Managing Cyber Risk With USCG’s New Maritime Security Directive
In this article Michael DeVolld, Maritime Transportation System (MTS) Cybersecurity Lead at ABS Consulting looks at the potential implications to vessel owners, operators and port authorities impacted by the new directive, the importance of acting now to prepare for the implementation of the regulations and some of the key steps that should be taken.
n February 22, 2024, the United States Coast Guard (USCG) published a Notice of Proposed Rulemaking (NPRM) in the Federal Register, updating maritime security regulations and introducing new regulations establishing minimum cybersecurity requirements for US-flagged vessels, facilities on the Outer Continental Shelf and US facilities subject to regulations under the Maritime Transportation Security Act of 2002(1).
The USCG’s proposed rule followed an Executive Order from the Biden-Harris Administration(2) that directed it: “to respond to malicious cyber activity in the nation’s Maritime Transportation System (MTS) by requiring vessels and waterfront facilities to mitigate cyber conditions that may endanger the safety of a vessel, facility, or harbor.” The new proposal also mandated the reporting of cyber incidents – or active cyber threats – endangering any vessel, harbor, port or waterfront facility.
In addition, USCG also issued a Maritime Security Directive on cyber risk management actions for the owners and operators of ship-to-shore cranes manufactured by the People’s Republic of China that are located at US Commercial Strategic Seaports. Under it, owners and operators will be required to take a series of actions on these cranes and associated Information Technology (IT) and Operational Technology (OT) systems, to safeguard against cyber risk.
In publishing the Executive Order, the White House highlighted that:
“America’s prosperity is directly linked to maritime trade and the integrated network of ports, terminals, vessels, waterways and land-side connections that constitute the Nation’s Marine Transportation System (MTS). This complex system supports $5.4 trillion worth of economic activity each year, contributes to the employment of more than 31 million Americans, and supports nearly 95% of cargo entering the US.”
With the maritime industry increasingly reliant on digital systems – revolutionizing how it operates – increased digital interconnectedness comes with increased risk of external cyber threats.
Rising Maritime Cyber-Threats
In its 2023 Cyber Trends and Insights in the Marine Environment (CTIME) report(3) the United States Coast Guard noted:
- Ransomware attacks increased 80% in 2023. These attacks encrypt systems with the goal of locking users out, then extorting the victim and demanding ransom for a decryption key. Perpetrators are becoming more sophisticated and requested ransoms have tripled.
- Maritime shipping companies, logistics and technology service providers; liquid natural gas processors (LNGP) and distributors; and petrochemical companies are common targets.
- Very basic cyber deficiencies persist. Patching and updating software, limiting network access and implementing multi-factor authentication are foundational cybersecurity measures and would go a long way towards safeguarding systems.
- Network-connected operational technology (OT) in port facilities and shore-side are being targeted. These systems are particularly vulnerable to attack as they often rely on outdated software and network protocols, and insufficient access controls.
An example of the impact a cyberattack can have, was the July 4th, 2023 attack at the Port of Nagoya, the largest and busiest port in Japan, which was targeted in a ransomware attack that impacted the operation of its container terminals.
The attack affected the “Nagoya Port Unified Terminal System” (NUTS) causing all container loading and unloading operations at the terminals using trailers to be cancelled, which resulted in massive financial losses to the port and severe disruption to the circulation of goods to and from Japan(4).
And while the new Regulations are designed to ultimately help safeguard the US’ Maritime infrastructure and supply chain, they come with significant challenges to the industry at large, requiring large-scale, transformational change in the approach to cyber security; covering key areas including account and device security, data security, governance, training, risk management, supply chain management, cyber resilience, secure network architecture, reporting and cyber-physical security.
Who is Included in the Proposed New Regulations?
The new regulations apply to all US flagged vessels over 500 gross tonnes and carrying more than 12 passengers.
On the facility side, any Maritime Transportation Security Act (MTSA) facility – container ports, oil and gas port facilities and cruise and ferry terminals, covering both inland and deep-water operations.
