Ports Fight Security Breaches & Possible Funding Reductions
Cybersecurity is an increasing focus with seaports, especially after the 2017 attack on shipping giant Maersk
The nation’s seaports, which handle freight traffic as well as cruise and ferry passengers, continue to face physical threats like terrorism or active shooters as well as ever-increasing concerns about cyber warfare. Amidst all this, they have been doing battle on Capitol Hill to retain current levels of port security funding from U.S. Customs and Border Protection (CBP).
CBP staff serve as the first line of defense in checking freight and manning nuclear detection portals for containers, says John Young, surface transportation and freight legislation policy director for the American Association of Port Authorities (AAPA). AAPA estimates that U.S. ports annually handle 1.2 billion metric tons of foreign trade cargo, including millions of cargo containers, as well as 11 million international cruise passengers.
But CBP loses about 700 staff per year to attrition and is “constantly at least 500 short,” Young says. About two-thirds of prospective hires fail the required polygraph test, and protocol sends those who are hired to fill openings at the country’s southern border first and foremost. AAPA has noted that when CBP was funded to hire 2,000 staff in fiscal year 2015, only 20 were assigned to ports. “One of our strong recommendations to CBP is that they broaden the labor pool and make it more fungible in how they operate,” Young says.
The AAPA is also concerned about the funding level for port security, which was one as high as $400 million but has been only $100 million since 2012, and the draft budget on the Senate side for fiscal year 2018 was expected to be hashed out by the end of March. “We’re told that’s not because they’re not supportive, but other things came up, like the hurricanes,” Young says. “We’re continuing to work with them on getting levels to where they need to be.”
Although they represent potentially high-value targets, America’s seaports have become much safer since 9/11 and have not been the site of a coordinated physical attack, says Brian Harrell, president and chief security officer at The Cutlass Security Group and former facility security officer at HOVENSA Oil Refinery in St. Croix, U.S. Virgin Islands.
“In addition to guarding against cargo theft, drug shuffling, human trafficking and stowaways, ports and their law enforcement partners have added the protection of people and facilities from terrorism to their security plate,” Harrell says. “There’s no question that more investments in security equipment, infrastructure, technology, personnel and training will be needed. All parties – the ports, terminal operators, the various government agencies, the [Trump] Administration and Congress – must do their part.”
Harrell is concerned that lowered funding could compromise the ability for seaports to “be able to continue serving their vital functions as trade gateways, catalysts for economic prosperity, and important partners in our national defense,” he says. “While I understand the need for the administration to tighten the ‘budget belt,’ we have seen a positive return on investment when it comes to port security.”
Randy Parsons, director of security services at the Port of Long Beach, California, agrees that reductions in federal funding “would be a game-changer.” The Port of Long Beach has purchased $140 million worth of technical security equipment, and “you can imagine what the operations and maintenance costs are for systems like that. We have to look at triaging our physical security systems – CCTV cameras, access control, radar, sonar – and make some pretty tough decisions about what we’re going to operate and more importantly, tough decisions about what we can’t operate if grant funding doesn’t continue.”
But whatever happens, Parsons vows, “The security functions protecting the people and core operations of the port for deterrence, detection, response and recovery will remain intact.” Most ports are trying to wean themselves off federal funding, Parsons adds, and “that’s the right thing to do, but it’s challenging to do when we’ve built such an incredible capability.”
The Port of Los Angeles wants to see the $100 million allocation continue, says Jill Taylor, homeland security manager. “That funding is used to maintain all these systems that we’ve been putting in over the years and really does help, especially for some of the smaller ports and agencies to keep their training and exercises going and maintain their security systems,” she says.
“There’s an ongoing concern about how the federal government is going to fund homeland security grants in the future,” adds Mark Dubina, vice president, security for the Tampa Port Authority. “It’s a constant concern for ports. It’s a recurring theme.”
Physical Security Concerns
On the physical security side, AAPA sees ensuring the safe facilitation of freight as the key concern. “Having CBP staff there means having essential eyes on the cargo as it moves through,” Young says. “This is cargo that’s coming in from all around the world. They’re looking for anything that could be dangerous – whether it be explosives, whether it be drugs.”
Although port security personnel are always looking for the newest technology, physical security at ports is still largely a guns, guards and gates formula, Young says. “Technology is always getting better, getting faster,” he says. “But I don’t think there’s been that ‘iPhone moment.’ Security is still a boots-on-the-ground type of endeavor at ports.”
