1. Home
  2. articles
  3. interview about cybersecurity and it jan waas hutchison ports

Interview about Cybersecurity and IT with Jan Waas (Hutchison Ports)

This Interview is with Jan Waas, CIO at Hutchison Ports

Portrait J. Waas

Could you introduce yourself and explain what your role is as CIO at Hutchison Ports?

I am Jan Waas. I started working in the container terminal industry in the 1990s in Rotterdam, at the terminal called ECT. I started there at, you could say, one of the predecessors of AI, called Operation Research Department, which was a mathematical department working on the automation of the terminal. ECT was one of the first terminals that automated the terminal to what they call full automated terminal in the 1990s. From there, I always worked in the IT mostly developing new terminals and when ECT was acquired in 2000 by Hutchison Ports, I started reporting to the CIO here in Hong Kong. When he retired, I took over his role. So, since then I'm the Group CIO responsible for the overall Hutchison Ports IT.

Hutchison ports is part of CK Hutchison Holdings. CK Hutchison Holdings owns different companies like Watson, Kruidvat, ICI Paris but also Telco business. So therefore, very well known in Asia and Hong Kong, but also in other countries.

Hutchison Ports itself operates, in 24 countries, where we have 53 terminals. Currently we're mostly developing terminals in the Middle East including Egypt and Saudi Arabia, but we also have terminals in Europe, Mexico, Australia and around Asia. So we are a global operator. Of course with that, a lot of IT is involved. We have a strategy to automate our terminals, by moving the physical work to office work. We are introducing a lot of remote control for our big harbor cranes, but also autonomous trucks.

What is the biggest challenge that you are encountering with IT and automation of your processes? And how are you trying to tackle this?

Well, the IT matured significantly over time. I recall in the old days when we did projects, IT was always on the critical path, and it was always costing two, three times more and delivering less. But I think that's changed the last 10 years, IT is now less of a concern. The IT is always ready before the terminal is operating, and within the set budget and timeline. So that's one of the things that, matured a lot in the recent years.

One of the big challenges that we encounter is the integration of different systems. We have a lot of emerging systems including those from vendors, such as autonomous trucks. The biggest challenge is ensuring that all the components from end-to-end work together simultaneously. We see that moving a container from A to B smoothly still contains some challenges when looking at the exceptions. So basically, running a normal process isn’t an issue. But what if something happens? So something goes wrong, wrong information, something breaks down. Most of our effort and time is on the development of the exception in the system itself. So, one of our strategies is to standardize and to make sure that the exception is is basically managed in a standard manner.

What kind of backup plans do you have in case your standard system fails or doesn't work?

There are two different levels of backup processes. The first is the regular backup, which is very known in the IT industry. For instance, if your data center breaks down or there is a flooding or a fire, your data is backed up every 24 hours. However, with the emerging cyber risks and malware, we created a recovery program, which entitles that we can recover within 24 hours with only 15 minutes data loss. This is completely different from the old days when there was an average loss of 12 hours of data - too much for an automated terminal handling thousands of transactions.

Do you encounter a lot of digital threats like malware attacks?

We had some issues over time, where in one case a terminal was hacked. This was an opportunity to test our strategy. It took a little bit longer in real life, but we recovered from it according to plan. For most countries, we are part of the strategic infrastructure of country, because the ports that ensure the flow of goods, is one of the things that needs to keep on running. Therefore, we fall in the high cyber security risk entities of a country. So that's why we have close contact with most governments and they request us to comply with different standards that actually is part of our strategy.

As you must comply with different standards for every government, do you keep a global strategy or does the strategy differ per country?

In general, most governments follow the same standards, So we try to also standardize that as much as possible. I think the biggest difference, is that sometimes countries want their data to be kept in the country itself. But it's a little bit hard for us, because the question is, what's your own data? If I put my mail server in the country, but I still send emails around the world, it goes through so many hubs and it gets stored at so many places that it's almost not always clear what your own data is. In general, we could say, everybody uses the same standards, but there are some nuances.

