Ports Need to Rethink Criminal Activity
As the marine industry grows more automated, ports and related industries are increasingly vulnerable to cyber disruptions.
In the past, criminals would steal a container on the dock and drive away before anyone noticed. Today’s criminals are global. They don’t have to be in the same country to learn when a container arrives, when it clears inspection, what’s inside it, where it’s stored and when it’s moving out.
Computer networks changed how ports are run. Ports now use fewer workers on the ground because computers can operate vehicles remotely and GPS-based systems track and move containers semi-autonomously.
The systems may have changed, but criminals continue to try to steal containers, smuggle drugs or engage in espionage.
Ports are the economic engine that drives the economy, said Jayson Ahern, principal at The Chertoff Group and former deputy commissioner of U.S. Customs and Border Protection.
He said they need to be better protected.
“Port operators need to be looking at security in real time and rethink the risks – not just meet the minimum requirement of their governing agencies – and that’s where port operators often fall short,” said Ahern.
“Criminal activity is going to continue. Every time we plug one gap and vulnerability, they go back and adapt and diversify their approach.”
Billions in Losses
About 95 percent of world trade is transported via ship each year, according to the U.S. Department of Homeland Security.
“When we saw the impact of closing ports right after 9/11,” Ahern said, “I saw firsthand what happens when you shut down trade at our borders.”
Following the 2001 attacks, container shipping lost $1 billion each day for months after the United States closed all ports and airports, Ahern said.
More recently, a months-long labor dispute at 29 West Coast ports resulted in work slowdowns and caused billions in losses, according to Vice News. U.S. agriculture lost about $2.5 billion, while manufacturers reported an aggregate of nearly $400 million in losses for each month of the dispute.
A cyber attack could cause the same type of economic damage.
In 2013, computer problems – caused by error, not sabotage – resulted in weeks of problems at the Maher Terminal serving the port of New York and New Jersey, including closing the terminal for up to six hours at a time, according to the “Consequences to Seaport Operations from Malicious Cyber Activity” a report by DHS.
DHS also reported that an organized crime group used hackers to control the movement and location of containers at the Port of Antwerp in Belgium between 2011 and 2013; and crime syndicates penetrated the cargo systems used by Australian Customs and Border Protection in 2012.
Not only are ports vital to the economy, they are a national security issue, said Matthew McCabe, senior vice president for network security and data privacy group with the FINPRO practice at Marsh.
“We need to see more cyber security assessments,” Ahern said. “We’re not seeing it happening sufficiently enough around the world. People need to always be asking: ‘What type of monitoring and disruptions of attacks are we seeing?’ ”
A comprehensive plan needs to encompass three areas: physical security, insider threats and cyber risks, Ahern said.
Putting Plans in Place
When Martin McCluney, managing director, U.S. hull and liability practice leader at Marsh, talks to marine clients about cyber risk, he says they weigh whether to retain, manage or transfer risk into the market.
“We are in conversations with several operators now,” said McCluney.
“We are assisting them in their internal process to evaluate the cost/benefit of any additional insurance that may be necessary.”
Just the mere act of applying for cyber risk insurance normally sets the wheels in motion for businesses to begin a risk assessment of cyber controls, McCabe said.
There is value in going through the planning process and identifying who you would turn to in a time of crisis.
The insurance market is keen to not just provide pure risk transfer but to also provide loss prevention and post-loss advice, McCluney said.
“We ask, ‘How do you recover? What systems do they have in place to prevent and deter attacks?’ And, if systems have been compromised, what is the contingency plan once an attack has impacted them?”
Insureds should review in detail the way their existing marine and property casualty policies would respond to a cyber attack. The task can be complicated because port operators work with many third parties that ship and receive the goods on either side, so operators need to establish minimum codes of compliance with all additional parties.
Marine market policies that cover stevedoring (loading and unloading of vessels in terminal operation) do not consistently include a cyber risk solution.
The client is very likely exposed to risks that are outside the coverage, McCluney said.
For example, if handling equipment shuts down due to a computer problem but hasn’t suffered physical damage, the economic losses may not be covered under a property policy.
To prevent losses in a case like this, operators should consider a cyber program that would be in excess to a property program, or a difference-in-conditions policy that would fill gaps in the coverage, McCluney said.
The core benefit to cyber insurance is you are able to transfer some of the financial damage and coordinate your response plan, so there’s a mechanism ready at a time of crisis, McCabe said.
The growth of cyber insurance over the last three years bears that out. The number of U.S.-based Marsh clients purchasing stand-alone cyber insurance increased 27 percent last year compared with 2014. That followed a 32 percent increase in 2014 over 2013.
Cyber insurance growth is expected to continue apace as port operators understand the potential cyber risks they face, and conduct risk assessments in conjunction with the Maritime Transportation Security Act. The act was written after 9/11 to shore up port protections by requiring vessels and cargo-handling facilities to conduct vulnerability assessments and develop security plans.
The U.S. Coast Guard made additional cyber strategy recommendations in a June 2015 report.
In that report, the USCG recommended organizations view cyber security as an ongoing process, and regularly re-evaluate mitigation measures and ensure personnel understand and follow good cyber practices.
Organizations should strive to incorporate cyber security into an existing culture of safety, security, and risk management, it said, and identify a senior person responsible for cyber risk management.