American ports, terminals, ships, refineries and their support systems are vital components of our nation’s critical infrastructure, national security and economy. Port security risks exist on many fronts: physical security may be breached upon port facilities, vessels, cargo or through other channels, and cybersecurity breaches may aid adversaries. Security risks can stall port operations and inflict damage on a port, its people, its cargo and all the assets in it and transiting through it.
Shippers, vessel operators and all transportation stakeholders have a vested interest to protect against security risk and ensure that goods are able to flow through the nation’s supply chain.
Cybersecurity risk is a key concern in any discussion of port security, and one that will only grow in importance moving forward.
According to the United States Coast Guard, risks of many types exist; however, cyberattacks on industrial control systems could kill or injure workers, damage equipment, expose the public and the environment to harmful pollutants and lead to extensive economic damage. The loss of ship and cargo scheduling systems could substantially slow cargo operations in ports, leading to backups across the transportation system. A less overt cyberattack could facilitate the smuggling of people, weapons of mass destruction, or other contraband into the country.
In short, there are as many potential avenues for cyber damage in the maritime sector as there are cyber systems. While only some cyberattack scenarios in the maritime sector could credibly lead to a Transportation Security Incident, all must identify and prioritize those risks, take this threat seriously and work together to improve our defenses.
Dr. Joan P. Mileski is the Department Head and Professor of Maritime Administration and Marine Sciences at Texas A&M University in Galveston, Texas. She explains that commencing in 2017 all commercial vessels are required to have connectivity to receive charts used for navigational purposes.
This requirement can add more risk of a cyberattack as there’s now a means for an adversary to enter the ship and its complex systems. If the local network onboard a ship is invaded, hackers can potentially disrupt and take over engine operations as well as navigation and other electronic systems. “This is a danger not only to the ship but to the port it enters,” says Mileski. “Furthermore, ships are becoming more automated with less and less crew. These concerns also impact cruise ships with thousands of lives at stake not just cargo.”
She adds that this concern as well as the potential consequences of their certification and insurance to operate as a commercial ship could be at risk. “The classification societies [such as the American Bureau of Shipping and Lloyds register who underwrite the safety of ships] are concerned about this development as they ensure the ship’s systems work properly,” Mileski says. “So they are working on this cybersecurity problem.”
Rivers, canals and inland navigable waterways are likely to be exempt from an Internet or connectivity requirement, as vessels that normally transit on them are smaller in size and tonnage for the connectivity mandate.
“They have other issues of risk and cyberattacks on systems,” says Mileski. “For example, the Port of Indiana is concerned about cyberattacks on its operational systems.”
The Jones Act is a law that requires, among many things, that cargo carried between U.S. ports domestically be transported on U.S. Flag ships. This means that fewer foreign flagged ships will be active in an around inland ports and waterways.
In July of 2016, a port security officer discovered a loaded magazine adjacent to a garbage can just before the X-ray machine near a Miami Seaport passenger terminal at Port Miami where Royal Caribbean Cruise Line vessel, Enchantment of the Seas, was docked. The vessel was disembarked by law enforcement officials who intervened; eventually all was well.
Such a scenario could have been much worse and only proves that the risk of a dangerous breach in physical security at any seaport is quite possible.
Jill Taylor is the Homeland Security Manager at the Port of Los Angeles – the leading container port in the United States. The Port has a large contingency of law enforcement personnel. In addition, the Port also has its own Port Police Department. They also team with the Los Angeles Police Department, the Los Angeles Sheriff’s Department, the Long Beach Police Department, the Long Beach Harbor Patrol and other Federal partners such as the U.S. Coast Guard, Customs and Border Protection and the FBI.
“My greatest concern in overall port security these days is the active shooter threat,” says Taylor. “We can’t turn on the television without hearing about another active shooter incident whether here or abroad. There are not enough fences, barricades or cameras to stop an individual wishing to cause harm to people or our economy. We also have regular security meetings with all public safety agencies to share information on threats and suspicious activity as well as plan for upcoming scheduled events.”
Many commercial ports are sinking sizeable investments into technology and investment to prevent cyberattacks. Such investments are smart moves to prevent any risk of a physical breach in security, similar to the close call at the Port of Miami, may present.
