DHS Still Needs to Enhance Efforts to Address Port Cybersecurity Gaps, GAO Says

The Department of Homeland Security (DHS) has “partially addressed two” port cybersecurity-related recommendations made in a Government Accountability Office (GAO) audit report in June 2014, Gregory C. Wilshusen, director of GAO Information Security Issues, told the House Committee on Homeland Security Subcommittee on Border and Maritime Security at a recent hearing.

At the time it issued the results of its audit, GAO “recommended that the US Coast Guard include cyber-risks in its updated risk assessment for the maritime environment, address cyber-risks in its guidance for port security plans and consider reestablishing the sector coordinating council.”

GAO also recommended “the Federal Emergency Management Agency (FEMA) ensure funding decisions for its port security grant program are informed by subject matter expertise and a comprehensive risk assessment.”

GAO reported at the time that it “concluded that until DHS and other stakeholders take additional steps to address cybersecurity in the maritime environment—particularly by conducting a comprehensive risk assessment that includes cyber threats, vulnerabilities and potential impacts—their efforts to help secure the maritime environment may be hindered. This in turn could increase the risk of a cyber-based disruption with potentially serious consequences.”

“While DHS, through the Coast Guard and FEMA, has taken steps to address cyber threats … they have been limited and more remains to be done to ensure that federal and nonfederal stakeholders are working together effectively to mitigate cyber-based threats to the ports,” Wilshusen told lawmakers, noting, “Until DHS fully implements our recommendations, the nation’s maritime ports will remain susceptible to cyber risks.”

Continuing, he stated, “protecting the nation’s ports from cyber-based threats is of increasing importance, not only because of the prevalence of such threats, but because of the ports’ role as conduits of over a trillion dollars in cargo each year. Ports provide a tempting target for criminals seeking monetary gain, and successful attacks could potentially wreak havoc on the national economy. The increasing dependence of port activities on computerized information and communications systems makes them vulnerable to many of the same threats facing other cyber-reliant critical infrastructures, and federal agencies play a key role by working with port facility owners and operators to secure the maritime environment.”

Wilshusen said that, “Similar to other critical infrastructures, the nation’s ports face an evolving array of cyber-based threats. These can come from insiders, criminals, terrorists or other hostile sources and may employ a variety of techniques or exploits, such as denial-of-service attacks and malicious software. By exploiting vulnerabilities in information and communications technologies supporting port operations, cyber-attacks can potentially disrupt the flow of commerce, endanger public safety, and facilitate the theft of valuable cargo.”

In its June 2014 audit, GAO determined that:

  • The Coast Guard had not included cyber-related risks in its biennial assessment of risks to the maritime environment, as called for by federal policy. Specifically, the inputs into the 2012 risk assessment did not include cyber-related threats and vulnerabilities. Officials stated they planned to address this gap in the 2014 revision of the assessment. However, when GAO recently reviewed the updated risk assessment, it noted the assessments did not identify vulnerabilities of cyber-related assets, although it identified some cyber threats and their potential impacts.
  • The Coast Guard also did not address cyber-related risks in its guidance for developing port area and port facility security plans. As a result, port and facility security plans GAO reviewed generally did not include cyber threats or vulnerabilities. While Coast Guard officials noted they planned to update the security plan guidance to include cyber-related elements, without a comprehensive risk assessment for the maritime environment, the plans may not address all relevant cyber-threats and vulnerabilities.
  • The Coast Guard had helped to establish information-sharing mechanisms called for by federal policy, including a sector coordinating council, made up of private-sector stakeholders and a government coordinating council with representation from relevant federal agencies, but these bodies shared cybersecurity-related information to a limited extent, and the sector coordinating council was disbanded in 2011. Thus, maritime stakeholders lacked a national-level forum for information sharing and coordination.
  • FEMA identified enhancing cybersecurity capabilities as a priority for its port security grant program, which is to defray the costs of implementing security measures. However, FEMA’s grant review process was not informed by Coast Guard cybersecurity subject matter expertise or a comprehensive assessment of cyber-related risks for the port environment. Consequently, there was an increased risk that grants were not allocated to projects that would most effectively enhance security at the nation’s ports.

