Cyberspace Solarium Commission makes four recommendations to Congress to enhance maritime cybersecurity

The Cyberspace Solarium Commission published a report Tuesday providing additional analysis of cyberattacks against the maritime transportation system (MTS), with recommendations to the U.S. Congress to resource the subsector’s cybersecurity more fully. It also highlights the need for better government-industry cybersecurity collaboration and better resourcing of government efforts to support the private sector.

The four recommendations proposed in the Cyberspace Solarium Commission report include mandating increased resources for the U.S. Coast Guard to support its responsibilities as a Sector Risk Management Agency (SRMA) and establishing an operational technology (OT) testbed within the Cybersecurity and Infrastructure Security Agency (CISA) to identify potential cybersecurity vulnerabilities in critical systems used within the MTS. The report also recommends requiring U.S. Coast Guard participation in grant programs that will ensure sufficient funding for mitigating MTS cyber risk, and directing the U.S. Coast Guard to develop cybersecurity education and workforce programs.

Earlier this month, CISA partnered with the U.S. Army Corps of Engineers’ Engineer Research and Development Center (USACE-ERDC) to develop the Marine Transportation System Resilience Assessment Guide (MTS Guide). The document is intended for federal agencies, local governments, and industry decision-makers that manage risk and enhance the resilience of critical infrastructure systems and functions by conducting resilience assessments. The MTS Guide also organizes multiple methodologies and port resilience assessment tools to support resilience planning.

Divided into three sections, the 24-page report initially looks at how the cyber threat to the MTS has evolved in recent years. The next section discusses U.S. government efforts to address cyber issues affecting the MTS. Last is a section with recommendations for Congress to ensure uninterrupted commerce and the movement of goods and people across U.S. borders. 

The report notes that in its March 2020 final report, the congressionally mandated Cyberspace Solarium Commission repeatedly highlighted the need for better government-industry cybersecurity collaboration and better resourcing of government efforts to support the private sector.

“Cyber threats against the MTS have intensified alongside the growing interconnectedness of the industry to the global economy, security, and trade. In June 2017, Russia’s NotPetya malware attack on Ukraine spread around the world, infecting global shipping giant Maersk, which is responsible for 76 ports globally and hundreds of vessels carrying tens of millions of tons of cargo at any moment,” the report identified. “Port operations halted, container ships could not unload, and trucks could not enter ports to move cargo. Weeks later, after hundreds of millions of dollars in damages, operations returned to normal. While no single cyber incident since 2017 has dramatically affected global shipping, the MTS has remained under constant attack.”

Last February, a ransomware attack hit oil storage and loading facilities at the Amsterdam-Rotterdam-Antwerp port, disrupting operations. Days earlier, Oiltanking GmbH and Mabanaft GmbH, two subsidiaries of German logistics firm Marquard & Bahls, suffered a ransomware attack, disrupting energy terminals in Germany. Together, the two unrelated incidents caused delays in the movement of energy products, including heating oil, diesel, jet fuel, gasoline, and fuel oil in Europe.

On Dec. 25, the Port of Lisbon announced it had suffered a ransomware attack affecting its website but reassured the public that the attack did not compromise operational activities. “Ransomware group LockBit threatened to leak stolen confidential data if the port refused to pay a $1.5 million ransom. Two weeks later, on January 7, 2023, an Oslo-based ship classification society, DNV, suffered a ransomware cyberattack, affecting approximately 15 percent of its vessels in operation, or 1,000 vessels, and 70 customers. The hackers targeted DNV’s maritime fleet management software, forcing it to shut down servers.”

“To date, the damage from cyberattacks against ports and shipping companies has been localized and contained,” the Cyberspace Solarium Commission reported. “While the attacks are significant, none has had cascading effects across other sectors of the global economy. Had any of the victims been less resilient or less able to pay a ransom, the effects of the attacks would likely have been more severe.”

The report suggests that the Department of Homeland Security (DHS) should request, and Congress should mandate, increased funding for the USCG to support its SRMA responsibilities, including building out a cybersecurity program under the USCG’s SRMA office. “While only 2.8 percent of the USCG’s operations and support budget funds cyber and intelligence operations, in the fiscal year 2022, the USCG saw the largest funding reductions from previous years in areas supporting cyber missions.” 

Once funding is increased, the USCG should use the additional resources to enhance collaboration with organizations like the MTS-ISAC and to leverage MTS-ISAC’s existing capabilities to ensure all industry stakeholders receive timely and actionable threat information and have the information they need to implement cybersecurity best practices and requirements. 

It also called for the CISA, in close partnership with the USCG and maritime private sector partners, to establish a maritime OT supply chain testing capability to test the cyber resilience of critical maritime OT, like the Department of Energy’s Cyber Testing for Resilient Industrial Control Systems program (CyTRICS). 

Similarly, the USCG’s collaboration with CISA’s National Infrastructure Simulation and Analysis Center could facilitate an OT test bed program to identify potential cybersecurity vulnerabilities in existing infrastructure, the report prescribes. “CISA would provide the USCG with a strategic partnership with national laboratories to conduct OT test bed programs for maritime components. The program can begin by testing for cybersecurity vulnerabilities in foreign-manufactured cranes used in U.S. ports — as mandated by the National Defense Authorization Act (NDAA) of the fiscal year 2023 — and then expand into broader, systemically important maritime OT.” 

The Cyberspace Solarium Commission report also called upon DHS to ensure there is sufficient grant funding to mitigate cyber risk in the MTS by requiring USCG participation in the Port Infrastructure Development Program (PIDP) and the Port Security Grant Program. The bipartisan Infrastructure Investment and Jobs Act of 2021 will provide $450 million annually through 2026 to improve America’s ports and waterways through the PIDP. The PIDP provides competitive grants for port modernization and expansion to improve ports’ resiliency, including technologies and cybersecurity supporting the OT of port systems.

