The Port of Nagoya’s Port Unified Terminal System, which is responsible for “managing the loading of containers”, was infected with LockBit 3.0 earlier this month. This caused the largest port in Japan to stop operations for 2.5 days, and had cascading effects on Toyota and other companies that relied on the port.
Is a 2.5-day port closure due to a cyber incident occurring once every 10 years a risk that the Port of Nagoya accepts?
Two-day port closures occur at ports in Japan, China and other areas subject to typhoons and hurricanes. On average 2.6 typhoons make landfall in Japan annually. While records are not easily found, Typhoon Hagibis in 2019 caused a 2-day closure of the Port of Nagoya.
There is an ongoing risk of even larger impact from weather events. The Isewan Typhoon in 1959 caused a total closure of the Port of Nagoya for 12 days, and full operation wasn’t resumed for 35 days. The main factors leading to a difficult recovery weren’t damage to the port infrastructure. They were debris in the harbor and workers not being available.
Weather is treated differently as it is something we can’t control, but we can control protection and recovery of infrastructure that might be damaged or lost in a weather event. Spencer Wilcox of Nextera Energy proudly told the S4x23 audience that they lost no transmission structures during last year’s Cat 4 Hurricane Ian.
The Covid pandemic is another recent example of an event that caused degraded operations at most ports for over a year. Fires, labor issues, energy loss or shortage, safety incidents and cyber attacks are all potential events that could degrade or halt port operations.
Where does the Port of Nagoya spend money to reduce the risk of outage or degraded operations? Their expenditures to date reduced the impact of this recent cyber incident, in terms of outage time, to that of a major typhoon that made landfall near Nagoya.
The knee-jerk reaction is: bad Port of Nagoya. How could you let this happen? You need to do better cybersecurity so this doesn’t happen again. Leadership will ask what they need to do so this never happens again. That puts security pros on the spot, since no one can guarantee that a cyber incident won’t shut down the Port again.
The post-incident investigation may find some basic and efficient security controls that were missing or lacking. More security controls may be part of the answer, but they will never be able to guarantee a cyber incident won’t bring the Port down.
The more important question to ask is whether the Port of Nagoya can accept a 2.5-day recovery time objective if the cyber assets required to operate the port at a minimal acceptable level are compromised and need to be rebuilt.
This appears to be the first cyber attack that has had a material impact on Port of Nagoya operations. Is one cyber incident per decade causing a 2.5-day closure acceptable? What would be the cost to reduce this to a 1-day closure, and how does this cost compare to the loss due to a 1.5-day closure? And how does this expected loss mitigation compare to other loss mitigation projects that could be accomplished at that same cost?
So many questions.
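The comparison asked for above can be set up as a small expected-loss calculation. This is an added example, not part of the original article: the once-per-decade frequency and the 2.5-day and 1-day closures come from the text, while the daily loss, the project costs and the typhoon closure frequency are constructed placeholder values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Project:
    name: str
    events_per_year: float  # how often the hazard closes the port
    days_before: float      # closure length per event today
    days_after: float       # closure length per event after the project
    annual_cost: float      # annualized cost, same unit as daily_loss

def avoided_loss(p: Project, daily_loss: float) -> float:
    """Expected loss avoided per year; also the break-even annual budget."""
    if p.days_after > p.days_before:
        raise ValueError(f"{p.name}: project lengthens the closure")
    return p.events_per_year * (p.days_before - p.days_after) * daily_loss

def rank(projects, daily_loss):
    """Return (name, avoided loss, avoided loss per unit cost), best first."""
    rows = []
    for p in projects:
        saved = avoided_loss(p, daily_loss)
        rows.append((p.name, saved, saved / p.annual_cost))
    return sorted(rows, key=lambda r: r[2], reverse=True)

DAILY_LOSS = 100.0  # constructed: loss per closed day, arbitrary units

PROJECTS = [
    # From the article: one incident per decade, 2.5 days cut to 1 day.
    # annual_cost is a constructed placeholder.
    Project("cyber: rebuild OT systems in 1 day", 0.1, 2.5, 1.0, 10.0),
    # Constructed comparison project: frequency, days and cost are assumptions.
    Project("typhoon: faster harbor debris clearance", 0.2, 2.0, 1.0, 12.0),
]

if __name__ == "__main__":
    for name, saved, ratio in rank(PROJECTS, DAILY_LOSS):
        print(f"{name}: avoids {saved:.1f}/yr, {ratio:.2f} per unit spent")
```

At one event per decade, cutting 1.5 days off the closure avoids only 0.15 closed days per year in expectation, so the recovery project is justified only if its annualized cost is below 0.15 times the daily loss.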
It’s likely that Port of Nagoya will be looking at these risk management questions. Asset owners don’t need to wait until they are hit to better understand and improve their OT cyber risk management.