Challenges Adapting to Change
From a maritime perspective, cyber is challenging to regulate. A lot of the existing maritime regulations are black and white and rely on judgement calls from extremely experienced marine engineers and operators. Complex tasks, such as validating a vessel stability test or verifying that an electrical installation meets applicable standards for a vessel’s route and service, are vastly different to validating cyber risk management and controls considering the integration of heterogeneous and legacy systems, diversity of data sources, and the cybersecurity risks associated with increased digital connectivity, onboarding of digital technologies, and the push for autonomous vessel and facility operations.
Adapting to the new rule may be tricky and potentially expensive for the maritime industry if it is not approached properly. And while some of the larger operators are further along the cybersecurity-maturity curve – for example the Port of Los Angeles in 2021 was the first seaport in the world to establish a Cyber Resilience Center (CRC) – the new regulations will impact much of the industry on a fundamental level.
Physical and Financial Impact
From an executive management perspective – any organization with an immature cyber security posture may not only be challenged with understanding the practicalities of implementation but may also struggle to find skilled workers with the necessary combination of cyber and maritime expertise on which to assess and create an effective internal cyber infrastructure.
Added to this will be the cost implications that will have to be factored in. From small port facilities and vessel operators to larger operations, a myriad of new costs will be associated with the regulations. And as the complexities grow (depending on the size of the organization) the costs could grow exponentially.
The Importance of Managing the IT/OT Convergence of the new Regulations
While in recent years IT security has been a focal point of any organization using digital systems, the OT risk is a real and present danger that organizations in the maritime industry will also need to mitigate against under the new rule.
The MTS is one of the largest of the 16 critical infrastructure sectors in the United States. With over 900 ports and countless terminals and facilities, it includes vessels within the commercial, civilian, government and military sectors. As a result, it contains many thousands of OT systems that control anything from port cranes to a ship’s engine or navigation system.
Additionally, each port will have different OT systems due to its particular purpose – a cargo port for example will have more OT systems supporting the movement of shipping containers, whereas a cruise terminal will be focused on supporting the movement of people and will be mainly IT based.
As new technologies are developed, they are often added as enhanced ‘bolt-on’ functionality to legacy OT systems built in the late 1990s or early 2000s; the beginning stages of automation.
In more recent years, these legacy OT systems have been connected to the internet to provide stakeholders with remote access to control and monitor the systems. And while the increasing digitalization and automation of systems and processes may deliver the prospect of greater efficiency and competitiveness within organizations, it can also create the opportunity for greater cyber risk exposure through increased potential ‘attack surfaces’ – the ways in which cyber-attackers can penetrate systems.
Organizations impacted by the new rule will need to demonstrate their ‘Cyber Resilience’ by being prepared, ready and able to defend and recover from any cyber incident that could threaten safety, security and productivity.
The IT/OT convergence can however cause boundaries to blur between IT network functions and OT critical control functions, making it more challenging for operators to fully understand how their systems interact with one another.
In a worst-case scenario, this misunderstanding could prevent the quick restoration of operations in the event of a cyber incident within a ship or facility network.
Key Steps to Improved Cyber Resilience
So how do you develop a more resilient Cybersecurity Program? There are four key areas an organization should consider – asset management, configuration management, vulnerability management and detection and response management. It can achieve this through:
- Securing what you know
- Assessing criticality
- Committing to continuous improvement
- Evaluating manual versus automated options
A key success factor is the collaboration between OT and IT operations to identify and bridge any gaps. All too often, OT and IT have worked in silo and have competing priorities in terms of availability and security. To create a robust cybersecurity program, these areas must work in harmony and be viewed holistically.
Equally important is the engagement of Original Equipment Manufacturers (OEMs) and vendors in the cybersecurity program. Developing key relationships with these stakeholders is essential to ensure that cybersecurity measures are comprehensive and effective. By collaborating with OEMs and vendors, organizations can gain valuable insights and support in securing maritime operations.
Contracts with OEMs and vendors should be revisited and modified to include specific cybersecurity requirements. This involves defining roles and responsibilities, setting security standards, and establishing protocols for incident response and information sharing. By embedding these considerations into contractual agreements, organizations can facilitate each step required to enhance their cybersecurity posture.
