Tag Archives: port security

Port Automation and Cyber Risk in the Shipping Industry

CIMSEC is committed to keeping our content FREE FOREVER. Please consider donating to our annual campaign now so we can continue to provide free content.

By Philipp Martin Dingeldey 

Introduction

To stay ahead of competing ports and technological developments, automation has been heralded as inevitable. Major transshipment hubs and aspiring ports bet their future on automation, which raises the impact  cyber risks could have in the long-run.

Singapore’s Port Modernization

One example of port modernization is Singapore’s Tuas Port Project. To stay ahead of competing ports in Southeast Asia, PSA International and the city state have bet their future on the fully automated port on the western side of the island. The project is set to almost double the port’s current throughput capacity of twenty-foot equivalent units (TEUs) and consolidate all its container operations by 2040.

Singapore’s port is ranked second, behind Shanghai’s mega port, by total TEUs handled. Nevertheless, Singapore’s port is the world’s busiest transshipment hub, and therefore immensely important to global supply chains. The port’s volume growth of 6.4 percent for the first half of 2017 indicates that its investments in modernized berths and joint ventures with liners paid off.

While this is great news for the short term, container vessels on Asia-Europe trade routes will inevitably increase in size, requiring higher handling efficiency to achieve fast turn-around times. By the end of 2018, ultra large container vessels (ULCVs) are expected to gain a share of 61 percent of total capacity, pushing established hubs like Singapore to automate its terminals to stay relevant.

At the same time, next generation container vessels will not only be bigger, but also increasingly automated and even autonomous. As ports and the shipping industry are integral parts of global and regional supply chains, their automation and technological modernization raises the impact and potential of cyber risk.

How Good is Automation?

For Singapore’s port, automation is seen to not only strengthen its position as a transshipment hub well into the future, but also helps it keep up with technological developments and industry trends.

The shipping industry has generally been slow in adapting new technologies, due to its conservative nature and the large number of players involved. Currently, only a fraction of global container volume is handled by fully automated container terminals. In 2016, it was estimated that only 4-5 percent of container volume will be handled by fully automated terminals once ongoing projects were completed. Nonetheless, industry pressure and competition have heightened the need for ports to invest and automate, indicating that the number of automated terminals will increase.

Automated terminals allow ports to handle containers more efficiently by using operating systems to plan storage in accordance with collection and transshipment times. This reduces unnecessary box moves, shortens cycle times, and enables consistent and predictable throughput numbers.

Fully-automated terminals have the advantage of low operating costs and reliable operations, but require higher upfront costs, longer development, offer only low productivity increases at peak times, and have the general difficulty to fully automate a working terminal. On the other hand, semi-automated terminals offer the possibility for greater productivity increases at peak times, are generally understood to have the best overall productivity with less upfront costs, but require higher operating costs and are inconsistent when it comes to handling ULCVs.

While full automation gives large ports like Singapore’s the advantage of reliable, full-time operations at low operating costs, it requires long development times to fix bugs and offers only gradual productivity increases at peak times. On top of that, full automation also increases their vulnerability to cyber risks. This is due to the use of technologically advanced and networked systems.

The investment threshold to enter automation for ports is high, while not necessarily offering major increases in productivity. What automation does offer major port hubs is better predictability and consistency of container moves per hour. Additionally, automation reduces the room for human error, making operations safer. At the same time, automation reduces the environmental impact since terminals are mostly electrified, giving ports an additional competitive edge in an industry increasingly focused on sustainability.

Cyber Risks

The shipping industry and ports are seen by many insiders as underprepared for cyber threats. Even though major players in the shipping industry have recognized and acted on the risks posed by cyber threats, the majority have been slow to recognize potential business risks. Even though awareness has grown, the need for better information sharing persists. Automation further increases the exposure and impact of cyber threats for ports, highlighting the importance of data and system integrity.

The reality of cyber threats to automated terminals was demonstrated in the “NotPetya” cyber-attack in June 2017. The attack forced Maersk to interrupt operations at multiple terminals worldwide, causing logistical havoc for weeks after the attack. Overall, it cost Maersk roughly US$300 million, even though the attack was not specifically directed at the company. The “lucky hit” against one of the industry leaders showcases that even well-prepared firms can suffer financial losses due to cyber threats.