How do you mitigate the risk of malware attacks?

In IT security, we focus on three levels. There is the preventive side of it, meaning that we work hard on keeping our systems up to date through batch and vulnerability management. With a big entity, there's a lot of systems to keep it running, so that's almost a daily task for everybody. Then the other part is that we phase out end of life systems which are not supported anymore, , which sometimes from bigger systems, can be a challenge due to many legacy that you need to take care of. Then, in terms of architecture, we do a lot in what we call secure by design. So if we develop new terminals, we implement security from the ground up to protect against vulnerabilities present in older, more open systems.

More on the control side is that what they call the SIEM, which is basically a process that looks at all the log files and makes sure that you proactively see and act on abnormalities in your system. So if somebody knocks on your door, somebody tries to break in, that you can actually see it in your log files. And then on top of that, depending on the size of the terminal, we also have a SOC (security operation center), that monitors the networks and the systems in real life.

Finally, the recovery part is crucial. So, if an incident occurs, we must make sure that we can recover quickly.

How does Hutchison Ports use AI to make operations more efficient?

AI, for us, is a new definition of something that, to a certain extent, was already there. And then I mean the machine learning, the more mathematical part of the AI. We already had systems that specialize in tasks such as reading data, contain the numbers, scan for damage, and our autonomous truck uses AI. Generative AI is based on probability but in our industry, we require a 10 out of 10 accuracy. As we operate in a B2B market with ‘well-defined’ processes, the potential benefits of generative AI are different compared to the consumer side for businesses.

So, Gen AI to certain aspects of our business can be very helpful, like in chat bots, reporting, testing, training, and any other document heavy process. In that sense, the AI, will be used more on the administrative side, where there is an improvement to be gained, more convenience. Of course, we use it in our software development as well because you can generate a lot of work with the AI in that sense.

Could you explain how you use machine learning for your automation processes?

Mostly it's still used for improving documentation processes in our outer gates, where we use it for recognizing license plates and container numbers. In addition, almost 80% of the communication relies on electronic data interchange (EDI), a message protocol which is used in the industry for years. On top of that, there's also email communication for updating information and there we use machine learning to understand the email better and to get the data out of the PDF. So it's basically pretty standard stuff, just understanding documents, understanding information that's sent to you, and try to automate that in a manner such that people only have to focus on the exceptions rather than routine tasks.

Do you see a future with AI in your operations?

Yes, we're looking at it. One of course, is the autonomous trucks which they run themselves, and basically use AI to navigate around the terminal. And what we also look at is to find a way to use the more the mathematical part of AI for routing and stacking. We try to solve questions like How do we stack containers? How do we maximize our output with minimal resourcing (also supporting our EGS targets to lower energy consumption)? So, AI can be used as a supportive system.

Are you surprised by the launch of Deep Seek?

No, I am not. If it's DeepSeek or somebody else, it was bound to happen. If a company has a high margin other companies will jump in and try also to get a piece of the pie and do it cheaper. In my 35 years in IT, it always starts with a high pricing, and then it will go down because it’s very scalable and easy to gain your market. The moment you put something in App Store, you have billions of users so that's why this industry is also flourishing. Look at Netflix for example, if you just ask a small amount of money, you gain a lot of consumers. The network effects of these kind of things are huge. So the price will go down. It will be faster and more free. It's almost an automatic given.

What advice would you give to small and medium enterprises that want to enhance their cybersecurity but have not yet implemented a system or lack a clear understanding of how to start?

Well, I have analyzed many incidents in the world, specifically the non-Pattaya attack in 2017 which attacked one of our biggest liners in the industry as well as others. It comes down to the fact that to a certain extend organizations are aware of the need for updates and security measures but because of time constraints are not able to undertake the necessary actions to protect themselves.

