The new five-year National Maritime Cybersecurity Plan released by the White House this week focuses on new standards for port owners, shippers, and operators and forthcoming mandates that contractors meet cyber standards.
National Security Advisor Robert O’Brien said Tuesday that the plan “articulates how the United States government can buy down the potential catastrophic risks to our national security and economic prosperity created by technology innovations to strengthen maritime commerce efficiency and reliability.”
Cybersecurity of the Maritime Transportation System (MTS) was listed as a top priority for national defense, homeland security, and economic competitiveness in the 2017 National Security Strategy.
“The National Maritime Cybersecurity Plan unifies maritime cybersecurity resources, stakeholders, and initiatives to aggressively mitigate current and near-term maritime cyberspace threats and vulnerabilities while complementing the National Strategy for Maritime Security,” O’Brien said. “The Plan identifies government priority actions to close maritime cybersecurity gaps and vulnerabilities over the next five years.”
As more than 20 federal government organizations currently have a role in maritime security, the strategy says one of the first priorities will be identifying gaps in legal authorities and efficiencies “to de-conflict roles and responsibilities for MTS cybersecurity standards.”
The U.S. will construct an “internationally accepted, outcome-focused, threat-informed risk framework for port OT systems” at the National Institute of Standards and Technology (NIST), and the U.S. Coast Guard will “analyze and clarify the 2016 and 2020 cybersecurity reporting guidance for maritime stakeholders and collect maritime cyber incident reports to identify trends and attack vectors to increase maritime sector situational awareness and decrease maritime cyber risk.”
Applicable contracts will be required to include “specific language addressing cyber risk to the MTS” as “revised federal government contracting language is needed to protect federal departments and agencies from the increased pace of technology proliferation,” the plan states.
“Federal agencies will work with the GSA to develop and implement mandatory contractual cybersecurity language for maritime critical infrastructure owned, leased, or regulated by the United States government to decrease cybersecurity risk to the Nation,” it adds.
The U.S. will also develop procedures to identify, prioritize, mitigate, and investigate cybersecurity risks in critical ship and port systems.
“For example, the Department of Energy conducts small-scale vulnerability testing to protect electrical power generation and distribution OT systems. Similarly, maritime OT systems would benefit from vulnerability inspections,” the plan says. “Findings from these audits may inform cybersecurity mitigation and remediation for MTS users.”
The departments of Homeland Security and Defense will be conducting maritime cybersecurity assessments of port facilities, vessels, and infrastructure and will design a framework for port cybersecurity assessments. DHS will also “promote cybersecurity grants and initiatives to protect maritime critical infrastructure.”
“Developing and deploying cyber forensics for all major marine casualties and mishaps, when a maritime cyber effect cannot be ruled out, is paramount,” the strategy continues. “The United States will establish a cyber-forensics process for maritime investigations.”
DHS, through the Coast Guard and the Cybersecurity and Infrastructure Security Agency (CISA), along with the FBI and the intelligence community, will “promote domestic and international engagement to facilitate information sharing and best practices to build a coalition of maritime cybersecurity advocates” and will “establish procedures and policies that govern the receipt and processing of maritime reports of industry cybersecurity incidents to build a coalition of maritime cybersecurity advocates.”
The plan emphasizes the need to share cybersecurity intelligence “with appropriate nongovernment entities” and says DHS will “identify avenues to share maritime cybersecurity information and intelligence, as applicable, with the international community.”
Maritime cybersecurity intelligence collection will also be prioritized with the development of “maritime cyber intelligence requirements, including assessments of partners’ cybersecurity needs and capabilities, broadly sharing with MTS stakeholders, to the extent allowable, to guide risk modeling and adversary cyber risk assessments.”
Finally, the plan stresses that a properly trained workforce is essential, and “developing cybersecurity training standards across the maritime sector will close gaps across all components of the MTS.”
DHS, through the Coast Guard, “in coordination with other applicable departments and agencies, will develop cybersecurity career paths, incentives, continuing education requirements, and retention incentives to build a competent maritime cyber workforce,” the strategy says. “…The Department of Defense and DHS, through the United States Navy and United States Coast Guard will pursue and encourage cybersecurity personnel exchanges with industry and national laboratories, with an approach towards port and vessel cybersecurity research and application.”
The plan notes that “federal maritime cybersecurity forces exist, but are not sufficiently staffed, resourced, and trained to monitor, protect, and mitigate cyber threats across the maritime sector.”
“Domestic and foreign ports present risks to vessels, both civilian and military. Ports present the opportunity for adversaries to control commerce and delay force projection. The United States Coast Guard will field cyber protection teams to support federal maritime security coordination of MTSA-regulated facilities and aid in marine investigations, as required.”