The difficulty with protecting automated terminals from cyber risks lies with their complexity. These terminals use industrial control systems that translate sensorial data and commands into mechanical actions. The network links between mechanical equipment and sensors are exposed to the same threats as data networks. The complexity is further increased by the months and years it can take to figure out and fix bugs and weaknesses in automated systems. In an automated system, different system components have to effectively work together as one, stretching the time needed to figure out and fix bugs. This involves mainly software issues that have to be fixed while also moving boxes of cargo at the terminal.

While ports have to secure themselves from a broad range of risks, cybercriminals can choose from a number of entry points. For example, external vendors, terminal operating systems, and unaware employees may be vulnerable to phishing attacks. Operational systems and data networks are not always up-to-date or properly secured, allowing criminals to gain comparatively easy access to information. To prevent the ports and shipping industry from most attacks, regular operating system updates, stronger passwords, secure satellite connections, resilience exercises, information sharing, and employee awareness campaigns should be practiced.

On top of that, modern ships bear the risk of spreading viruses onto port systems simply via Wi-Fi or other data networks. Industrial control systems are not designed with cyber risks or active network monitoring in mind. This is especially true for ships’ control systems, but can also affect the system components of ports.

Nevertheless, this is only addressing the technical side. The human factor still plays a major role in mitigating cyber risks. Personal details of ship crews can still be easily accessed, making them more vulnerable to social engineering via phishing or other techniques, unknowingly granting access to systems.

Human factors can take the form of criminals, terrorists, competitors, disgruntled employees, and more. Workers at mostly manual terminals, for example, generally do not like automation because it makes their jobs largely redundant. To reduce the chance for cyber threats stemming from or aided by disgruntled employees, ports can offer training and job guarantees to their workforce to make the transition to automation more incremental.

Port authorities, registries, and all major organizations in the shipping industry are increasingly aware of cyber threats and are responding through raising awareness or offering training courses. These are simple steps to better protect information and navigation systems on board ships. For example, BIMCO, the world’s largest international shipping association, made cyber security an important issue for the shipping industry three years ago via an awareness initiative. The association has further advocated the need for guidelines to evolve with the threats, launching the “Guidelines for Cyber Security Onboard Ships” in July 2017, which was endorsed and supported across the industry.

In addition, the Liberian ship registry started a computer-based two-hour cybersecurity training program in October 2017, offering a comprehensive overview of cybersecurity issues aboard ships. Nevertheless, it is unlikely that these courses and campaigns are enough to protect the industry. While it is a step in the right direction, more needs to be done through regulations.

Conclusion and Policy Recommendations

Since 2016, the International Maritime Organization (IMO) has put forward voluntary guidelines regarding cyber risks. Only after 2021 does the IMO plan to enforce a set of binding regulations on cybersecurity. This might be too late for many companies in the industry. Shipping companies should not wait until 2021, but should begin now to implement simple measures, like using firewalls and stronger passwords, to deter criminals from trying to exploit current weaknesses.

Further, even though the IMO adopted guidelines on maritime cyber risk management into the International Safety Management Code this year, ports and the shipping industry still need to establish a stronger culture on cybersecurity.

Major shipping hubs are part of large and less resilient supply chains, which are essential for regional and international trade. These supply chains depend on a small number of key ports, which are vulnerable to shocks from other ports. To make supply chains and port hubs more resilient to cyber risks, the shipping industry as a whole will have to adjust and prepare.

Companies will have to work together and share information on previous or ongoing attacks, so that experiences and best practices can be shared directly. Unfortunately, this has been difficult to achieve due to worries about how competitors may use the shared information. Singapore has set up the Port Authorities Focal Point Correspondence Network to further the exchange of information on past and current incidents. It remains to be seen if this network has worked to encourage the sharing of information.

Ports are logistical hubs where many companies compete for business, making information sharing naturally difficult. Currently, port security is based on the International Ship and Port Facility Security (ISPS) Code, which is heavily focused on the physical aspects of security. In order to make cyber risks a much more important issue for port security, the whole sector needs to step up and make it a priority.

Cyber risks are not just a technological matter, but require adequate awareness and planning to strengthen a port’s resilience. Training employees actively in security protocols and procedures with information systems is one way of achieving this. At the same time, ports need to engage in contingency and scenario planning to be better prepared should an attack occur. On top of all this, national bodies (e.g. institutes of standards) need to give better guidance on security testing and planning for ports, which should be supplemented by binding guidelines on reporting and information sharing mandated by global bodies like the IMO.

