A Sh300 million computer vessel tracking system implemented by the ports authority nine years ago has collapsed.
According to a KPMG audit commissioned by the Kenya Ports Authority (KPA), the system collapsed in March last year and by November most of Vessel Tracking Management System (VTMS) functions were crippled.
The VTMS system functions were being duplicated by another system called Kilindi Waterfront Automated Terminals System or KWATOS Marine, which was implemented in 2005.
Although the contract allowing implementation of VTMS required establishment of an interface between the two systems, this had not happened when KPMG wrote its report last November.
READ MORE
Mombasa port cargo up 12 per cent as Dar, Durban hit by congestion
KPA boss put to task over Sh1.4 billion tax waivers
Kisumu port records increase in cargo
Mombasa port cargo volume up as Dar es Salaam, Djibouti hit by congestion
KWATOS Marine was implemented in 2005 to support marine and terminal operations of the port, as well as tracking and monitoring movement of vessels and payment of charges. On the other hand, VTMS was designed to aid tracking movement of vessels.
"VTMS main server housed at the KPA control tower crashed on March 21, 2015 and to date it has not been restored," said the report, which added that after the disabling of most of its functions, the "system is being used for view-only purposes and most of the system capabilities are not functional".
As a result, vehicle traffic services in the port's marine department have reverted "to the use of manual processes that were in place before VTMS implementation".
KPA hired KPMG last year to audit its computer-based security and cargo tracking systems used to monitor vessels, movement of cargo and access to key installations by staff and contractors.
Sunday, KPA Chairman Marsden Madoka said KPA commissioned KPMG to audit its IT security systems "to help us improve on some of the IT issues which are new and changing very fast" adding that "we are implementing the report gradually".
The audit exposed loopholes that enable hackers to infiltrate KPA's databases with ease and manipulate data, outdated cipher software, weak password policies and other weaknesses that render KPA's computer-based security and tracking system vulnerable to manipulation, cyber attacks and the threat of being disabled.
The audit also found that lack of a central office to manage project planning and procurement have made it possible for KPA's different departments to implement competing and overlapping security systems, which often collapse together or one-by-one.
The audit also found that information technology systems, including those implemented to improve security, movement of containers and monitor personnel and visitor access, often break down or are not manned.
Loading lists
This has forced KPA to resort to manual systems that are slow and vulnerable to manipulation and expose the port to financial loss. The audit also found that shipping lines often do not submit their loading lists to the port and as vessels enter the port and leave without paying navigational, security and other charges.
KPMG's audit dwells extensively on the port's procurement and management of the KWATOS Marine VTMS and found that the two systems were basically serving the same purpose and argued that procurement happened because there was no central office in charge of procurement of IT projects.
The auditor found that despite performing similar functions, KWATOS Marine and VTMS each had independent server rooms, separate disaster recovery centres, application support teams and independent budgets.
The auditor found that when the main VTMS server at the control tower crashed, authorities resorted to a secondary redundancy server but which KPMG found to have deficiencies, including lack of a biometric system to ensure individual accountability, lack of CCTV cameras to monitor who entered the server room and that the secondary server lacks humidity, temperature and alarm and fire detection sensors.
"...Unauthorised persons may gain access to the server room and cause intended/not intended process disruptions which may cause loss or manipulation of financial data and/or loss of business time".