Port Cybersecurity: Terminal Operating System Risks and Fixes

Container terminals, bulk handling ports and ferry terminals run on a tightly coupled stack of TOS, gate systems, crane and equipment control, RFID and port community systems. A compromise of any one cascades quickly. Here is the port cybersecurity threat picture and the fixes that move the needle.

Published 23 May 2026 | 9 min read | Codesecure Maritime Cyber Team | Maritime

Key Takeaways

  • TOS platforms (Navis N4, OPUS Terminal, CyberLogitec, KALEIDO and others) are the central nervous system of a port. A compromise affects yard moves, gate flow and customs declarations.
  • Crane and equipment PLC security sits at the IT/OT boundary. Modern terminals increasingly network these controllers for performance telemetry, exposing them to IT-side threats.
  • RFID gate systems often use cleartext UIDs that are trivially clonable. Replay attacks and gate-relay logic abuse are recurring findings.
  • Port community systems and customs integration carry sensitive cargo data and are commonly accessed by many external parties (carriers, agents, brokers, terminals) with mixed cyber maturity.
  • The ISPS Code increasingly has a cyber dimension. India's Major Port Authorities and most international peers expect cyber evidence as part of port security planning.

The Port Digital Landscape

A modern container terminal runs a tightly coupled digital stack: the Terminal Operating System (TOS) that plans and executes every yard move, the gate system that manages truck and rail access, the crane and equipment control layer (PLCs, telematics, sometimes remote-operated cranes), the cargo manifest and EDI system that exchanges data with shipping lines and customs, the port community system (PCS) that integrates the broader port ecosystem, and the layer of carrier portals, freight forwarder integrations and customs declaration channels that connects the port to its external counterparts.

Each of these is networked. Many were originally designed as IT systems running on enterprise networks; their integration with crane controllers, RFID readers and PLC-based equipment puts them on an IT/OT boundary where the threat models of both worlds apply. A port is, in 2026, a digital factory with the physical consequences of a cargo terminal.

Recent high-impact incidents internationally (port operators hit by ransomware that forced terminal closures, terminal operating system disruptions causing days of yard backlog, gate system outages causing kilometres of truck queues) show that cyber events at ports translate quickly and directly into physical and economic consequences.

TOS Vulnerabilities and Hardening

The TOS is the centre of gravity. Common platforms in India and the wider region include Navis N4, Octopi, CyberLogitec OPUS Terminal, KALEIDO Logistics, and several smaller proprietary systems. They are typically web-based or thick-client applications backed by enterprise databases, integrated with the PCS, customs, gate, crane and equipment layers through a mix of standards (EDI 315, EDI 322, UN/EDIFACT) and vendor-proprietary APIs.

Recurring TOS findings in our engagements: default or rotating-but-shared vendor support credentials retained on production, missing role-based access enforcement allowing operator-level users to perform supervisor-level actions, BOLA (Broken Object Level Authorization) across terminal IDs in multi-tenant TOS deployments where one shipping line can query another line's cargo, weak segregation between the TOS database and the PCS database, and a history of unpatched CVEs in the application server stack underneath the TOS.

Hardening priorities: rotate and uniquely scope all vendor support credentials with rotation logging, enforce role-based access with quarterly review, segment the TOS database from peripheral integration databases, run an annual TOS-specific pentest (Codesecure does this with vendor-aware test plans), and put the TOS on a managed patch programme even where the vendor releases patches on an unfamiliar cadence.

Crane and Equipment Control Security

Quay cranes (STS), yard cranes (RTG, RMG), straddle carriers, reach stackers and terminal tractors are increasingly equipped with networked control systems and telemetry. Modern STS cranes have PLC-based control loops, vendor remote diagnostic access for the OEM, and operational telemetry sent to the TOS for productivity monitoring. Remote-operated cranes (in use at some Asian ports) take this further, with the operator console physically remote from the crane itself.

The OT threat model applies. Crane PLCs were not designed against a hostile internet, vendor remote access creates a persistent inbound path, and the convergence point with TOS is a typical attack surface. A compromise of crane control has direct safety consequences (load swing, collision with stack, drop of container) and operational consequences (forced stop of all crane moves on the affected berth).

Recommended controls follow IEC 62443 zones-and-conduits methodology: place crane control in its own zone, gate vendor remote access through a controlled jump host with session recording, restrict telemetry to one-way flow where the architecture allows, and run independent verification of vendor patch claims.

RFID Gate Systems

Gate systems control truck and rail access to the terminal. They typically combine RFID tags or proximity cards (for vehicle or driver identification), optical character recognition for licence plates and container numbers, weighbridge integration, and gate-operator workflow that issues entry permits and routes vehicles within the terminal.

Common gate system findings: RFID tags using cleartext UIDs that can be cloned with a low-cost Proxmark or similar reader, allowing one truck to impersonate another at the gate; replay attacks on the gate workflow that authorise a vehicle for entry without a valid permit; weak coupling between the gate authorisation and the cargo manifest check, allowing edge-case manifest manipulations; and gate-operator terminals with shared accounts and weak logging that defeat after-the-fact attribution.

Hardening: migrate RFID to authenticated tag formats (MIFARE DESFire with diversified keys, or similar) on a phased replacement cycle, harden gate operator workstation accounts, integrate gate events into the SIEM, and run a targeted gate-system pentest as part of any annual port engagement.
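Once gate events reach the SIEM, cloned or replayed tags can be surfaced with simple stateful rules. The sketch below is an added example, not Codesecure's tooling; the event layout, tag UIDs, plates and enrolment register are constructed for illustration.

```python
# Constructed sample gate events (not from a real terminal):
# (ISO timestamp, gate, direction, tag UID, plate read by OCR)
EVENTS = [
    ("2026-05-23T08:00:05", "G1", "IN",  "04A1B2C3", "TN01AB1234"),
    ("2026-05-23T08:40:10", "G3", "OUT", "04A1B2C3", "TN01AB1234"),
    ("2026-05-23T09:02:00", "G1", "IN",  "04D4E5F6", "KA05CD5678"),
    ("2026-05-23T09:15:30", "G2", "IN",  "04D4E5F6", "KA05CD5678"),  # second IN, no OUT
    ("2026-05-23T09:20:00", "G1", "IN",  "04A1B2C3", "MH12EF9999"),  # plate differs
]

# Hypothetical enrolment register: the plate each tag UID was issued to.
ENROLLED = {"04A1B2C3": "TN01AB1234", "04D4E5F6": "KA05CD5678"}


def detect(events, enrolled):
    """Return (rule, uid, timestamp) alerts for clone and replay indicators."""
    alerts = []
    inside = {}  # uid -> timestamp of the IN event that has no matching OUT yet
    # ISO 8601 strings in one format sort chronologically.
    for ts, gate, direction, uid, plate in sorted(events):
        if uid not in enrolled:
            alerts.append(("unknown_tag", uid, ts))
            continue
        # A cleartext UID proves nothing about the vehicle, so cross-check
        # it against the independent OCR plate read.
        if plate != enrolled[uid]:
            alerts.append(("plate_mismatch", uid, ts))
        if direction == "IN":
            # Same tag entering twice without leaving: a clone or a replay.
            if uid in inside:
                alerts.append(("double_entry", uid, ts))
            inside[uid] = ts
        else:
            if uid not in inside:
                alerts.append(("exit_without_entry", uid, ts))
            inside.pop(uid, None)
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, ENROLLED):
        print(alert)
```

These rules only flag misuse after the fact; moving to authenticated tags is what removes the cloning path.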

Cargo Manifest Data and PCS

Cargo manifest data is high-value and high-sensitivity. It identifies shippers, consignees, commodities, values, vessel and voyage, and routing detail that is commercially sensitive and (for certain commodities) regulator-sensitive. Manifest data flows between the shipping line, the terminal TOS, the port community system, the customs declaration channel, the port authority, and downstream partners.

Port community systems (PCS) are the integration backbone. In India, several major ports operate PCS instances (often through the Indian Ports Association PCS or terminal-specific equivalents); internationally PortNet (Singapore), Portbase (Netherlands), MIC (Germany), Tradenet (UK), and many others are dominant. PCS platforms expose APIs to dozens of external parties of varying cyber maturity. BOLA across organisations, API key reuse, weak authentication on legacy endpoints, and over-permissive role assignments are recurring findings.

Mitigations: API-level authentication and authorisation review, BOLA testing per organisation boundary, key rotation and audit, integration with terminal SIEM for cross-system event correlation, and tabletop exercises that include a PCS-originated incident as a scenario.
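The BOLA finding described for multi-tenant TOS deployments and for PCS APIs, and the per-organisation test that catches it, can be shown in a few lines. This is an added example, not code from any TOS or PCS product; the record layout, API keys, the `terminal_ops` role and the policy in `may_read` are assumptions.

```python
# Constructed manifest records keyed by booking reference; "org" is the owner.
MANIFESTS = {
    "BKG-1001": {"org": "LINE-A", "commodity": "auto parts"},
    "BKG-1002": {"org": "LINE-B", "commodity": "pharmaceuticals"},
    "BKG-1003": {"org": "LINE-A", "commodity": "textiles"},
}

# Hypothetical API callers: key id -> organisation and role.
CALLERS = {
    "key-a": {"org": "LINE-A", "role": "carrier"},
    "key-b": {"org": "LINE-B", "role": "carrier"},
    "key-t": {"org": "TERMINAL", "role": "terminal_ops"},
}


def may_read(caller, rec):
    """Assumed policy: owners read their own cargo; terminal ops read all."""
    return caller["role"] == "terminal_ops" or rec["org"] == caller["org"]


def get_manifest_weak(caller, ref):
    """Authenticated, but never checks who owns the record (BOLA)."""
    return MANIFESTS.get(ref)


def get_manifest_checked(caller, ref):
    """Object-level authorisation on every lookup."""
    rec = MANIFESTS.get(ref)
    if rec is None or not may_read(caller, rec):
        return None  # same answer as "not found", so references do not leak
    return rec


def bola_matrix(handler):
    """Try every caller against every record; return (leaks, wrongly_denied)."""
    leaks, denied = [], []
    for key, caller in sorted(CALLERS.items()):
        for ref, rec in sorted(MANIFESTS.items()):
            got = handler(caller, ref) is not None
            if got and not may_read(caller, rec):
                leaks.append((key, ref))
            elif not got and may_read(caller, rec):
                denied.append((key, ref))
    return leaks, denied


if __name__ == "__main__":
    print("weak:   ", bola_matrix(get_manifest_weak))
    print("checked:", bola_matrix(get_manifest_checked))
```

Running the matrix in both directions matters: a fix that blocks legitimate terminal access will be rolled back in production, so wrongly denied pairs are reported alongside leaks.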

IT/OT Convergence in the Terminal

The defining architectural challenge for port cyber in 2026 is IT/OT convergence. The TOS is an IT system. The cranes and equipment are OT systems. The integrations between them, plus the shared use of vendor remote access, plus operator workstations that have visibility into both, create a single security domain in practice even when the org chart pretends they are separate.

Recommended approach: apply IEC 62443 zones-and-conduits across the entire terminal, treat the TOS plus IT environment as one zone tier, the crane and equipment control as a separate zone tier, and gate the conduits between them with documented allow-lists and logging. Vendor remote access (TOS vendor, crane OEM, gate vendor, RFID vendor, satcom vendor for any ship-side integration) goes through a single hardened jump host with session recording. Terminal SIEM ingests events from both sides so cross-boundary attacks are visible. This is exactly what BIMCO recommends for vessel networks; the same model applies to terminals.
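A documented conduit allow-list is only useful if observed traffic is checked against it. The following added example (not part of the original article or of IEC 62443 itself) audits flow records against such a list; the zone names, address ranges, ports and flows are all constructed.

```python
import ipaddress

# Hypothetical zone plan (constructed private and documentation ranges).
ZONES = {
    "it_tos":   ipaddress.ip_network("10.10.0.0/16"),
    "crane_ot": ipaddress.ip_network("10.50.0.0/16"),
    "jump":     ipaddress.ip_network("10.99.0.0/28"),
    "vendor":   ipaddress.ip_network("203.0.113.0/24"),
}

# Documented conduits: (source zone, destination zone, destination port).
CONDUITS = {
    ("crane_ot", "it_tos", 8883),  # telemetry, one-way from cranes to the TOS
    ("vendor", "jump", 443),       # vendor access terminates on the jump host
    ("jump", "crane_ot", 3389),    # recorded sessions from jump host to cranes
    ("jump", "it_tos", 22),
}


def zone_of(ip):
    """Map an address to its zone name, or 'unknown' if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def audit(flows):
    """Return (src zone, dst zone, port) for flows with no documented conduit."""
    findings = []
    for src, dst, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz and sz != "unknown":
            continue  # intra-zone traffic is outside the conduit review
        if (sz, dz, port) not in CONDUITS:
            findings.append((sz, dz, port))
    return findings


# Constructed flow records: (source IP, destination IP, destination port).
FLOWS = [
    ("10.50.1.20", "10.10.4.5", 8883),    # telemetry over its conduit
    ("203.0.113.7", "10.99.0.4", 443),    # vendor to jump host
    ("203.0.113.7", "10.50.1.20", 3389),  # vendor straight into the crane zone
    ("10.10.4.5", "10.50.1.20", 502),     # TOS host reaching a crane controller
    ("10.10.4.5", "10.10.9.9", 1521),     # intra-zone
]

if __name__ == "__main__":
    print(audit(FLOWS))
```

Because the telemetry conduit is listed only in the crane-to-TOS direction, any flow in the reverse direction is reported, which is how the one-way requirement is enforced in review.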

ISPS Code and Supply-Chain Risk

The ISPS Code (International Ship and Port Facility Security Code) traditionally focuses on physical security at ports, but the cyber dimension has been increasingly integrated through national interpretations and IMO guidance. India's Major Port Authorities Act 2021 and subsequent guidance have introduced cyber expectations into port security planning. Internationally, the IMO is working on more explicit cyber integration into ISPS in coming revision cycles.

Beyond regulatory drivers, supply-chain risk is now operational. A compromise at a port has cascading effects on shipping lines, freight forwarders, customs brokers, importers and exporters. Pre-arrival cyber assurance from carriers, vendor cyber attestation from major TOS and equipment suppliers, and incident-sharing across the port community are emerging as standard practice in mature port ecosystems.

Codesecure works with port authorities and terminal operators to deliver ISPS-aligned cyber programmes, integrate cyber into the port security plan, and structure supply-chain assurance for upstream and downstream partners. Engagements range from a single-terminal cyber assessment to a multi-terminal port-wide programme.

Frequently Asked Questions

How does port cyber differ from vessel cyber?

Ports are fixed infrastructure with always-on connectivity, deeper IT/OT integration in a single physical site, and a wider set of external partners. Vessels are mobile, intermittent in connectivity, and operate with smaller on-scene response teams. The technical methods overlap; the operational realities differ significantly.

Are the BIMCO Guidelines applicable to ports?

BIMCO Guidelines are written for shipping companies, not ports. However, the principles (risk assessment, segmentation, vendor management, response and recovery) translate well. Port operators often adapt BIMCO for their own use or combine it with IEC 62443 and the IAPH cyber security guidelines for ports.

Do you do TOS-specific penetration testing?

Yes. Codesecure runs Navis N4, OPUS Terminal, KALEIDO, Octopi and other TOS-specific pentest engagements with vendor-aware test plans. We test the application surface, the database layer, the role-based access enforcement, and the integration boundaries with PCS and customs. Reports map findings to ISO 27001 Annex A and IEC 62443 where OT components are in scope.

What about port community system risk?

PCS platforms are tested as multi-tenant API-driven applications. Standard OWASP API Top 10 methodology applies, with explicit attention to BOLA across organisation boundaries, key rotation and audit, and the trust assumptions between PCS and the customs declaration channel. We also test the integration patterns used by carriers and forwarders.

Are Indian Major Port Authorities subject to cyber requirements?

Yes. The Major Port Authorities Act 2021 and subsequent guidance from the Ministry of Ports, Shipping and Waterways have introduced cyber expectations into port security planning. NCIIPC may classify certain port operators or systems as critical infrastructure, triggering additional obligations. Codesecure supports Indian ports through assessment, gap closure and audit preparation.

How long does a port cyber assessment take?

A single-terminal cyber assessment typically runs 4 to 8 weeks including stakeholder workshops, system inventory, technical testing of TOS, gate and PCS, OT walkthrough on crane and equipment control, and reporting. Multi-terminal port-wide programmes run as phased engagements over 3 to 9 months.

Codesecure Maritime Cyber Team

OSCP / IEC 62443 / Maritime OT Practitioners

Codesecure Solutions is ISO/IEC 27001:2022 certified and delivers maritime cyber risk assessments, IMO 2021 SMS integration support, BIMCO gap assessments, vessel and port OT penetration testing, and ship-to-shore SIEM design. Named consultants with OSCP, IEC 62443, and hands-on bridge-system experience. Engagements delivered across India, Singapore, UAE and the Middle East.

✓ ISO/IEC 27001:2022 Certified

Secure Your Port Before The Next Ransomware Headline

Codesecure delivers port and terminal cyber assessments, TOS pentests, OT walkthroughs and ISPS-aligned programmes for port authorities and terminal operators across India and the Middle East. ISO/IEC 27001:2022 certified delivery, named consultants, fixed-price proposals.