Escalating maritime cyber threats push federal government to take proactive steps, safeguard national security

Amid escalating cybersecurity concerns within the maritime sector, U.S. President Joe Biden recently signed an Executive Order (EO) aimed at bolstering the Department of Homeland Security’s (DHS) capabilities to combat maritime cyber threats. The move aims to fortify defenses against maritime cyber threats, acknowledging the vulnerabilities within the sector. Highlighting the escalating sophistication and frequency of cyberattacks targeting maritime infrastructure, including ports, vessels, and supply chains, the order underscores the risks to national security, economic stability, and public safety.

The initiatives come as the maritime industry is experiencing a notable shift towards greater utilization of cyber-connected systems, accompanied by heightened targeting of these systems by nation-states and cybercriminals in ports and maritime assets. Ransomware attacks have impacted numerous ports and maritime assets worldwide, leading to significant operational disruptions. 

In response to this growing trend, the US government has introduced a set of regulatory measures aimed at addressing cyber threats in the maritime industry, focusing on US flag commercial vessels, waterfront facilities, and specific offshore facilities regulated by the U.S. Coast Guard (USCG). The EO empowers the USCG to address malicious cyber activity by requiring maritime vessels and facilities to enhance cybersecurity and report incidents. It focuses on managing cyber risks for ship-to-shore cranes from Chinese companies, targeting critical port infrastructure owners and operators to enhance security. 

The Coast Guard also proposed cybersecurity standards to combat cyber threats effectively. The EO mandates a comprehensive strategy to protect maritime infrastructure, emphasizing collaboration among government agencies, private sectors, and international partners for information sharing and incident response. It highlights the importance of cybersecurity awareness, system resilience, risk assessments, and clear incident reporting protocols within the maritime industry.

Overall, the EO reflects a proactive stance by the federal government to protect the maritime sector from evolving cyber threats, underscoring the imperative of addressing cybersecurity issues in the increasingly interconnected and digital maritime landscape.

Industrial Cyber interviewed maritime cyber executives to assess how the recent US Executive Order, aimed at safeguarding vessels, harbors, ports, and waterfront facilities, enhances defenses against maritime cyber threats.

Marco (Marc) Ayala president of the Houston InfraGard Members Alliance

The Coast Guard’s Captain of the Port (COTP) Authority is broad; however, there was some doubt as to whether or not cybersecurity vulnerabilities in ports and across maritime operations could be mitigated using COTP authority, Marco (Marc) Ayala, president of the Houston InfraGard Members Alliance, told Industrial Cyber. “A unique part of COTP Authority is that it can be amended by EO under the Magnuson Act where national security threats have been identified (as opposed to the longer regulatory process that relies on lawmakers).”

He noted that the EO removed that doubt and now Coast Guard COTPs have clearer authority to act in order to Identify, Protect, Detect, Respond, and Recover when it comes to cyber threats in the maritime environment.

Blake Benson, senior director for cybersecurity practice lead at ABS Group

“It’s a good first step,” Blake Benson, senior director for cybersecurity practice lead at ABS Consulting, told Industrial Cyber. “First and foremost, it fixes an archaic gap in USCG law enforcement authorities. Secondly, it’s setting aside $20B to invest in US-produced container cranes, which are the cranes you see at ports that lift shipping containers on and off ships across the nation.”

Asked about the Executive Order’s detailed cybersecurity measures for the maritime sector and their impact on enhancing cybersecurity within the industry, Ayala said that these lie not so much in the EO itself as in one of the first actions after the EO, the issuance of Maritime Security (MARSEC) Directive 105-4. “That Directive was focused on ensuring that common cybersecurity vulnerabilities for Ship to Shore cranes manufactured in the PRC were addressed and mitigated,” he added.

Benson pointed out that he did not see a specific mention of increasing the funding to the USCG in particular. “Adjusting the USCG authorities to include cyber incidents is great—and a no-brainer based on their recent investments in capabilities in the space to address cyber risks at Maritime Transportation Security Act (MTSA) regulated facilities, specifically.” 

However, he added that without a coordinated and credible federal response, this is certainly primed to be an industry-led effort.

The executives delve into the factors that led to the issuance of the EO, highlighting the perceived risks linked to maritime cyber threats. They also examine the potential challenges in implementing the order’s measures and discuss strategies to overcome these obstacles.

Ayala said that part of the reason for the action was to remove ambiguity. “The need to remove that ambiguity has been there for several years, but as attacks become more common and threat actors become more sophisticated in light of the current state of global affairs, no further delay could be allowed,” he added.

“The challenge with issuing any control action is proof that something is/has happened that requires COTP intervention,” according to Ayala. “This is especially difficult with cybersecurity due to timing of the victim’s awareness of an attack and often a lack of visible indications in the physical realm.”

Benson pointed out that on the heels of the Volt Typhoon revelations and the uproar surrounding the port crane vulnerabilities highlighted in the latest news cycle, the timing of the release of this EO might seem reactionary, but it was not. 

“The USCG has been evaluating and studying cyber risk to the Maritime Transportation System (MTS) while simultaneously developing capabilities to assist industry stakeholders via USCG Cyber Protection Teams (CPTs) for several years now,” Benson added. “If resourced adequately, the USCG could be in an excellent position to create value with their operational cyber teams and leverage their unique capabilities to assist industry—but only if industry lets them and only if they have adequate capacity to enforce.”

The executives discuss how the implementation of the EO may impact different stakeholders in the maritime industry, such as shipping companies, port authorities, and maritime workers.

Ayala assesses that for the most part, if owners/operators are already taking actions to mitigate cybersecurity threats and build resilience, it won’t impact them. “However, in instances where those same stakeholders have been slow to act then they may find themselves the subject of control actions by the COTP.”

“The additional reporting requirements for industry are going to be the biggest pain point in the interim,” Benson said. “The USCG already released NVIC 02-24 to provide guidance on reporting breaches of security, suspicious activity, transportation security incidents, and cyber incidents to MTS stakeholders. The NVIC cites the National Response Center as the initial reporting mechanism.” 

However, Benson added that the FBI, CISA, and Captain of the Port (COTP) are cited immediately thereafter. In an already extremely convoluted reporting environment, laden with overlapping authorities regarding critical infrastructure both on the cyber front and the safety front, adding more federal agencies could create more confusion and hinder collaboration with the industry to respond to and manage cyber incidents effectively.

The executives elaborated on how the EO aligns with current cybersecurity initiatives and regulations in the maritime sector.

“It becomes a tool for the Coast Guard to utilize when they receive reports of cybersecurity incidents required to be reported under MTSA and explained further in NVIC 2-24,” Ayala said. “Once the NPRM update to MTSA is finalized and vessels/facilities have a clearer picture of what the standards are, then the COTP will have a clearer path to enforcement of those standards and regulations.”

Benson said that there’s not much to align it with or compare it to because of how disparate the stakeholder environment at any given port might be. 

“At a single port, you might have an LNG facility or refinery, cruise ships/passenger terminals, ferries, freight forwarders, food and beverage, or other manufacturing stakeholders all represented in one port environment,” he detailed. “These stakeholders all have specific cyber guidelines and best practices, and there’s certainly overlap, but there is no true ‘one size fits all’ approach for these environments—just another testament to the USCG as being the right federal vehicle (if we’re choosing regulation as the option) to address cyber risks for the MTS; they simply know these environments best and there’s no magic bullet to replace that experience.”
