Posted on November 14, 2022
Good news for the Port of South Louisiana: The Federal Emergency Management Agency (FEMA) has awarded the Port nearly $700,000 to upgrade its cybersecurity framework in the face of the ever-evolving threat landscape. Together with the Port’s 25% funding match, this means that nearly a million dollars will be earmarked for new, updated, and ongoing technologies, processes, testing, and advanced training aimed at protecting against threats from cyber terrorists and other bad actors.
The need for such an investment in one of the United States’ largest ports, by tonnage, is underscored by the results of a recent public audit that revealed the Port lost nearly $420 million as a result of a 2021 cyber attack.
Now, the Port faces the challenge of determining how to allocate these funds to best defend against a potential future attack. Although the grant provides funding for a broad range of cybersecurity tools — from 24/7, real-time vulnerability monitoring, management, scanning, and detection, to regular penetration testing, encryption/decryption technology, and related functions — not all solutions are created equal, nor do they deliver the same return on investment.
Earlier this year, our firm, Jones Walker, conducted a survey on the current state of cybersecurity at US ports and maritime terminals. Drawing on the responses of 125 senior executives in the industry, in October 2022 we published a report that lays out our findings and provides insights into key areas in which ports and terminals can shore up their cybersecurity defenses.
Ports and terminals: a tempting target for cyber criminals
The vast majority — 90% — of cargo moving to and within the United States is transported on water at some point. By 2030, it is expected that the volume of goods moving through US marine facilities will have doubled.
Just as cargo volume is on the rise, so are cyberattacks on coastal and inland ports and terminals in the United States. For example, the Port of Los Angeles, the largest port in the western hemisphere, recently reported that it is battling an average of 40 million cyber attacks per month. (You read that correctly: 40 million.) Ports in Long Beach, San Diego, and Houston — as well as overseas ports such as Barcelona and Rotterdam — have all been subject to cyber incidents within the past five years.
The message is clear: Every port, no matter its size or location, is at risk.
Despite the volume and scope of these attacks, 95% of senior US port and maritime terminal executives who participated in our survey reported that they believe their industry is prepared to withstand cybersecurity threats. Further, nine out of ten said that their own companies are equally prepared to prevent and respond to a cyber attack.
How does this high level of cybersecurity confidence square with the increasing volume of cyber attacks and dollar value of ransomware incidents? We believe that the results of our survey shed light on this complex situation. Equally important, they offer industry participants — including the Port of South Louisiana — information on immediate, practical steps that they can take to protect their operations, data, personnel, and customers.
An ongoing process: understanding emerging cybersecurity issues facing the nation’s infrastructure
Since 2018, Jones Walker LLP has issued regular reports on the state of cybersecurity in important sectors within the nation’s critical infrastructure. For our first report, we commissioned and published the results of a survey of the US maritime industry. Two years later, in 2020, we examined these issues with respect to the midstream sector of the US energy industry. And, as noted above, this year we conducted a survey of senior leaders at US ports and terminals.
The underlying goals of each of these surveys and reports have been to help executives better understand the state of cyber readiness within their industries and to foster greater attention to and action against the risks — all with an eye to preventing and preparing for data breaches, denial of service events, ransomware attacks, and other cyber threats.
Our 2022 survey delivered a number of key findings, including the following:
- Despite high confidence in their cybersecurity preparedness, 74% of respondents acknowledged that their systems or data had been the target of a breach attempt within the prior 12 months.
- Only four in ten respondents who indicated that their facilities or operations had suffered an actual data breach engaged with law enforcement to investigate the incident. An even smaller number (26%) disclosed such incidents to parties other than law enforcement (which, importantly, include information sharing and analysis centers, or ISACs, that have been created for the purpose of collecting and providing data that can help prevent and respond to future attacks).
- Our respondents — especially those who reported data breaches — named supervisory control and data acquisition (SCADA) systems, enterprise resource planning (ERP) software, and Internet of Things (IoT) devices among the most vulnerable technologies.
- Although planning was considered paramount, with 73% of respondents indicating that they have a written incident response plan (IRP), few revisited these plans regularly. Less than a quarter (21%) reported that their IRP had been updated within the past year.
The results of our survey make it clear that port and terminal executives and cybersecurity leaders have made progress toward identifying and addressing cyber vulnerabilities, but the task ahead remains somewhat daunting.
In addition to providing grants, such as that provided by FEMA to the Port of South Louisiana, the federal government is taking action. In March 2022, Congress enacted the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which imposes post-breach notification obligations that will directly affect ports and terminals. CIRCIA requires the Cybersecurity and Infrastructure Security Agency (CISA) to develop regulations that require an entity operating in any of CISA’s 16 critical infrastructure sectors to report covered cyber incidents and ransomware payments to CISA within 72 and 24 hours, respectively, after they are discovered. As of this writing, CISA is soliciting public input as it develops regulations implementing CIRCIA.
Strengthening cybersecurity defense: near-term and long-term options
In our report, we describe a number of best practices that are both cost-effective and can help facilities prevent or withstand a cyber attack:
- Collaborate to achieve competency. While any organization’s data may be highly proprietary, the steps a business takes to protect such information need not be. In fact, with the help of qualified information security experts, industry associations, skilled legal counsel, and government agencies that are expressly designed to serve as information resources, businesses can work together to improve their defensive measures.
- Create data-driven cybersecurity plans. Just as information drives business success, the creation, implementation, and assessment of IRPs requires a clear-eyed view of the facts. Cybersecurity professionals can help port and terminal operators build a cyber-resilient enterprise by identifying specific risks, establishing a solid data protection and monitoring framework, and testing the plan regularly.
- Prioritize personnel. In our latest survey, we found that only three in five blue-water facilities and one in four brown-water facilities required employees to participate in cybersecurity training on, at the least, an annual basis. In general, businesses must provide more effective training to minimize potential exposure via reckless employee behavior.
With FEMA’s latest grant, the Port of South Louisiana has an important opportunity to address the cybersecurity challenges it faces today and well into the future. The economy of greater New Orleans may depend upon their next steps.
Hansford (Ford) P. Wogan is a partner and Ilsa H. Luther is an associate in Maritime Practice Group in the New Orleans office of Jones Walker.