Following a number of unprecedented cyber-attacks on the shipping sector during the last few years, Hutchison Ports has introduced its own Cyber Security Recovery Programme, to improve the group’s overall readiness and protection from cybercrimes.
These cyber-attacks exposed the vulnerability of the shipping industry to cyber criminals and also highlighted the inadequate protection in place to combat future threats.
“Following Wannacry and Notpetya, ransomware outbreaks are now very widespread in the shipping sector with one major player suffering a crippling shut down for days, with losses reported up to US$300 million,” said Epsilon Ip, General Manager-Enterprise Architecture & IT Security, Information Technology at Hutchison Ports.
More recently COSCO Americas IT network was compromised by a ransomware attack that affected some aspects of its business, such as project cargo, in a number of countries across Latin America and the United States.
IT leaders from around the world began developing plans to protect valuable data and IT resources by equipping themselves with adequate defenses, such as proper incident response programmes and recovery capabilities in the event of a cyber breach.
Hutchison Ports for its part, is launching its own cyber-security programme to improve the group’s overall security preparedness.
The programme is designed on two levels, for the Corporate Centre there will be improved corporate governance and awareness as well as visibility in key security metrics such as vulnerabilities that may affect the group’s network of ports.
“For individual business units essential security controls will be introduced such as network segregation and protection, backup solutions, endpoint security as well as incident response and recovery capabilities,” said Ip.
Other ports and governments around the world have responded to the threat including the Port of Rotterdam. Since 11 June 2018, 170 companies that fall under the Port Security Act in the Netherlands or have a port security certificate have a mandatory duty to report cyber incidents. In the future, these companies are obliged to report large-scale IT disruptions to the Port Cyber Hotline.
The Port of Rotterdam is highly dependent on information technology for the secure and smooth handling of shipping traffic, road traffic and other modalities. IT incidents in the port area can result in risks for business operation continuity and security in the Port of Rotterdam.
“The establishment of the Port Cyber Hotline is one of the measures that contributes to strengthening the Port of Rotterdam’s digital defence and security. Early reporting of IT malfunctions enables the Port Authority to determine whether measures are required to support security in the port area. That is why, starting from June, companies located along the port area must report large-scale IT incidents to this hotline,” stated René de Vries, Harbour Master and Port Security Officer.
Such is the concern about data security breaches that Canada is the latest country to introduce federal private-sector data breach reporting regulations which will take effect in November 2018.
Following recent amendments to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), private-sector organizations or companies in Canada must report the breach to the Privacy Commissioner and, generally, notify customers if there is a risk of significant harm resulting from a data security breach. Additionally, most states in the United States also have breach notification laws on the books.
One of the drivers behind the cyber breach legislation is that many companies do not disclose cyber threats or attacks in the past for fear of alarming customers and potentially damaging their own business and reputation. This opens the way for cyber-attacks to spread to customers, business partners and associates.
Back at Hutchison Ports, the company is also heavily reliant on digital technology to run its critical business processes according to Herman Chiu, General Manager-Terminal Development, Group Operations at Hutchison Ports.
“During the last decade, efficiency enhancements have been our primary focus to meet increasing market demand and improve customers services. However, the use of advanced technologies has inevitably introduced new opportunities that malicious users can exploit,” said Chiu.
The cyber-attack recovery programme aims to strengthen Hutchison Ports digital resilience and recovery capabilities against harmful cyber-attacks and other technology related risks.
“The programme assists business units within the group to understand their critical processes, identify potential digital vulnerabilities and develop their own ‘Incident Response Playbook’, which will be updated and revised regularly to maintain its effectiveness against the latest cyber-security threats,” added Chiu.
The first phase of the Cyber Security Recovery Programme will be rolled out to twenty-two selected business units and the rest will follow.
In today’s cyber world, information is power, and part of the cyber security programme is to raise awareness among Hutchison Ports business unit managers and IT staff. To this aim the group has organised a series of workshops around the world, explaining the importance of the programme.
“The Cyber Recovery Training will focus on disaster recovery and business continuity. Our Information Security team will also launch general cyber security awareness including training and drills to all business units,” said Chiu.
The key to mitigating cyber-attacks is being vigilant to future threats and every department in the supply chain has to prepare for the worst by introducing their own cyber security response programme, which includes regular training and updates.