National Maritime Cybersecurity Plan Bolsters Security Risk Management
By Marco (Marc) Ayala, 1898 & Co. and Chris Wolski, Port Houston
Over the last few years, it has become increasingly clear that the maritime industry is not immune to cyberattack. In 2017, A.P. Moller – Maersk suffered an organization-wide, crippling cyberattack that cost the company approximately $264 million to recover. In May 2020, the Shahid Rajaee port facility, the newest of two major shipping terminals in Bandar Abbas, fell victim to a cyberattack that brought down computers impacting vessel, cargo, and vehicle movement on the facility. These types of events, among others, have raised concerns regarding the cyber risks the U.S. maritime industry is facing.
Since 9/11, the focus of maritime security has been predominantly on physical security, with little attention paid to computer security. For example, the Maritime Transportation Security Act (MTSA), written in 2002, only contains language to protect communications as they relate to items such as “aids to navigation”. In mid-2010, new regulatory requirements in the form of 33 CFR parts 105 and 106 were written to further address security at facilities, including Outer Continental Shelf (OCS) facilities. This regulation made it a requirement to identify and assess radio and telecommunication equipment, including computer systems and networks, and to update or revise facility security assessments (FSAs) and facility security plans (FSPs) to address and mitigate any identified vulnerabilities.
Like the MTSA, these regulations made no specific reference to addressing the cyber risks common in today’s environment. In 2017, the U.S. Coast Guard tasked the National Maritime Security Advisory Committee (NMSAC) with reviewing the draft Navigation and Vessel Inspection Circular (NVIC 05-17) on cybersecurity. This was the first document to address “cyber” as part of maritime security. The collaboration and commenting on NVIC 05-17 took several months. It was determined that a full rewrite of the language in the MTSA and 33 CFR parts 105 and 106 was not necessary. Subsequently, in March of 2020, the draft NVIC 05-17 was issued as NVIC 01-20, authorizing inspections using a cybersecurity checklist to begin on October 1, 2021.
Since the writing of the two guiding documents for maritime security (MTSA and 33 CFR parts 105 and 106), technology enhancements have led to greater interconnectivity among industry organizations, more reliance on third-party suppliers, greater dependency on cloud computing, and convergence with non-traditional IT equipment.
The National Maritime Cybersecurity Plan (“the Plan”), written in December 2020 and published early January 2021, stems from the need to address cyber risks that years of technological improvements have brought to the industry. The new Plan seeks to bring about changes that will bolster cybersecurity in the complete digital maritime domain ecosystem.
The Plan is set to unify maritime cybersecurity resources, its stakeholders, and initiatives as well as aggressively mitigate current and near-term maritime cyberspace threats and vulnerabilities. It identifies federal government priority actions to close maritime cybersecurity gaps and vulnerabilities over the next five years. The Plan’s priority actions will evolve as the public sector, private sector, and international partners mature maritime cybersecurity cooperation and initiatives.
The Plan further encourages MTSA-regulated facility owners to adopt a cybersecurity risk framework. Knowing the risks, and having recommended steps to address them, will give organizations of any size a more resilient technology infrastructure. The framework has yet to be defined but will likely follow a similar theme to the National Institute of Standards and Technology (NIST) cybersecurity guide for the energy sector. Like that guide, it will likely draw on the current NIST standard-bearer for information technology, the NIST Cybersecurity Framework (CSF), and, for operational technology, NIST 800-82, Guide to Industrial Control Systems (ICS) Security, or the ANSI/IEC 62443 series of standards. The intent is for all maritime organizations to address cyber risk across the board, reducing the overall risk that comes with the interconnection of systems and organizations.
A key to the success of the National Maritime Cybersecurity Plan is its directive to deconflict reporting and compliance. This is needed because there are ‘many cooks in the kitchen’, so to speak, when it comes to whom to call and which regulatory area takes precedence. As an example, a terminal at a chemical facility may have both MTSA and CFATS (Chemical Facility Anti-Terrorism Standards) reporting requirements. It is hoped that deconflicting will place less burden on asset owners and operators and provide clearer swim lanes for everyone in the maritime domain.
