DHS Secretary: Cyberattacks are the most significant threat to port infrastructure

The Secretary of the U.S. Department of Homeland Security (DHS) said the most significant threat to U.S. ports is cyberattacks.

During a U.S. Senate hearing on “Threats to the Homeland,” Senator Jon Ossoff (D-GA) asked DHS Secretary Alejandro Mayorkas what the most significant threat to port infrastructure is.

“One of the concerns that we have is the cybersecurity threat to ports. We are increasing the level of technology by which our ports operate and that is why not only Customs and Border Protection has a focus on cybersecurity but so does the United States Coast Guard,” Mayorkas said.

“I would identify, with respect to our ports, cybersecurity, as a significant threat stream and we are of course very focused on defending against it and strengthening our cybersecurity.” 

Mayorkas did not elaborate on what kind of threats ports may be facing or whether U.S. ports have dealt with any attacks this year, but several cybersecurity experts said ports are ripe targets for cybercriminals and nation-states interested in causing disruption and harm. 

Nozomi Networks’ Chris Grove said there are over 900 sea ports in the U.S. that need cybersecurity protections and many of them are critical to the country’s energy infrastructure. 

Josh Lospinoso, CEO of Shift5, added that from his perspective a "universe" of operational technology (OT) risks exists within the maritime industry and at U.S. ports, because the maritime industry’s technological footprint differs from that of other infrastructure environments.

Maintenance tools used on vessels in U.S. ports bridge maritime IT and operational technology, which makes them a vector for malicious activity that could give attackers root access to shipboard systems without physical access to the ships or ports themselves, he explained.

When ships come into port, maintenance and IT teams first board the ship and connect a laptop to the vessel’s systems to download all data created during its last voyage. The aim is to determine whether any maintenance or cybersecurity action is needed by identifying anomalous data patterns, he said.

"But the problem is, it is way too easy for a bad actor to compromise the maintenance laptop, and use the connection created by unwitting staff, to move from back-office IT to the ship’s OT systems," he told The Record.

"This access would provide in-depth knowledge of vessel operations and systems to external cyber actors. It could also allow the actor to upload or modify a configuration file or software on the vessel to cause subsequent operational disruptions or worse, safety issues."

Bryan Ware, former Assistant Director of Cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA), told The Record that any cyber-related disruption that slows down U.S. ports can have a significant trickle-down effect. 

He pointed back to the significant supply chain issues during the COVID-19 pandemic that had tremendous impact across the U.S. and global economy. 

“There are constant threats to our ports in the form of vulnerabilities, ransomware and more that can cause hours if not days of impact, but ultimately, the ripple effect from these can cause significant effects to companies, consumers, whole industries and more, which is the key issue here,” said Ware, who is now CEO of threat intelligence company LookingGlass. 

Eric Byres and Ron Brash from cybersecurity firm aDolus Technology pointed to several attacks on ports worldwide as evidence backing up Mayorkas’ assertion, including the NotPetya attacks and even an incident on Wednesday where a Maersk port in Guatemala was hit with ransomware. 

Byres added that cyberattacks are a stealthier way for nation-states like Russia to cause disruption without the kind of attribution that typically follows kinetic attacks.

Brash explained that ports are relatively easy targets because so much of their staffing is outsourced.

“There are so many entries in from a supply chain perspective, from software but also you could use a contractor's laptop. You have these big integrated databases like what we saw with Colonial Pipeline,” Brash said, listing several systems including GPS that could be damaged by a cyberattack. 

“We just keep pushing automation technology and that's where I suspect that the director was saying that cybersecurity is a clear security concern because of the way we've built these industries up to be.”

According to Byres, most hackers will target IT systems connected to the business operations of ports because they are typically easier to compromise through the software supply chain. 

Operational systems are tougher to breach but nation states do have the capability to attack these systems, he explained. 

“The unfortunate reality is that ports have very poor visibility into their network, meaning once hackers are in they can really do what they please and the IT guys won’t see them,” Byres said. 

Several other experts, including Tenable’s Marty Edwards, said Mayorkas is correct to call out the heightened cybersecurity risk to all critical infrastructure, and specifically to maritime and ports.

SynSaber CTO Ron Fabela said ports and maritime operations have unique attributes that are attractive to threats: global footprints, high frequency of contact, and an amplified impact of loss.

Like Byres, he cited the NotPetya attack in 2017 as an example of the losses that can be caused by cyberattacks on ports, noting that Maersk reported losses of up to $300 million.

“For industrial control systems, specifically ports and maritime, drive-by ransomware events will continue as we move into 2023,” he said.  

This year, there were several cyberattacks on ports across Europe that caused significant disruption. In February, European prosecutors and cybersecurity officials began investigating a ransomware attack affecting several major oil port terminals that targeted organizations in Belgium, the Netherlands, and Germany, including some of the largest ports in the region.

Oil companies Oiltanking and Mabanaft, both owned by German logistics conglomerate Marquard & Bahls, suffered a cyberattack that crippled their loading and unloading systems in February. Oiltanking said it “declared force majeure” due to the attacks. 

The attacks forced Shell to reroute oil supplies to other depots. German newspaper Handelsblatt said 233 gas stations across Germany now have to run some processes manually because of the attack.

Blake Benson, senior cyber advisor at ABS Group, said the diversity of stakeholders and industries present at any given port can create scenarios that make it difficult to remediate cybersecurity issues.

Several regulatory authorities overlap in port environments from a cyber perspective, he added, creating an additional layer of difficulty when restoring operations after a cyber event.

“Instead of looking at threats to a single petrochemical facility, for example, you might be looking at how a cyber attack on a vessel or other MTS-related asset causes secondary or tertiary impacts to shoreside assets,” he said. 

“These are the types of scenarios that CISA’s cyber performance goals are designed to benefit—when there’s unclear cyber regulatory authority, or overlap from multiple sectors, adhering to the redefined ‘common baseline’ of cybersecurity maturity better ensures everyone is operating at the same benchmark.”

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.