The White House unveiled a National Maritime Cybersecurity Plan meant to set standards for the U.S. maritime transportation system (MTS), including guidelines around threat information sharing, creating a cybersecurity workforce and establishing a risk framework for operational technology (OT) in ports.
Noting that “technology innovation develops at a pace faster than that which global maritime security can maintain, creating low-cost opportunities for malicious actors,” the plan, put forth by the National Security Council, called on “all levels of government, the private sector, and international partners” to “collaborate through recognized forums, interagency bodies, and communities to develop, refine, and implement maritime cybersecurity standards, share best practices, and protect the maritime domain” to protect the U.S. economy and national security.
Mark Kedgley, chief technology officer at New Net Technologies (NNT), said expanding the awareness of critical infrastructure threats from energy generation and distribution to include both transport and supply chain is overdue. “The rules are the same in that vulnerability management and change control are the most effective security best practices to defend against attacks and provide early breach detection,” Kedgley said.
The MTS contributes $5.4 trillion to the U.S. economy, or one quarter of the total. Given that, it’s critical that the nation “address the specifics of the MTS subsector in a coherent way, aligned with those of the other CNI,” said Kedgley’s colleague, Dirk Schrader, global vice president at NNT.
“Ports themselves operate like small cities, and bringing one to a halt through a cyberattack could be devastating to international travel and trade,” said Hank Schless, senior manager, security solutions, at Lookout.
Nothing magnified the value and vulnerability of the U.S. maritime industry like the NotPetya attacks of 2017 that crippled shipping companies like Maersk, which was forced to replace tens of thousands of servers and computers in the aftermath of the ransomware attack.
Referring to a ship at sea as “a 1,500-foot computer weighing about half a million tons,” Schrader points to the array of digitized components such as navigation, engine operations and monitoring, rudder, radar and weather control, all of which are critical to easing ship operations.
The government’s plan offers priority actions around risks and standards, information and intelligence sharing and creating a maritime cybersecurity workforce. For instance, it calls for the U.S. to deconflict government roles and responsibilities; develop risk modeling to inform maritime cybersecurity standards and best practices; strengthen cybersecurity requirements in port services contracts and leasing; and develop procedures to identify, prioritize, mitigate, and investigate cybersecurity risks in critical ship and port systems.
The strategy seeks to strengthen the exchange of information between the government and the maritime industry as well as with non-governmental organizations. It also calls for the “prioritization of maritime intelligence collection to protect United States interests domestically and abroad.”
Building a maritime cybersecurity workforce would require expanding the number of cybersecurity specialists in port and on vessels, and collaborating with the private sector to increase maritime cybersecurity expertise before deployment.
Schless would like to see a premium placed on mobile devices. “As with other logistics-based industries, maritime organizations are relying more heavily on smartphones and tablets,” said Schless. “These mobile devices are traveling all over the world with the vessels they’re on, which means IT and security teams need to have constant visibility into their risk profile.”
If a mobile device aboard a ship is breached, it “could give an adversary access to a treasure trove of enterprise data,” such as “sensitive shipping documents, financial value of the cargo on board, and information about shipping routes around the world,” Schless said.
Crews coming into port in a foreign country might be required to hand over their mobile devices, he said, which presents a “perfect opportunity for border agents to physically install malware on a device that tracks the owner and also has access to all data on the device.”