
Introduction:
Port Waratah Coal Services (PWCS) operates the world’s largest coal export terminal in Newcastle, Australia, handling over 96.5 million tonnes of coal annually across more than 1,100 vessels. As a cornerstone of the Hunter Valley Coal Chain—spanning 450km and connecting 35 mines to global markets—PWCS faces unique cybersecurity challenges at the intersection of operational technology (OT), maritime security, and enterprise IT. Recent third-party security assessments have revealed critical vulnerabilities in PWCS’s external attack surface, including missing security headers and exposed technology stacks, while internal initiatives have demonstrated the power of grassroots IT innovation in solving industrial problems. This article examines the technical lessons learned from PWCS’s security posture, cloud migration journey, and workforce development programs, providing actionable guidance for securing critical infrastructure environments.
Learning Objectives:
- Understand the security vulnerabilities common in industrial control system (ICS) and critical infrastructure environments, using PWCS as a case study
- Learn how to implement web application security headers (CSP, X-Frame-Options, HSTS) to protect external-facing assets
- Master the fundamentals of secure cloud migration from legacy on-premises platforms (SharePoint 2013 to modern intranet solutions)
- Develop practical skills in API security, access control, and maritime cybersecurity compliance (MSIC, MTOFSA)
- Apply Lean IT and citizen development principles to solve operational challenges through custom application development
You Should Know:
- External Attack Surface Hardening: Securing Web Applications and APIs
Port Waratah’s external security posture, as monitored by UpGuard, reveals several common but critical misconfigurations that plague many industrial organisations. The security rating of 802/950 indicates room for improvement, with specific findings that serve as a blueprint for hardening any public-facing web application.
Vulnerabilities Identified:
- X-Powered-By header exposed: Reveals specific technology (e.g., ASP.NET, PHP) that attackers can use to target known vulnerabilities
- X-Frame-Options not set to deny or sameorigin: Enables clickjacking attacks where malicious sites can frame the application
- No Content Security Policy (CSP) implemented: Increases risk of cross-site scripting (XSS) and data injection attacks
- X-Content-Type-Options not set to nosniff: Allows MIME type confusion attacks where browsers misinterpret file types
Step-by-Step Hardening Guide (IIS/Windows Server):
Step 1: Remove X-Powered-By Header (IIS)
Using IIS Manager: Select site → HTTP Response Headers → Remove "X-Powered-By"
Or via PowerShell:
# Remove the X-Powered-By custom header at the server level (run in an elevated PowerShell with the WebAdministration module loaded)
Remove-WebConfigurationProperty -Filter "system.webServer/httpProtocol/customHeaders" -Name "." -AtElement @{name="X-Powered-By"}
Step 2: Implement Security Headers via web.config
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <!-- Prevent clickjacking -->
      <add name="X-Frame-Options" value="DENY" />
      <!-- Prevent MIME sniffing -->
      <add name="X-Content-Type-Options" value="nosniff" />
      <!-- Enforce HTTPS -->
      <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />
      <!-- Content Security Policy. Note: 'unsafe-inline' in script-src re-enables inline script execution
           and so weakens the XSS protection this header provides; drop it once inline scripts are moved
           to files or carry a nonce. -->
      <add name="Content-Security-Policy" value="default-src 'self'; script-src 'self' 'unsafe-inline' https://trusted.cdn.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; connect-src 'self' https://api.pwcs.com.au" />
    </customHeaders>
  </httpProtocol>
</system.webServer>
Step 3: Configure Secure Cookies
Require SSL for all cookies (IIS). In web.config:
<system.web>
  <httpCookies requireSSL="true" httpOnlyCookies="true" />
</system.web>
Step 4: Implement DMARC, DKIM, and SPF for Email Security
PWCS has a DMARC policy that is not set to p=none, which is commendable. For organisations starting from scratch:
DNS TXT Record for SPF:
v=spf1 mx ip4:203.0.113.0/24 include:_spf.google.com ~all
DNS TXT Record for DKIM (generated by email provider):
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ...
DNS TXT Record for DMARC:
_dmarc.pwcs.com.au. TXT "v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1"
Linux/Nginx Equivalent Commands:
# Add security headers in Nginx configuration
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline';" always;
# Remove server tokens
server_tokens off;
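As an added example (not code from the article or from UpGuard), the Python below checks a captured set of response headers and a DMARC record for exactly the findings listed in this section; the sample header sets and DMARC strings are constructed, and the CSP check flags the 'unsafe-inline' weak spot that the Step 2 policy still carries.

```python
import re

# Constructed sample responses (not real PWCS data): one matching the findings listed
# above, one after applying the web.config headers from Step 2.
BEFORE = {"Server": "Microsoft-IIS/10.0", "X-Powered-By": "ASP.NET",
          "Content-Type": "text/html"}
AFTER = {"X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff",
         "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
         "Content-Security-Policy": "default-src 'self'; "
                                    "script-src 'self' 'unsafe-inline' https://trusted.cdn.com"}

def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def audit_headers(headers):
    """Return the findings for one response's headers (names are case-insensitive)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    if "x-powered-by" in h:
        findings.append("x-powered-by: exposes technology stack (%s)" % h["x-powered-by"])
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("x-frame-options: not DENY/SAMEORIGIN (clickjacking)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("x-content-type-options: not nosniff (MIME sniffing)")
    hsts = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not hsts or int(hsts.group(1)) < 31536000:
        findings.append("strict-transport-security: missing or max-age under one year")
    if "content-security-policy" not in h:
        findings.append("content-security-policy: missing (XSS/data injection)")
    else:
        csp = parse_csp(h["content-security-policy"])
        # script-src falls back to default-src when it is not set
        scripts = csp.get("script-src", csp.get("default-src", []))
        if "'unsafe-inline'" in scripts or "*" in scripts:
            findings.append("content-security-policy: script-src allows inline or wildcard scripts")
    return findings

def audit_dmarc(record):
    """Return findings for a _dmarc TXT record string; None means no record is published."""
    if not record:
        return ["dmarc: no record published"]
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("dmarc: record does not start with v=DMARC1")
    if tags.get("p", "none").lower() == "none":
        findings.append("dmarc: policy is p=none (monitor only, nothing is rejected)")
    if "rua" not in tags:
        findings.append("dmarc: no rua address, so aggregate reports are never received")
    return findings

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_headers(hdrs))
    print(audit_dmarc("v=DMARC1; p=none; rua=mailto:dmarc@example.com"))
```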
- Cloud Migration and Intranet Modernisation: From SharePoint 2013 to Secure Cloud
PWCS recently undertook a critical migration from a ten-year-old SharePoint 2013 platform that was no longer supported. The project, which evolved from a technical upgrade into a broader employee engagement initiative, highlights the security and operational benefits of moving from legacy on-premises systems to modern cloud-based solutions.
Key Security Considerations for Cloud Migration:
Step 1: Assess the Legacy Environment
- Inventory all custom code, web parts, and third-party integrations
- Identify sensitive data stored in the intranet (PII, financial data, operational procedures)
- Document current access controls and permission structures
Step 2: Evaluate Cloud Platform Options
PWCS initially explored SharePoint Online but found it lacking in user experience and branding capabilities. They ultimately selected the Elcom solution because it met all requirements for design, integration, and most importantly, cybersecurity compliance.
Step 3: Implement Zero-Trust Architecture for Intranet Access
# Azure AD Conditional Access Policy (PowerShell, AzureADPreview module)
# Require MFA for all intranet access
New-AzureADMSConditionalAccessPolicy -DisplayName "Require MFA for Intranet" -State "enabled" -Conditions @{
    Applications = @{ IncludeApplications = @("all") }
    Users = @{ IncludeUsers = @("all") }
    Locations = @{ IncludeLocations = @("all") }
} -GrantControls @{
    _Operator = "OR"               # the grant-controls object needs an operator alongside the controls
    BuiltInControls = @("mfa")
}
Step 4: Implement Single Sign-On (SSO)
PWCS’s new intranet features SSO integration, allowing seamless access to other applications. This reduces password fatigue and improves security by centralising authentication.
# Azure AD SSO Configuration (PowerShell)
# Register the application with its OIDC reply URL
New-AzureADApplication -DisplayName "PWCS Intranet" -ReplyUrls @("https://intranet.pwcs.com.au/signin-oidc")
# Add an application owner (this cmdlet manages owners; assigning users to the app is a separate app role assignment step)
Add-AzureADApplicationOwner -ObjectId <app-id> -RefObjectId <user-id>
Step 5: Secure the CMS Publishing Workflow
PWCS’s solution allows publishers to manage content from the frontend without accessing the backend CMS, reducing the attack surface. This is a best practice for content management:
// Example: Frontend-only content publishing API (Node.js/Express)
// authenticateJWT, authorizeRole and cmsClient are the application's own middleware and CMS client (not shown here)
const express = require('express');
const sanitizeHtml = require('sanitize-html');
const app = express();
app.use(express.json());

app.post('/api/publish-news', authenticateJWT, authorizeRole('publisher'), (req, res) => {
  const { title, content, category } = req.body;
  if (typeof title !== 'string' || typeof content !== 'string') {
    return res.status(400).json({ error: 'title and content are required' });
  }
  // Validate input to prevent XSS: allow a small tag set, href on links, and only safe URL schemes
  const sanitizedContent = sanitizeHtml(content, {
    allowedTags: ['p', 'strong', 'em', 'ul', 'li', 'a'],
    allowedAttributes: { 'a': ['href'] },
    allowedSchemes: ['http', 'https', 'mailto']
  });
  // Publish to headless CMS via secure API; the publisher identity comes from the verified JWT, never from the body
  cmsClient.publish({
    title: title,
    content: sanitizedContent,
    category: category,
    publishedBy: req.user.email,
    timestamp: new Date().toISOString()
  })
    .then(() => res.json({ success: true }))
    .catch((err) => {
      console.error('publish failed', err);
      res.status(502).json({ error: 'publish failed' });
    });
});
- Maritime Security and Access Control: MSIC, MTOFSA, and Physical-Cyber Convergence
As both an industrial site and an international port, PWCS operates under Federal Security Legislation and has developed an Access Control system to manage these requirements. The Maritime Transport and Offshore Facilities Security Act 2003 (MTOFSA) establishes strict security measures for ports, requiring personnel working in restricted areas to hold Maritime Security Identification Cards (MSIC).
Technical Implementation of Maritime Security Access Control:
Step 1: Integrate MSIC Verification with Physical Access Control Systems (PACS)
# Example: MSIC validation API integration (Python)
import os
import requests

def validate_msic(msic_number, card_holder_name):
    # Query national MSIC database (simplified; the endpoint URL is illustrative)
    try:
        response = requests.post(
            'https://api.maritime.gov.au/msic/verify',
            json={'msic': msic_number, 'name': card_holder_name},
            headers={'Authorization': f'Bearer {os.environ["MSIC_API_KEY"]}'},
            timeout=5,
        )
    except requests.RequestException:
        return False  # fail closed: no answer from the verifier means no access
    if response.status_code == 200:
        data = response.json()
        return data.get('valid', False)
    return False

def grant_access(msic_number, facility_zone):
    # get_card_holder_name, pacs_grant_access and log_access_event are the site's own
    # PACS helpers and are not defined in this snippet
    if validate_msic(msic_number, get_card_holder_name()):
        # Grant access to specific zone (e.g., Carrington Terminal)
        pacs_grant_access(facility_zone, msic_number)
        log_access_event(msic_number, facility_zone, 'GRANTED')
        return True
    else:
        log_access_event(msic_number, facility_zone, 'DENIED')
        return False
Step 2: Implement Role-Based Access Control (RBAC) for Digital Systems
-- Database schema for maritime security RBAC
CREATE TABLE security_zones (
    zone_id INT PRIMARY KEY,
    zone_name VARCHAR(100) NOT NULL,   -- 'Carrington', 'Kooragang', 'Wharf'
    security_level INT NOT NULL        -- 1-5, where 5 is highest
);

CREATE TABLE msic_clearances (
    clearance_id INT PRIMARY KEY,
    msic_number VARCHAR(20) UNIQUE NOT NULL,
    zone_id INT,
    expiry_date DATE,
    FOREIGN KEY (zone_id) REFERENCES security_zones(zone_id)
);

CREATE TABLE access_logs (
    log_id INT PRIMARY KEY AUTO_INCREMENT,
    msic_number VARCHAR(20),
    zone_id INT,
    access_time DATETIME DEFAULT CURRENT_TIMESTAMP,
    action VARCHAR(20),                -- 'GRANTED', 'DENIED'
    reason VARCHAR(255)
);

-- Query: Find all personnel with access to high-security zones
SELECT c.msic_number, z.zone_name, c.expiry_date
FROM msic_clearances c
JOIN security_zones z ON c.zone_id = z.zone_id
WHERE c.expiry_date > CURDATE()
  AND z.security_level >= 4;
Step 3: Audit and Compliance Reporting
# PowerShell script to generate weekly security compliance report
$report = @()
# Join to security_zones so that zone_name is available; it is not a column of msic_clearances
$expiring_clearances = Invoke-Sqlcmd -Query "SELECT c.msic_number, z.zone_name, c.expiry_date FROM msic_clearances c JOIN security_zones z ON c.zone_id = z.zone_id WHERE c.expiry_date < DATEADD(day, 30, GETDATE())"
foreach ($clearance in $expiring_clearances) {
    $report += [PSCustomObject]@{
        MSIC   = $clearance.msic_number
        Zone   = $clearance.zone_name
        Expiry = $clearance.expiry_date
        Status = "RENEWAL_REQUIRED"
    }
}
$report | Export-Csv -Path "weekly_security_report.csv" -NoTypeInformation
- Lean IT and Citizen Development: The Spare Material Tracking App
One of PWCS’s most innovative IT initiatives came from a 26-year-old IT Graduate, Rebecca Harmes, who developed a Spare Material Tracking App that won the NSW Minerals Council’s ‘The Pitch’. This project exemplifies how Lean IT principles and citizen development can solve operational challenges without massive enterprise software investments.
Problem Statement: At the end of work orders, materials were often left over with no way to track them or return them to inventory. Maintenance teams carried iPads, but there was no system to log spare materials.
Solution Architecture:
Step 1: Define the MVP (Minimum Viable Product)
- Map items with location and metadata
- Place corresponding identification stickers on stock
- Enable search functionality
- Simple CRUD (Create, Read, Update, Delete) operations
Step 2: Build the Application Backend (Node.js + Express + PostgreSQL)
// models/SpareMaterial.js
const { DataTypes } = require('sequelize');
module.exports = (sequelize) => {
  return sequelize.define('SpareMaterial', {
    id: { type: DataTypes.UUID, defaultValue: DataTypes.UUIDV4, primaryKey: true },
    name: { type: DataTypes.STRING, allowNull: false },
    description: { type: DataTypes.TEXT },
    location: { type: DataTypes.STRING, allowNull: false }, // e.g., "Wharf Area B-12"
    category: { type: DataTypes.STRING }, // e.g., "Electrical", "Mechanical", "Structural"
    quantity: { type: DataTypes.INTEGER, defaultValue: 1 },
    unit: { type: DataTypes.STRING, defaultValue: 'each' }, // each, kg, m
    identification_sticker: { type: DataTypes.STRING, unique: true },
    work_order_id: { type: DataTypes.STRING },
    status: { type: DataTypes.ENUM('available', 'reserved', 'scrapped'), defaultValue: 'available' },
    created_by: { type: DataTypes.STRING },
    created_at: { type: DataTypes.DATE, defaultValue: DataTypes.NOW },
    updated_at: { type: DataTypes.DATE, defaultValue: DataTypes.NOW }
  }, { timestamps: false }); // the timestamp columns are declared explicitly above
};

// routes/spareMaterials.js - API endpoints
// `authenticate` (JWT middleware) and the initialised SpareMaterial model are imported from the app's own modules
const express = require('express');
const { Op } = require('sequelize');
const router = express.Router();

router.get('/api/materials', authenticate, async (req, res) => {
  const materials = await SpareMaterial.findAll({
    where: { status: 'available' },
    order: [['created_at', 'DESC']]
  });
  res.json(materials);
});

router.post('/api/materials', authenticate, async (req, res) => {
  const { name, description, location, category, quantity, work_order_id } = req.body;
  if (!name || !location) {
    return res.status(400).json({ error: 'name and location are required' });
  }
  // Generate unique sticker ID
  const sticker = `PWCS-${Date.now()}-${Math.random().toString(36).substring(2, 8)}`;
  const material = await SpareMaterial.create({
    name, description, location, category, quantity,
    work_order_id, identification_sticker: sticker,
    created_by: req.user.email // taken from the verified token, not from the request body
  });
  res.status(201).json(material);
});

router.get('/api/materials/search', authenticate, async (req, res) => {
  const q = String(req.query.q || '').trim();
  if (!q) return res.json([]);
  // Sequelize binds the iLike values as parameters, so `q` is never spliced into raw SQL
  const materials = await SpareMaterial.findAll({
    where: {
      [Op.or]: [
        { name: { [Op.iLike]: `%${q}%` } },
        { description: { [Op.iLike]: `%${q}%` } },
        { location: { [Op.iLike]: `%${q}%` } },
        { identification_sticker: { [Op.iLike]: `%${q}%` } }
      ]
    }
  });
  res.json(materials);
});

module.exports = router;
Step 3: Build the Mobile-First Frontend (React Native / Flutter for iPad)
// React Native component for material scanning (react-native-vision-camera v3 code-scanner API)
// getAccessToken is the app's own token helper and is not shown here
import React, { useState } from 'react';
import { View, Text, StyleSheet, Alert } from 'react-native';
import { Camera, useCameraDevice, useCodeScanner } from 'react-native-vision-camera';

function ScanMaterialScreen({ navigation }) {
  const device = useCameraDevice('back');
  const [scanning, setScanning] = useState(false);

  const handleBarcodeScan = async (barcode) => {
    if (scanning) return; // the scanner fires on every frame; ignore repeats while a lookup is in flight
    setScanning(true);
    try {
      // URL-encode the scanned value and send the user's token; the search endpoint requires authentication
      const response = await fetch(
        `https://api.pwcs.com.au/materials/search?q=${encodeURIComponent(barcode)}`,
        { headers: { Authorization: `Bearer ${await getAccessToken()}` } }
      );
      if (!response.ok) throw new Error(`HTTP ${response.status}`);
      const material = await response.json();
      if (material.length > 0) {
        navigation.navigate('MaterialDetail', { material: material[0] });
      } else {
        Alert.alert('Not Found', 'No material found with this sticker ID.');
      }
    } catch (error) {
      Alert.alert('Error', 'Failed to search material.');
    }
    setScanning(false);
  };

  const codeScanner = useCodeScanner({
    codeTypes: ['qr', 'code-128'],
    onCodeScanned: (codes) => {
      if (codes.length > 0 && codes[0].value) handleBarcodeScan(codes[0].value);
    }
  });

  if (device == null) return <Text>No camera available</Text>;
  return (
    <View style={styles.container}>
      <Camera
        style={StyleSheet.absoluteFill}
        device={device}
        isActive={true}
        codeScanner={codeScanner}
      />
      <View style={styles.overlay}>
        <Text style={styles.instruction}>Scan material sticker</Text>
      </View>
    </View>
  );
}

const styles = StyleSheet.create({
  container: { flex: 1 },
  overlay: { position: 'absolute', bottom: 40, alignSelf: 'center' },
  instruction: { color: '#fff', fontSize: 18 }
});
Step 4: Deploy with CI/CD Pipeline (GitHub Actions)
# .github/workflows/deploy.yml
# Assumes the runner is already authenticated to Azure and the AKS cluster (e.g. via an azure/login step)
name: Deploy Spare Material App
on:
  push:
    branches: [main]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Build Docker image
        run: docker build -t pwcs/spare-material-app:${{ github.sha }} .
      - name: Push to Azure Container Registry
        run: |
          az acr login --name pwcsacr
          docker tag pwcs/spare-material-app:${{ github.sha }} pwcsacr.azurecr.io/spare-material-app:${{ github.sha }}
          docker push pwcsacr.azurecr.io/spare-material-app:${{ github.sha }}
      - name: Deploy to AKS
        # Deploy the commit-specific tag: `kubectl set image` with an unchanged `latest` tag is a no-op
        # and does not trigger a rollout, and an immutable tag also makes rollbacks traceable
        run: |
          kubectl set image deployment/spare-material-app app=pwcsacr.azurecr.io/spare-material-app:${{ github.sha }}
          kubectl rollout status deployment/spare-material-app
- Operational Technology (OT) Security and Industrial Control Systems
While the public-facing security assessment provides visibility into PWCS’s IT security posture, the real crown jewels lie in the OT environment: the conveyor systems, rail receival stations, stockpile blending equipment, and ship loaders that move 145 million tonnes of coal annually. Securing these ICS/SCADA systems requires a different approach.
ICS Security Best Practices for Port and Terminal Operations:
Step 1: Network Segmentation (Purdue Model)
Level 5 (Enterprise Network): Corporate IT, Email, Intranet
Level 4 (Site Business Planning): Terminal management systems, ERP
Level 3 (Site Operations): Manufacturing Execution Systems (MES), Historians
Level 2 (Area Supervisory Control): SCADA servers, HMI workstations
Level 1 (Basic Control): PLCs, RTUs, DCS controllers
Level 0 (Physical Process): Conveyor motors, stackers, reclaimers, ship loaders
Step 2: Implement Industrial DMZ (iDMZ)
# Linux iptables rules for iDMZ firewall: allow only specific protocols between Levels
# Default-deny forwarding so that anything not listed below is dropped, not just the two web ports
iptables -P FORWARD DROP
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 502 -j ACCEPT     # Modbus TCP
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 44818 -j ACCEPT   # EtherNet/IP (CIP) explicit messaging
iptables -A FORWARD -i eth0 -o eth1 -p udp --dport 2222 -j ACCEPT    # EtherNet/IP (CIP) implicit I/O; DNP3 is 20000/tcp, below
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 20000 -j ACCEPT   # DNP3
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -j DROP        # Block HTTP to OT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 443 -j DROP       # Block HTTPS to OT
# Allow return traffic for the sessions accepted above
iptables -A FORWARD -i eth1 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
Step 3: Asset Inventory and Vulnerability Management
# PowerShell: Scan for OT devices using Nmap (install via Chocolatey)
choco install nmap -y
# Caution: active scans can disturb fragile PLCs/RTUs. Run them in a maintenance window with a low
# rate, and prefer passive discovery (SPAN-port capture) for production OT segments.
nmap -sn 10.0.0.0/24                              # Discover all devices on OT network (-sn replaces the deprecated -sP)
nmap -sT -p 502,44818,2222,102,2404 10.0.0.0/24   # Scan for common OT ports
# Export to CSV for asset management (bash loop: run from WSL or a Linux jump host)
nmap -sn -oG - 10.0.0.0/24 | awk '/Up$/{print $2}' | while read ip; do
  echo "$(date),$ip,$(nmap -sT -p 502 $ip | grep open)" >> ot_asset_inventory.csv
done
Step 4: Implement Secure Remote Access (Jump Hosts / Bastion Hosts)
# AWS/Azure: Deploy a bastion host with MFA for OT access
# SSH configuration for bastion host: /etc/ssh/sshd_config
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers [email protected]
# MFA itself comes from a PAM module (e.g. pam_google_authenticator) combined with
# AuthenticationMethods publickey,keyboard-interactive
# Force command for session logging
ForceCommand /usr/bin/script -q -c "/bin/bash" /var/log/ot-sessions/$USER-$(date +%Y%m%d).log
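As an added example that is not part of the article, the Python below encodes the Purdue levels of Step 1 and the iDMZ allow-list of Step 2 as a policy and checks constructed flow records against it, the kind of check a defender runs over firewall or NetFlow logs to spot level-skipping or non-industrial traffic heading into the control network; the address range per level and the sample flows are assumptions.

```python
import ipaddress

# Constructed Purdue level allocation for a terminal network (not PWCS addressing)
LEVELS = {
    5: ipaddress.ip_network("10.5.0.0/16"),   # Enterprise: corporate IT, intranet
    4: ipaddress.ip_network("10.4.0.0/16"),   # Site business planning: ERP, TMS
    3: ipaddress.ip_network("10.3.0.0/16"),   # Site operations: MES, historians (iDMZ side)
    2: ipaddress.ip_network("10.2.0.0/16"),   # Supervisory: SCADA servers, HMIs
    1: ipaddress.ip_network("10.1.0.0/16"),   # Basic control: PLCs, RTUs
}

# Industrial protocols the iDMZ rules permit towards the control levels
OT_PORTS = {("tcp", 502): "Modbus/TCP", ("tcp", 44818): "EtherNet/IP CIP",
            ("udp", 2222): "EtherNet/IP implicit I/O", ("tcp", 20000): "DNP3",
            ("tcp", 102): "S7comm", ("tcp", 2404): "IEC 60870-5-104"}
WEB_PORTS = {("tcp", 80): "HTTP", ("tcp", 443): "HTTPS"}

def level_of(ip):
    """Map an address to its Purdue level, or None if it is outside every range."""
    addr = ipaddress.ip_address(ip)
    for lvl, net in LEVELS.items():
        if addr in net:
            return lvl
    return None

def check_flow(src, dst, proto, dport):
    """Return (verdict, reason) for one flow against the segmentation policy:
    - HTTP/HTTPS into Levels 2/1 is dropped, as in the iptables rules
    - only listed industrial protocols may go downward into Levels 2/1
    - a flow must not skip a Purdue level (e.g. Level 5 straight to Level 1)"""
    s, d = level_of(src), level_of(dst)
    key = (proto.lower(), int(dport))
    if s is None or d is None:
        return "ALERT", "address outside any Purdue level"
    if d <= 2 and s >= 3:   # headed from the business side into the control levels
        if key in WEB_PORTS:
            return "BLOCK", f"{WEB_PORTS[key]} into Level {d} is dropped by the iDMZ"
        if key not in OT_PORTS:
            return "BLOCK", f"{proto}/{dport} is not an allowed industrial protocol"
        if s - d > 1:
            return "ALERT", f"Level {s} host bypassed Level {s - 1} to reach Level {d}"
        return "ALLOW", f"{OT_PORTS[key]} from Level {s} to Level {d}"
    if abs(s - d) > 1:
        return "ALERT", f"Level {s} to Level {d} skips a boundary"
    return "ALLOW", f"adjacent levels {s}->{d} on {proto}/{dport}"

# Constructed flow records (src, dst, proto, dport), as a connection log would list them
FLOWS = [
    ("10.3.0.10", "10.2.0.5", "tcp", 502),    # historian polling a SCADA server: fine
    ("10.5.0.20", "10.1.0.7", "tcp", 502),    # corporate host straight to a PLC
    ("10.4.0.3", "10.2.0.5", "tcp", 443),     # ERP box browsing an HMI
    ("10.2.0.5", "10.1.0.7", "udp", 2222),    # SCADA to PLC implicit I/O
    ("10.5.0.20", "10.2.0.5", "tcp", 3389),   # RDP into the supervisory level
]

def triage(flows=FLOWS):
    """Run check_flow over the records and return only those that are not ALLOW."""
    out = []
    for src, dst, proto, dport in flows:
        verdict, reason = check_flow(src, dst, proto, dport)
        if verdict != "ALLOW":
            out.append((src, dst, verdict, reason))
    return out

if __name__ == "__main__":
    for row in triage():
        print(*row)
```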
What Undercode Say:
- Key Takeaway 1: Port Waratah’s security rating of 802/950 and the identified header vulnerabilities (X-Powered-By, X-Frame-Options, CSP) serve as a wake-up call for all critical infrastructure operators. Even world-class facilities with ISO 14001 and ISO 45001 certifications can have gaps in their external attack surface. The lesson is clear: compliance with operational standards does not equate to cybersecurity maturity.
- Key Takeaway 2: The migration from SharePoint 2013 to a secure cloud-based intranet demonstrates that cybersecurity compliance is not a barrier to innovation—it’s an enabler. By moving to a modern, supported platform with SSO, mobile responsiveness, and frontend-only content publishing, PWCS reduced its attack surface while improving employee engagement.
- Key Takeaway 3: The Spare Material Tracking App, developed by a graduate IT trainee, exemplifies the power of Lean IT and citizen development in industrial settings. By empowering frontline employees to solve operational problems with simple, mobile-first applications, organisations can achieve rapid innovation without the overhead of traditional enterprise software procurement.
Analysis:
The convergence of IT and OT in critical infrastructure creates a complex threat landscape that demands a multi-layered defence strategy. Port Waratah’s public-facing vulnerabilities—while relatively minor—highlight the importance of basic web application security hygiene. The exposed X-Powered-By header and missing CSP are low-hanging fruit that attackers routinely exploit in reconnaissance phases. However, PWCS’s strengths are equally notable: a DMARC policy not set to `p=none` indicates strong email security awareness, and the secure cookie configuration shows attention to session protection. The company’s investment in intranet modernisation and grassroots IT innovation suggests a security-aware culture that values both technical controls and human capital. For organisations in the mining and maritime sectors, the path forward involves not only patching web application vulnerabilities but also embracing zero-trust architecture, OT network segmentation, and continuous security monitoring. The integration of physical security (MSIC) with cyber access controls is particularly critical for ports, where a compromise could have cascading effects on supply chains and national security.
Prediction:
- +1 The adoption of mobile-first, citizen-developed applications like the Spare Material Tracking App will accelerate across the mining and logistics sectors, reducing waste and improving operational efficiency by 15-20% within three years.
- +1 Cloud migration from legacy on-premises platforms will become the default strategy for critical infrastructure operators, driven by the need for supported, secure, and scalable solutions that alleviate on-premises security obligations.
- -1 The convergence of IT and OT will expose critical infrastructure to more sophisticated ransomware attacks, as threat actors increasingly target industrial control systems. Operators without robust network segmentation and incident response plans will face significant operational disruptions.
- -1 Regulatory frameworks like MTOFSA will evolve to mandate stricter cybersecurity requirements for maritime and port facilities, including mandatory external security assessments and real-time threat intelligence sharing.
- +1 AI-powered security monitoring and automated patch management will become essential tools for industrial organisations, enabling them to detect and remediate vulnerabilities faster than human-led teams alone.
Reported By: Portwaratah Communitysupport – Hackers Feeds


