Maritime transportation systems increasingly rely on IT and OT, which can create vulnerabilities, the plan notes.
“The proliferation of IT across the maritime sector is introducing previously unknown risks, as evidenced by the June 2017 NotPetya cyberattack, which crippled the global maritime industry for more than a few days,” the plan states.
The U.S. relies on ocean-based commerce for about 25% of its gross national product. The plan is designed to help protect the nation’s network of 25,000 miles of coastal and inland waterways, 361 ports, 124 shipyards, more than 3,500 maritime facilities, 20,000 bridges, 50,000 federal navigation aids and 95,000 miles of shoreline.
“The National Maritime Cybersecurity Plan unifies maritime cybersecurity resources, stakeholders and initiatives to aggressively mitigate current and near-term maritime cyberspace threats and vulnerabilities while complementing the National Strategy for Maritime Security,” says National Security Adviser Robert O’Brien .
The plan, which is designed to unify maritime cybersecurity resources and close defensive gaps, will be reassessed every five years.
Citing a lack of specialists in this field, the plan calls for investing in the training of maritime cybersecurity specialists in port and vessel systems. This will include developing career paths for those who choose this profession along with continuing education and retention incentives.
A top priority, according to the plan, is for the government to encourage the use of uniform cybersecurity standards by the 20 federal agencies that have a role in maritime security. These agencies are responsible for vessel and personnel safety, transportation standards, physical security and other maritime industry activities.
“The NSC staff, through the policy coordination process, will identify gaps in legal authorities and identify efficiencies to de-conflict roles and responsibilities for MTS cybersecurity standards,” the plan states.
The plan also calls for the U.S. Coast Guard to analyze and clarify the 2016 and 2020 cybersecurity reporting guidance for maritime stakeholders. The Coast Guard also should collect maritime cyber incident reports to identify trends and attack vectors and then share that information with others, the plan says.
The Department of Defense and Homeland Security should work together to examine whether critical port operational technology systems have cybersecurity vulnerabilities, the plan states. Because a framework for conducting such an assessment does not exist, the plan calls for basing maritime audits on practices in other sectors.
“For example, the Department of Energy conducts small-scale vulnerability testing to protect electrical power generation and distribution OT systems. Similarly, maritime OT systems would benefit from vulnerability inspections. Findings from these audits may inform cybersecurity mitigation and remediation for MTS users,” the plan says.
Information and Intelligence Sharing
The plan also calls for the Coast Guard, the U.S. Cybersecurity and Infrastructure Security Agency and the FBI to work together to create a list of cybersecurity issues that can then be shared with domestic and international partners in the maritime industry.
It also calls for the creation of a mechanism for government agencies to share unclassified, and when possible, classified information to protect maritime IT and OT networks with all those in the maritime industry.