It is particularly important that the maritime industry identify its operational technology (OT) assets, since they carry safety implications: from the engine room to dynamic positioning, automated terminal cranes, motor control centers, and emergency shutdown systems, along with the scheduling systems that work together in the vision of the Port of the Future. We must identify not only the assets but also the protection and detection schemes for the OT architecture. We will need to add technology to the cyber mission, but must do so carefully so as not to impact integrity and operational performance. Furthermore, we must be prepared in our cyber incident response capabilities at both the asset-owner level and the national response level. At the same time, recovery and operational restoration must be a primary function, with forensics and investigation running in tandem, so that the response works efficiently while keeping safety and real-time operations first and foremost.
It is especially important that the maritime workforce is adequately trained in cybersecurity, and that training covers everyone who interfaces with these systems: port terminal operators, maintenance staff, contractors, physical security personnel, and scheduling, up to the enterprise business staff. Cybersecurity today includes traditional information technology (IT) and is equally relevant to operational technology, as these systems have become further intertwined over the last decade. Many training programs and curricula that can be useful to employers and their employees are offered by organizations such as the SANS Institute and the International Society of Automation (ISA), among others, to help prepare the workforce for this mission. It is good to see that the Area Maritime Security Committees are focusing on cybersecurity, and that local InfraGard chapters are also engaged in awareness and training topics. As a maritime community, we must further our collaboration. It also needs to be reciprocal with our federal partner
With the growing dependence on cloud and outsourced information and technology services, understanding the level of security employed by the service provider is a minimal token of due diligence. Maritime organizations will be pressed to ensure, via contract clauses, that third parties providing information and operational technology services adhere to cybersecurity due diligence. Additionally, the Plan calls for stronger requirements, via U.S. General Services Administration (GSA) guidance, to protect federal usage of maritime facilities. That guidance may impose restrictions on the purchase of technology infrastructure from certain countries or companies, as determined by the federal government, that pose a threat to the United States’ ability to retain full capability of its maritime infrastructure.
To improve resiliency within the industry, it is critical that information about attack methods be shared. Often the flow of information is upward only, to the National Response Center, CISA, or the National Cybersecurity and Communications Integration Center (NCCIC), with little to no feedback returned. When information does come back from the federal agencies, it is often late and lacks actionable detail. The Plan seeks to improve this sharing of information. Cyberattacks have commonalities that are discovered during analysis of an incident, in the form of indicators or digital fingerprints. The timely sharing of such information from federal sources can help cybersecurity and information technology practitioners identify and mitigate the same threats in their own organizations.
Implementing cybersecurity controls presents an additional cost burden to organizations of all sizes in any industry. The expense is disproportionate for small and medium-size organizations, whose bottom lines are already tight. To make it easier for maritime organizations, the Plan seeks to improve the availability of grant funding for improving cybersecurity within the industry. This could potentially mean that a new grant avenue will be created solely for cybersecurity projects, separate from the general port security that is provided for by the Port Security Grant.
The maritime industry is made up of organizations of all sizes, and it is imperative that each implement an appropriate level of cybersecurity. Increased demand for, and connectivity of, information technology and operational technology is the Achilles’ heel of just about every industry. Attacks on IT and OT infrastructure around the world, across different industries, demonstrate that there are attackers with the potential to severely impact imports and exports. The attack may not necessarily be on one’s own organization; it could be on another in the industry that has the potential to impact the movement of ships and cargo. It is for that reason that this Plan was put together: so that organizations of all sizes will have a clear goal to meet, the resources needed to achieve that goal, and the ability to maintain it, ensuring that they are neither the cause nor the victim of an industry-wide attack on the maritime industry.
Marco (Marc) Ayala
Director, ICS Cybersecurity & Sector Lead
1898 & Co., a division of Burns & McDonnell
Chris Wolski, CISSP, GICSP
Director, Information Security Officer