The Port of Long Beach continues to focus on terrorism, although as former federal security director at Los Angeles International Airport, Parsons says the tens of thousands of people who work at the port do not present the kind of fat target that the hundreds of thousands at LAX might. On other fronts, ports need to be concerned about the cargo coming in – and potentially, the people delivering it, Parsons says, adding that Long Beach and the adjacent Port of Los Angeles see 16 million containers per year between them.
“Ports, particularly the size of Long Beach and L.A., are replete with all kinds of hazardous material related to cargo,” he says. “Vessel crews can be very interesting in terms of where they’ve been. On the traditional criminal side of the house, it’s a pretty broad spectrum,” including human trafficking, narcotics, high-end electronics and vehicles.
Port of Long Beach has developed, with about $10 million in federal funding, the Virtual Port Project, a domain awareness tool “for everything going on in the port complex – the region, the coastline, international waters,” Parsons says. The port is also looking at upgrading equipment, from CCTV to advanced megapixel cameras, Parsons says. “We’ve got to keep our eye on those, see what makes sense and see what is fiscally responsible to do,” he says.
Training will be crucial going forward as ports implement new technologies, Parsons notes. “We need to keep on the cutting edge of what’s happening with risks and mitigation strategies. With camera replacement, radar, sonar – humans have a big part in that. We need their input,” he says. “We can’t rock back on our heels and say, ‘We’ve got this.’ ”
The Port of Los Angeles has a cruise terminal in its port and conducts training with all tenants around active shooter incidents, keeping in mind that every incident plays out differently, Taylor says. “We have a special operations team in port police that’s at the cruise terminal,” she says. “We ramp up our posture with K-9s and with dive sweeps. … You’ve got to look at locations in the proximity of the cruise terminal. If someone is high up on a building or a crane, what would their view be when you have mass amounts of people coming and going from a cruise ship.”
The Port of Los Angeles is a landlord port with individual tenants. As a result, the port is wide open, lacking a single gate that everyone enters and exits, so “every terminal is responsible for their own physical security,” Taylor says. “We actively assist them by providing security information and assessments, but they are ultimately regulated by the Coast Guard. Even so, we regularly engage with our terminals to make sure they are doing everything they can to harden their security.”
In early 2018, the port opened a new threat detection center using Port Security Grant Program funding, that provides 24/7/365 monitoring of more than 400 cameras and more than 225 access control points, Taylor says. “The center provides better maritime awareness with additional software to set up geo-fencing and alerts to monitor critical infrastructure and be more proactive,” she says. “It’s very hard for one person to stare at 400 cameras, but if you have assistance with software [sending out alerts] that can be a force multiplier.”
A monthly joint port dive operations group brings together port police, the Los Angeles County sheriff’s office and police departments from both Los Angeles and Long Beach to conduct a training dive and become more familiar with one another’s best practices, Taylor says. “They check for any sort of IED or other unknown device and train for arrival from the water onto a terminal, in addition to other emergency incidents, like a jumper on our main bridge,” she says.
At Port Fourchon, Louisiana, about 100 miles due south of New Orleans, 17 officers led by Chief Jon Callais handle all physical threats, although two of them are on loan to the information technology department as liaisons. “We have guys who are on the water patrolling in and out of docks, looking for pollution and anything that could happen on the water, like search-and-rescue,” he says. “We’re constantly looking for any type of sheen on the water, an oil spill or fuel spill that could contaminate an area.”
When Callais first became chief, given the influx of drugs into ports, he insisted that his officers be outfitted with bulletproof vests. But given the steamy summer weather, the port found a vendor who makes a vest that sits on top of the uniform and can be taken off in a safer environment so officers can cool down. “We’re having to do interdictions with different agencies to try to stop [drug traffickers],” he says.
Dubina says Tampa and ports in general face threats from lone individuals who might see them as easy targets. “We’re not seeing the types of sophisticated attacks we’re used to,” he says. “It’s more people who are acting on their own. The main objective is to create as much injury and death as possible.”
To combat such threats, Dubina and his team study events that have occurred elsewhere and ask whether the Tampa port would have been vulnerable to the strategies and tactics used. “We’re plugged into people who can give us in-depth evaluations of events that have occurred and learn better ways to protect ourselves,” he says. “It goes back to having relationships with the right people, making sure we’re trusted in law enforcement and the security world so we have access to the latest briefings.” That helps harden security whenever possible, he adds.
Another physical challenge that ports face is unmanned aerial vehicles (UAVs), Dubina says. “The people who operate them have a lot of rights, and the people they look at can’t always control what they’re doing,” he says. “There’s a huge competing interest between these commercial UAV operators, and their potential profit and the privacy rights of critical infrastructure operators. … Anything that would lend itself to being able to compromise a facility by better understanding how it operators is something we should worry about.”