Philipp Martin Dingeldey is a Research Analyst with the Maritime Security Programme at the Institute of Defence and Strategic Studies (IDSS), S. Rajaratnam School of International Studies (RSIS), Nanyang Technological University (NTU), Singapore. For questions and follow-ups he can be reached at research.pmdingeldey@gmail.com.

Featured Image: Port of Singapore (XPacifica/Gettyimages)

Interview with Zoha Waseem: Pakistani Navy Remains Committed to Karachi

By Alex Calvo

In the Second World War, Karachi was a key component in the long logistics chain connecting unoccupied China with the United States. After decolonization and partition, the city retained her significance, at both the economic and political level. Among others, it was and still is the main base for the Pakistani Navy, as well as a shipbuilding centre. Often in the news due to a challenging security situation, no look at naval developments in the Indo-Pacific Ocean Region is complete without Karachi. We have thus interviewed Zoha Waseem, an expert in policing and counterterrorism and PhD candidate at King’s College London.

Calvo.- Is the situation in Karachi considered by the Pakistani Navy as a reason to push for further diversification away from the city, in terms of naval basing and construction?

Waseem.- The situation in Karachi in terms of the ongoing operation is linked with the need of the Military to keep investing in Karachi. The construction of military bases, infrastructure and training centres and accommodation does not appear to be decreasing. Karachi is an ATM machine, and a prime location for any stakeholder to have its assets here. Karachi is an important port, being connected to the Arabian Sea, connecting the city by water to Iran and India. That said, there does exist an alternative Naval base 200 kilometres away from Karachi (Jinnah Naval Base in Ormara, Balochistan). Heavy investments have been made into this base since the Navy came under threat in Karachi.

Railway (Karachi Port)
Railway (Karachi Port).

Calvo.- Are the demands of internal security preventing Pakistan from devoting enough funds and political attention to military modernization?

Waseem.- Military modernization is generally regarded not as falling within the domain of political actors but of the military. The Armed Forces appear to be devoting enough funds to military modernisation. Internal security operations take manpower away from the armed forces but their budgetary allocations come from different departments.

Calvo.- Are the Armed Forces, to the detriment of civilian police, seen by most citizens as the mainstay of security?

Waseem.- The general public appears to have bought into the narrative that armed forces are the only bodies capable of dealing with security issues. This is taking focus away from the police, especially in areas where armed forces have acquired policing powers of search and arrest. Nevertheless, there are voices on ground that call for the strengthening of police forces for internal security, law and order.

Karachi Port
Karachi Port.

Calvo.- What are the prospects for police reform in the mid-term? What are its main aspects, and most significant obstacles?

Waseem.- There were police reforms in 2002 which were reversed in 2011 in Sindh and Balochistan. No serious initiatives appear to be in place at the moment. Main obstacles for this are: political interferences, weak leadership, and corruption. Policing falls under the domain of the provincial governments and there will be no serious reforms implemented till the will of these governments is not present.

Calvo.- Does Beijing trust Islamabad’s promises to severely prosecute groups assisting Xinjiang activists? What about guarantees of better protection of Chinese nationals in Pakistan?

I’m not sure what Beijing is thinking at the moment, but Pakistan seems to be making efforts to curb any apprehensions on their part. For instance, both the armed forces and civilian government has decided to strengthen security measures of the Chinese in Gwadar, Balochistan. Plans for deploying 10,000 army personnel for their security and deweaponisation of Gwadar are underway too. Much of the reason for the escalation in the internal security operation in Karachi is the China Pakistan Economic Corridor (CPEC).

Zoha Waseem got her LLB from SOAS (School of Oriental and African Studies) and her MA in Terrorism, Security and Society from King’s College London. She has studied in Karachi, Chicago, and Washington DC, and interned at different Pakistani news channels. From 2012 to 2013 she was an intern at Interpol’s Public Safety and Terrorism Sub-Directorate, in Lyon (France). She is currently working on her PhD thesis, at King’s College, on “Enforcement, Encounters and the Everyday: Contemporary Policing in Karachi, Pakistan”. Waseem’s research interests include Pakistan, policing and security, urban violence, counterterrorism, and police culture. She tweets at @ZohaWaseem and recently wrote “Darkness in the city of light” on Paris’ terror attacks.