“The Port of Los Angeles has received more than $100 million in security grant funding since 2002,” explains Taylor. “With that funding, we purchased patrol vessels, security cameras, and video management and access control systems. We also built a state-of-the-art Department Operations Center, a Threat Detection Center and a Cyber Security Operations Center. As available grant funding began to decline in 2012, we are now investing in improving and maintaining the systems we already have in place. This includes creating redundancies for our access control and video management systems, hardening the security network and integrating new hardware and software to enhance our security posture.”
Helping Ports Help Themselves
Like Los Angeles, ports around the world seek technology to help them be safe. It is much in the interest of regulatory bodies in the United States to help them with such investments. Such regulatory bodies and authorities include State and local agencies, the U.S. Department of Homeland Security, the U.S. Coast Guard and others such as The Federal Emergency Management Agency (FEMA).
FEMA plans to aid ports throughout the United States build security through their Port Security Grant Program (PSGP). According to FEMA, the program is intended to directly support maritime transportation infrastructure security activities. Specifically, the program is part of a portfolio of measures authorized by Congress to strengthen against potential terrorist attacks.
“The vast majority of U.S. maritime critical infrastructure is owned and operated by state, local and private sector maritime industry partners,” according to FEMA’s description of the program. “PSGP funds available to these entities are intended to improve port-wide maritime security risk management; enhance maritime domain awareness; support maritime security training and exercises; and to maintain or reestablish maritime security mitigation protocols that support port recovery and resiliency capabilities. PSGP investments must address Coast Guard and Area Maritime Security Committee identified vulnerabilities in port security and support the prevention, detection, response and/or recovery from attacks involving improvised explosive devices (IED) and other non-conventional weapons.”
At present, FEMA has $100 million available to port authorities, facility operators and state or local governments that are mandated to provide security for maritime ports. Funding will support their planned initiatives to mitigate port security risks. However, individual port authorities must match 25 percent of project’s total costs. Thus, if a port authority applies for a $500,000 grant to fund a port security project, it must take care of $125,000 of the costs.
Understanding Risk Now and into the Future
When it comes to overall port security, however, there are many common misunderstandings regarding the challenges they face in building a secure perimeter around the port around the physical perimeter as well as their information technology boundaries.
“The most common misunderstanding about port security that a non-maritime security professional would not be aware of is the importance of organized labor,” says Taylor. “Folks come to the port to plan various training exercises and they talk about an earthquake or a ship scuttled in the main channel or a cyber-attack shutting now the Vessel Traffic Service. The idea that labor keeps the Port’s blood flowing does not occur to them. Labor issues in our region in 2002 and 2015 stopped the flow of cargo and cost hundreds of millions of dollars to our Nation’s economy. We can plan and exercise for a myriad of natural and man-made incidents, but labor is the anomaly. We depend on the longshore workers to unload and reload vessels and truck drivers to move cargo on and off the port. Without labor, we’re done.”
Labor relations are key to ensure safety in and around ports of all sizes and capacities. But so are all partnerships between a port and its stakeholders as ports look to future concerns and plan accordingly.
“As a region we depend on each other as public safety partners to keep each other informed of emerging security threats and or trends,” says Michael Hillman, Assistant Chief of Police, Los Angeles Port Police. “Daily we share information on a personal basis with each other to include participating in numerous emergency preparedness exercises. The threatscape within the region and industry changes constantly depending on intelligence and or work events. The most important issue we are faced with within POLA is the challenge to keep commerce flowing and keep the port operating. Currently, we are concerned about non-kinetic type attacks that involve cybersecurity issues for example, hactivisim, denial of service, malicious codes and web defacement type attacks, and more. Kinetic attacks might include Homegrown Violent Extremists (HVEs), critical infrastructure attacks, vessel immobilization and sub-surface threats, active shooters and complex style attacks involving large populated areas. Finally, we are very concerned about natural disasters to include earthquakes, fires and tsunamis, as well as environmental spills.
Hillman says that where resources will most likely be dedicated in the near future is based on the maritime industry itself and shipping channels to include the Panama Canal, the increased size and capacity of container ships, terminal automation and velocity of goods movement.
“Maritime ports are considered the backbone of the nation’s economy and any disruption to commerce and operations due to labor disputes, natural disasters, terrorism or criminal incidents impacts the nation,” says Hillman. Labor is significantly impacted when you consider the move to automated terminals and much will need to be done with increasing of skilled labor. Natural disasters, criminal and terrorist threats and cyberattacks will only increase in sophistication. These issues being the case, port security and emergency preparedness need to forecast and analyze the future and prepare for the future and not prepare for what just occurred.”