By Joseph A. Bonventre, Senior Consultant, and William A. Smith, Director, Industrial Cybersecurity, 1898 & Co., part of Burns & McDonnell
Ports handle more than 80 percent of global trade by volume, moving billions of tons of cargo each year. Traditionally, port security has focused on physical threats, putting up defenses such as fencing and guards. While these measures remain vital, they are no longer singularly sufficient.
Modern ports depend on complex digital systems, from automated cranes and gate control systems to container tracking software and billing systems. These operational technology (OT) systems are increasingly networked, connected to information technology (IT) systems and often to the internet. This connectivity brings efficiency; however, it also introduces new vulnerabilities.
Cyberthreats are not just an IT problem
Many operators think of cyberattacks as limited to office computers or billing systems. In reality, disruptions often originate in cyberattacks targeting OT environments.
Case in point: the 2017 NotPetya malware attack. It crippled one of the world’s largest shipping lines and terminal operators. In hours, the malware spread across the target’s global network, shutting down booking systems, gate operations and terminal controls.
Recent threat intelligence underscores that ports remain high-value targets:
- DP World Australia (November 2023): A cyberincident forced days-long terminal shutdowns, delaying over 30,000 containers.
- LockBit ransomware (2023-24): This prolific group has targeted global shipping and logistics companies.
- Volt Typhoon: A threat actor has been quietly infiltrating critical infrastructure sectors, including maritime systems. Ports should assume advanced adversaries may already be mapping (or already have mapped) their networks.
- Phishing and credential harvesting: Multiple ports reported waves of phishing attacks in recent years, with attacks targeting their billing systems and employee and vendor portals.
These events show that cyberthreats to ports are present, evolving and capable of causing operational, financial and reputational damage.
Beyond ISPS
The International Ship and Port Facility Security (ISPS) Code has been the foundation for port security since its adoption in 2004. It establishes standardized requirements for perimeter security, access control, threat assessments and physical security plans.
However, ISPS is largely silent on cybersecurity. It does not address how ports should secure digital systems, networks or connected OT. Many port facilities remain reliant on ISPS compliance alone, leaving critical gaps in their overall risk management and security posture. Adversaries can still exploit OT/IT vulnerabilities to gain footholds, pivot into OT networks and disrupt operations.
Closing the gap
To close this gap, port authorities and terminal operators need to adopt cybersecurity frameworks and integrate cybersecurity into their engineering and operational processes.
Standards to consider:
- NIST Cybersecurity Framework: Provides structured guidance for identifying, protecting, detecting, responding to and recovering from cyberthreats.
- ISO/IEC 27001: Establishes requirements for an information security management system to help ports manage IT risks systematically.
- IEC 62443: Designed for securing industrial automation and control systems, including port OT systems. It offers technical requirements and process guidance for:
  - Network segmentation and zones
  - Secure remote access management
  - User authentication and access controls
  - System hardening
  - Patch management
  - Continuous monitoring
  - Incident response
IEC 62443’s structured approach is especially valuable for ports because it covers the entire life cycle, from design to operations and maintenance.
Cyber-Informed Engineering (CIE) should also be considered. CIE is the practice of integrating cybersecurity throughout the life cycle of industrial systems, helping to engineer out cyber risks.
Applying CIE means:
- Performing threat modeling during system design to identify potential attack vectors and weak points, and to present engineering changes that make attack vectors irrelevant.
- Defining security requirements in procurement specifications for vendors.
- Designing systems with robust network segmentation and secure architecture upfront.
- Validating access control, authentication and encryption requirements before deployment.
- Designing recovery modes to maintain safety even under cyberattack.
By adopting cybersecurity standards and applying CIE practices, ports can manage and reduce cyber risks while fostering cyber resiliency. This approach helps avoid costly retrofits and reduces operational risk.
Until ISPS is formally updated to include detailed cybersecurity guidance, ports should consider:
- Implementing CIE for all new capital projects and system upgrades.
- Using the IEC 62443 standard to guide cybersecurity in operations and maintenance activities.
This approach will help ports close critical security gaps, protect vital infrastructure, and build more resilient, reliable operations.
Securing OT: A road map to better resiliency
OT systems in ports control critical physical processes (e.g., crane operations, RFID container tracking). Disruption of these systems can stop cargo flows, damage equipment or create a life safety hazard.
Securing ports and terminals from cyber disruptions is not just about preventing attacks but about ensuring that services continue in a contested environment. By incorporating cyber resilience measures, port operators enhance their ability to prepare for, withstand, respond to and recover from cyberattacks without disruption to operations.
A practical security program should include:
- Asset inventory
- Risk assessment
- Network segmentation
- Access controls
- Patch management
- Monitoring and detection
- Incident response planning
- Staff training
Port operators should treat OT cybersecurity as a mission-critical priority. By developing and executing an OT security road map, ports can better protect operations, reduce risk to supply chains, and promote safe, reliable service for trade.
If ports lack these components in current plans, or if they have not conducted a tabletop exercise in the last year, they should take action to address gaps.
Building resilience
Cybersecurity is not only about trying to prevent attacks. It includes cyber resilience, which means that even if an attack occurs, the port can continue to operate while the attack is ongoing.
Ports should implement these best practices:
- Integrated risk assessments: Evaluate cyber and physical threats together to understand the interdependencies and potential cascading effects.
- System backup and recovery plans.
- Tabletop exercises: Practice coordinated responses to simulated cyberincidents, involving both IT and OT staff to improve readiness. Invite state and local agencies to the exercise and work with them to make the scenario more realistic.
- Vendor and supply chain security: Require suppliers to follow cybersecurity best practices, validate their controls and evaluate third-party risks.
- Continuous improvement: Regularly review and update security plans based on emerging threats, incidents and new technology.
One option for improving resilience planning is the use of a digital twin. A digital twin is a virtual model of a port’s infrastructure and operations that can simulate real-world scenarios. Ports can use digital twins to simulate cyberattacks or disruptions to see how operations would be impacted. The digital twin can also help ports identify bottlenecks and interdependencies before an incident occurs. Digital twins have other benefits, such as training staff in responding to threat scenarios and helping port management evaluate investment decisions by testing the effectiveness of proposed security upgrades.
Using tools like digital twins, ports can move beyond static security plans and develop dynamic, data-driven approaches to managing risk. Operators must prioritize resilience in their OT infrastructure as a key part of comprehensive risk management, in order to maintain operational continuity and safeguard supply chains.
Modern ports are complex, interconnected systems that enable global trade. As these systems become more digital, the risks from cyberattacks increase.
Securing ports is about building cyber resiliency into every layer of operations. It means going beyond ISPS compliance to address cybersecurity. That includes adopting standards like IEC 62443 and applying CIE to design secure systems from the ground up and investing in dynamic planning tools like digital twins to prepare for realistic scenarios.
Resilience is not just about prevention. It is about how ports can continue to operate safely, even in the face of cyberattacks, equipment failures or physical disruptions.
Learn more about Burns & McDonnell port services as well as cybersecurity services from 1898 & Co, part of Burns & McDonnell.