Cyber-attacks against the Port of Los Angeles increased from 7 million per month in 2014 to 60 million per month in 2023, according to Tony Zhong, Chief Information Security Officer, Port of Los Angeles.
Zhong was speaking to the Propeller Club of Northern California on July 15, 2024, and explained that the Port had established a Cyber Operations Center in 2014 to protect the Port’s digital infrastructure.
In 2021, IBM was selected to manage the Cyber Resilience Center (CRC), which began operations in 2022.
The establishment of the Cyber Resilience Center has made the Port of Los Angeles a leader in cyber security defense among US ports. As Zhong explained, the CRC operates with an executive committee that oversees its operations and a technical committee, focused on technical issues, through which the stakeholders (the Port of LA among them) collaborate. When it comes to cyber security, Zhong notes, defense has to be much better than offense: it takes only a single successful attack to cause damage, whereas the defenders need to defend successfully 100% of the time.
Zhong explained that when an attack occurs, it is reported by the stakeholder but transmitted to the other stakeholders anonymously. If another stakeholder also reports a similar attack, those attacks are reported to all of the stakeholders, again anonymously, so that they can evaluate whether they, too, have been under attack. This system preserves anonymity and proprietary information while allowing the real-time exchange of information in the event of a cyber-attack.
In his presentation to the Propeller Club of Northern California, Zhong outlined CRC goals, responsibilities and main functions:
Cyber Resilience Center Goals:
- Reduce cyber risks that could disrupt the flow of cargo
- Improve quality, quantity and speed of available analysis of port ecosystem cyber risks
- Create new collaboration with stakeholders to increase cyber resilience
- Information for stakeholders to improve their cybersecurity posture
- Maintain privacy and anonymity
- High fidelity actionable cybersecurity information
Cyber Resilience Center Partners:
- Railroads
- Law enforcement
- Shipping lines
- Chassis providers
- Terminal operators
- Port of Los Angeles
- Marine Exchange
- Cyber intelligence services
- Trucking companies
Cyber Resilience Center Facts:
- State of the art facility completed in 2022
- Possesses ISO 27001 certification (information security management system)
- CRC team includes management by IBM and Port of LA and full-time cybersecurity analysts
- Costs $0 to the stakeholder
Zhong also explained the limitations of the Cyber Resilience Center, citing what it will not do:
- Not a replacement for stakeholders’ own cybersecurity efforts
- Not intended to take responsibility for whether stakeholders act on what risks are shared with them
- Not designed to intrude on stakeholders’ current system
- Will not share information beyond the designated list of Port of LA stakeholders
- No sensitive information
- Not intended to expose stakeholders’ cyber vulnerabilities
- Not an elimination of stakeholders’ cyber risks
Digitization
Zhong said that digitization has had many benefits in improving data flow but also makes it easier to mount cyber-attacks: “With the digitalization nowadays, it's definitely easier for the bad guys to launch an attack anywhere around the world … They can just sit behind the keyboard. And then with some programming skills (and) with some I would say technical skills, they could potentially disrupt an organization that does not have proper security controls and say policies and procedures in place. So, it makes it very easy to compromise organizations … We are seeing over 60 million monthly … attack attempts that has been the most recorded ever in the existence of our 10 years of operations.”
Cyber attackers also focus on companies that have low levels of cyber defenses:
“What we usually see is the threat actors using older known vulnerabilities … that are available to test those systems. So basically, it's like … try to compromise the organization with the lowest … hanging fruit there so we don't have to deploy these sophisticated malware that they have in the arsenal. So, … the bad guys all also have a specific tool set. So, … they want to get in the easiest way without doing too much work. And then if that doesn't work, they implement more sophisticated techniques.”
Ron Brown, Maritime Marketing and Commodities Representative, Port of Oakland, asked Zhong what the top priority of cyber attackers is. Zhong replied: “Ransom attacks … shut a system down and then force you to pay to get it back up and operating. So, ransomware is ranked up there.”
Zhong noted that a less sophisticated attack utilizes “some type of email attack vector (that) is also very common, because those are the easiest ways to get into an organization … I would say one of the weakest links in the chain in security, … is the human factor, … because humans tend to click or open an email with an attachment. And that's how threat actors get into organizations.”
Challenges Recruiting
Zhong said that recruiting young people is a major priority: “So as a port authority … we have internships yearly during the summer in the different divisions within our organization … We have a law enforcement division, we have real estate, we have engineering and cybersecurity that is in… my area. So, I usually have interns for the cybersecurity division … to help us out and then also get them educated to see if cyber is the right career for them.”
Scott Conrad, a Northern California-based IT consultant, has run the IT department at several community colleges. He commented that it has been difficult certifying students for cybersecurity work because they find the course work challenging and so: “Unfortunately, we are not seeing as many people qualifying for cybersecurity as much as we need … We offer a Cisco certification for cybersecurity at a number of our colleges that do most of the work actually online. And ironically, we're seeing a decline in enrollment because of the strict standards. A lot of the students aren't willing to stick with it. Those that do can graduate with it, in less than two years (can) be making six figures, and they're in high demand.”
Chris Hanna, Information Technology Security Manager, Port of Oakland, agreed there is a problem with recruitment: “So, to the extent we can, and I know we can't fix everything, we do need to try to ... act a little bit more like a business to try to get folks in and try … to expedite some of those … frustration points and … make the environment better for them.”
Robert Butchart, Ports and Harbor Emergency Services Coordinator at the California Office of Emergency Services (Cal OES), says the manpower demand for cyber security with the State of California is growing: “but you could imagine Sacramento (California state capital) looking at the cyber threats to Silicon Valley agriculture, everyday economics … And that's growing, you know, within Cal OES … it's really growing to be one of the larger branches at OES.”
The Role of AI
Zhong noted that Artificial Intelligence (AI) is now amplifying the possibilities for “bad actors” to increase cybersecurity attacks because they can:
- Mimic a human actor
- Mimic the human ability of an actor to automate attacks
He adds: “AI is the next frontier. I think even the most secure mature organization out there … knows … it is a race against time. It's like a cat and mouse game. We are looking at security solutions with AI on how to make things more efficient. Try to detect if … threat actors are using AI capabilities or technologies also to perform exploitation and reconnaissance to our environment as well.”
“The challenge for us,” says Zhong, “is always to stay one step ahead and that is getting harder and harder for us. AI can amplify the different patterns and techniques involved in cybersecurity attacks and it is being weaponized.”