GAO: USCG needs to up its MTS cybersecurity game

Written by Nick Blenkey
GAO report looks at MARAD staff shortages

Image: GAO

The more the maritime industry relies on digitalization and tech to increase its efficiency, the more it becomes vulnerable to cyber threats and a new report from the Government Accountability Office says that the cybersecurity risks facing thr U.S. Maritime Transportation System (MTS) are significant and increasing with China, Iran, North Korea, Russia, and transnational criminal organizations posing the greatest threats.

Technologies used in MTS

GAO says that, according to federal and nonfederal officials, cyber incidents have already affected port operations, and the potential impacts of future incidents could be severe.

The Coast Guard assists MTS owners and operators through offering direct technical assistance, providing voluntary guidelines for implementing cybersecurity practices, and sharing cyber threat information. The service also provides oversight through facility and vessel inspections, including the identification and documentation of cybersecurity-related deficiencies. However, says the GAO, the Coast Guard cannot readily access complete information on inspection results specific to cybersecurity from its system of record (Marine Information for Safety and Law Enforcement). Updating its system to provide ready access to complete information on all cybersecurity-related deficiencies would help the Coast Guard better provide oversight of owners and operators and help position the service to prevent cyberattacks that could impact the MTS.

Although the Coast Guard developed a cyber strategy to address MTS cybersecurity risks, it did not, says GAO, fully address all of the key characteristics needed for an effective national strategy. Specifically, the cyber strategy fully addressed the key characteristic related to purpose, scope, and methodology, but did not fully address the other four characteristics, as shown in the table below. Addressing all of the key characteristics would better position the Coast Guard to ensure its actions and resources are addressing the highest cybersecurity risks.

cybersecurity

Further, says GAO, the Coast Guard has not fully addressed leading practices to ensure its cyber workforce has the competencies needed to address MTS cybersecurity risks. Specifically, the Coast Guard has not fully developed competency requirements. In addition, the Coast Guard has not fully assessed and addressed competency gaps for its cyber workforce. Until it does, the Coast Guard will not have assurance it is effectively mitigating cybersecurity risks to the MTS.

GAO reviewed federal and industry reports on MTS cybersecurity risks; federal statutes and regulations; and Coast Guard documentation and inspection data from fiscal year 2019 through June 2024. GAO also interviewed federal and non-federal stakeholders at four ports based on volume of trade, geographic dispersion, and other factors.

GAO is making five recommendations, including that Coast Guard (1) update its system of record to provide ready access to complete cyber deficiency data, (2) ensure its cyber strategy and plans align with all key characteristics of a national strategy, and (3) analyze, assess, and address workforce competency gaps. The Department of Homeland Security concurred with GAO’s recommendations.

  • The Commandant of the Coast Guard should develop and implement documented procedures to ensure the accuracy of cybersecurity incident information that the service identifies and tracks. (Recommendation 1)
  • The Commandant of the Coast Guard should ensure that its case management system for facility and vessel security inspections provides ready access to complete data on specific cybersecurity deficiencies identified during those inspections. (Recommendation 2)
  • The Commandant of the Coast Guard should ensure its cybersecurity strategy and plans address the key characteristics of an effective national strategy, including a full assessment of cybersecurity risks to the MTS. (Recommendation 3)
  • The Commandant of the Coast Guard should develop future competency needs for all of the service’s personnel with MTS cyber responsibilities for mitigating cyber risks to the MTS and analyze the gaps between current competencies and future needs.
  • The Commandant of the Coast Guard should, using the gap analysis of current and future competency needs for personnel with MTS cyber risk mitigation responsibilities, address any gaps in competencies, such as through training.

Download the full GAO report HERE

Categories: News, Safety and Security Tags: , ,

RELATED ARTICLES