Interview by CIMSEC member Alex Calvo.

Maritime Security: Fact or Fallacy? The View from Gibraltar

By Michael Sanchez

The recent global maritime security scenario has been deeply affected by several factors that have by necessity, changed the way of approaching and dealing with individual problems at sea. Piracy, drugs smuggling, weapon trafficking and the repugnant trade in human lives have reemerged with particular virulence but of paramount concern and indeed priority is the ominous threat of seaborne terrorism. Most of us witnessed to our horror the murder of innocent tourists in a beach at Tunisia. The execution of this attack came from what appears to be a well coordinated plan that took everyone by surprise. The proliferation of fast RHIBs (Rigid Hull Inflatable Boats) and jet ski type vessels have given terrorists flexibility of speed and the ability of evasion that gives them a distinct advantage as they are able to mix and mingle with other craft and raise less suspicion when choosing their targets Not only are these fast vessels in the inventory of terrorists but they are the preferred method of transport by drug smuggling gangs

In the case of Gibraltar it can be said with  concern that by the nature of our geographical position we are exposed to the threats of terrorism. It’s no use hiding behind the fact that North Africa lies 14 miles across the Strait of Gibraltar (STROG) and pretending it will not affect us sooner or later, directly or indirectly. Morocco has been subjected to attacks within its territory but has been successful in thwarting seaborne assaults against shipping in the strait including warships but they cannot do it all on their own. The Spanish enclave of Ceuta has been the recruiting ground for potential jihadist recruits that consequently find their way to Syria and/or Iraq. The North African coastline opposite Gibraltar can be considered a launch pad for vessels that trade in drugs, humans and other illicit activities. All stakeholders in the vicinity, Gibraltar, Morocco, and Spain have a duty to ensure that the malignant barbarity of present day terrorism does not cross the Strait of Gibraltar into Europe via this vulnerable route. To repulse any sort of seaborne attacks everyone must be prepared and not fall into one of mankind’s many weakness Complacency

As far as Gibraltar is concerned the responsibility for the maritime security of Gibraltar Territorial Waters falls under very awkward operational procedures and tasking. The MOD through the Royal Navy Gibraltar Squadron is tasked with, according to its mission statement “To contribute to the maritime defence and security of Gibraltar and when necessary, the prosecution of offensive maritime operations in order to allow BFG to support military ops as directed by HMG.” Quite a mouthful and perhaps ambiguous but it’s not the intention to assess the political ramifications of such a broad statement. Bearing all this in mind, the security of HM Naval Base Gibraltar falls into question. Every time a naval vessel is berthed alongside South Mole or “The Tower” a boom is placed across the harbour from South Mole to the old Gun wharf site. It consists of small orange buoys held in position by floaters and strung across with rope. This is to prevent unauthorised craft from entering the security cordon. The security boom is totally inadequate and useless. Any determine driver of a jet ski or RHIB can “jump” this boom and instantly find itself within a restricted area.

The MOD should invest in purpose built security booms that protect warships, particularly submarines in naval bases around the world. It has not gone unnoticed that since 2013 there has been an increase of RN nuclear power submarines visiting the naval base. Various operational tasks have been carried out including transfer of weaponry that demand the highest levels of security. This cannot be guaranteed with a weak protective boom that can be easily penetrated. On the fifth of July a drug smuggling jet ski entered the harbour through the southern entrance whilst HMS Ambush was alongside South Mole. Luckily, the intruder turned left and not right. The inadequacy of this security boom is a glaring capability gap that can be exploited by the enemy. Within this boom the task of protecting these warships is carried out efficiently by the GDP (Gibraltar Defence Police). Despite being equipped with 2 slow and aging ex Range Safety craft that are not fit for purpose they stick to their duty of affording port force protection but their response time to a fast intruder is minimal. GDP were to be equipped with modern patrol craft some time ago but it was decided otherwise to renege on it, another UK base benefitting from these new craft. For years there has been a succession of UK politicians and high ranking military officers trumpeting and touting the importance of Gibraltar as a base for UK ops. It’s time they put their money where their mouths are and transmit their thoughts into deeds.

