Driverless vehicles transporting cargo containers, automated loading and unloading operations, and drones making inspections and deliveries: this is not a port scene out of a science fiction film; it is how our ports will look tomorrow. But such wide-scale adoption of the Internet of Things (IoT) brings security loopholes – both physical and technological. How then can we secure our ports for the future?
In the movie Pacific Rim: Uprising, drone Jaegers were backdoored to turn rogue. And that didn’t just happen in the movie. Case in point: earlier this year, Business Insider¹ reported that hackers stole a casino’s high-roller database through a thermometer in the lobby fish tank. Hackers had leveraged the production network using a smart device as innocuous as a thermometer to launch their attack.
RECOGNISE LURKING THREATS
As the transformation blueprint of PSA, Container Port 4.0™ (CP4.0™)², unfolds, IoT is expected to play a prominent role alongside other emerging technologies like blockchain and machine learning. In addition, its promise of being self-configurable, adjustable, self-optimising and self-healing suggests increasing emphasis and reliance on IoT in the future.
However, most viable devices currently on the market are not designed with security in mind. Compared with an ideal IoT architecture, which allows patches to be installed and orchestrated from a centralised system, supports host-based firewalls, and facilitates full audit trails, it is not uncommon for IoT setups today to have devices that come installed with hardcoded and publicly known passwords. Further complicating the IoT architecture is a heavy reliance on sensors, which makes uptime imperative for availability and safety. This opens up the system to risks, including massive outages from rogue patches and anti-virus updates.
ADOPT A SECURITY-BY-DESIGN APPROACH
These challenges underline the importance of adopting a Security-by-Design (SbD) approach. For instance, by conducting vulnerability assessments and penetration tests, risky security backdoors can be uncovered and defences can be put in place to mitigate exposure and security risks. This was the methodology PSA adopted when trialling a vendor’s automated guided vehicles (AGVs), which led to the discovery of undeclared security backdoors serious enough to warrant vulnerability disclosures to the United States Computer Emergency Readiness Team (US-CERT).
A viable alternative to the lack of built-in SbD in products is to deploy a “diamond ring” network segregation approach. Just like how a diamond ring only allows some bits of light to pass through, SbD can be pushed outwards to entry points by securing both physical and network entry points. Other than restricting removable devices to operational technology (OT), a secure jump-host should also be run with a full audit trail, comprising privileged account management (PAM) and privileged session management (PSM). Firewalls are also essential for isolating incidents.
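The segregation described above can be checked against firewall flow logs. The following is an added example, not part of the original article or of PSA's tooling: it flags any allowed flow into the OT zone that did not come through the jump host, or that came through it without a PSM recording. The subnets, ports, record layout and all names are assumptions constructed for illustration.

```python
import ipaddress

# Assumed zone layout (constructed; RFC 1918 private ranges).
OT_ZONE = ipaddress.ip_network("10.50.0.0/16")      # AGVs, cranes, sensors
JUMP_HOSTS = {ipaddress.ip_address("10.10.0.5")}    # the only admin entry point
ADMIN_PORTS = {22, 3389}                            # allowed from jump host only

# Constructed flow records: (src, dst, dst_port, action)
FLOWS = [
    ("10.10.0.5", "10.50.1.20", 22, "allow"),    # jump host -> AGV controller
    ("10.20.3.7", "10.50.1.20", 22, "allow"),    # office PC straight into OT
    ("10.10.0.5", "10.50.2.9", 3389, "allow"),   # jump host, but no PSM record
    ("10.20.3.7", "10.50.1.20", 502, "deny"),    # blocked at the firewall
    ("10.50.1.20", "10.50.1.21", 502, "allow"),  # OT-internal traffic
]

# Constructed PSM recordings, keyed by (jump host, target, port).
PSM_SESSIONS = {("10.10.0.5", "10.50.1.20", 22)}


def audit(flows, psm_sessions):
    """Return (flow, reason) for every allowed flow that bypasses the ring."""
    findings = []
    for src, dst, port, action in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if action != "allow" or d not in OT_ZONE or s in OT_ZONE:
            continue  # only allowed flows crossing into the OT zone matter
        if s not in JUMP_HOSTS:
            findings.append(((src, dst, port), "entry not via jump host"))
        elif port not in ADMIN_PORTS:
            findings.append(((src, dst, port), "non-admin port from jump host"))
        elif (src, dst, port) not in psm_sessions:
            findings.append(((src, dst, port), "no PSM audit record"))
    return findings


if __name__ == "__main__":
    for flow, reason in audit(FLOWS, PSM_SESSIONS):
        print(flow, "->", reason)
```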
For SbD to be effective at the corporate level, it has to be supported by three key underlying principles. First, it must be aligned to the risk deemed acceptable by the organisation. A profit-driven company should not only integrate cybersecurity into its strategy to get ahead, but also make an effort to fully appreciate its role as a business enabler. Second, the principle of least privilege should be observed by conferring user privileges based on necessity. This ensures minimum network exposure.
Third, worst-case scenarios should be assumed and planned for. An effective Business Continuity Plan (BCP) – outlining threat detection and response, incident and Business Continuity Management (BCM) processes and drills, as well as incident escalation and crisis management – empowers the business to recover to a Minimum Business Continuity Objective (MBCO) in the event of an incident.
It is a given that our technology landscape will be different tomorrow. And while there is no one foolproof way to future-proof our ports, I am quietly confident that as long as the industry continues to embrace the same cybersecurity principles, the future will be bright.
² The name Container Port 4.0™ (CP4.0™) is a nod to Industry 4.0, which relates to the real-time communication and cooperation among cyber-physical systems and humans. It envisions technology-driven container ports underpinned by six key pillars