AAPA Seaports
It may be idealistic, but total port security is the goal. Ports aim to reduce vulnerabilities and mitigate intrusions and impacts of every type. It is an ever-changing challenge, as threats come in new and different forms. Fortunately, best practices can help a port navigate the changes.
From Physical to Cyber
Today’s ports recognize that they operate in both a physical and cyber realm, with extensive interdependencies across domains. Port security is always improved when there is situational awareness of both realms and their overlaps: Vulnerabilities don’t stop at locked doors or firewalls.
Port security was ramped up in the U.S. following the tragic events of September 11, 2001, but at the time, many of the improvements were related to physical security. Less than two decades later, the focus shifted toward cybersecurity. Security budgets for fencing and cameras and boots on the ground are still foundational, but more ports are deploying digital technology, artificial intelligence, and cybersecurity methods.
A Strategic Imperative
Max Bobys is vice president and practice leader for HudsonCyber. He said cybersecurity is an imperative for ports because cyber risks “can impact a port’s reputation, its operations, financial performance, and its legal and/or compliance posture.”
The same can be said of physical security. That means executive management and board members often have inherent legal and regulatory oversight obligations to manage all a port’s security risks.
“Since a port’s board is accountable to investors, and/or taxpayers, for its overall financial and operational viability, it’s incumbent on the Board to ensure that adequate resources are provided to appropriately manage a wide range of cyber [and other security]risks,” Bobys said. He recommends that port boards and commissions take responsibility to provide the necessary oversight and governance to ensure that security is effectively integrated into the organization’s overall risk management framework.
Top-level validation can help drive the success of physical and cyber port security initiatives.
The Intersection of Physical and Cyber Security
Physical and cyber security are not mutually exclusive. Mark Dubina is incoming chair of the AAPA Security Committee and vice president of security for Port Tampa Bay. He said the best port security addresses physical security and cybersecurity, as well as their convergence.
Dubina said that the current proposed U.S. Coast Guard rulemaking on the topic of cybersecurity, if adopted, calls for significant changes in the way many port authorities promulgate and implement security plans.
These changes begin with the professionals that manage these threats. “There are few instances where the [port’s] physical security manager and cybersecurity manager are one and the same person. In most cases these roles rest with different people within an organization,” said Dubina. The solution to disconnected silos of security knowledge, is to connect them.
“One best practice for encouraging this convergence is utilizing a joint assessment methodology,” said Dubina.
A port’s Facility Security Plan is based on assessments of its ability to deter and mitigate threats. The joint assessment methodology defines responsibilities and highlights the interdependencies of the disciplines. Rules for access to sensitive IT areas may be defined by IT/cyber management, but enforcement of those rules typically relies on physical security infrastructure. And the reporting of possible criminal activity almost always requires pre-planning between the facility security officer and IT/cyber manager.
At Port Tampa Bay, joint assessments were required to achieve accreditation from the National Maritime Law Enforcement Academy. “The program was supported by the CEO, Paul Anderson, and implemented by the IT and Security departments working together,” said Dubina.
Enhancing All Types of Port Security
The U.S. government supports port security in a multitude of ways. Federal agencies, like the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, have developed products to assist stakeholders across critical infrastructure.
The U.S. Coast Guard is the go-to agency. It takes the lead in developing regulations, guidance, and policy, seeking to enhance maritime security and to update resources. Each year, the Coast Guard conducts annual inspections of cyber and physical security at all ports.
Those inspections are important in identifying weak spots and celebrating achievements. In January 2024, the Maryland Port Administration’s Port of Baltimore announced that, for the 15th consecutive year, it received a top U.S. Coast Guard security assessment for its six state-owned, public marine terminals: Dundalk, Seagirt, North Locust Point, South Locust Point (including the cruise passenger terminal), Fairfield, and Masonville marine terminals.
