Cargo Security: Defining threats, finding solutions for cyber attacks

While physical threats to international sea and air cargo gateways have been top of mind ever since the events of 9/11, security analysts say that more attention should be given to reduce exposure to Internet penetration and attacks by hackers. Should existing cyber security processes be compromised, they add, a cascading effect might be created, thereby disrupting huge segments of any given supply chain.

Ocean carrier cyber security is “full of holes,” says Lars Jensen, founding CEO of CyberKeel, a Danish consultancy focused on maritime risk mitigation. “We conducted a very basic review of cyber-security on carrier Websites and found indications that 16 of 20 carriers have serious security gaps,” he adds.

A new report issued by CyberKeel titled Maritime Cyber Risk provides details on what Jensen sees as the three main motivations for recent attacks: money, cargo, and exclusive market intelligence.

“Most shipping stakeholders still feel that this is almost an invisible industry,” says Jensen. “Furthermore, those who do not live near a major port facility may not be aware of just how vulnerable our sector is in regard to threats and actual violations of a very fragile safety net.”

Jensen explains that because there’s a crucial need for exchanging information across multiple platforms, the exposure to risk is significant. For example, a single shipment of a container will likely involve data transfer between five to 10 different stakeholders, including the shipping line, origin port, destination port, shipper, consignee, customs authorities, trucking company, data portal intermediary, and banks.

“These stakeholders will have different back-end systems offering various levels of protection,” says Jensen. “So, it’s important to realize that the information will be quite detailed and hold value to a number of criminals or terrorists should they be able to access it.”

Jensen observes that large monetary transfers take place involving a number of players in the supply chain. Typically, these could be payments by shipping lines to bunker companies, shipyards, or vessel owning companies as well as freight payments from shippers to liners and vessel owners.

“Many shippers who are involved in the financial and operational chain are scattered across multiple different countries and time zones,” Jensen adds. “This means that parties often act ‘asynchronous’ without necessarily having real-time conversations. As a consequence, any duplicity will thus take some time to discover.”

Ports are listening
Fortunately, port information technology leaders—along with their counterparts in private industry and other critical infrastructure—have listened to Jensen’s warnings and have been confronting the threat of cyber security for some time.

According to the American Association of Port Authorities (AAPA), cyber threats continue to grow in prominence and are evolving rapidly. As a consequence, there’s a need for clarity in communication about goals, strategies, objectives, and tactics.

“Several ports have participated in the General Accountability Office’s cyber security review of ports, and others are working with local and federal law enforcement as well as academic institutions to identify and develop best practices on cyber security,” says Kurt Nagle, AAPA president and CEO. “At the federal agency level, there’s a need for common standards and a clear delineation of roles and responsibilities for critical infrastructure, including ports.”

While AAPA acknowledges that creating systems to prevent cyber breaches is not easy or intuitive, it has given its member ports a framework comprising “tiers” of risk-based implementation. “Just as annual physical security exercises are conducted to ensure good working processes, annual cyber-security drills are recommended,” says Nagle.

During that check up, the port’s law enforcement partners should ensure that appropriate notifications, forensics preservation, and investigation processes meet their needs. They should also validate the U.S. Coast Guard’s (USCG) role in the process.

Another challenge, says Nagle, is to see that the USCG can meet the demands of cyber-security while not compromising its own limited resources. “Tasking the USCG with responsibilities for cyber security within ports is logical, but will strain an agency that has already seen its mission and responsibilities expand greatly since 9/11,” he says.

Collective awareness needed
The need for airlines to adopt a solid information security framework is also clear, observe senior analysts at Boeing. They say that cyber attacks are increasing in number and sophistication, while software vulnerabilities expose intellectual property to unauthorized users.

Furthermore, insider threats to IT infrastructure and proprietary information are also increasing. “The ideal airline information security framework addresses airplanes in flight, ground operations, and threat management and consists of three major functions: prevention, detection, and response,” says Stephen Whitlock, Boeing’s chief information security strategist.

“An airline IT security framework should also ensure that managing information system-related security risks is consistent with the organization’s mission, business objectives, and overall risk strategy established by the airline’s senior leadership,” says Whitlock, adding that IT security requirements, including necessary security controls, should also be integrated into the airline’s enterprise architecture and system development lifecycle processes.

Information security threats to commercial aviation present some unique challenges. For example, threats can manifest themselves as internal security deficiencies or attacks from external sources, such as the supply chain and network connections within the industry. The existing fleet of cargo airplanes contains computerized systems, software parts, software control of devices, and off-board communication capabilities that all require an effective security solution.

Faye Francy, a security expert from Boeing’s Aviation Information Sharing and Analysis Center (AISAC), says that some “advanced persistent threats” are able to hack many of these systems for six to nine months before any IT expert could detect a problem—and by then it’s far too late.

“We want to move cyber security away from being just an afterthought,” says Francy, adding that by attending Webinars and other courses on real-time threat intelligence, many air cargo operations can eliminate some risks just by understanding their vulnerabilities. “Situational awareness is quite powerful,” she adds.

An even better course of action is to gain “collective awareness” by banding together with other companies—even with competitors—and setting up information-sharing committees, Francy says. For those concerned about sharing sensitive data, she adds that it’s possible to “anonymize” the data and either share with private-sector partners or give it to the government to disseminate.

Shippers to arms
Suzanne Richer, director of the trade advisory practice at global trade management software provider Amber Road, says that air and ocean cargo shippers can also play a proactive role in the war against cyber crime and terrorism. At the same time, she says, logistics managers can protect themselves and their supply chains.

“Ensuring electronic data is accurate is critical to ensuring on-time delivery,” says Richer. “You can’t get anything in or out of a country without data.” She notes that Customs and Border Protection (CBP) captures data on importers and exporters today that can trigger a compliance or cargo security review down the road.

The information shared electronically through carriers, forwarders, and customs brokers is evaluated based on CBP’s risk model, and anomalies may result in a shipper’s air or ocean cargo being held. “Our greatest security issues revolve around understanding that terrorism evolves and changes, and acts of future terrorism are undeterminable,” says Richer.

One of the difficulties in all cargo security programs, adds Richer, is that government validations of a company’s security program are infrequent—at a minimum once every three or four years. “Most people let things go until the next validation. In turn, the program becomes ineffective, unmanaged, and not part of the key metrics of validation. To improve this, shippers need to make sure this is an ongoing process.”

Richer maintains that shippers aggregate a number of programs at once, including role-playing. This will enable the entire shipping staff to identify and react to a cyber attack.

“For example, when reporting an incident, a trained person will look at the time, where they are, document who was involved, and what happened,” says Richer. “At the same time, importers, exporters and service providers must work diligently to see that their programs are current and continuous.”

Meanwhile, cargo security programs such as C-TPAT, AEO, PIP, J-AEO, C-AEO have collectively worked to reduce the risk of terrorism occurring in the supply chain. However, Richer says that these programs are useless unless shippers actually comply and their data has meaning.

“All these programs have effectively addressed improving transparency in the supply chain and reducing the risk of attack,” adds Richer, “But the new world of cyber attacks adds to the complexity of remaining secure.”