Posted on October 5, 2022
By Andrew R. Lee and James A. Kearns
Ninety percent of cargo moving throughout the United States is transported on water at some point in its journey. By the end of this decade, the volume of goods moving through U.S. marine facilities is expected to double.
At the same time, cyber attacks on coastal and inland ports and terminals in the United States are rising just as dramatically. With the largest port in the Western Hemisphere—Los Angeles—reporting that it is currently battling an average of 40 million cyber attacks per month, and ports in Houston, Long Beach, San Diego, Rotterdam, and Barcelona all suffering major cyber incidents within the past five years, it is becoming clear that every port in the country, no matter its size or location, is at risk.
It may come as something of a surprise, then, that in our most recent Jones Walker cybersecurity survey, 95% of senior U.S. port and maritime terminal executives reported that they believe their industry is prepared to withstand cybersecurity threats. Meanwhile, nine out of 10 said that their own companies are just as ready to prevent and respond to a cyber attack.
Misplaced optimism? Or a reflection of increased attention and resources being allocated to cybersecurity? The results of our survey shed light on this complex situation and direct industry participants toward immediate, practical steps they can take to protect their operations and data.
A deep dive into port and terminal cybersecurity readiness
For the past five years, Jones Walker has issued regular reports on the state of cybersecurity in key areas of the nation’s critical infrastructure. In 2018, we commissioned and published the results of a survey of the U.S. maritime industry. In 2020, we looked at the midstream sector of the U.S. energy industry. This year, we conducted a survey of 125 senior leaders at U.S. ports and terminals.
Across all three surveys, our goals have been to help executives gain a better sense of the state of cyber readiness within their industries and to encourage greater action to prevent and prepare for data breaches, ransomware attacks, and other cyber threats.
Among the key findings in our 2022 survey, we learned that:
- While confidence in their cybersecurity preparedness is high, 74% of respondents said that their systems or data had been the target of a breach attempt within the past year;
- Of those respondents who indicated that their facilities had suffered a data breach, only four in 10 engaged with law enforcement to investigate the incident. Even fewer (26%) made disclosures to parties (such as information sharing and analysis centers, or ISACs) other than law enforcement;
- Stakeholders rated supervisory control and data acquisition (SCADA) systems, enterprise resource planning (ERP) software, and Internet of Things (IoT) devices as the technologies of most concern. This was especially true among respondents who, in our survey, reported data breaches; and
- Planning was seen as a priority—73% of respondents indicated that they have a written incident response plan (IRP)—but follow-up was limited: only 21% said that their IRP had been updated within the past year.
These and other findings demonstrate that port and terminal executives and cybersecurity leaders have made strides in identifying and addressing cyber vulnerabilities. However, much work remains to be done.
Among recent efforts, by enacting the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) in March 2022, Congress has imposed post-breach notification obligations that will directly impact ports and terminals. CIRCIA requires the Cybersecurity and Infrastructure Security Agency (CISA) to develop regulations requiring a facility operating in any of CISA’s 16 critical infrastructure sectors to report certain cyber incidents and ransomware payments to CISA within 72 and 24 hours, respectively, after they are discovered. CISA’s rulemaking process is currently underway.
Shoring up cybersecurity defenses
Our survey outlines a number of cost-effective best practices that facilities can implement to help prevent or withstand a cyber attack, including the following:
- Collaboration is key. No port or terminal needs to go it alone. Qualified information security experts, industry associations, skilled legal counsel, and government agencies can serve as information resources and help businesses improve their defensive measures;
- Develop and update a data-driven cybersecurity plan. Cybersecurity professionals can help port and terminal operators with the important and necessary work of building a cyber-resilient enterprise by identifying specific risks, developing an IRP based on a solid framework, and testing the plan regularly; and
- Prioritize people. Our survey revealed that only three in five blue-water facilities and one in four brown-water facilities required employees to engage in cybersecurity training annually or more frequently. Cybersecurity leaders should provide more effective training to minimize potential exposure via reckless employee behavior.
Cybersecurity challenges will increase at a rapid pace. With clear, committed leadership engagement, however, much can be done to address this ever-expanding threat.
Andy Lee chairs the privacy and data security team at Jones Walker LLP and holds the CIPP/US designation from the International Association of Privacy Professionals.
Jim Kearns is special counsel in the firm’s Maritime Practice Group, where he focuses on maritime transactions. Jim sits on the Board of Directors for Inland Rivers, Ports, and Terminals Inc.