Such inspections ensure compliance with federal security regulations and thoroughly review the port’s Facility Security Plan and its Cyber Security Annex. Recent installations of high mast lighting and fencing, stronger gate and fenceline conditions, additional signage, and other physical security equipment, coupled with heightened cyber security and access control initiatives, and the MPA’s closed-circuit television network have added to the MPA’s robust and effective security program. “Safely securing a major port is a team effort and we’ve got a great one at the Maryland Port Administration,” said MPA Director of Security Kathleen M. Pickett. She added, “We work in close collaboration with the Maryland Transportation Authority Police and Allied Universal to seamlessly ensure the safety of all who work at and visit the Port of Baltimore.”
The All-Hands-on-Deck Approach
Without collaboration, port security forces would be hard-pressed.
Kathleen Pickett took on the job of Director of Security for the MPA in mid-2023. After a three-decade career in policing, military policing, and corrections, she sees great value in collaboration, but not just with other law enforcement and first responders.
“There is something to be said about building good relationships with your port partners and tenants. Sometimes it means staying after work to go to their graduations or award ceremonies. Maybe it’s answering your phone on a Saturday to listen to their frustrations about another tenant or a process/procedure,” said Pickett.
She is a firm believer in being there for people in any capacity. “You can’t see everything, and you can’t be in several places at one time. Having loyal partners all over your port community, willing to let you know when something isn’t right, is a huge asset. I truly believe if you show up for people, they will show up for you,” she said.
Ports are built on relationships between members of supply chains and many other stakeholders. Security depends on those same relationships.
The All-Hazards Approach
Each year, the individuals and organizations that comprise a port encounter a variety of accidental and intentional threats. The purview of port security does not stop with physical and cyber security and their overlap. According to Dubina, it should encompass all the hazards the port community faces.
For example, “Weather events that endanger port facilities and dangerous cargoes all require security planning,” said Dubina. Coordination with other first responders assures that port personnel are aware of local capabilities and limitations. “While security professionals will not actually put out a large fire or contain a hazardous spill, they may be responsible for securing the scene in a manner that protects both security personnel and port users,” said Dubina.
In Florida, he gives a great deal of credit to Florida’s statutorily mandated Regional Domestic Security Task Forces for actively and effectively facilitating engagement between law enforcement, fire, emergency management, health agencies and key public and private sector partners.
Gearing Up for Emerging Threats
It is especially helpful to have a range of agencies and services and their diverse security-related skill sets and assets when untraditional threats pop up.
For example, a new concern for many ports is drone mitigation planning. While unmanned aerial surveillance platforms are used by many ports for surveys, photos, and other field work, “outside” drones are also entering port spaces. Unfortunately, their capacity for aerial surveillance and ability to attack or deliver payloads make them a potential threat to ports, as well as to any critical infrastructure. Drones are capable of accidentally or intentionally compromising physical security barriers.
Port Authorities and other critical infrastructure operators are discovering that their authority in combatting drone activity within their “air space” may be limited by law.
Dubina said that it is important that each port consider “planning internally for detection capabilities and/or partnering with other government agencies to develop an understanding” of the authorities and responsibilities related to drones of various local, state, and federal agencies.
Clarity is key in dealing with new threats and allowing “port security managers to begin the process of developing strategies for reporting and mitigating,” said Dubina.
Seeing the Whole Picture
The threat landscape continues to evolve. Security forces around the world are bombarded by new and different types of threats every day. Hubs of industry and people, like ports, will always need to be on their toes, whether faced with physical intrusions, cyber meddling, or other unsavory encounters.
There will always be those who will try to do harm, but port security skills and tools are advancing.
Working hard to see the whole picture is a good way forward. Pickett said, “I try hard not to jump to conclusions. I want to hear the whole story and gather all the facts before I sit down with my team and decide about a path moving forward.”
Port security threats come in different shapes and sizes, and while they may be ever-changing, they can be addressed and eliminated when best practices are in place.