Leaving aside the MOD estates we come to the protection of the civilian population which is by and large entrusted to the marine section of the Royal Gibraltar Police. This service boasts the most modern and fast craft to carry out their duties. There is a certain overlapping of responsibilities with the RN that due to constitutional obligations muddies the waters as to who is responsible for what when and how. This is rather unhelpful when it comes to tackling a potential terrorist threat. We are led to believe that there is coordination when it comes to security matters at sea but to a plain simple observer it does not appear to be so. A more robust communication environment should be encouraged to interchange ideas thoughts and indeed intelligence on a regular basis, not on ad hoc terms. To use a well worn phase everyone should be “singing from the same hymn sheet” instead of tearing out pages so that the other sings out of tune.

Gibraltar-body

Gibraltar’s important maritime security infrastructure requires overhauling and redesigning. Our hugely important cruise liner industry can sometimes walk a tight rope when it comes to passenger and owner satisfaction. Cruise liners are vulnerable and a tempting target. On very few occasions are cruise ships escorted to and from the liner terminal by law enforcement craft and there is no seaward protection whilst alongside North Mole. This would prevent any unwanted or inquisitive boats from getting too close for comfort. We must bear in mind that although Cruise liners companies might be satisfied with ashore security arrangements any incident no matter how small or insignificant at sea could cause them to leave and this would destroy an important pillar of our economy. Why not go the extra mile and provide seaside security to such an important gem in our crown? It will enhance our reputation amongst cruise line companies as a serious port of call in which to do business with.

What cannot be allowed to happen again is a situation similar to that of the theft of one our reef blocks from under our noses. This was a highly embarrassing event that exposed a certain lack of supervision of Gibraltar Territorial Waters. It highlighted the absence of coordination in patrolling our waters. Each to their own without knowing who was doing what and where. Naturally there were local law enforcement craft swarming over the area next day but the horse had bolted and the stable was empty

These are but a few of the more noticeable flaws in the protection of our little country. I accept the fact that security cannot be 100% guaranteed but it can be made extremely difficult for anyone attempting to threaten our peace and stability. It serves no purpose to find faults and criticize without offering suggestions and ideas in which to improve the protection of our waters from dynamic situations that confront our day to day lives. With the expansion of yachting facilities at Ocean Village and the proposed reclamation at the Eastside there will be an increase in the load factor for law enforcement agencies in maintaining a safe maritime picture. A maritime surveillance system similar to the Spanish SIVE (Systema Integrado de Vigilancia Exterior) should be considered as an aid to combating illegal activities close to our shores This system comprises of radars, infrared cameras and other surveillance equipment placed at strategic sites and controlled by an operations room. Any information gathered by this system can be transmitted to civilian law enforcement vessels (RGP HM Customs Port Authority) in real time via video link. It will make the task of intercepting suspect vessels easier and with ample time. The introduction of a joint maritime control centre is  of vital importance. It is of huge value that all incidents be controlled “under one roof” thereby improving response times and rapid interventions. Everyone working together instead of pulling away from each should be encouraged. Pooling of resource can be an effective method of dealing with certain events/actions whilst each law enforcement agency maintaining their independence and freedom of movement in their particular field of responsibilities. Joint training exercises whether live or in tabletop format can be useful in honing particular skills and at the same time exchanging operational experiences. Of course the major stumbling block is finance as all these suggestions do not come cheaply, but in the long term it is an investment that will pay dividends by ensuring the adequate protection of life and property.

I am by no means advocating a “Fortress Gibraltar” bristling with guns missiles and military hardware. Life must go on as normal. In the present climate of economic prosperity and physical expansion it has to be top priority that to accommodate a thriving yacht industry, the protection of bunkering facilities, the secure operations of cruise liners and importantly the safety of local seafarers fishermen and pleasure boat owners the necessary infrastructure to enable Gibraltar to maintain its reputation as a competitive serious and reliable player in the maritime industry must be in place so that we hopefully never become an easy target for our foes whoever they may be

Michael Sanchez is a naval observer and commentator for Gibraltar & STROG. He is the founder of OpWest and the promoter of Gibraltar Coast Watchers, and explained the former’s operation in an interview with CIMSEC. Born in the Rock, he served as a police officer for 33 years before retiring. He tweets at @key2med