“Threats to the maritime environment include hacking, jamming, phishing, spoofing, malicious programs, taking control and denial of service. On average, the Port of Long Beach’s Information Management staff reports thwarting one million hacking attempts a day,” said Port of Long Beach Security Services Director Randy D. Parsons.

Parsons explained that, “Some of the motivating factors for cyber criminal activities may involve smuggling, cyber extortion, gaining business advantage, intellectual property theft and disrupting or destroying a national critical infrastructure. In addition to manmade cyber threats, the maritime sector is also susceptible to natural hazards such as earthquakes, hurricanes and tsunamis.”

He further noted that, “Cyber threats do not necessarily target people to cause injuries and/or death, as with more traditional forms of terrorism. However, threats to ports are dangerous to the large number of workers, travelers and visitors in and around the port community. Coupled with the potential catastrophic economic impacts, maritime cyber events could impact our national well-being as much, if not more than other types of attacks. Large scale, multi-pronged attacks in the cyber world will require certain level of technical knowledge. However, the logistics involved in cyber-attacks may not rise to the level that was required for the September 11 attacks. Cyber-attacks on such a large scale would create fear, instability, disrupt the normal way of life and business, and generate a lack of confidence in our government’s ability to protect us. These are some of the same goals of more ‘traditional’ terrorist acts.”

And, “As a result,” he stated, “the maritime sector must adapt to a new threat environment as we have done constantly since the September 11 attacks.”

Parsons said, “It may seem overdramatic to make a comparison to the September 11th attacks, but one similarity may be in the number of cyberattacks that have taken place internationally and within the US, as well as our responses, or lack of, to those warnings. As a result, business resiliency has become a critical part of our ongoing cybersecurity plan. Reducing the potential for single point failure, building redundancy into systems, and developing back-up processes are vital to ensuring ports remain viable and resume operations as swiftly as possible in the event of an incident. Response and recovery are critical to successful mitigation and business resumption. Protocols must be clear on how to best contain an incident to prevent further interruption.”

He further noted that, “Response teams must have specialized training and be prepared to engage 24/7. Protocols should include who receives notice of the event and what additional assets are available to assist. In a port environment, resiliency involves the ability of the logistics chain (public or private) to absorb the impact of business interruption caused by stress to the system (natural or manmade) and continue to provide an acceptable level of goods movement. In order to develop a comprehensive resiliency plan to address cyber security, factors that should be addressed include infrastructure needs and protection, transportation systems and development of business continuity plans.”

Parsons told the subcommittee that there are numerous “challenges that must be addressed to enhance cybersecurity in maritime environments,” and that there isn’t “a one-size-fits-all solution because ports are diverse in how their business is modeled.”

He warned that, “A lack of awareness about an organization’s own systems creates opportunities for exploitation at a basic level. Systems themselves can be a patch work of legacy systems, some integrated with newer technologies. Cyber systems can be administered by operators with different purposes and a myopic focus on only their required function (i.e. engineers, information technology, trade, human resources and security). This creates a lack of an enterprise view of operations, which can lead to the ‘siloing’ effect,” which isn’t an information technology problem, but rather a “culture think” problem “that takes effort to divest and generate a unified and collaborative perspective.”

Parsons additionally pointed out that, “In the maritime industry, there is a notable reluctance to share information about cybersecurity issues. To acknowledge that a cyber-event has taken place could potentially diminish business reputation and public trust. Maritime stakeholders have deemed much of their information as proprietary to the degree that dissemination could create business disadvantages. Although this is a valid concern, it must be measured against the national security impact to a port complex like the San Pedro Bay.”

