Cooperation between industry and government is absolutely essential to confront cyber threats in the maritime sector and mount an adequate strategy to protect the critical supply chain, said Mark Buzby, administrator of the U.S. Maritime Administration.
“It’s easy for us just to kind of cast it off to the IT folks and say, go fix it. And I think what has become quite apparent over the past several years is that this truly needs an operational focus, truly needs a strategic approach to a very vexing and growing problem,” he said last week at a virtual Atlantic Council event on maritime cybersecurity.
Buzby said the COVID-19 pandemic has “accelerated” awareness of the importance of the critical supply chain and the interconnected port ecosystem that provides opportunities for “bad actors to integrate into those systems in a bad way and cause chaos.”
“It’s happening — it’s not a maybe, it’s not a ‘I-wonder-if,’ it’s a reality,” he said. “And getting after this is absolutely vital not only to our economic security but really to our national security” as the maritime industry facilitates the movement of military forces as well as goods needed by civilians.
“That can be so easily disabled through some very simple keystrokes by some bad actors that introduces some true vulnerabilities into our national defense,” Buzby continued. “So our industry partners — having you all a part of this is very, very critical. The information-sharing aspects of it that clearly need to be better developed. And I fully understand the business sensitivities of sharing information but it’s been done in other parts of business and we clearly need to kind of get after it here and build that trust, quite frankly, between the government and industry — such that we can build a good, solid defense to enable the maritime industry to continue to grow, to go forward and operate in that very dangerous neighborhood that’s out there.”
U.S. Coast Guard Capt. Jason Tama, sector commander at the Port of New York and New Jersey and the Port of Albany, said those in charge of port security have “learned a lot over the past several years” about cyber vulnerabilities, “but much more certainly needs to be done in this space, for all of us, I think.”
“The Coast Guard has very unique authorities in this space,” Tama said. “We are an armed force, we’re a regulatory agency, we’re a law enforcement agency, and we’re a member of the intelligence community which gives us very unique capabilities and authorities that I think offer an opportunity for us to contribute and lead in the cyber domain. And we’re starting to do that in places all over the country, but as I said, much more work needs to be done.”
One-third of the nation’s GDP is generated within about 250 miles of the Port of New York and New Jersey, and nearly a quarter of the nation’s gross domestic product — about $5 trillion — is related to maritime transportation, he noted.
With 360 ports, more than 20,000 bridges, 50,000 aids to navigation, and 95,000 miles of shoreline, “we are indeed a maritime nation,” the captain added.
“Maritime is as important as other sectors that are recognized as key sectors for security in the cyber domain — as important as the financial sector, as important as the energy sector, as important as the communications sector, when we look at reach and impact,” Tama said. Partners in New York’s financial sector aid the port in its cybersecurity because “a disruption to the maritime supply chain is a significant market mover.”
Kathy Metcalf, president and CEO at the Chamber of Shipping of America, stressed that “the system will only be as good as its weakest link.”
“Collaboration has got to be pursued for us all to get as healthy as we possibly can,” she said.
Xavier Bellekens, a lecturer and chancellor’s fellow at the Institute for Signal Sensors and Communications at the University of Strathclyde, said a focus on maritime cybersecurity is crucial “because nowadays we’ve got communities tracking ships, we’ve got communities tracking port operations, we’ve got many ways to gather open-source intelligence, and it can either be done for the good of the people or for bad.”
Kevin Stine, chief of the applied cybersecurity division at the National Institute of Standards and Technology, said it’s important to use a risk-based approach and “take cybersecurity experiences, standards, guides, and tools and really apply them in the context of the maritime environment.”
“Trust is especially critical in this space given there’s many areas of interconnectivities and really the convergence, if you will, from so many domains,” Stine said. “We’ve heard this is a national security issue as well as an economic security issue. You have diverse public and private stakeholders that are involved and play key roles across the entire maritime space.”
“…You’ve got IT professionals and security folks, you’ve got the operational technology experts that really understand the maritime space and how those things are applied. How do we bring these communities together and bridge communications and technology gaps in some ways or bridge those areas of potential disconnect really to align around a common goal and really cultivating trust in these types of environments?”
Tama noted that it’s “very challenging when you’ re deploying a capital asset that may navigate the sea for 30 years and to maintain that IT and OT integration and the network segmentation.”
“Recognizing that you have that diversity of technology, you have that diversity of the operational environments, whether it’s on ship or at port in the port technologies and that mix of the legacy and kind of the newer and highly connected environments is going to be very important,” Stine said.
Metcalf said she thinks upper management in the maritime industry along with onboard crew members grasp the cyber risks, and “with every incident, we get much, much closer to people realizing what can happen.”
People in the industry have looked at a dangerous cyber attack in terms of somebody remotely taking control of a ship’s navigation — “the ultimate concern” — but crews and management can be better educated on the fact that “it doesn’t have to be quite that dynamic for it to have a significant impact on a shipping company and the marine transportation system, such as an economic impact,” she said.
“If I’m in the middle of the ocean and I lose a system, my first question is not going to be ‘is this a cyber problem.’ My first question is going to be how can I restore my operational capability to make sure I’m safe and not an environmental risk,” Metcalf noted. “The cyber question comes after that initial response is under control.”
