From Conversation to Implementation: Maritime and Port Cybersecurity

In recent years, headlines have been littered with the words “cyberattack” and “data breach.” From the world’s largest companies and governments, to the average online shopper, we all must face the reality that motivated, capable, and persistent cyber threats exist; and the potential for theft, damage, and disruption on a global scale is real.

Running parallel with technological innovation, the global maritime transportation system is going through its own period of growth and change. A clear example of this was witnessed by onlookers on December 31, 2015, as the container ship Benjamin Franklin cleared the Golden Gate Bridge on its way to the Port of Oakland, CA. With a draft of 52’ and just 20’ to spare from the Golden Gate, the Benjamin Franklin, along with its 18,000 containers, became the largest container ship to ever call upon a U.S. Port. Accommodating larger vessels means expanding not only the waterways, but also the capabilities and capacities of the terminals and people tasked with handling the cargo.

“Among the greatest concerns that impacts both military and civilian realms is cybersecurity. Today, we have a billion devices that are accessing the Internet. Our economies are entangled in this Internet sea, and it’s an outlaw sea… At some point, there needs to be a very global conversation on this challenge.” – James G. Stavridis, Navy Adm., NATO’s supreme allied commander for Europe and Commander of U.S. European Command

Coupled with brick and mortar type infrastructure projects, port facility and vessel owners/operators are increasingly turning to and relying on technology to meet supply chain demands. As technology enhances efficiency, cyber-related vulnerabilities in the maritime transportation system continue to be exposed. In response to this evolving cyber risk landscape, governments and maritime-related authorities/organizations worldwide are working to develop strategies and legislation in support of a common approach to cybersecurity and network preparedness.

The U.S. Government’s Approach to Maritime Cybersecurity
In June 2015, the U.S. Coast Guard (USCG) published its vision for operating in the cyber domain. With the below mission statement, the USCG officially outlined a strategy for defending cyberspace that both enables operations and protects infrastructure.

“We will ensure the safety of our cyberspace, maintain superiority over our adversaries, and safeguard our Nation’s critical maritime infrastructure.”

In October 2015, congressional members of the House Homeland Security Committee, Subcommittee on Border and Maritime Security, held a hearing to discuss the USCG’s cybersecurity strategy and the current status of cybersecurity at U.S. ports. Witnesses included representatives from the USCG, the U.S. Government Accountability Office; the Port of Long Beach, California; and the Ports of Brownsville and Harlingen, Texas. Witness testimonies revealed cybersecurity challenges faced by ports and maritime facilities related to cyberattack reporting, information sharing, and mitigation planning.

On the heels of the Border and Maritime Security Subcommittee Hearing, the House of Representatives unanimously approved a port cybersecurity bill (H.R 3878) on December 18, 2015. Dubbed the “Strengthening Cybersecurity Information Sharing and Coordination in Our Ports Act of 2015,” the bill solidifies the USCG as the lead agency charged with managing port-wide cybersecurity, and establishes requirements for integrating cybersecurity with port security activities currently in place as a result of the Maritime Transportation Security Act (MTSA) and International Ship and Port Security (ISPS) code. Although stopping short of imposing new regulations, the three sections of H.R. 3878, the titles of which are provided below, echo the internationally common themes of risk-based decision making and enhanced information sharing in its approach to cyber risk management.

• Section 1 – Improving Cybersecurity Risk Assessments, Information Sharing, and Coordination
• Section 2 – Cybersecurity Enhancements to Maritime Security Activities
• Section 3 – Vulnerability Assessments and Security Plans

The Global Conversation
Published in 2011, the first report on port cybersecurity prepared by the European Union Agency for Network and Information Security (ENISA) sought to gauge current capabilities and establish a baseline for maritime cybersecurity amongst its members. Key findings included a lack of maritime cybersecurity awareness and related policies as well as a need for a common cybersecurity strategy and best management practices.

The ENISA report strongly recommends a risk-based approach and assessment of maritime-specific cyber risks; expanding maritime regulations and policies beyond just physical aspects of security and safety; as well as better information exchange and statistics on cybersecurity.

While more prescriptive than the U.S. approach, the general adherence to information sharing and risk-based decision making highlights Europe’s contextual alignment with strategies, frameworks, and legislation both in the U.S. and international maritime communities.

From Conversation to Implementation
If conversation was the leading factor in determining network preparedness, we would be well on our way to securing critical infrastructure worldwide. Unfortunately, this is not the case. The challenge for many organizations is not identifying the cybersecurity problem, but rather determining the most advantageous solution to addressing their competing needs for system protection, system accessibility, and systems reliability and resiliency. To help facilitate the planning process and ensure its effectiveness, an organization must fully understand and base decisions on their cyber risk profile.

In February 2013, President Obama issued Executive Order 13636: Improving Critical Infrastructure Cybersecurity. The order required the development of a voluntary, risk-based Cybersecurity Framework to include a set of existing standards, guidelines, and practices to help organizations manage their cyber risks. The resulting framework for improving critical infrastructure cybersecurity, created by the National Institute of Standards and Technology (NIST), provides a structure that organizations, regulators, and customers can use to create, guide, assess, or improve comprehensive cybersecurity programs. Created through public-private collaboration, the framework provides a common approach to cyber risk management that is both cost-effective and grounded in addressing the business needs of an organization. Adherence to the NIST cybersecurity framework is increasingly becoming a requirement for organizations who wish to do business with or receive funding from the United States Government.

Given the interdependencies that exist within the maritime community, the process of hardening cyber defenses and creating resiliency cannot end at any one fence line or network perimeter. Organizations can no longer view their information technology groups as separate support mechanisms, and should instead integrate them more broadly with operations, business development and emergency/crisis management teams.

Collaboration and information sharing is a must, and as such, entities like the U.S. Coast Guard, FBI, and U.S. Cyber Emergency Response Team (US-CERT) provide multiple platforms and tools to aid in not only conducting assessments, but facilitating collaboration between public and private sector representatives across the United States. Groups such as InfraGard (FBI) and U.S. Coast Guardß Sector Area Maritime Security Committees are currently engaging with members of the maritime community to address cybersecurity realities and develop partnerships forged by mutual benefit.

As this trend continues to evolve the maritime industry must stay active in the conversation. With recent cyberattacks allegedly targeting GPS-based navigation and communications systems, the necessity for confronting cyber vulnerabilities as one industry, rather than as separate entities is clear.