“Cyber security deserves top priority”
In our digital society, almost everything seems connected. The increasing integration of ICT systems and networks offers many advantages but, at the same time, makes the world as we know it more and more vulnerable to computer criminals. They also see the logistics sector as a lucrative target; this was made painfully clear with the recent hack into the port of Rotterdam. What can the industry do to protect itself against cyber attacks and reduce the damage from them? Marit Bakker, security advisor at Dutch Customs, has clear ideas about this.
When we talk to Bakker, she has just had a very busy week. With a group of colleagues, she was closely involved on behalf of Dutch Customs with ISIDOOR II, a national ICT crisis exercise organized by the National Coordinator for Terrorism and Security (NCTV). For four days, intensive research was conducted on how communication and collaboration work among dozens of public and private parties in the event of a large-scale cyber incident threatening entire industries. The scenario provided Customs with a software virus in the scan street on the Maasvlakte – plus a malware contamination of workstations, so that all kinds of business-critical systems failed to work. An extensive evaluation of the exercise is still to come but, in the meantime, Bakker is looking forward to a next serious test: FERM, a practical investigation of the digital resilience of the port of Rotterdam (see box). With all these initiatives, it seems that the awareness of e-security in government and the business community is right on track. But does this mean that organizations are doing enough to guard against cyber attacks? “If you look at the most recent Cyber Security Assessment Netherlands by the NCTV, that is manifestly not the case”, says Bakker. “It states bluntly that the cyber threat in our country is growing sharply and that the security level is generally lagging behind.”
As strong as the weakest link
For the latter, Bakker – who has been working at the NCTV herself for years, including at the National Cyber Security Center – adds a number of statements. And one of the issues is that many organizations still mainly approach the subject on an individual level, while a more joint approach would be more appropriate. “Working together seems logical and worthwhile, given the large ICT chain dependence in virtually every industry. A chain is only as strong as its weakest link; the vulnerability of one can cause incidents with another. That turned out to be true with the sophisticated global ransomware attack last summer, in which a shipping company and quite a few terminals in mainport Rotterdam were affected. This caused major problems with a whole range of businesses, from transport companies to food producers. And also, Customs was confronted with the consequences. Because we have to deal more frequently with calamities – including disruptions of our own systems – and were able to add additional capacity, we could contain the damage somewhat. But still ... From the affected terminals, no more automated declarations were sent, so that declarations came in as Excel files and had to be entered manually. And, out of necessity, risk assessments had to be done in the old-fashioned way – monitoring at the gate had to be instigated again. Because of all of this, the progress of discharging declarations was jeopardized, a process that Customs is required to carry out according to statutory European regulations. If declarations are not discharged in a timely manner, this may result in hefty fines from Brussels for the service. But we are not only an enforcement agency but also a service organization; there is a deeply-rooted responsibility to support the business community. Nevertheless, there was a real risk that the handling of containers at the relevant terminals would have to be shut down – with all the inherent consequences. This bad case scenario shows how great the shared interest is to prevent such a cyber crisis in the future.”
Integral approach required
Within Dutch Customs, in any case, there is a great deal of attention to the safety and security of its own systems, says Bakker. Thus, there is ongoing cooperation with the Security Operations Center of the Tax and Customs Administration, of which Customs is a part. The SOC monitors and guards the vital ICT infrastructure of the group 24/7, is responsible for the data security of all business units and serves as the computer emergency response team (CERT). It always uses the most stringent safety requirements. Bakker: “The emphasis here is fully on the technical side of things – firewalls, penetration testing, etc. That is essential, but, as a company, you should not focus exclusively on this. The issue of cyber security is much broader, and requires a comprehensive approach. You must also not lose sight of, for example, the human and organisational aspects within your processes. Such as: do employees make safe and responsible use of the available automated means? In order to focus on this, this year, for the first time, Customs took part in the nationwide Alert Online-weeks, with an extensive internal awareness campaign. In this way, we want to make it clear that the issue really deserves everyone’s attention.”
Strengthening AEO criteria
Bakker stresses that no one is responsible for the security of an organization other than the organization itself. Not even the government. “However, this does not mean that we cannot help each other in this area; the idea is that, together, we can become more resilient against threats from outside. I always advise, for example, that companies lift the topic of e-security above the operational and tactical level. Place the priority at the highest strategic level, I say. Place the file at the top of the hierarchy; make an MT member responsible. Then you are sure that the issue will rise to the top of the agenda and that budget and manpower will be made available.”
“We think about how Customs, as a key player in the logistics industry, could contribute to strengthening the complete digital chain”, adds Bakker. “One of the options is the tightening and expanding of cyber security criteria for the AEO safety & security permit – set up after 9/11 to make the transport of goods to and from the EU safer. As is well known, these conditions were determined at the European level. Of course, in Brussels they are also thinking about how digital security can be given a more prominent place within the certification system. It would be nice if the Netherlands could be the driver for this process.”
“Of course, a number of players in the logistics and transport sectors are also working on stricter ICT safety guidelines”, concludes Bakker. “One of these is the Port of Rotterdam Authority that has set up all kinds of measures based on the international ISPS Code – a framework of rules for the protection of ships and port facilities. We are pleased to be working together with such parties on an overarching cyber security strategy. The possibilities for this are going to be discussed within the Customs-Business Consultation forum. There may also be individual businesses that want to enter into discussion with us about this topic. We are certainly open to this.”
The FERM programme was established in 2016 out of the Crime Control Platform Rotterdam-Rijnmond. The goal is to stimulate cooperation between companies and government authorities in the port of Rotterdam and to increase awareness of cyber risks. In early November, there was an exercise under the flag of FERM, by which, on the basis of a simulated malware attack, it was assessed how a local nautical crisis team can achieve the best incident response. Customs was one of the participants.