The Cybersecurity and Infrastructure Security Agency and the U.S. Army Corps of Engineers released a new guide to bring together private and public stakeholders in assessing risk and enhancing resilience to better protect ports and other critical maritime infrastructure from potentially crippling effects of myriad adverse events from natural disasters to physical and cyber attacks or pandemics.
The agencies co-developed the Marine Transportation System Resilience Assessment Guide (MTS Guide) to map out resilience assessments so that decision makers in industry, federal agencies, and local governments can operate from a shared understanding and have access to planning tools and important data.
“The Maritime Transportation System Resilience Assessment Guide is integral to the development of a unified approach to address resilience indicators for port infrastructure systems, and functions that assess the key dimensions of critical infrastructure in the maritime domain,” Executive Assistant Director for Infrastructure Security Dr. David Mussington said.
The new guide is tailored to foster more efficient relationships between stakeholders who might not usually be involved in assessing the cyber resilience of port infrastructure, while helping “produce a holistic understanding of system vulnerabilities and functions, expand awareness of the dependencies and interdependencies within a specific port system, and identify practices or investments that can enhance resilience and inform risk mitigation decision-making,” CISA said.
The guide is based on the resilience cycle: preparing and anticipating adverse events, absorbing and withstanding events should they occur, recovering and bouncing back after the event, and adapting and evolving by using lessons learned to prepare for the next event.
The MTS Guide integrates data and methodologies not just from CISA and the USACE Engineer Research and Development Center but the U.S. Committee on the Marine Transportation System and academic partners from the DHS Coastal Resilience Center of Excellence. The document was also reviewed by the Argonne National Laboratory and Idaho National Laboratory before being presented to the Port of the Futures Conference last April.
The guide’s methodology is based on the CISA Regional Resilience Assessment Methodology and Infrastructure Resilience Planning Framework principles tailored to maritime domain operators; it can be implemented as either a standalone document or supplement either.
“The Methodology for Assessing Regional Infrastructure Resilience articulates core elements of a general, scalable methodology for assessing the resilience of critical infrastructure, and defining key processes and analytical techniques that can yield tangible and actionable options for enhancing resilience through voluntary, collaborative partnerships,” the guide states. “Second, the IRPF provides an approach for localities, regions, and the private sector to work together to plan for the security and resilience of critical infrastructure services in the face of multiple threats and changes. Finally, the MTS Guide integrates these information sources, methodology and experiences into a repeatable, step-by-step framework by supplementing and improving existing processes to conduct resilience assessments and incorporate resilience enhancements into planning and investment activities.”
The key resilience assessment objectives consist of defining functions and characterizing the system, analyzing critical infrastructure and dependencies, understanding the impacts of disruptive events, and developing and evaluating alternatives.
The guide uses three scopes to present examples and case studies: a single port, “including the navigation systems, intermodal connections, and communities that support its ability to move goods”; an MTS port network “which embodies the connectivity of a group of ports and their ability to meet supply chain demands”; and an inland waterway “and the physical infrastructure located along the waterway to support navigation and intermodal transportation.”
It walks users through the pre-assessment phase, which includes identifying stakeholders, challenges, and goals; the design assessment phase, which involves focusing the assessment, developing a data collection strategy, and developing a stakeholder engagement strategy; connecting with resources, or the tools needed to assess; executing the assessment plan; and implementing the findings — communicating the results, assessing contradictory findings, and implementing resilience alternatives.
The guide emphasizes using assessments “to enhance the resilience of a function rather than any one infrastructure system or asset,” taking into account physical, cyber, geographical, and logical dependencies.
“Lifeline services such as power, water, fuel, communications, and emergency response are essential to MTS operations and vice versa,” the guide notes. “Navigation systems, port terminals, and intermodal nodes all rely on a complex web of power, communications, and water systems to operate, but they also provide transportation of equipment and critical products for those sectors. These four functions are linked, and disruptions to one function can have cascading consequences for others.”
The new MTS Guide comes on the heels of the Maritime Cybersecurity Assessment & Annex Guide released by the Coast Guard in January to help Maritime Transportation Security Act (MTSA)-regulated facilities in meeting the Facility Security Assessments (FSA) and Facility Security Plans (FSP) required by MTSA.
A cyber attack on the port environment can compromise physical facility access control systems, manipulate terminal and gate operating systems for the purpose of leaking sensitive supply chain data or facilitating smuggling or cargo theft, stop port operations by compromising the terminal headquarters, compromise operational technology systems such as cranes in a way that leads to loss of life or property, tamper with PNT so that vessels cannot safely navigate a port, and compromise shipboard systems with impacts to safety or cargo.
A U.S. Coast Guard Cyber Command report released in August on cybersecurity trends in the maritime environment said the significance of cyber hygiene, detection, and response “grew exponentially” in 2021 due to a 68 percent increase in reported maritime cyber incidents and USCG efforts to ensure maritime facilities are complying with cyber regulations.