Furthermore, the fiscal year 2022 Appropriations Act allocated an additional $234.3 million for the PIDP, for a total of $684.3 million in funding for the fiscal year 2022, the highest level of investment since the program’s inception, the report identified. 

Meanwhile, in August 2022, DHS announced that its Port Security Grant Program would provide $100 million to protect and safeguard America’s critical port infrastructure. The program emphasizes improving cybersecurity and identifies it as a priority area but does not set a minimum spending requirement. The report recommends that Congress take steps to ensure that a minimum of 8 percent of the Port Security Grant Program’s funding goes toward investments in cyber risk mitigation and that a minimum of 5 percent of the PIDP’s funding goes toward the same.

The report also recommends that Congress direct the USCG to develop a program to enhance MTS cybersecurity education and workforce programs, including a public-private workforce rotational program with portable credentialing. These programs can help build the needed pipeline of sector-specific cybersecurity expertise for both the civilian and military cybersecurity workforce.

“Effective cybersecurity education and workforce programs will provide training that delineates between mission operations and support functions,” the report said. “The programs should also make federal cybersecurity positions competitive with those of the private sector, if not directly through salary, then through professional development opportunities. These programs should be designed to increase sector and subsector cybersecurity training.” 

The Cyberspace Solarium Commission report notes that in this vital sub-sector of U.S. transportation, operators rely on technologies and industrial control systems (ICS) to navigate, communicate, and control various aspects of maritime operations vital to national security and prosperity. It is a highly distributed, diverse subsector composed of subsystems, each of which represents a network of systems in its own right. A cyberattack against such a complex maritime ecosystem could be devastating to the stability of the global economy. U.S. government and industry efforts to protect against such attacks, however, are lagging.

The report also pointed out that interagency efforts have evolved over several decades to address not only the physical security of the MTS but also its growing cybersecurity challenges. The report’s second section reviews the Maritime Transportation Security Act of 2002, how it evolved to address cybersecurity challenges, the role of the USCG in protecting the MTS, and ongoing interagency policy efforts to build the cyber resilience of the MTS.

The USCG is also making ongoing efforts to build external cybersecurity partnerships, especially with CISA. CISA and the USCG coordinate the release of alerts and advisories for the MTS. For instance, CISA and USCG Cyber Command released a joint advisory in June 2022 detailing the continued exploitation of the Log4Shell vulnerability by malicious cyber actors. CISA and the USCG drew on USCG intelligence operations and collaborated with private sector partners in the MTS and technology industries to provide specific information and technical analysis detailing indicators of compromise from two incidents.

Last October, CISA issued its Cybersecurity Performance Goals for all critical infrastructure as required by the July 2021 National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems. These are voluntary baseline measures that CISA urges all critical infrastructure owners and operators to adopt to improve their cybersecurity. As a next step, CISA is working with SRMAs, including the USCG, to develop sector-specific guidance. It is also working with government partners to harmonize cyber incident reporting requirements and structures for all critical infrastructure.

In February, Presidential Policy Directive 21 (PPD-21) designated the transportation sector and 15 other sectors of the economy as critical infrastructure, assigning each a federal sector-specific agency, later renamed an SRMA. Under federal law, SRMAs are responsible for supporting sector risk management, assessing sector risk, leading sector coordination, facilitating information and intelligence sharing, supporting incident management, and contributing to emergency preparedness efforts.

The transportation sector has two co-SRMAs: DHS and the Department of Transportation (DOT). DHS has delegated its SRMA duties for the MTS to the USCG. The Coast Guard and Maritime Transportation Act of 2012, meanwhile, established the U.S. Committee on the Marine Transportation System within DOT to serve as the federal interagency coordinating committee.

The current U.S. administration, for its part, has attempted to improve the cyber resilience of all critical infrastructure and specifically the MTS. In August 2021, the USCG issued an updated Cyber Strategic Outlook, which centers on three lines of effort: defend and operate USCG networks, identify and manage cyber risks to the MTS, and ‘fight and win’ in cyberspace. The strategy details the USCG’s roles and responsibilities as an SRMA in protecting the MTS from cyber risks.

The 2021 strategy is the culmination of the USCG’s efforts to develop its prevention and response framework. It emphasizes the USCG’s commitment to carry out its SRMA responsibilities, which include supporting incident management. It also highlights the valuable role played by the captain of the port (COTP). Designated by the Coast Guard commandant, the COTP serves as a port’s federal maritime security coordinator and ensures its safety. COTPs also execute prevention and response frameworks for critical incidents and mission needs.

In January 2021, the U.S. released its National Maritime Cybersecurity Plan, which aims to defend the American economy through enhanced cybersecurity coordination, policies, and practices that mitigate risks to the maritime sub-sector. The plan intends to promote prosperity through information and intelligence sharing and to preserve and increase the nation’s cyber workforce.

In conclusion, the Cyberspace Solarium Commission report identified that the maritime ecosystem and its supporting infrastructure are critical to U.S. national security, energy security, and economic stability. While government and industry partners have resources and knowledge, congressional action can expand pre-existing cybersecurity programs, foster new capabilities, and create a more secure ecosystem. 

The U.K. government released its National Strategy for Maritime Security last August, which enhances capabilities in technology, innovation, and cybersecurity. Among other objectives, the five-year strategy seeks to support the maritime sector in being resilient against cyberattacks and other threats, with a focus on building resilient systems and networks to protect data.