Cybersecurity is where the AAPA sees ports ramping up their defenses most dramatically. The Maersk hack in the Port of Los Angeles last year, in which cyber thieves were able to pull information from manifests, serves as a warning of what could happen, says Aaron Ellis, public affairs director for the association.
“Who knows what they could have done?” he says. “Rerouted ships? It just shows the vulnerability of these systems, and how they need to be protected. There’s so much sensitive information – volumes, values, owners, where cargo is going to or coming from. If any of that gets messed up, you can imagine the chaos it would create.”
Worst-case scenario, such hacks could lead to a complete breakdown of the supply chain, Ellis says. “That’s a fairly frightening concept of what would happen if suddenly all the wonderful logistics that go into the supply chain are compromised,” he says. “You wouldn’t know where goods are coming from or going to. It could turn the whole international trade industry on its head. You’d have a broken system.”
To combat cyber threats, ports increasingly have been bringing together guards and information technology specialists. “Ports are involved in a competition for the best and brightest in the world of digital,” Ellis says. “Ports are trying to train that next generation of maritime people with skills needed for this kind of industry.”
The economic impact of a successful cyber-attack on ports like Long Beach and Los Angeles could be “catastrophic,” with an estimated $1 billion to $2 billion in direct costs and close to $6 billion overall, Parsons says. “The cascading effects happen quickly,” he says. “We need information-sharing to act as a force multiplier. But there’s an integration issue because you’ve got all these different kinds of systems out there. There’s a reluctance, too, because, a trusted environment for the data is required.”
The ports of Long Beach and Los Angeles are partnering to examine a “very robust effort” to collect and share data pertaining to the global supply chain, Parsons notes. “That balance gets really interesting, when you’re balancing throughput and safety,” he says. “To the ‘IT brains’ anything you share can be a vulnerability, and to ‘security brains,’ we’re thinking our strength is that we share. There’s a lot of thought and effort being put into finding compatible ground.”
Long Beach works to ensure that its servers and systems are updated and patched to ensure they don’t become a vulnerability in and of themselves, and the port is aggressively educating employees on cybersecurity practices. While insider threats are always a concern, Parsons says, “a great many intrusions are caused by accident, mistakes by employees clicking on something they shouldn’t have, that lets the bad stuff in.”
Cybersecurity is top of mind at the Port of Los Angeles, which gets approximately three million internal and external firewall attacks per week on its business network, Taylor says. “Our cybersecurity operations center is able to thwart those attacks and further bolster our business network,” she says. “We’re as good as you can be, but you can never be 100 percent perfect.”
The port sends messages to its tenants to make sure their cyber hygiene is up to date and trains employees to notice suspicious activities, Taylor says. Employees receive a monthly cyber newsletter to update them on the latest security issues as well as regular e-mails warning them about phishing attempts.
“Whether it’s an innocent employee who accidentally clicks on a link, or a malicious employee who’s an inside threat, the main idea is to be as prepared as you possibly can be,” she says. “These cyber attackers are trying to get into get financial information, or place some sort of malware to get money from the port and hold us hostage, or see what our business is like.”
April Danos, director of information technology at Port Fourchon, is most concerned about phishing scams and ransomware. “Keeping our end users trained is key and critical,” she says. “It’s really important that everybody have a good patch management system in place.” The Maersk incident raised everyone’s awareness, including the fact that intrusions could come unwittingly through a third-party vendor, she adds.
Ports also need to implement typical hardware like firewalls and put into place an incident response plan to manage potential threats. “You can’t just throw technology at it,” Danos says. “It’s a constant thing – you should do a vulnerability assessment at least once a year. Ports in general are struggling with pulling all this together. It’s happening so fast.”
The Port Fourchon police dedicated two officers to the IT department and has created a joint technology platform that takes all datasets from equipment like cameras and radar systems, and puts it into a shared dashboard, Danos says. This maritime domain awareness system “provides mapping capabilities – where cameras are, where vessels are – and they can respond to incidents.” This is shared with the sheriff’s office and nearby police and fire departments.
As vice president of security, Dubina works closely with Tampa’s vice president of information technology/chief information officer because both see overlap. Physical security leaders need to gain a working understanding of what the cyber side involves, as well as common terms and common practices, and vice versa, he says.
“We have a lot of interdependability,” he says. “My organization has encouraged that specific overlap between the traditional duties of CIO and the traditional duties of physical security manager. I don’t think that [need for cooperation] can be emphasized enough. There are still a lot of port organizations where there is not that kind of relationship.”