In summary, a resilient cybersecurity program is built on the foundation of collaboration—both internally between OT and IT, and externally with OEMs and vendors. This integrated approach ensures a unified and proactive defense against cyber threats.
Step 1 – Visibility and control – securing known assets
Securing assets begins with comprehensive documentation. Conduct an audit of your IT and OT networks to identify all hardware and software, gaining a deeper understanding of potential vulnerabilities and attack vectors. Consider how assets interact across the network, such as those that routinely leverage USBs for data transfer or those accessed during third-party vendor maintenance.
Step 2 – Assessing Criticality
Criticality looks at which assets within an organization are most critical to mission priorities and operations. This will be unique to every organization and will take the collective effort of engineers, operators and business operations to truly define. Understanding the crown jewels of your network infrastructure and business applications can allow organizations to focus their effort and funding toward securing the most critical assets first.
Step 3 – Committing to the Process
The process should be dynamic, with criticality at its core. Implement a Management of Change (MOC) process to evaluate, identify and manage risks before making significant changes. This helps to ensure that updates are documented, tested and implemented with minimal disruption to operations. Emphasize traceability, accountability and risk mitigation.
Cultural openness to change is essential for integration. OT risk management should be considered as important as IT risk management. This approach can help bridge the gap between IT and OT silos, helping to improve safety, security and compliance with new regulations.
Consider whether your processes are documented and followed. Are you training your workforce and involving vendors, operators and technicians? Vendors control much of the equipment on ships and some facilities, and thus should be part of any cybersecurity plan.
Step 4 – Manual vs Automated Approaches
Choose the best methods for your organization, helping to ensure that OT and IT are working together for more effective cyber resilience. Data-driven decision-making should be part of the organizational culture. This step is ongoing and includes:
- Network monitoring and alert management
- Asset management
- Vulnerability scanning and patch management
- Configuration management
Governance is crucial, as cybersecurity is ultimately a business decision. Each organisation will have a different risk appetite and establishing a clear and repeatable process is vital for an effective cybersecurity plan.
Things To Consider in Your Cyber Security Plan
Critical considerations in developing an effective cyber security plan should include:
- Cybersecurity Organization and Identity: Formalize your cybersecurity management structure and clearly document leadership (for accountability) and the responsible teams.
- Training: Include role-based training for engineering IT security processes, awareness and preparedness and cyber resilience. Conduct drills and exercises with port partners or ship-to-shore operations to simulate events across critical business and operational areas.
- Records and Documentation: Document training, drills, exercises, incidents, audits and risk assessments. Have a risk register that clearly defines threats and vulnerabilities and defines a timeline for mitigation and the responsible business/engineering departments for execution.
- Communication Plan: Have a plan for communication during outages, including out-of-band methods to communicate in case of an active breach of security.
- Physical Security Controls: Identify gaps in your vessel or facility security plan for restricting access to sensitive network equipment and have a plan to remediate them.
- Cybersecurity Measures: Implement cost effective measures to better identify risks, detect threats and vulnerabilities, protect critical systems and recover from cyber incidents.
- Audits and Amendments: Conduct annual audits with evidence-based inspections. Hold security teams and system owners accountable to remediate findings and strive for continuous improvement.
- Cyber Incident Reporting Procedures: Develop a methodology for self-assessment and ensure compliance with current and emerging requirements. Consider joining information sharing networks to help others in the maritime transportation system from suffering similar consequences. We are all in this together.
In Conclusion
The proposed maritime security regulations present significant challenges to the U.S. maritime industry. Given the increased threat landscape, these regulations are necessary and should be welcomed. However, adapting and implementing them can be challenging and potentially very costly. The industry will require a substantial transition and, in some cases, a complete transformation from a cyber risk management perspective.
The key message is: start now. The cybersecurity plan is essential, and its core tenents will not likely change much with the Final Rule. Initiating the process early helps avoid costly last-minute activities and potentially ineffective applications of people, processes and technology, helping to ensure that the organization meets new requirements and remains secure.
Michael DeVolld is Maritime Transportation System (MTS) Cybersecurity Lead at ABS Consulting.