Not sharing cybersecurity information, he said, makes it very difficult to identify the nature of threats or establish lessons learned and best practices to mitigate them.

“There is not a clear or defined role and scope of responsibilities for the various government agencies on the cyber security team,” he stated, noting, “It is generally understood that, in substantial criminal cyber activity and terrorism matters, the FBI is the lead agency. However, the ports of Long Beach and Los Angeles along with some of the tenants have been contacted by, and have also worked with the US Coast Guard, the Secret Service and multiple entities of [the] Department of Homeland Security on cyber matters.”

“Port authorities are willing partners in the fight against cyber-attacks,” he said, but there are requests for access to data from more than one agency which makes it very challenging to understand what type of cyber information is reported to which agency. Consequently, “duplicate requests for reporting often occur.” And, “This can be especially disconcerting for the private sector entities whose proprietary concerns are heightened when multiple releases create more opportunity for compromise.”

Also testifying before the subcommittee was Coast Guard Assistant Commandant, Prevention Policy, Rear Admiral Paul Thomas, who said, “Similar to other sectors, emerging cyber threats in the port environment are diverse and complex. Cyber risks manifest themselves as both safety and security concerns. As such, the Coast Guard is emphasizing the term ‘cyber risk management,’ which also addresses how much the maritime transportation system (MTS) relies on information technology systems to connect to the global supply chain. Vessel and facility operators use computers and cyber dependent systems for navigation, communications, engineering, cargo, ballast, safety, environmental control and emergency systems such as security monitoring, fire detection and alarm systems.”

Collectively, Thomas told lawmakers, “these systems enable the MTS to operate with an impressive record of efficiency and reliability.” But, “While these information technology systems create benefits, they also introduce potential risks. Exploitation, misuse or simple failure of information technology systems can cause injury or death, harm the marine environment or disrupt vital trade activity.”

Thomas said “the complexity of cyber technology, and the fast pace of change, suggest that any requirements will need to be risk and performance based. That is, rather than mandate a specific technical solution, the Coast Guard believes that facility and vessel operators should identify and evaluate the vulnerabilities and consequences associated with their cyber systems, and put in place an appropriate suite of mitigating measures sufficient to achieve an acceptable level of security.”

“This approach,” he said, “has served the industry and public well in conventional safety and security risks,” pointing out that, “Our challenge is to devise a methodology suited to the nuances of cyber risk. Of course it must produce meaningful results in a way that the vessel or facility operators can demonstrate an acceptable level of security to the Coast Guard and other interested parties.”

In addition to policy development, Thomas said the Coast Guard also recognizes “the need to develop our own workforce and take other measures to ensure we have the capacity and skills necessary to carry out those policies.”

He said the Coast Guard’s Cyber Strategy identifies several factors to this end, including training, education, organizational structure and partnerships.

The Coast Guard’s recently developed Cyber Strategy proposes three strategic priorities for the service — defending its own cyberspace, enabling Coast Guard operations and protecting maritime critical infrastructure.

“Cybersecurity in US ports is a key goal of this strategy,” he stated.

In conclusion, he said, “As port facilities and vessels continue to incorporate information technology systems into their operations, the Coast Guard must adapt its regulatory regime accordingly. Regardless of whether an incident is a cyber-attack, or a cyber accident, we must recognize the potential consequences to mariners, port workers, the public and the marine environment. With approximately 360 sea and river ports that handle more than $1.3 trillion in annual cargo, our nation is critically dependent on a safe, secure and efficient MTS.”

Homeland Security Today
The Government Technology & Services Coalition's Homeland Security Today (HSToday) is the premier news and information resource for the homeland security community, dedicated to elevating the discussions and insights that can support a safe and secure nation. A non-profit magazine and media platform, HSToday provides readers with the whole story, placing facts and comments in context to inform debate and drive realistic solutions to some of the nation’s most vexing security challenges.