The first thing is to always know what you have running. It’s a very simple question, but sometimes hard to answer. How many systems do you have? What software are you running?  Secondly, is to keep your systems up to date and keep it up to date!

Then the other thing is, to protect your system. First it is important to focus on network segmentation. You can compare it with entering this building. You need a key pass to get in here, but you can't access the other floors. In IT, sometimes all the floors are open, and everybody can access everything. By implementing network segmentation, you can protect different levels of data.

Second, I would advise lowering your attack surface, which means your exposure to the outside world. Sometimes, for old running systems, they even don't know which systems are running and what is open. So you need to first make sure that this process is running, because you can put a lot of protection outside and put a lot of locks on your door, but if your window to the backside is still open it doesn’t protect you. If you have a complete view of what you're doing and keep your things up to date, then you're already at 80% of where you should be.

Ofcourse, it also comes with good password protection, MFA, that is for most of the companies already good enough. On top of that, you can introduce endpoint security, which might be the most important part of your protection if you're a small business unit, as most attacks will come via the individual employee, and it is relatively affordable.

What is endpoint security?

Endpoint protection is protection on the machine itself, so on your laptop, your PC, or on this device. We know that the attack mostly comes from the outside to you as an individual via phishing or social engineering. For example, they find your email somewhere on the dark web where you use a password which you reused for your company.

How do you make sure that all the employees are aware of this risk?

Nowadays we receive attacks through bulk emails where someone pretends to be our CIO or CEO and try to get some money. Still many people click on these kinds of links. So, we give risk awareness training. Once every year, they must do a compliance training, which includes IT and cyber risk awareness. We also conduct phishing test ourselves by sending simulated phishing emails containing nice offers or alarming message to test employee reactions. If an employee clicks on a phishing link, they are automatically signed up for a retraining.

How do you see the industry in 5 to 10 years?

Our industry relies heavily on physical infrastructure like ports, where buildings new facilities is time consuming and complex. On top of that, is the equipment itself, which has evolved from purely mechanical to highly computerized systems. A crane nowadays is almost a computer with some physical aspects on it. This means that the engineering department needs to adapt as well as a greater focus on the Operational Technology (OT) security. More and more IT will be on the machine, and people will move remotely, as they can operate these machines from distance. The whole industry will also become more sustainable due to the use of electric vehicles.

However, we still deal with legacy systems which requires us to have an evolutionary approach. You can’t just change the whole terminal in one go. There's a lot of money involved and we run 24 hours, 365 days a year. I always say, if we have to change something, we have to change the engines during flight. How do you maintain the engine during flight? It's a different way of looking at things. So that's why we do a small steps evolutionary approach. Eventually, the industry will be more efficient, sustainable industry and remains a part of the supply chain.

Do you experience a lot of competition in the industry to innovate and become more efficient?

The market operates on a business-to-business basis and given the limited ports in the world it takes time to enter. You can't just start a new terminal tomorrow. But of course, there is significant potential for improving productivity, developing more service-oriented processes and improving end-to-end logistics, like tracking the container throughout the entire supply chain.

We collaborate with partners like Global Shipping Business Network to interchange information and transactional data on the blockchain, automating these that process. For instance, some physical documents are still required for customs and tax authorities. Digitalizing the entire end-to-end process is the next step in our industry.

Do you have some last advice you want to give the readers?

The biggest challenge in the IT industry is to embrace change. Change is essential to move forward and keep growing. The other thing I always tell it's not so much to forsee the future, but more to enable it. With the latest technology, sometimes the opportunities arise along the way, and you can't always predict it. We were an early adaptor of the cloud and O365 which in these early years wasn’t easy, but then COVID happened, and we were ready for work from home and Zoom/Teams meetings which are now common ground. The same for the use of the AI capabilities, if we hadn’t made that move years earlier, we would have faced significant challenges. Ultimately, it’s all about adopting change, taking small steps and keep an open mind.