A joint effort is needed to prevent the unprecedented attack on Transnet's port operating systems becoming the new normal.
On 22 July, the first reports emerged that Transnet, a South African state-owned enterprise, was experiencing problems with its information technology (IT) networks. Transnet manages the nation's rail, port and pipeline infrastructure. The disruption primarily affected operations in several container terminals, interrupting cargo movement. Four days later, Transnet confirmed it had suffered a cyber attack.
This attack is unprecedented. Since the start of the COVID-19 pandemic, the number of cyber attacks has been increasing worldwide and in South Africa, inflicting financial losses across the manufacturing, banking and energy sectors. South Africa's critical infrastructure has been targeted before, with minor impact. The recent incident was the first time the operational integrity of the country's critical maritime infrastructure has suffered a severe disruption.
Transnet is yet to provide details on the exact scope of the intrusion, but the impact seems widespread. Media reports indicated that the container terminals at Cape Town's harbour stopped functioning and that port authorities were manually recording the movement of vessels in and out of the ports.
Most importantly, the container-handling facilities at Durban's port were affected, significantly increasing logistical congestion. Durban hosts the busiest container port in sub-Saharan Africa, handling around 60% of the country's container traffic. The port is also a vital logistics hub for the region, moving raw material exports from Zambia and the Democratic Republic of the Congo.
The cumulative impact of the attack will surely cause long-lasting damage to the economy, further undermining South Africa's economic recovery from the COVID-19 pandemic. Yet the actual severity of the incident is hard to estimate, leaving experts to speculate about its nature, scope and consequences.
Two impediments may prevent Transnet from openly sharing the details about what happened. First, the fact that this attack targeted critical infrastructure elevates it to a matter of national security, so public information would be limited. Second, it may be a matter of legal responsibility. It's common for companies affected by cyber attacks to either limit information about the incident or conceal it if possible to avoid reputational damage.
Increasingly, customers now also seek compensation for losses from service providers whose businesses are disrupted by cyber attacks. A few days after the incident, Transnet declared force majeure across all its container terminals in a move probably taken to absolve itself of liability in line with these concerns.
The number of similar incidents across Africa will probably increase as maritime ports seek to increase efficiency and effectiveness through digitalisation. In this context, transport infrastructure, especially harbours, presents a lucrative target for cyber criminals or other hostile actors due to the scope of operations and the many stakeholders involved.
For instance, Kennewick's port in the United States was hit with a ransomware attack in 2020, disrupting its operations. Hackers accessed the port's server and demanded a ransom of US$200 000 to restore access to data, which the port refused to pay. Criminals may also exploit vulnerabilities to steal or conceal cargo. In 2011, the Port of Antwerp in Belgium was targeted to carry out and conceal a drug trafficking operation.
Harbours can also endure collateral damage as part of other assaults. In 2017, NotPetya malware - an attack that initially targeted Ukraine's critical infrastructure - ended up infecting the IT systems of Maersk and other companies across all sectors. In the case of Maersk alone, the functioning of 76 Maersk port terminals worldwide was affected.
In the Transnet instance, it seems the attack has disrupted the Navis container operating system, which helped optimise the releasing and accepting of containers. A manual process that was put in place requires a shipper to submit a physical copy of necessary documents instead, which must be checked and processed. This inevitably limits the efficiency of port operations and extends the cargo dwell time and backlog.
The attack comes at the worst possible time for South Africa. The country is recovering from the impact of widespread politically driven unrest in July that paralysed port operations at Durban and Richards Bay for over a week. The timing of the attack raises suspicions that it may be linked to the insurrection, although authorities believe the two events aren't connected.
The longer-term consequences of the disruption will be more damaging. Transnet and South Africa cannot afford a prolonged crisis or a slowdown in port operations. A 2020 decision to close harbours due to COVID-19 lockdowns was promptly overturned by the Department of Transport when regional exporters considered alternative export routes. South Africa is responsible for delivering goods to many of its neighbours, so the regional impact and national interests of other states are also factors.
The disruption also undermines President Cyril Ramaphosa's commitment in May 2021 to a R100 billion infrastructure development project to make Durban the best functioning port in Africa. With some ships already diverting from Durban to other ports, South Africa will have to contend with growing competition from more attractive regional hubs such as Walvis Bay in Namibia.
Attacks on critical infrastructure, including maritime ports, are likely to increase in severity and quantity. The economic toll for African states will inevitably be high, which means that measures to boost cyber security and protect infrastructure are vital.
South Africa's recent Cybercrimes Act is an excellent first step to mitigating digital attacks and intrusions. The law identifies the South African Police Service (SAPS) as the leading agency to coordinate investigations, and it now needs to be adequately capacitated to do so. Implementation also requires the Department of Transport, SAPS, Transnet, private stakeholders and cyber experts to work together. And South Africa's future National Maritime Security Strategy also needs to cover cyber security.
In short, ports are attractive targets that are vulnerable to cyber attacks. Unless South Africa urgently improves its port cyber infrastructure security, economic disruptions of this sort may become the new normal.
Denys Reva, Research Officer, Peace Operations and Peacebuilding Programme, ISS Pretoria
This article is funded by the government of Norway.