The need for cyber Resilience in mainport Rotterdam
Do you have any idea just how dependent your organisation is on IT solutions in our highly digitised society? And how pressing the focus on information security and cyber resilience? In this showcase Rob Nijman of FERM provides insight into the need for cyber resilience in the Port of Rotterdam.
Because it is still very much on everyone’s mind how a major cyber-attack in 2017 struck Europe’s largest main port as well, with a subsidiary of logistics company Maersk being one of the bigger victims. A total loss of €300 million underlined the dependence on IT and the need to do something about security. Then.
Today, it is essential to keep developing and to always stay one step ahead. In 2022, cyberattacks are listed as a risk to the national security of the Netherlands, as our partner NCSC (the Dutch National Cyber Security Center) noted in their latest Cyber Security Assessment Netherlands. Bridging the gap to new threats as a result of geopolitical developments, we find the main vulnerability at the moment in the disruption of logistic processes. If you look at how disruptive it was for the world economy that one ship blocked the Suez Canal, then you can imagine what effect it has when part of the port is disrupted.
Cyber security throughout the value chain
The digital revolution has changed the way we work. It has made our world bigger, but also smaller. It brings new opportunities, but also new risks. Risks that could cost us money.
The port of Rotterdam is huge – both physically and in terms of gross domestic product, with its 6.2 percent share in the Dutch economy. It is a highly connected infrastructure and therefore vulnerable, from maritime and logistics to energy and chemicals. The impact is often significant – just look at the aforementioned example in 2017, but also far more recent incidents including the chaos for our 'neighbours' in Antwerp, Ghent, Terneuzen and Germany in February and March, and the impact on Colonial Pipeline in the US in 2021.
Cybersecurity is a very complex playing field consisting of actors, threats, vulnerabilities, interests, implications across various axes, system processes – and, of course, the people who ultimately do their work every day. What makes the port special is first of all the impact in the logistics chains. That also makes the state threat from the war in Ukraine more tangible than elsewhere. Within the Port Industrial Complex (HIC), companies are highly dependent on each other, and our processes are interconnected. Moreover, almost all of us depend on information technology (IT) and operational technology (OT).
Realistic threats
Criminal organisations are becoming increasingly active. The average ransom amount after a ransomware attack has risen to €150,000, while recovery costs have more than doubled in a year: from €631,000 to €1.5 million. Due to the pandemic, the rise of the cloud and the acceleration of digital transformation, both software (Saas) and products (PaaS) are experiencing tremendous growth. This allows users to purchase 'off-the-shelf' solutions that are developed or even managed by vendors from start to finish. Following the same model, groups of cybercriminals make their tools and techniques available to those who do not have the resources or sufficient technical knowledge. Tools to penetrate systems via spam emails sometimes come with a toolkit, a detailed user manual (either in writing or on video). It is hard to imagine an easier way to take your first steps into the lucrative world of cybercrime, which makes cyber-attacks extremely accessible.
This relatively low-threshold availability of ransomware via a RaaS model goes hand in hand with the worrying rise of organised gangs, which, as in the 'classic' underworld, are entering into far-reaching partnerships to roll out cybercrime as a serious business. It is partly because of this development that so many new forms of malware and ransomware have emerged in recent years, including the concept of "ransomware-as-a-service", where there are indications that the malware was distributed via online sales of partner programs.
In general, cybercriminals continue to scour the digital attack surface for new attack opportunities, such as Internet infrastructures and network communication protocols. A ransomware attack is usually not a rampage, but a painstaking process in which the perpetrators take several steps to make their money from your data. They know how to (1) gain access, e.g. via phishing (an employee clicks on an unfortunate link), after which they (2) move through the network unseen to quietly see what can be gained, or only then (3) proceed to steal, take hostage or render business-critical data unusable.
Storage Spoofing
A development that is very specific to the port of Rotterdam is (tank) storage spoofing, a collective term used by FERM for all sales of non-existing storage capacities and stocks of fuels in terminals in the port area. The target group of this type of fraud are the (inter)national companies that have or seek storage and all potential buyers of the trade that is offered under false pretences and turns out not to exist. It is estimated that the virtual supply is four times the actual storage capacity in the port.
“Evidence” such as websites, contact information, documentation and all kinds of other fake papers are produced. Then an initial invoice is sent, which of course has to be paid immediately. Amounts of 100,000 to 500,000 dollars are asked for deposits, first instalments, dipping tests, et cetera. The financial institutions used are obscure banks in foreign countries. And with this, the spoof is born: The buyers think they have made a super deal. With a small investment, they have cargo to offer on the market. But the physical product is nowhere to be found.
A project team within FERM deals with this unfortunately very persistent variant of fraud. A blacklist of false websites now contains over 650 domain names. Suspicious sites are added to this blacklist almost daily, while an opposing whitelist with legitimate organisations should lead the potential customer to legitimate parties. In addition, there are efforts by FERM and its partners in the network to constantly uncover new strategies used to target companies (by spoofing their websites) and entrepreneurs (by offering fake deals).
Awareness is key
As we often see, awareness is key to increasing digital resilience. The fact remains that these amounts are considerable for small companies. The loss of data acquired through theft can have far more serious consequences for SMEs than for a large multinational company that has sufficient resources to back up its data securely, has built up a sophisticated architecture or employs specialists in the fight against threats. Faced with the proliferation of threats and potential attackers, it is essential that both SMBs and smaller businesses understand that they too can be targeted by ransomware. And is there a plan B for when things inevitably go wrong?
FERM was recently invited by employers' organisation VNO-NCW (The Confederation of Netherlands Industry and Employers known as VNO-NCW) is the largest employers' organisation in the Netherlands) for a program on cooperation throughout the value chain. One of the striking parts – because there are also good examples! – was the presentation of the Dutch Pilotage about 'Plan B'. Very topical, the day after NS (Netherlands Railways) had to stop its service due to a breakdown. ‘Have you thought about it? What is your plan B? If control systems fail? If your internet is down? And is plan B known from the shop floor to the boardroom table?'
In the room, the link was made to a personal plan B. Bottles of water in the house for when the water supply is cut off. Cash. Jars of vegetables. You don't want to be too dependent on external factors. Risk is chance times consequence. One in five companies is hit by a ransomware attack each year. So that chance is twenty percent, but the consequence is often limited to one company, although that is of course terrible for the company itself. It also makes it clear that you have to defend yourself. You stand stronger with a plan B.
For individual companies, the biggest threats are forms of cybercrime such as phishing and ransomware, but for the entire port area, it might be an attack from Russia. These threats deserve our attention and call for courage and resilience. Even if you are not a direct target, you can easily be 'collateral damage'. Indeed, Maersk is often cited as the main victim with the EUR 300 million damage in the 2017 cyber-attack, but was not a direct target. This underlines the need for cyber resilience in the chain.
Read more about FERM