Jones Walker Releases Cybersecurity Preparedness Report

Jones Walker LLP has released its biennial cybersecurity survey, which this year focused on the cybersecurity preparedness of ports and terminals in the United States. Andy Lee, a partner at Jones Walker and head of the law firm’s privacy and data security team, and Jim Kearns, special counsel in Jones Walker’s maritime practice group, announced the results of the 2022 Ports and Terminals Cybersecurity Survey at the annual conference of Inland Rivers, Ports & Terminals Inc., held October 3–5 in Tulsa, Okla.

Jones Walker’s survey garnered responses from 125 senior executives from ports and maritime terminals, both blue-water and brown-water. The 2022 survey was conducted in a time of geopolitical unrest, particularly with regard to the Russian invasion of Ukraine, energy supply issues, inflation and extreme weather—all of which makes maritime facilities an attractive target for cyber attacks.

The survey identified four main takeaways regarding cybersecurity readiness at ports and terminals.

First, the survey made clear that “confidence is high in a threat-rich environment.” More than 95 percent of respondents said they believe their industry is well-prepared for cyber threats, while 90 percent said they believed their particular facility or organization was prepared to weather a cyber attack or breach. The report, though, questioned whether respondents were being overconfident, since 74 percent said their organization’s IT systems or data had been the target of a breach within the past year.

“Perception is important, but it doesn’t prove readiness,” Lee said.

The trend for cybersecurity attacks against maritime interests has exploded in the past four years. Just for respondents to Jones Walker’s surveys, reported cyber attacks within the past year went from 43 percent of respondents in 2018 to almost three quarters in 2022.

“It’s really a reflection of the critical importance of our ports and terminals infrastructure,” Lee said. “The volume and traffic to these facilities has grown exponentially, and they are increasingly using automated operational technology (OT) systems to augment information technology (IT) and to communicate data, operate equipment, track cargo and containers, and manage commercial operations.”

“Even what we know about it is bad,” Kearns said, “and it’s probably worse than that.”

Second, the survey recommended that companies and organizations “take a clear-eyed view of potential threats.” Overall, of the companies that reported a cyber attack within the past year, 64 percent of those attacks were by a solo threat actor or hacker, 32 percent were by organized crime groups, 22 percent were by activists, 13 percent by nation-state actors, and 12 percent were by internal actors or employees. Two percent of respondents were unsure.

Forty-five percent of respondents said ransomware attacks were what worried them most. However, only 20 percent of respondents who experienced a cyber attack last year said it was a ransomware attack.

The leading vectors for cyber attacks were remote desktop protocol (38 percent), malware (26 percent), hacking (24 percent), and social engineering attacks like phishing (22 percent).

The extent and potential ramifications of ransomware attacks, though, may highlight why they’re so concerning.

“Ransom attacks, especially of late, not only lock down your equipment, but also extract your data and hold it hostage, under threat of releasing your secrets,” Lee said.

Third, the Jones Walker team stressed the importance of making a plan, testing that plan and updating the plan in order to retain a robust level of protection.

“One thing that’s not part of the recommendation is ‘go out and spend a lot of money on equipment,’” Kearns said. “A lot can be done simply at the keyboard. Be aware, alert, and recognize problems when they show up on the screen. What you’re trying to do is the possible with the available.”

Organizations must first assess, evaluate and mitigate cyber risks. Procedures and best practices—or “cyber hygiene”—should be written into policies and regularly reviewed and taught. Because personnel changes throughout the year, an organization’s cyber plan ought to be updated, tested and taught throughout the year, the report concluded.

“Sadly, only 21 percent reported even updating their plan during the past year, while a full half (50 percent) said that their facility did not or irregularly conducted [incident response plan] tabletop exercises,” Lee said. “If we dig deeper into the data, it gets a bit worse, not better. Only 57 percent of the blue-water respondents and only 25 percent of the brown-water respondents tested their plans on an annual basis.”

Lee added that older equipment does tend to be more vulnerable for cyber attacks, so keeping software up to date and replacing older machines and systems is important.

“That is a budget allocation folks should be thinking about,” he said.

Finally, the survey said people and communication, both within the organization and externally, are key. Encryption, both end-to-end and stored information, is a “low-cost, high-impact” tool, the report stated. Less than half of respondents, though, said their organizations always use end-to-end encryption or encrypt information at rest (45 percent for both).

The report also said it’s important to communicate cyber attacks to law enforcement agencies like the Cybersecurity and Infrastructure Security Agency (CISA), the Cyber Command of the U.S. Coast Guard, and local law enforcement. CISA even offers to assess an organization’s cyber security readiness and make recommendations for free.

This is the third cybersecurity survey Jones Walker has done. The first, published in 2018, looked at cybersecurity in the maritime industry in general. The second, released in 2020, focused on companies in the midstream oil and gas industry. The results of the surveys are available online at www.joneswalker.com.