The economic vitality and national security of the United States depends on a vast array of interdependent and critical networks, systems, services, and resources that constitute, in part, cyber space. It’s far too easy to take for granted how we communicate, travel, power our homes, bank, run our economy, and manage our integration into the larger “cyber ecosystem.” To better understand future implications and challenges for the Coast Guard and the marine transportation system (MTS), writ large, Sector New York developed a cyber program with three main goals:
- Increase corporate knowledge of cyber security efforts within the Port of New York and vessels calling on the port complex.
- Partner with world-class entities to look for the “best-in-class” cyber practices, then evaluate and harvest those concepts that show promise for applicability to the broader MTS.
- Develop an exercise system that tests and evaluates cyber resiliency, just as we would prepare to respond to any other reasonably likely scenario with the potential to produce severe consequences.
As an operational commander considering where and how best to invest effort, the calculus of risk management makes it essential to consider both the impacts and return on investment in the allocation of scarce resources. It would be relatively easy and benign to wait for somebody else to frame the cyber issues. As U.S. Coast Guard Commandant Admiral Paul Zukunft pointed out at a Center for Strategic and International Studies (CSIS) forum in Washington, D.C., on June 17, 2015, if government agencies can share best practices and establish voluntary standards in cyber security, then enlightened self-interest will prompt private companies to adopt them.1 Discussing cyber vulnerabilities and how a cooperative cyber engagement strategy may mitigate them and allow for a quicker response has been deemed a worthwhile investment.
Yogi Berra once famously opined that “The future ain’t what it used to be.” So, too, the future of cyber security won’t be what it is today. The only foreseeable constant is that it will likely remain difficult to accurately define; it will potentially be unbounded, as cyber intersects across virtually all aspects of politics, society, and the economy, among other aspects of everyday life.
We urge each of you reading this article to consider what resources you have available and how you might con- tribute to the larger dialogue as we think about the future. The cyber issue is not going away—if anything, the challenges will follow an exponential curve as technologies and threats evolve. That makes it an imperative for each of us to continue to understand the threats and mitigate their impacts so we can learn how to better operate within the cyber ecosystem.
High Stakes, High Regard
According to the Lloyd’s (of Lon-don) City Risk Index, cyber attacks outweigh physical terrorism in the amount of gross domestic product (GDP) at risk: $294.15 billion, compared to $98.2 billion. Of the 301 cities analyzed world- wide, New York ranked number one at risk for loss of GDP by way of cyber attack, with a potential vulnerability of $14.08 billion.
The U.S. Coast Guard released its national cyber strategy in June 2015 to emphasize the importance of making cyber security a critical operational domain. As a result, Sector New York and its industry port partners have elevated cyber security to the highest level of importance. Elevating cyber defense culture and status in this regard is the rst line of defense in reducing the vulnerability public and private entities face. Information, operations, and public perception are all equally at risk. However, the development and collaboration surrounding pertinent cyber security protocols within the MTS remains limited.
Port Partner Outreach—and Beyond
In a completely voluntary environment, Sector New York started the conversation by inviting MTS port partners, port operators, critical infrastructure/utility personnel, local and federal authorities, academia, and various subject matter experts from dissimilar institutions to discuss potential cyber risks within the maritime domain.
In an unusual move, we also reached out to representatives of the financial services industry. It’s really not that strange, though, considering the current state of cyber security and which market segment best epitomizes the need for it. Taking advantage of their close proximity, Sector New York reached out to Wall Street firms to help shape the cyber narrative. The ability to partner with non-traditional Coast Guard actors like Goldman Sachs, Con Edison, NASDAQ, and American Express, as well as the robust maritime port community, enabled us to make a more comprehensive and nuanced assessment of cyber vulnerabilities, informing us about what to expect in terms of various market segment response posture.
Leveraging the Coast Guard’s Area Maritime Security Committee (AMSC), Sector New York laid the foundation to facilitate quarterly, semi-annual, and annual meetings to bolster awareness of cyber issues within the port. The beginning phase of these meetings helped establish proper personnel, definitions, and common understandings pertaining to vulnerabilities from an industry perspective.
