The White House has released cybersecurity guidance for securing the Maritime Transportation System (MTS), which operates along 25,000 miles of coastal and inland waterways in the United States.
The document points out that the MTS encompasses “361 ports, 124 shipyards, more than 3,500 maritime facilities, 20,000 bridges, 50,000 Federal aids to navigation, and 95,000 miles of shoreline that interconnect with critical highways, railways, airports and pipelines.” In addition, there are more than 20 Federal government organizations that currently have a role in maritime security of all stripes, ranging from vessel and personnel safety to transportation standards and logistics.
In all, this footprint contributes one quarter of all United States gross domestic product, or approximately $5.4 trillion, according to the Feds.
Maritime Challenges
Applying good cybersecurity to the seagoing sector is a complex process plagued with challenges. The report enumerates several of these, starting with the fact that it’s a diverse ecosystem “with businesses of all sizes leveraging IT and [operational technology] OT systems that interconnect with larger maritime systems. Users across the maritime sector access key data and management systems daily for business purposes, making secure access control and user monitoring difficult.”
To boot, different public and private entities own and operate these interconnected systems, and common cybersecurity standards do not exist across facilities. Some of the entities also lack appropriate resources or expertise to implement appropriate cybersecurity frameworks even if a common approach were defined.
“Cybersecurity within some ports and facilities is situational, ad-hoc and often driven by profit margins and efficiency,” reads the report. “Unless the private sector has a clear understanding of current and future maritime cybersecurity threats and a financial incentive to invest in maritime cybersecurity measures, some private sector entities may not be inclined to align with maritime partners or allies.”
Additionally, some of the MTS footprint relies on outdated telecommunication infrastructure, threatening the ability for MTS stakeholders to “protect digital information, the network and to detect when malign actors are attempting to access protected systems,” the report warned.
The danger here is real; researchers have previously identified the prevalence of Windows XP and Windows NT within critical ship control systems, including IP-to-serial converters, GPS receivers or the Voyage Data Recorder (VDR), which thus tend to be easily compromised. Researchers at Pen Test Partners found that with the ability to infiltrate networks on-board shipping vessels (think satcom hacking, phishing, USB attacks, insecure crew Wi-Fi, etc.), capsizing a ship with a cyberattack is a relatively low-skill enterprise.
Previous research has shown that other concerning attacks are possible as well, such as forcing a ship off-course or causing collisions. The issue with remediating the dismal state of maritime security is a lack of clearly defined responsibility for security, according to the researcher.
Maritime Cybersecurity Mitigations
To correct and mitigate maritime cybersecurity threats going forward, the report advocates the implementation of standardized risk frameworks across the MTS, security requirements for suppliers and contractors, vulnerability audits, information-sharing policies and more.
The recommendations start with establishing an OT risk framework that provides a standard for “insurers, facility and/or vessel owners and shippers to share a common risk language and develop common OT risk metrics for self-assessments.” This is a framework that the Feds will provide guidance on, and the report said that will include an international port OT risk framework based on the input from domestic and international partners, according to the advisory.
It also addressed third parties, and said that “the United States will strengthen cybersecurity requirements in port services contracts and leasing. To limit adversarial opportunity, contracts or leases binding the United States Government and private entities must contain specific language addressing cyber risk to the MTS. The private sector owns and operates the majority of port infrastructure.”
The report added, “Port services such as, but not limited to, loading, unloading, stacking, ferrying or warehousing Federal cargo requires cybersecurity contracting clauses to safeguard the flow of maritime commerce, MTS users and our economic prosperity.”
In addition, the report prescribes an examination of critical port OT systems for cyber vulnerabilities, but it doesn’t specify a role for the federal government. Instead, the report noted that the maritime sector should glean cybersecurity best practices from other critical infrastructure sectors.
The Feds will, however, establish a cyber-forensics process for maritime investigations.
“The United States will design a framework for port cybersecurity assessments,” according to the report. “Developing and deploying cyber-forensics for all major marine casualties and mishaps, when a maritime cyber-effect cannot be ruled out, is paramount.”
And finally, the report addresses the cybersecurity skills gap.
“DHS, through the United States Coast Guard, in coordination with other applicable departments and agencies, will develop cybersecurity career paths, incentives, continuing education requirements and retention incentives to build a competent maritime cyber-workforce,” the report reads, “…and will encourage cybersecurity personnel exchanges with industry and national laboratories, with an approach towards port and vessel cybersecurity research and application.”
Supply-Chain Security: A 10-Point Audit Webinar: Is your company’s software supply-chain prepared for an attack? On Wed., Jan. 20 at 2p.m. ET, start identifying weaknesses in your supply-chain with actionable advice from experts – part of a limited-engagement and LIVE Threatpost webinar. CISOs, AppDev and SysAdmin are invited to ask a panel of A-list cybersecurity experts how they can avoid being caught exposed in a post-SolarWinds-hack world. Attendance is limited: Register Now and reserve a spot for this exclusive Threatpost Supply-Chain Security webinar — Jan. 20, 2 p.m. ET.
