit or ongoing management stages.
At the simplest level this creates hurdles to overcome; in a worst-case scenario it can cause loss or corruption of essential data and operational capabilities, all the way to the effective paralysis of port operations.
We sat down with David Nordell (Director of the cybersecurity consultancy Synapse Cyber Strategy) at Smart Ports Summit in London to discuss the impact that new technologies such as 5G and cloud computing could have on security at smart ports, and what port infrastructure and services need to have in mind when mapping their assets to improve security.
Read the interview below.
Q: What are the 3 biggest factors in safeguarding logistics operations against cyberattacks?
David Nordell: There is a very interesting story from the shipping industry where a pirate group boarded a ship off the Horn of Africa a couple of years ago.
The pirates didn’t go to the captain and say they would sink the ship or harm the crew unless they received a certain sum of money; they went for one of the containers.
They knew exactly which container, where it was, and the loading pattern of the ship. They broke it open, went for one particular box in the container, took it away and left. No-one knew what was in the box as the loading manifest didn’t give any particular details.
Someone on behalf of the pirates had managed to hack the loading manifest of the ship. They knew exactly what was in it, where the high-value cargo was and that was all that interested them. This is exactly the type of thing that can happen where data is stolen from a hack.
You will more than likely find similar examples in shopping malls where a particular jeweller is rolled over because there is particular information that this shop has a high-value jewel or whatever it might be. It just happens that this is part of the maritime field, and this was something that no-one had particularly thought about before.
As a result, we are going to see several unexpected crimes taking place as a result of data leakage. People just do not understand the value of the data they are holding. Ships have been made to collide by hacking, and there is a very large range of things that can go wrong and most of the people in the industry just don’t have a clue.
I saw a report about a week ago, written by a white-hat hacking company that specialises in certain industries including maritime. I know these people and I know them to be reliable, and they discovered by analysing the cybersecurity of many expensive private yachts – worth many, many millions – that there was almost no security.
Essential systems were not protected by strong passwords, they were not protected with encryption, there was no separation of networks. So basically, once you got into any one place on the boat’s network, you had access to everything.
In some cases, you have people running very valuable businesses from these boats, in others you have the rulers of nations running their governments from their boats in the Mediterranean or the Caribbean. You don’t know how secure they are, and overall, they don’t know how secure they are. This is also a problem on some cruise ships.
This is a highly unprotected industry.
Q: What are the main factors which port infrastructure and services need to have in mind when mapping assets?
DN: They need to know what they have, not quite down to the last nut and bolt, but they need to have a clear idea of the systems they have, the data they have, what operations they have that rely on any kind of electronic surveillance or control.
They literally must go around their whole estate and go: "we have these types of computers, we have these servers, we have these cameras, electronically controlled access gates, etc." At the very least they need to start with that. They then need to break each one of these down and find out what is in it: what operating system, what software, what data or information passes through this device or system, and how are these interconnected?
It’s a lot of work but it has to be done, and one of the main reasons why it needs to be done is that if something goes wrong, they have no idea what the systems are about and they will not be able to recover them properly and they will waste an enormous amount of money rebuilding.
Incidentally, in the course of mapping their systems they will see that they will have a certain number of things which are not functioning anymore. From here they can take them out of service altogether and save some money. They will also see things that will need to be replaced simply because they are not working properly, and so they will become more efficient.
It’s a management process rather than a technology process, but then having done this they can start to examine the security of the networks, the software, and the hardware. It will probably require external services, but they will know at least what they have, and they can start to map out what needs to be strengthened. It’s going to take a certain amount of work and management time.
My attitude is that it’s not if you are going to get hacked, but rather when you are going to get hacked. If they don’t do it, eventually when they do get hit, they will not know what to do.
There are also other issues with regard to regulatory compliance and reputation loss, and if we are talking about a public company, then they will need to report to the stock exchange that they have been hacked, and they are going to have to deal with the media.
If a company is on top of things the damage will be a lot less and the truth is that the damage is greater because we are talking about people’s lives, but the processes are very much the same. If you want to be prepared for when you are hit by a hacker, then you need to go through a certain set of preparations, and it will make your life a great deal easier.
If you speak with any of the large financial institutions in Canary Wharf - with about 99% certainty - they will have these preparations in hand because they will have board directors who insist that certain things happen.
The maritime industry, as it is older, more traditional, and less accustomed to moving fast, thinks differently. It’s got to start to learn from other industries.
Q: 5G has been a hot topic at Smart Ports Summit. Just because we can use this technology, does it mean we should?
DN: 5G is a very sexy technology because it enables you to connect wirelessly without having complicated cabling, fibre optics, etc. It’s fast and supposedly very efficient but the problem is that it is very new, and it hasn’t really had all the bugs ironed out. I don’t really want to get into all the security questions which surround the main provider of 5G technology. I am in no way suggesting that this provider is in the business of spying on anyone or plotting to sabotage systems, as they do want to sell more boxes and therefore, they must do it very cleanly.
But it is a relatively untested technology and if you start to investigate all of the security experts’ opinions on 5G – that combined with another technology called IPv6 (Internet Protocol Version 6), which is the way everything is mapped out and addressed – you have two technologies that are not completely mature or secure, and not everyone understands how to use them. This is a big problem.
It would be better to do more experimentation with 5G - and similar systems - and not actually have everything dependent on them until you resolve any bugs in advance.
Q: What are the different cyber security challenges for IoT devices and cloud platforms?
DN: Cloud is basically the code word for putting your information technology systems somewhere else – using someone else’s servers and using someone else’s connectivity. There is nothing inherently more secure about cloud technology, and there is nothing inherently less secure about cloud technology.
There are very well-known cloud providers who have had major disasters, and then there are smaller operations who keep everything in-house who are perfectly secure. The whole purpose of cloud is to give someone else the technical headaches and you just consume data and services – if it works well, it works very well.
In the context of IoT, what matters is that IoT has a lot of types of devices and data, and you are hoping that your cloud services provider has the know-how to deal with all of this. You will probably be right, but there is no way to guarantee this. I think one of the things which we are still learning is how well cloud service companies are dealing with IoT given that pretty much every IoT device comes out of the box with a default password and the device is probably installed with the default password.
There are many other aspects with regard to IoT security. I have been directly involved with IoT security standards and, from what I have learned, these are pretty lousy.