Cyber Security Subcommittee and Liaison Program
Executing these meetings under the umbrella of the AMSC, Sector New York developed the nation’s first regional-level cyber security subcommittee. This subcommittee strives to identify opportunities for MTS port partners to share information and work in an environment of training and learning. As a result, cyber security measures are hardened, new threat analyses are developed, and time and money are saved. Through the AMSC cyber security subcommittee and the MTS port partner/USCG relationship, Sector New York established a cyber security liaison outreach program under the commandant’s strategy to “leverage partnerships to build knowledge, resource capacity, and an understanding of MTS cyber vulnerabilities.” The Cyber Security Liaison Program consists of a member of the local Coast Guard unit, dressed in civilian business attire, meeting with facility security of officers and information technology (IT) management to conduct an overview of a respective business from management and operational perspectives.
Once a liaison officer achieves a relative understanding of the business’ cyber operations, he or she begins an in-depth cyber security conversation with IT management. The officer directs the discussion toward learning IT and industry best practices to identify common ideas and perspectives on cyber defense within the industry. These conversations have become especially beneficial to understanding what each terminal or agency identifies as the most important cyber security vulnerabilities.
The Cyber Security Liaison Program also has provided company anonymity. The Coast Guard meets with MTS port partners in their offices or agency offices—as their cyber protocol allows—to openly discuss a normally sensitive/ guarded topic. This offers a comfortable environment for operations and management to discuss currently unregulated and publicly sensitive items within the company’s cyber program.
Sector New York has included its parent units, the First Coast Guard District and Coast Guard headquarters, to bolster the cyber security discussion within the port. In May 2016, Admiral Paul Zukunft and members of his staff were the keynote guests at the first cyber security luncheon hosted by the AMSC cyber security subcommittee. In conjunction with Con Edison, Sector New York hosted two separate meetings with the commandant at this event.
The first meeting consisted of roughly 20–25 influential partners within the Port of New York/New Jersey. This provided an intimate environment with the commandant and lead USCG cyber security staff officers. Questions and conversations revolved around Coast Guard cyber security involvement in public and private industry, law enforcement, budgeting, and advancement for educational institutions. The second meeting was a luncheon that involved more than 90 vital maritime port partners engaging in an open-forum Q&A discussion on how and what the Coast Guard’s role should be within the cyber realm.
This was an impressive turnout for an AMSC cyber security subcommittee event, which further highlighted the community’s concern surrounding this issue. Sector New York’s ability to get the most influential leaders from the Port of New York/New Jersey under one roof to focus on maritime cyber security and provide Coast Guard leadership with real concerns and issues demonstrated a high level of portwide buy-in toward defending against cyber breaches.
Sector New York has devoted itself to championing a cohesive cyber security subcommittee, developing a strong foundation through the unit’s area maritime security committee. The ability to get the right people in the same room to ask very dif cult questions regarding cyber security has given local experts the capability to put theoretical discussions into physical practice. The subcommittee has notably been able to leverage partners from MTS ports, academia, companies from separate industries with more robust and articulated cyber programs—financial institutions and utility companies among them—and local state and federal authorities such as the New York Police Department, New Jersey State Department of Homeland Security, and the Federal Bureau of Investigation.
Tabletop Exercise “Cyber Intrusion”
Most recently, Sector New York and the cyber security sub- committee continued its outreach to port partners through the Coast Guard Exercise Support Team. The exercise support team specializes in developing potential workshops, tabletop exercises, and eventual full-scale exercises to simulate cyber vulnerabilities. In addition, the team sets a foundation for positive communications between industry partners and the authorities that would provide aid in the event of a marine transportation system cyber compromise.
The tabletop exercise “Cyber Intrusion” was brought to life in August 2016. Developed by the AMSC cyber security subcommittee, USCG Exercise Support Team, Stevens Institute of Technology’s Maritime Security Center, Louisiana State University – Stephenson Disaster Management Institute, and the New Jersey Office of Homeland Security and Preparedness, the exercise focused on hypothetical cyber scenarios, with an emphasis on discussing realistic reactions and expectations in the event of a cyber attack.
Day one was held at the Stevens Institute of Technology in Hoboken, New Jersey, and hosted more than 60 participants from oil and gas terminal operations. Day two was held at Maher Terminals in Elizabeth, New Jersey, and hosted over 60 participants from container terminal operations. Day three was held at the New York City Office of Emergency Management, and hosted more than 50 participants from passenger and ferry operations.
Many private companies were initially guarded, unwilling to openly discuss their proprietary business operations and true vulnerabilities. But once they realized the benefits of combating cyber threats as a community, the exercise began to stimulate discussions for best practices, the domino effects of a cyber breach, training scenarios, possibilities for grant funding, avenues for information sharing, and eventual investigations and prosecutions against cyber offenders. Overall, participants finished the exercise feeling encouraged to discuss the unknown and unregulated side of cyber security, pledging to play a larger role in the development of cyber security within the port.
