Op-Ed: IRPT takes its own pulse on cybersecurity
Written by James A. Kearns, Jones Walker LLP
For cyber bad actors, especially those for whom ransomware is just another business model, no target is too small. This flies in the face of frequently seen, front-page discussions of cybersecurity for maritime facilities, which typically cite examples of cyberattacks on large infrastructure elements, such as the highly publicized breach of Colonial Pipeline’s network. Strikes on smaller infrastructure components, however, including last year’s ransomware attack on the ferry between Martha’s Vineyard and Nantucket, are also on the rise and often underreported.
Consider the following: Naval Dome reported that cyberattacks on the maritime transportation system (MTS) increased 900% in a three-year period ending in 2020, with a whopping 400% increase occurring between February and June 2020. For its part, the U.S. Coast Guard noted in its August 2021 Cyber Strategic Outlook that more than 500 major operational technology cyberattacks occurred in the maritime industry in 2020. Once all the data for 2021 is collected and reported, it is more than likely that the volume and intensity of maritime cyberattacks will have continued to grow.
The effects of these cyber threats expand well beyond those companies targeted directly by bad actors. According to Gallagher, a global insurance brokerage, risk management and consulting firm, insurers in 2022 are taking action to reduce the financial costs of cyberattacks on their own businesses by increasing rates, limiting coverage, constricting capacity, and increasing underwriting scrutiny.
To help smaller and mid-sized companies better understand the threat, earlier this year Inland Rivers, Ports & Terminals (IRPT) conducted discussions on cybersecurity protocols with members that own or operate maritime facilities. The conversations elicited feedback from entities across the United States and of all sizes, and were intended to learn about how cybersecurity is being addressed by ports and terminals on the inland waterways and by the smaller coastal facilities.
Another goal was to help these facilities become aware of and meet the requirements for facilities regulated under the Maritime Transportation Security Act (MTSA). The regulations issued by the U.S. Coast Guard under the MTSA apply to any facility that receives U.S. cargo vessels over 100 gross registered tons, which includes nearly every cargo-handling facility on the inland waterways or on the coasts. These regulations, found at 33 CFR Part 105, require such facilities to prepare a facility security assessment, followed by a Coast Guard-approved facility security plan to address the vulnerabilities identified in the assessment.
A key driver of the discussions was the impact of resources — or the lack thereof — on members’ cybersecurity initiatives. Many of the facilities contacted are significantly more constrained in their financial and personnel assets than their deepwater counterparts.
Companies contacted by IRPT included maritime facilities whose staff sizes ranged from one to five individuals to more than 50 (with six to 20 persons constituting the average number of personnel). Perhaps unsurprisingly, there was a small but direct correlation between the size of the facility’s staff and whether it has an existing security plan of any kind. But even among facilities with a staff of 50 or more, the existence of a facility security plan was not universal.
An even greater concern was the age of these security plans. Of the facilities that have an existing security plan, many of their owners and operators acknowledged that their plans were more than five years old. Given the rate at which security threats, and especially cyber threats, are continuing to evolve, an out-of-date security plan could provide a false sense of comfort to those responsible for protecting the facility.
Another area of interest is the low rate of ongoing workforce cybersecurity training. In this vein, the first line of defense in cyber risk management is what might be called “cyber hygiene.” This includes — at its most basic — ongoing, effective password management. (Note that the above-mentioned Colonial Pipeline attack was the result of a single, compromised VPN password for a then-unused account, according to a cybersecurity consultant who testified before the U.S. House Committee on Homeland Security on June 8, 2021.)
A strong password-management program is both low cost and simple to maintain. It includes using different passwords for different systems or applications, changing those passwords frequently, ensuring that a password is sufficiently long and complex, and limiting the number of users who have administrative-level access. Despite the ease of establishing these protocols, in their discussions with IRPT relatively few facilities with a staff of fewer than 50 persons noted that they required passwords for accessing the facility’s network and systems to be changed at least every 90 days. Such inaction can and should be addressed immediately — particularly in the face of today’s highly mobile workforce — by adhering to this simple adage: When you change the locks, change the password!
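The three account-hygiene points above (passwords older than 90 days, too many administrative accounts, and the enabled-but-unused account that opened the door at Colonial Pipeline) can be checked mechanically from an account inventory that a small facility can keep in a spreadsheet. The script below is an added illustration, not IRPT's or the author's material. The 90-day threshold comes from the text; the admin-count limit, the dormancy window, the account records and the audit date are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Dict

# Threshold from the text: passwords should change at least every 90 days.
MAX_PASSWORD_AGE_DAYS = 90
# Assumed policy values for this example (not from the page).
MAX_ADMIN_ACCOUNTS = 2      # "limit the number of users with administrative-level access"
DORMANT_AFTER_DAYS = 60     # an enabled account unused this long is flagged for review


@dataclass
class Account:
    """One row of a facility's account inventory (constructed fields)."""
    user: str
    system: str
    password_set: date          # when the current password was set
    last_login: Optional[date]  # None = never logged in
    is_admin: bool
    enabled: bool


def audit_accounts(accounts: List[Account], today: date) -> List[Dict[str, str]]:
    """Return one finding per policy violation; an empty list means clean."""
    findings: List[Dict[str, str]] = []
    active = [a for a in accounts if a.enabled]   # disabled accounts pose no login risk

    for a in active:
        # Check 1: stale password (text's 90-day rule).
        age = (today - a.password_set).days
        if age > MAX_PASSWORD_AGE_DAYS:
            findings.append({"kind": "stale_password", "user": a.user,
                             "system": a.system, "detail": f"password is {age} days old"})

        # Check 2: enabled account nobody uses (the Colonial Pipeline VPN lesson).
        idle = None if a.last_login is None else (today - a.last_login).days
        if idle is None or idle > DORMANT_AFTER_DAYS:
            why = "never logged in" if idle is None else f"last login {idle} days ago"
            findings.append({"kind": "dormant_account", "user": a.user,
                             "system": a.system, "detail": f"{why}; disable or remove"})

    # Check 3: more administrators than policy allows.
    admins = sorted(a.user for a in active if a.is_admin)
    if len(admins) > MAX_ADMIN_ACCOUNTS:
        findings.append({"kind": "excess_admins", "user": ",".join(admins),
                         "system": "all", "detail": f"{len(admins)} admins, limit {MAX_ADMIN_ACCOUNTS}"})
    return findings


# Constructed sample inventory for a five-person facility (not real data).
AUDIT_DATE = date(2022, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", "terminal-scada", date(2022, 4, 1), date(2022, 5, 30), True, True),
    Account("bob",   "vpn",            date(2021, 1, 15), date(2021, 12, 1), False, True),
    Account("carol", "billing",        date(2022, 5, 20), date(2022, 5, 31), True, True),
    Account("dave",  "vpn",            date(2022, 5, 1),  None,              True, True),
    Account("erin",  "billing",        date(2020, 1, 1),  date(2020, 2, 1),  True, False),
]


def run_sample_audit() -> List[Dict[str, str]]:
    """Audit the constructed inventory; used by the demo below."""
    return audit_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE)


if __name__ == "__main__":
    for f in run_sample_audit():
        print(f"[{f['kind']}] {f['user']}@{f['system']}: {f['detail']}")
```

Running it against the constructed inventory flags bob's 502-day-old VPN password, bob's and dave's unused VPN accounts, and three administrators where policy allows two; erin's old password is ignored because the account is disabled. Replacing `SAMPLE_ACCOUNTS` with rows exported from a facility's own systems turns this into a monthly check that costs nothing beyond a few minutes of staff time.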
Another key to defending against cyberattacks is educating the facility’s workforce to identify and avoid malicious emails, especially spoofing and phishing emails. Besides providing guidance on the telltale signs of such emails, companies can illustrate the dangers and provide learning opportunities by sending “decoy” spoofing or phishing emails to facility employees. Those who take the bait might suffer embarrassment, but the experience can go a long way in driving home a point.
Ultimately, the weakest link in the cybersecurity chain of defense is often at the keyboard. As such, the steps that can be taken to strengthen that defense are, quite literally, within arm’s reach. These conversations with IRPT members make it clear that their facilities could benefit from good password management, increased caution in email use, and other straightforward preventive actions, all of which can be implemented at little or no cost to the facility. Through their membership in IRPT, businesses can also take advantage of consulting services provided by cybersecurity firms and partnerships. Whatever expenses might be involved, in terms of employee time and other resources, will certainly be less than the cost of dealing with a ransomware attack or some other cybersecurity breach.