A Story about Security

When I came to Houston 25 years ago, one of my first jobs (I had quite a few in those days!) was working at a local hospital as a security guard. It was a great gig for me as a college student since I could work shifts in the evenings, nights and weekends – plus I could often study while at work (although I rarely did!) And even though I didn’t fully understand it then, it was the start of a career in which security mindedness would be a principal concern.

There, security meant something very different to me than it does today. The hospital was a level 1 trauma center which meant it was where all the especially serious medical cases came: gunshot victims, drownings, major accidents, you name it – it all came there from across Houston. The hospital had one of the biggest Labor & Delivery units in the city which meant it also had a large infant nursery which was a ripe target for kidnapping (something which had occurred there on a few occasions.) It even had a psych ward complete with multiple layers of entry and padded rooms for the most special patients. Of course, it also had a huge pharmacy internally which was a viable concern as well.

All that simply means we had lots of security. Armed guards stationed at doors plus roving patrols via vehicle, bike and foot – we were focused on security. Except we had plenty of vulnerabilities as well. For example, it was easy to get an ID for access to places you may not need to be but we lacked multiple authentications, partly by design as a hospital must also be customer friendly since it has hundreds of guests daily, most of which are honest people simply there to see loved ones. Balance is clearly key there.

I went from working there to the refineries on the Houston Ship Channel, a place where visitors weren’t as common nor security as lax. We were checked multiple times in our way into those facilities and rightfully so since bad actors there can cause serious problems very quickly. My job there was part of the instrumentation team tasked with the installation of industrial process control devices – the gadgets that open and close valves remotely via computer technology – another security concern since those devices can be hacked by nefarious means. We placed great emphasis on ensuring everything was in order although, in fairness, the cybersecurity side of things we see today for ICS wasn’t as great a concern then.

While working in one of those refineries, standing high in the “racks” of a petcoke unit we were building, I pointed out toward the ship channel where a crude tanker was moored alongside the berth and told a coworker, “See those ships? I’m going to work on them!” With a cautious gaze and a curious drawl, he replied, “What are you going to do on them?” to which I said, “I don’t know but something!”

He laughed, and rightfully so considering how I had no clue what I was talking about, but sure enough a few months later I was hired into the maritime shipping agency business as an agent, something I have now been doing for over 23 years. And little did I know then how much more intricately involved in security I would become. 

As agents, we play a pivotal role in every port call for ships calling berths to perform cargo operations, part of which includes being the gatekeeper for access to those vessels. Every person seeking to visit the ship must go through the agent for permission to do so – that includes vendors, technicians, surveyors and even the owners of the ship itself – all are vetted and approved by the agent before gaining access to the ship. The agent is the trusted stakeholder who communicates with the United States Coast Guard, Customs officials, the terminal security department and any other regulatory authority tasked with protecting that vessel and the facility at which she is calling. 

While that job has always been important, it became even more so after 9/11 when we saw how vulnerable our trusting nation had been. In short order we saw a massive shift in policies dictating how persons could gain access to critical infrastructure, which includes all marine and energy facilities on our waterways. Overnight, agents were tasked with an ever more vital responsibility of ensuring any visitors had been thoroughly vetted as known persons with needful attendance for that particular vessel. It wasn’t enough that I knew you as a legitimate participant of the maritime community, rather I needed evidence that you had an approved purpose for being on that ship. No more going on board a ship to say hello to the Master and eat lunch, if he was not expressly expecting you for known business, then you weren’t getting on the gatelist! New day, new rules!

Everybody didn’t like it. I didn’t like it either. Way more work for me and our agents. But it was requisite to comply with a higher standard of security. We couldn’t have random people getting through the gates and onto the ships. Or even people we knew really well randomly doing so.  Because once you got to the ship gangway, there was another list you had to be on and if the Master didn’t know you were coming, you’d get turned around and kicked out!

And this really brings about one of the first principles of security (and cybersecurity) which is the element now known as social engineering, that being this means of using deception to manipulate people into giving someone access or information that they shouldn’t have. Some crafty individual could easily exploit the vulnerabilities of the “old way” and get put on just about any gatelist for any ship anywhere – it wasn’t rocket science! 

Today even, lots of people could still gain access to many such places because of weaknesses in multiple systems but it isn’t nearly as easy as it once was. With the advent of TWIC cards and advanced levels of authentication, it’s arguably a lot more work to sneak onboard that it once was. And even if you do, nowadays the ship’s captain may have you arrested if he doesn’t recognize your legitimacy for being onboard his vessel – something he can do with a single phone call and rest assured, you won’t be able to escape unless you came quite prepared to swim a great distance very quickly!

So the industry has come a long way in the last 20 years and but we’re now seeing a new wave of security concerns, these are far more disingenuous and genius than their predecessors from yesteryear. We regularly get phishing attempts from would-be hackers that can penetrate our systems for underhanded efforts, some more cunning than others. No doubt the more bonafide con artists are using old-school methods to talk their way through checkpoints. But more concerning are the elusive and vile mechanisms used by the crafty pros who weave their way though firewalls and logins to gain control of computers and the systems they control. Those guys are our biggest concerns.

Today’s maritime industry faces a new wave of threats unseen by previous generations. A new type of pirate, one armed not with a sword but with supercomputers. Not identified by a storied eye-patch and a peg leg but instead unidentified because he looks like someone you know and trust. He doesn’t show up with a parrot on his shoulder but instead with an innocent looking USB thumb-drive. And when he takes over your ship, his attack won’t be by cannon but instead by cyber.

So my advice to the industry partners I know so well is this: respect him even if you don’t fear him. Know that he is real. Be certain that he is watching you even if you aren’t paying attention to him. He could be a few keystrokes away from taking command of your vessel. You may not have gold aboard for him to steal but he’s content with less calculated treasures; pride alone is sufficient for his pleasure. It’s a game to him but it’s reality for you.