Cyber Defense and Cyber Posture Lessons Learned
Through the cyber security subcommittee’s extensive commitment, consistency, and hard work, Sector New York has gained a greater understanding of the cyber environment within the MTS. The broad spectrum of cyber defenses range from large, multi-national corporations with dedicated staff and resources to the smaller, privately owned operators who treat cyber security as more of a collateral duty.
One challenge within the port community is the threat of information theft. Larger companies are often able to allocate a greater budget for the more highly sophisticated, intricate cyber postures they employ, as well as abundant resources to protect their information. When these large corporations interact with and share this protected information with smaller port operators as part of their normal business practices, the smaller companies may not have the same level of cyber protocols and defense, which could leave such highly valuable information more susceptible to theft.
Another challenge is communication. A large percentage of MTS port partners understand that cyber security is increasingly critical, with definite vulnerabilities. However, the communication among private port partners is limited.
In the event of a cyber breach, for example, affected organizations may be reluctant to report it to authorities for fear it may negatively affect their business operations, reputation, or stock value. The distress of hurting the company’s public perception and bottom line is the main concern for all parties involved. Some larger MTS port partners tend to focus on rectifying the breach internally and resuming operations as soon as possible rather than reporting a cyber security breach to the public or the appropriate authorities. The fear of being labeled as a company that has been “hacked” often outweighs the benefit of reporting potentially helpful information to authorities.
Though growth is limited, more MTS port partners are making cyber security education a priority, and their knowledge and understanding of standards at other companies and institutions is beginning to expand.
Information Technology Lessons Learned
In spite of their pride in the industry’s blue collar, physical roots, those employed in the maritime domain must interact with the technology that makes it possible to keep up with today’s demanding business world. The mariners, longshoremen, truck drivers, and terminal operators cannot bypass the applications and devices integrated into daily terminal operations. These operations and workers act as the hands to the logistical mind for getting a container from origin to destination in preparation for the holiday inventory, for the 300,000 barrels of oil imported every other day from the Middle East to fuel our economy, or to a ferry system that transports 60 million commuters around the New York metro area every year.
The “all-in-one” approach is common for handling our MTS port partners’ IT divisions and staffing issues. Their funding, staffing, and locations are often set up to share responsibilities within a single IT staff. Current cyber postures allow them to maintain a help desk or hotline for immediate IT help, network and hardware set-up for physical equipment, and analytics of cyber threats. In reality, this is merely ciphering through potential cyber threats and deciding whether or not they are legitimate contacts, emails, or less. These problems and questions are often assigned to one staff under one roof.
Our counterparts at top financial institutions, considered the industry standard when it comes to cyber security, do not have a “one-stop” IT shop. These branches within the IT staff—help desk/hotline, network and hardware set-up, cyber defense—are segmented and responsible for their own area of expertise.
In fact, the cyber defense branch is further segmented to augment investigation and response in the areas of cyber defense and cyber forensics. The cyber defense division focuses on hardening the company’s cyber posture and strengthening its preventative measures. The cyber forensics division concentrates on analyzing incoming threats and breaches, where the threats came from, what the threats were seeking, potential dwell time, and other various informative trends.
What we also find vital to the citadel of cyber security for our financial institutions are some essential information technology practices and processes. Though they may not apply to the overall demands of the maritime domain, understanding the financial industry’s tactics in cyber security can better inform the maritime industry in building its own fortress and standards for cyber security. These introductory practices and processes implemented by a wide number of financial firms have much in common with the practices implemented by the Coast Guard for incident response—a process very familiar to the Coast Guard’s port partners. The process of identification, coordination, response, and resolution can be directly correlated to the cyber domain. In broad strokes, port partners from the maritime domain can use these four foundational practices to better harden their own cyber security programs.
Through the AMSC cyber security subcommittee’s implementation, the cyber security conversation has begun among Port of New York/New Jersey MTS port partners. Continuing this open line of communication by way of CG Homeport pushing constant information and bulletins, regularly scheduled meetings, and hosting various workshops and tabletop exercises led to a successful two-day Cyber Game & Workshop held in Brooklyn, NY on August 15th and 16th, 2017. Approximately 65 participants each day represented over 50 different public and private sector organizations from the Port of New York/New Jersey.
Day one’s Cyber Game provided a venue for discussion, training, and competition aimed at better informing port partners of the current vulnerabilities that lie within cyber security and the MTS. To participate, entities were requested to bring one “Cyber Technician” for technical assistance, and one “Decision Maker” for holistic assessments with a business perspective.
