Facing “very substantial threats against the maritime critical infrastructure every day,” the Coast Guard has operationalized cybersecurity and “made it part of our prevention and response framework to make sure that we’re getting after this threat at the speed and pace at which it demands,” USCG Assistant Commandant for Prevention Policy Rear Admiral John Mauger told the House Transportation and Infrastructure Committee during a hearing on cybersecurity last month.

The marine transportation system, or MTS, is an integrated network of 361 ports and 25,000 miles of waterways and supports one quarter of U.S. GDP and one in seven American jobs, and “any substantial disruption to marine transportation can cause cascading effects, to our economy and to our national security.”

“Cyberattacks are a significant threat to the maritime critical infrastructure, and while we must continue to work to prevent attacks, we must also be clear-eyed that attacks will occur, and we must ensure that the MTS is resilient,” Mauger said. “Protecting maritime critical infrastructure and ensuring resiliency is a shared responsibility.”

That has included establishing Coast Guard Cyber Command, with cyber forces that “are manned, trained, and equipped in accordance with joint DoD standards, but have a broad range of authorities to address complex issues, spanning national defense and homeland security, including protecting the MTS.” USCG stood up a maritime cyber readiness branch within Coast Guard Cyber Command “as a focal point for maritime threat monitoring, information sharing, and response coordination.”

“The Coast Guard’s approach to protecting the MTS leverages our proven prevention and response framework,” he said. “To prevent incidents, we leverage our authorities in the nation’s ports to set standards and conduct compliance. We refer to this as cyber risk management, and require accountability, assessments, mitigations, exercises, and incident reporting. To prepare for and respond to cyber incidents, Coast Guard sectors are leading field-level exercises with Area of Maritime Security committees, and have established unified commands with FBI and CISA to lead the federal response to cyberattacks in the ports.”

“Cyberattacks will increasingly have physical impacts, beyond computer networks. By incorporating cybersecurity into our prevention and response framework, we provide a comprehensive, all-hazards approach to this threat, but we cannot do this alone. As the co-sector risk management for transportation, we look to both TSA and CISA as key partners.”

Mauger stressed that cybersecurity is “a shared responsibility with the private sector” and “collaboration with the industry is paramount, and focused on information sharing and good governance.” USCG established the National Maritime Security Advisory Committee “to facilitate consultation with industry on standards development” and works with the International Maritime Organization to address the risks posed by foreign vessels. “We are committed to a transparent approach, as we balance the urgency of cyberthreats with informed rulemaking,” he added. “The cyberthreat is dynamic.”

Asked for an update to the Coast Guard’s efforts to improve its own IT systems, the assistant commandant noted that the USCG “approach to protecting the maritime transportation system relies on us having our own ability to defend and operate our networks.”

“Through investments in the CARES Act, with over $65 million in funding, we’ve been able to make significant investments to modernize our infrastructure, and push more information out to our mobile users out in the field, and our cutters underway,” Mauger said. “But all of this is premised, our security is premised, on it being an operational imperative. And so the key thing that’s really driven us forward is the establishment of Coast Guard Cyber Command as an operational command, under the purview of a two-star commander, that oversees our daily mission execution in the IT space. And then the coordination with our CIO, who is driving those investment and modernization projects forward.”

At the port level, Mauger said the Coast Guard is “really focused on working across the prevention and response framework to ensure that we have the ability to defend and then also respond resiliently from attacks.”

“This is a shared responsibility between the private sector and the federal agencies involved, and so we’re doing a number of different things,” he said. “First of all, we put in standards in place that require them to conduct assessments, have an accountable person, develop a plan, mitigate that plan, exercise it, and report incidents. All those pieces are really important. Through those assessments, we then have the opportunity to drive investments through the Port Security Grant Program, to update security posture in the ports. And so last year, $17 million was allocated from the Port Security Grant Program for Cybersecurity.”

“Which side is winning, the increased cyberthreats or increased digital-based safety operational enhancements?” asked Rep. Bob Gibbs (R-Ohio). “How are we doing in this fight, who’s winning?”

“Congressman, it’s not an either/or proposition for us, it’s really an all-of-the-above,” Mauger replied. “And so as the Assistant Commandant for Prevention Policy, we make sure that we bring together the best of our ability to secure private industry, but then be able to respond as well.”

“And so, leveraging our prevention and response framework, we’ve made sure that we’ve taken a multilayered approach to engaging with the industry, sharing information with them at the local level, through the Area Maritime Security Committees, and conducting compliance activities,” he added. “And then at the national level, engaging across the interagency with our National Maritime Security Advisory Committee, with the MTS ISAC, and then with other interagency partners, to make sure that we’re tied together, and providing a comprehensive network, and comprehensive approach to this problem.”

Mauger emphasized to lawmakers that “overall risk management approach, within both the private sector and the federal government” requires accountability.

“You have to have an accountable person; they have to be able to do an assessment and to understand the risks,” he said. “They have to be empowered to manage those risks. And then it also comes back to exercising and reporting. Where it comes to reporting right now, we have to change the paradigm from ‘what is the minimum I need to disclose’ to ‘how can I help protect others’… these incidents cut across so many different infrastructures, and reporting really helps us to make us all stronger.”

Asked how threats and risk-management assistance is communicated to individual ports and throughout the MTS, Mauger replied that “unity of effort within the Coast Guard is part of our DNA, and so we take a multi-level approach to share information at the speed of cyber here with the industry.”

“But this is a dynamic threat environment, and going forward we need to use a combination of both existing tools and new tools, or new methods, to get after the information sharing,” he added. “So for this multi-level approach at the local level, we work through our Area Maritime Security Committees; each of those have established cyber subcommittees that are responsible for that day-to-day sharing of information, for conducting the exercises, for reviewing best practices and understanding how to move forward. Those same people then are integral to response efforts when they occur in the ports. At the national level, we work through a number of different means. We’ve established a maritime cyber readiness branch within our Coast Guard Cyber that really becomes a focal point for threat information dissemination, technical assistance in the field, and connection to the interagency.”

“We’ve embedded folks in CISA, we meet regularly with the other Sector Risk Management Agencies. We engage with the MTS’s information sharing and analysis center. And we look for every opportunity to continue to share information and communicate threats, and understand the vulnerabilities in this industry, so we can protect the MTS.”

 

Source: hstoday