The Maritime Industry Has Unique Cybersecurity Challenges
With supply chain attacks on the rise, and nation-state attackers constantly looking for new ways to disrupt national security and economic stability, one of the most vulnerable areas is the security around our maritime operations. The Biden-Harris Administration's recent Executive Order to fortify the cybersecurity of U.S. ports underscores this concern, spotlighting the urgency of addressing vulnerabilities in a sector that drives over $5.4 trillion in economic activity annually. This initiative is not merely a legislative action but a clear and needed call to safeguard the backbone of global commerce against the consistently increasing threat of cyberattacks.
While every industry working toward cybersecurity maturity has challenges, the maritime industry faces a unique set of obstacles due to the complex nature of information technology (IT) and operational technology (OT) systems that need to work together to fulfill the wide array of its missions. Over time, the maritime industry's reliance on digital technologies has grown exponentially, integrating operations from navigation to cargo handling.
However, this digital transformation has also ushered in vulnerabilities, making maritime assets prime targets for cyber threats. These vulnerabilities are multifaceted, stemming from regulatory ambiguities, the complex integration of IT and OT, the implementation of cybersecurity measures and a pervasive shortage of cybersecurity professionals.
Add to that the idea that, historically, maritime security regulations have focused predominantly on physical threats, as evidenced by the post-9/11 security measures which emphasized "guns, gates, guards and identification cards." But as times have changed and attackers have become more sophisticated, there is a very real demand, both in the industry and the government, to pivot towards addressing non-physical threats that can have equally, if not more, devastating effects. The existing regulatory frameworks, while foundational, have not evolved in tandem with these digital threats, leaving gaps that could be exploited. The International Ship and Port Facility Security (ISPS) Code and the Maritime Transportation Security Act (MTSA) of 2002 exemplify this lag, as they were conceived in a pre-digital threat landscape.
The recent Executive Order aims to bridge these gaps by enhancing the Department of Homeland Security's authority to mitigate maritime cyber threats and signifies a proactive stance towards creating a resilient maritime infrastructure capable of withstanding cyber threats. Some of the action items included in this EO are:
- Authority Expansion for Homeland Security: The EO grants the Department of Homeland Security and the U.S. Coast Guard increased authority to directly manage maritime cyber threats. This includes setting cybersecurity standards to secure networks and systems at American ports.
- Cyber Incident Reporting: Entities are now required to report any actual or potential cyber incidents that could endanger vessels, harbors, ports or waterfront facilities. The Coast Guard, FBI and Cybersecurity and Infrastructure Security Agency (CISA) must be notified of such incidents.
- Maritime Security Directive: Specifically targeting ship-to-shore cranes manufactured by the People’s Republic of China located at U.S. Commercial Strategic Seaports, the directive demands actions to address vulnerabilities within these cranes and their associated IT and OT systems.
- Cybersecurity Requirements Establishment: The EO includes a Notice of Proposed Rulemaking to establish baseline cybersecurity requirements for the maritime sector, influenced by international and industry-recognized standards. These requirements aim to strengthen the digital systems of the Marine Transportation System against cyber threats.
- Investment in Infrastructure and Onshoring Manufacturing: The administration is committing over $20 billion towards U.S. port infrastructure over the next five years, including efforts to onshore manufacturing of port cranes to mitigate reliance on foreign-produced equipment that may pose security risks.
- Enhanced Collaboration and Security Measures: The EO also emphasizes the importance of adopting best practices for cybersecurity in the maritime sector. This includes monitoring for wireless threats, addressing vulnerabilities due to the integration of IT and OT and implementing rigorous cybersecurity plans.
Despite these directives, very real challenges persist. Most notable is the current ambiguity surrounding cybersecurity regulations. The Coast Guard's NVIC 01-20, for example, attempts to address these challenges by providing guidance for incorporating cybersecurity into Facility Security Assessments (FSAs) and Facility Security Plans (FSPs), but that guidance falls short of mandating the implementation of these plans, underscoring a need for more explicit and enforceable regulations.
Moreover, as mentioned previously, the integration of IT and OT in maritime operations complicates cybersecurity efforts, as these systems often have different security needs and are managed by separate teams within an organization. Protecting these interconnected systems requires a holistic approach that considers both IT and OT vulnerabilities and allows for both teams to have visibility into how risk carries over into adjacent systems.
Lastly, and probably most critical, is the investment in human capital. There is currently a very real lack of qualified professionals capable of addressing the growing cybersecurity threat across all sectors, not just maritime. Within the maritime sector, this shortage can be mitigated through targeted training programs and partnerships with academic institutions to cultivate a new generation of maritime cybersecurity experts.
Addressing these challenges necessitates a multifaceted strategy that includes updating and clarifying regulations, fostering a cybersecurity culture within maritime organizations and investing in cybersecurity training and resources. The Maritime Cybersecurity Methodology, which integrates the NIST Cybersecurity Framework and the ISA/IEC IACS Cybersecurity Lifecycle model, offers a structured approach for assessing, planning, implementing and monitoring cybersecurity measures. With the new EO, even more clarity, resources and regulation are on the horizon to help.
With that said, collaboration between government agencies, industry stakeholders and international partners is going to be vital for enhancing cybersecurity standards and sharing best practices. Additionally, given the global nature of maritime operations, international cooperation is essential for establishing uniform cybersecurity standards and protocols that transcend national borders.
To this end, I believe the Biden-Harris Administration's Executive Order represents a pivotal stride towards understanding, aligning and remediating the gaps and challenges that the cybersecurity defenses of the U.S. maritime sector currently face. This initiative not only addresses current vulnerabilities but also lays the groundwork for a more resilient and secure maritime infrastructure capable of combating emerging cyber threats. Overcoming the hurdles of regulatory clarity, bridging the gap between IT and OT security needs and bolstering the workforce with skilled cybersecurity professionals are essential steps forward. Through collaborative efforts among government, industry and international entities, the maritime sector can navigate these digital waters more safely. Implementing these solutions will not only safeguard national security but also ensure the continuity and efficiency of global trade operations, making this initiative a beacon for future cybersecurity endeavors in critical infrastructures.