The Cyber Game identified top functions, services or assets, and potential adversaries as well as a hypothetical “Red Team” vs. “Blue Team” timeline to develop threats and cautionary reactions.
During the Cyber Game, participants conducted risk assessments to identify the port’s most critical cyber infrastructure. The game highlighted the interconnectivity of the port, the potential cascading effects of a cyber breach, and the resultant importance of collaboration in responding to cyber threats, setting the stage for the workshop on day two.
Various presenters across the public and private sector presented information on the following topics during the workshop:
- Legal Issues and Ramifications of Cyber Breaches/ Attacks within the Maritime Domain,
- Current State of the Maritime Cyber Security Landscape
- Vulnerability Management, Risk Assessment, and IT Systems Improvement,
- Exercise Methodology and Available Exercise Tools, and
- Operational Technologies Systems Improvement.
The two-day event highlighted two important themes: First, cyber security requires collaboration. Because of the interconnected nature of the port, cyber resilience must be a shared goal.
Second, to respond to the cyber threat, we should shift the discussion from “cyber security” to “cyber risk management.” Threats come in all forms, from individual hackers, to foreign governments, to outdated technology and to employees with poor “cyber hygiene.” With such a diverse set of threats, we may not be able to reach absolute cyber security. We can, however, conduct risk and vulnerability assessments, quantify our risk, focus on our critical infrastructure, and take responsible steps to mitigate and respond to threats.
Importantly, concluding the two-day event, participants were willing and eager to collaborate by sharing vital information on cyber threats, and to work together to produce regional-level guidance on cyber security best practices as part of a continuing effort to make the Port of New York and New Jersey more cyber resilient. This was a positive shift in attitude compared to just a year before.
The AMSC cyber security subcommittee will continue to promote the ideas and lessons learned from its commandant luncheon, tabletop exercise “Cyber Intrusion,” and continued interaction with port partners through the Cyber Security Liaison Project. These ideas and lessons learned have been shared with MTS port partners as well as local, state, and federal authorities.
For our MTS port partners, the ideas and lessons learned include using and bolstering the Maritime Information Sharing Analysis Center, continuing to gain company buy-in for sharing information amongst industry partners, and educating port partners on the use of FBI Infraguard/Cyberhood, an FBI forum for cyber attack reporting and analysis. This integration with FBI capabilities will help to push vital notifications and more efficiently engage in investigations in the event of a cyber breach, leading to a potential increase in the prosecution of cyber offenders.
For local, state, and federal authorities, the ideas and lessons learned deal heavily with the sensitivity and discretion demonstrated in information reporting. As a bridge between industry and government, the AMSC cyber security subcommittee stresses to similar Port of New York/ New Jersey law enforcement entities an understanding that detailed information sharing is detrimental to a company’s bottom line and stock prices.
The sharing of a company’s name, specific data stolen, or any association with the label “hacked” can cripple a company. The lack of discretion in gathering and dispersing self-reported information will deter companies from reporting breaches and defeat the purpose of information sharing. Sector New York aims to foster productive information sharing and encourage self-reporting in the event of a possible cyber breach.
Coast Guard Sector New York has embraced its role within the cyber ecosystem through the professional relationships it has forged through its AMSC cyber security subcommittee and the numerous resources it has developed outside of typical maritime actors.
We will strive to increase corporate knowledge of cyber security efforts within the Port of New York/New Jersey and the vessels calling on its port complexes, and partner with world-class entities to look for the “best in class” cyber practices. We will evaluate and harvest the concepts that show promise for applicability to the broader MTS. We will develop an exercise system that tests and evaluates cyber resiliency. We will do this as part of Sector New York’s ever-evolving mission to better understand future implications and challenges for the Coast Guard and the MTS in this rapidly evolving cyber domain.
Our success in achieving these three main goals will depend upon the adaptability of the men and women engaged in the larger dialogue. This cyber issue and the steps we take to operate within, understand, and mitigate impacts to the cyber ecosystem begin with a forward-leaning Coast Guard that is engaged and leveraging its unique role in the maritime industry.
Sector New York has heavily committed to gaining a better understanding of cyber challenges, and the return in terms of knowledge and new partnerships has proven to be a worthwhile investment.
This article was originally published in Coast Guard Proceedings, published in the interest of safety at sea under the auspices of the Marine Safety & Security Council. The views expressed by the authors do not necessarily represent those of the U.S. Coast Guard or the Department of Homeland Security or represent official policy.