Hack on Japanese Port Shows How Compromised Operational Technology Can Have a Widespread Impact

Paul Holland
Published 17 - July - 2023
Tags: ISF expert opinion, emerging threats, technology, people
Last week the port of Nagoya became the victim of a ransomware attack: the busiest port in Japan was unable to load or unload shipping containers for more than two days. Operations have now returned to normal, but the incident highlights the risks that come with connecting digital business operations to operational technology (OT).

The attack is reported to have been perpetrated by the pro-Russian hacking group LockBit 3.0, which demanded a ransom after infecting a computer system that was part of the network managing the loading of containers. Other parts of the port’s systems continued to operate. The port authorities reported that they have had no contact with LockBit 3.0 and have not paid a ransom.

Such incidents touch multiple facets of security and risk management and can have a huge impact; they are often referred to as extinction-level attacks because of their severity. They also deeply affect the supply chain: in this instance, Toyota had to cease some of its operations because of the lack of movement at the port, which hindered the manufacturer’s ability to export from its production facility. The company would not have been the only one affected. A company such as Toyota is likely to have cyber insurance, but would it cover them in this instance? That would be down to the policy wording.

Protecting systems has been the challenge of security professionals for years, and there is a realisation that nothing is ever 100% secure. For many of those working in OT environments, however, this is still a relatively new concept. OT was not originally designed to connect to the internet or to corporate networks, so security was not thought to be required. That has changed dramatically, and it is increasingly an issue that needs addressing. OT is heading towards being the target of choice for attackers, with OT environments on the whole lagging behind their IT counterparts in terms of security. OT has converged with IT systems organically rather than by design, which means that these systems have often been connected without the involvement of security teams, or sometimes even of the IT department. Security is now playing catch-up.

There are lessons that can be learned from the experience of securing IT, but the OT environment is a different beast: its core priority is the safety of people and of the physical process rather than the confidentiality, integrity or availability of information. So we cannot simply lift and shift all our technology, processes and procedures straight into the OT setup; a nuanced approach is needed. Security professionals and engineers need to work closely together to understand each other’s needs and to get the best out of security tools and processes without affecting operations or safety.

In the case of an extinction-level attack, it is important to plan ahead. This is not just about backing up all your systems, but about answering the key questions of how to get up and running again before an incident happens. There is nothing worse than having limited or no systems available while you attempt to gather all the data needed to keep operating or to recover. By putting in the leg work up front, organisations can greatly improve their chances of a quick and successful recovery. The port of Nagoya appears to have had working backups and to have answered those vital questions, recovering within 72 hours: a remarkable achievement given the scale of the incident, and a demonstration of what pre-planning can do. An OT environment needs additional questions answered over and above those for an IT environment, such as: “Can we safely shut down the OT environment in the case of a ransomware outbreak?” In some instances a shutdown could itself cause more damage, most likely to the land and people in the local area.

As happened here, cyber attacks can cause suffering throughout supply chains. It could be that your supplier has been compromised and then infects your network as well; in this case, though, the attack stopped the port’s customers from being able to operate properly. Careful monitoring of, and pre-work with, suppliers is important not just from a business and operating perspective but also from an IT and security perspective. Understanding the status of your suppliers and the risk they pose to your organisation will help you assess what protections or plans need to be put in place to alleviate as much of that risk as possible.