
Shipping zero trust to global ports

Sep 27, 2024

Note: A version of this article originally appeared in Logistics Asia.

In late 2023, a breach forced Australia’s port operators to disconnect from the internet, taking key operational technologies like cranes and access gates offline. In March, U.S. officials discovered unanticipated communications equipment built into widely-used, Chinese-made cranes. Then, in late July, a group of security researchers identified a campaign by an allegedly state-sponsored hacking group targeting maritime infrastructure on the Indian Ocean and Mediterranean Sea.

Given ports’ strategic importance, their ability to snarl the global economy, and their attractiveness as targets for geopolitical rivals, governments and private operators must step up efforts to secure port IT infrastructure, especially IoT and OT devices. The Suez Canal blockage of 2021, which by the canal authority’s own estimate cost it $14-15 million a day in lost transit revenue alone, hinted at the disruption an outage at even one major port could cause.

Infrastructure under attack

Today’s ports rely on an array of smart sensors, cameras, and SCADA systems for control, automation, maintenance, asset management and telemetry. According to IoT Analytics, the number of connected devices grew 16% to 16.7 billion in 2023.

This poses a challenge: IoT/OT deployments lead to device sprawl, an expanded attack surface, and possible data leakage. Over the course of 2023, Zscaler’s ThreatLabz team charted a 400% rise in malware attacks against IoT devices. It has become a cliché to say that smart devices are not designed with security in mind, but the cliché is grounded in truth. Default credentials, unhardened consumer-grade operating systems, insecure firmware update mechanisms, and vague patching schedules are among the most common weaknesses.

Another concern is the provenance of the devices themselves. A single Chinese manufacturer is responsible for roughly 70 percent of all ship-to-shore cranes in use worldwide, according to The Maritime Executive. As the Australian government recently warned, Chinese APT groups prioritize espionage and favor living-off-the-land techniques that blend in with legitimate administrative activity. A supplier with that kind of market share is well placed to embed backdoors in its equipment or eavesdrop on the communications passing through it.

For some countries with advanced manufacturing capabilities, switching to home-grown equipment may be an option. For most, a better starting point is to remove externally facing assets, secure communications between connected devices and the analytics platforms they report to, and lock down third-party and administrator access. These are practical ways of keeping port infrastructure from being snooped on, used as a foothold into the IT environment, or manipulated to disrupt the global economy.

Zero trust for IoT/OT infrastructure

Ports and other infrastructure authorities should also seriously consider adopting zero trust principles for securing IoT/OT systems. The data these devices produce feeds critical business processes and decisions, and inaccurate data can ripple through distribution supply chains with significant economic consequences. OT systems for control and safety drive physical equipment, so a compromise can endanger safety and human lives.

When deployed properly, a zero trust architecture assists with device discovery, secures smart device communications, and enables secure third-party access for B2B partners as needed.

Here’s how:

  • Device visibility and discovery – Routing traffic through a centralized security cloud lets administrators quickly uncover every smart device connected to the network, including the sources of unauthenticated traffic. Once connected devices have been mapped, they can be categorized by type and managed from a centralized dashboard, eliminating IoT blind spots. Keeping close tabs on activity like resource consumption, applications used, and destinations visited can tip security teams off to unexpected behavior, such as a camera that suddenly starts talking to a host outside its usual set of destinations.
     
  • Secure communication – Zscaler researchers have found that the majority (62%) of IoT device traffic is encrypted. That is welcome, but encryption also hides payloads from controls that do not inspect them, making it relatively easy to slip malware past the perimeter. Inline inspection of that traffic, a core zero trust principle, is therefore essential, especially given the rising prevalence of malware targeting these systems. Routing the traffic through a secure cloud additionally shields devices from discovery and enforces the security policies set by device owners.
     
  • Secure third-party access – Trusted partners and contractors have typically connected to OT devices via VPN for activities like preventive maintenance, an approach that both expands the attack surface and enables lateral movement by attackers in search of high-value data or control systems. A zero trust approach avoids the friction and risk of VPN access by letting authenticated and authorized third parties reach specific equipment through fully isolated RDP and SSH sessions, rather than a routable path into the OT network.
     
  • Secure IoT/OT with 5G zero trust SIMs – Not every connected device can run an agent or sit behind an edge forwarder; inventory scanning guns and surveillance cameras are typical examples. The zero trust SIM creates a private service edge within the public telecom network, so traffic from such devices is forwarded to policy enforcement without being backhauled through a centralized security stack.
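As an added example (not code from the original article or from any vendor product), the following Python script sketches the discovery and monitoring step described in the list above: it parses constructed proxy log lines, fingerprints devices by user agent into categories, records whether each device's traffic was ever authenticated, and flags both unidentified devices generating unauthenticated traffic and devices reaching destinations outside their category's baseline. The log format, the fingerprint table, the baseline destinations, the IP addresses and the sample lines are all assumptions invented for this illustration.

```python
import re

# Constructed sample proxy log lines (not real telemetry). The format is an assumption:
# <timestamp> <src_ip> user=<id|-> ua="<user agent>" dst=<host> bytes=<n>
SAMPLE_LOGS = """\
2024-09-20T08:01:12Z 10.20.1.15 user=- ua="CamFW/2.1" dst=ntp.internal.port.example bytes=96
2024-09-20T08:01:40Z 10.20.1.15 user=- ua="CamFW/2.1" dst=vms.internal.port.example bytes=48210
2024-09-20T08:02:03Z 10.20.3.7 user=- ua="ScanGun/1.4" dst=wms.internal.port.example bytes=1120
2024-09-20T08:03:55Z 10.20.3.7 user=- ua="ScanGun/1.4" dst=wms.internal.port.example bytes=980
2024-09-20T08:04:10Z 10.20.5.2 user=- ua="HMI-Client/7" dst=scada.internal.port.example bytes=3300
2024-09-20T08:05:31Z 10.20.1.15 user=- ua="CamFW/2.1" dst=cdn.unknown-host.example bytes=2097152
2024-09-20T08:06:00Z 10.20.9.9 user=jsmith ua="Mozilla/5.0" dst=mail.internal.port.example bytes=5400
2024-09-20T08:07:45Z 10.20.7.31 user=- ua="" dst=198.51.100.23 bytes=512
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) user=(?P<user>\S+) ua="(?P<ua>[^"]*)" '
    r'dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)$'
)

# Constructed fingerprint table: user-agent prefix -> device category.
FINGERPRINTS = {
    "CamFW/": "camera",
    "ScanGun/": "scanner",
    "HMI-Client/": "hmi",
    "Mozilla/": "workstation",
}

# Constructed per-category baseline: destination suffixes each device type may contact.
# User workstations are governed by identity policy instead, so they have no entry.
BASELINE = {
    "camera": ("vms.internal.port.example", "ntp.internal.port.example"),
    "scanner": ("wms.internal.port.example",),
    "hmi": ("scada.internal.port.example",),
}


def parse_log(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    rec["authenticated"] = rec["user"] != "-"
    return rec


def categorize(ua):
    """Map a user agent to a device category via the fingerprint table."""
    for prefix, category in FINGERPRINTS.items():
        if ua.startswith(prefix):
            return category
    return "unknown"


def build_inventory(log_text):
    """Map each source IP to its category, auth state, destinations and byte volume."""
    inventory = {}
    for line in log_text.splitlines():
        rec = parse_log(line)
        if rec is None:
            continue
        dev = inventory.setdefault(rec["src"], {
            "category": categorize(rec["ua"]),
            "authenticated": False,
            "destinations": set(),
            "bytes": 0,
        })
        dev["authenticated"] = dev["authenticated"] or rec["authenticated"]
        dev["destinations"].add(rec["dst"])
        dev["bytes"] += rec["bytes"]
    return inventory


def find_anomalies(inventory):
    """Flag unidentified unauthenticated devices and off-baseline destinations."""
    findings = []
    for ip, dev in sorted(inventory.items()):
        cat = dev["category"]
        if cat == "unknown" and not dev["authenticated"]:
            findings.append((ip, cat, "unidentified unauthenticated device"))
            continue
        allowed = BASELINE.get(cat)
        if allowed is None:
            continue
        for dst in sorted(dev["destinations"]):
            if not dst.endswith(allowed):
                findings.append((ip, cat, f"off-baseline destination {dst}"))
    return findings


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_LOGS)
    for ip, dev in sorted(inv.items()):
        print(ip, dev["category"], "auth" if dev["authenticated"] else "unauth",
              dev["bytes"], sorted(dev["destinations"]))
    for finding in find_anomalies(inv):
        print("ALERT", *finding)
```

On the constructed input the camera at 10.20.1.15 is flagged for a 2 MB transfer to a host outside its baseline, and 10.20.7.31 is flagged as an unidentified device sending unauthenticated traffic; the authenticated workstation is left to identity-based policy. In a real deployment the fingerprint table and baselines would be learned from the centralized proxy telemetry over a quiet period and then reviewed, not hand-written.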

IoT/OT devices are simultaneously becoming more critical to the global economy and more heavily targeted by threat actors, especially state-sponsored groups. They deserve the most modern approach to cybersecurity available, one endorsed by the governments of Australia, the United States, and others: zero trust, built on principles like device-level segmentation, least-privilege access, and identity as the perimeter.

It’s time to expedite the shipping of zero trust to the world’s ports. 
