Cybersecurity at Ports and Terminals: It's not a product you can buy


In this article series, we explore multiple perspectives on cybersecurity at ports and terminals. How can terminals ensure the security of their systems and processes, and what are some of the most common threats and attack vectors that they face? What are the roles and responsibilities of the terminal operator and system provider? How does cybersecurity certification benefit terminals and what kinds of new demands will regulation bring over the next few years? Stay tuned for an expert discussion on these and many more topics.

In an increasingly complex industry in which digitalisation and automation are built into the very core of operations and business processes, cybersecurity has become more crucial than ever. In addition to being key links in tightly connected global logistics chains, ports and terminals are critical infrastructure that attracts a wide range of potential threats, from ransomware exploits to organized crime and hybrid attacks by nation states.

"It's safe to say that the companies that are Kalmar's customers tend to be of great interest for many different kinds of malicious actors," says Jouni Auer, Chief Information Security Officer, Kalmar. Ports and terminals are almost always time-critical in their operations, so the potential losses from any disruption are significant. As a result, the types of threats that companies in this field face are also unusually diverse.


Moving target

A fundamental characteristic of cybersecurity is that new threats are always evolving, either through the adoption of new solutions and technologies, or from vulnerabilities discovered in existing systems. "A common maxim among cybersecurity professionals is 'if it's smart, it's vulnerable'," says Auer. "All systems with smart features or connectivity will inevitably have some potential for vulnerabilities, and even if they are secure today, the situation might be very different a year from now. This means that all smart systems will, by definition, need to be looked after and updated when necessary."


Accidental backdoors

Many Internet-connected consumer devices such as webcams and routers are notorious for poor security controls, with vulnerabilities that include open control panels and hard-coded administrator passwords that allow easy access for attackers. The same vulnerabilities become even more critical when such devices are added to industrial networks, either accidentally or intentionally.

"A basic principle of cybersecurity design is that security controls need to keep people from doing what they are not supposed to do, whether by accident or on purpose," says Henri Kettunen, Cyber Security Lead, Kalmar. "If you have an Internet-facing and insecure device in your network, you can be sure that sooner or later someone will discover and exploit it. Unpatched and sometimes even unauthorized devices can endanger networks that should be fully locked down."


The whole and the parts

The complexity of cybersecurity management is compounded by the fact that individual machines and devices include numerous components and subsystems that may each have separate vulnerabilities in their software or firmware.

"Even if our own software is 100% secure, there might still be an issue with a third-party hardware component that needs updating," notes Timo Alho, Director, Product Management & Business Development, Kalmar. "Manufacturers need to be ready to ensure and maintain the security of their offering over the entire expected lifetime of the product, while keeping their customers informed of any newly discovered vulnerabilities that may affect their systems. This is no small task, but it's the responsibility that we as system providers need to take on in order to keep our customers secure, both now and in the future."

Alho notes that the field of cybersecurity contains an inherent paradox. "On one hand, security is not something you can just buy as a product or service and be done with. Yet at the same time, it's crucial that all your systems have some type of service offering in place for security updates and patches. In fact, if someone tries to sell you a solution that does not have some kind of service or security update component, some alarm bells should definitely be going off."


In part 2 of the series, we examine the benefits of cybersecurity standards and certification. Why are standards important, and how can they not only help ensure the security of systems and processes, but also streamline communication between vendors and customers?
