In August 2021, the Coast Guard released an updated version of its Cyber Strategic Outlook.1 This document, along with the Department of Homeland Security’s (DHS’s) newly released National Maritime Cybersecurity Plan, marks a shift from previous guidance.2 Most notably, the new Cyber Strategic Outlook places the onus squarely on the shoulders of shoreside commanders in the Coast Guard to “prevent and respond” to cyber incidents within the Marine Transportation System (MTS).
The Coast Guard’s new cyber strategy details lines of effort the service will take as the DHS “Sector Specific Agency” responsible for carrying out cyber-protection functions for the MTS. In one major change from previous guidance, the strategy states that the Coast Guard “will apply our existing framework for prevention and response activities to mitigate cyber risks.”3 This function fits nicely into the Captain of the Port (COTP) authority the service already holds, which allows operational commanders to prescribe conditions and restrictions for waterfront facilities and vessels to ensure critical safety and security measures are met.4 Moreover, COTP authority includes both preventative actions and oversight functions when a safety or security incident occurs to ensure the reconstitution of the port complex.
What is unclear is how operational commanders will hold maritime industry and malicious actors accountable. Current policies are a promising start but leave commanders with few options to choose from when facing ever more sophisticated cyber threats. To achieve the goals of the 2021 strategic plan, the Coast Guard will need to equip its inspectors and field commanders with better tools to effectively prevent and respond to this escalating threat.
Current Cyber Policies Fall Short
The only existing policies on cyber measures for the MTS are a 2020 Navigation and Vessel Inspection Circular and a Commercial Vessel Compliance Work Instruction focused on educating the maritime industry about cyber threats.5 These policies lay out deadlines for vessels and waterfront facilities to incorporate cyber-protection activities into their security assessments and plans. However, neither policy contains minimum standards for Coast Guard inspectors to enforce, and both fall short of enabling inspectors to evaluate the strength and “hardness” of a cyber framework.
One of the few prescriptions under current policy requires waterfront facilities to conduct a risk assessment of cyber vulnerabilities and address those vulnerabilities in their Facility Security Plan. However, if the facility erroneously determines that no cyber vulnerabilities exist, the Coast Guard is left with few options for follow up; the only requirement dictated by current policy has technically been met.
Another issue is that no cumulative enforcement exists for cyber-related issues. To explain this more cogently, look at how the Coast Guard regulates a diesel engine on a commercial passenger vessel. The engine is safeguarded by multiple layers of policy and regulation governing everything from alarms and gauges to engine operating parameters and ventilation systems.6 Vessel inspectors have many avenues by which to check the suitability of the propulsion system. Consequences for not complying with the regulations vary in severity. Only in rare cases involving dire threats to passenger or port safety would a commander issue a “Captain of the Port Order” barring a vessel from movement. In contrast, if the same vessel were to have an unpatched computer system or lack the antimalware necessary to protect its cyber infrastructure, there would be no measures in place other than this drastic COTP action by which to hold the company accountable.
In addition, because of the expediency with which current cyber policies were enacted, no changes were made to the Code of Federal Regulations. Instead, these policies were created based on connections to regulations written in 2003, before today’s cyber incidents were a reality.7 Because the changes were not codified in law, they also missed the open comment period required before any major rule change.8 These comment periods afford the opportunity for the marine industry to work with the Coast Guard and clear any unforeseen roadblocks prior to a rule’s implementation.
Grave Risk to National Security
At its core, the maritime industry depends on automation. The complex electronic systems used by large vessels and terminals are vulnerable both for their complexity and for their interconnectedness to other supply chain systems.9 Large vessels have computerized networks governing ballast, stability, cargo, propulsion, power, and navigation systems, just to name a few. If compromised, these systems could be weaponized against the MTS and cause a major pollution incident or disrupt critical infrastructure.
For example, more than 450 million tons of cargo travel annually from the mouth of the Mississippi River to Baton Rouge, Louisiana.10 A targeted attack from a cyber-compromised vessel on that portion of the river could leave the nation economically crippled for months. Waterfront facilities possess electronic networks that are just as interconnected as, if not more than, the average vessel system. If malicious cyber actors were to gain access to a container terminal, they could leave the port authority in the dark as to where containers were located inside the facility, including containers housing hazardous materials. If released, materials inside these containers would pose a major biological hazard to the surrounding community.
In both hypothetical cases, the Coast Guard is practiced in responding to the immediate impacts of the event. However, consider a hypothetical scenario that includes a ransomware attack or a zero-day exploit that requires immediate patching of critical software. In both instances, operational commanders would invoke COTP authority. But even under the guise of that authority, it is not clear whether private companies would be obligated to release proprietary software information to the Coast Guard. If the company fought back, even COTP authority could be rendered meaningless. Commanders would be left issuing orders for industry to comply and take back control of their own cyber infrastructure, only to find their orders mired in legal battles.
Keep Momentum Going
This is not to say the Coast Guard has made no progress in addressing cyber threats to the MTS. The service has engaged governmental partners, including the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST), to provide resources to the maritime industry. Private companies can use tools such as the NIST cybersecurity framework to evaluate and harden their current networks against cyberattacks.11 The Coast Guard has also filled “cybersecurity specialist” positions at many district offices, and sector offices are slated to receive fast-tracked billets for similar positions in 2022. The Coast Guard Cyber Command (CGCyber) has also created three cyber protection teams (CPTs), based out of Washington, DC. Operational commanders can call on these teams in the event of a cyber incident in their area of jurisdiction.12
The Coast Guard needs to build on this momentum to push for additional regulatory tools for cyber compliance. It must highlight the dire need for additional measures to be placed into the arsenal of operational commanders.13 Creating specific requirements within the Code of Federal Regulations as part of a new regulatory package would be the best option. This would give inspectors the freedom to use a cumulative approach to cyber requirements rather than jumping straight to COTP control actions. Although the complexity of cyber networks varies greatly, even generic regulations that require running a supported version of Windows, patching software, or providing proof of compliance with the NIST cyber framework would be a giant stride forward.
In addition, regulated vessels and facilities should be required to staff a chief information security officer (CISO) position. Currently, CISO positions are combined with other security-related duties—if they exist at all. Making this position a regulatory requirement would clarify cyber responsibilities and ensure oversight and networking among maritime industry partners.
The Coast Guard should also consider collaborating with the maritime industry to rework national-level policy to identify this threat and collaborate on specific actions to harden networks. Creating a mutual working group, such as the Towing Vessel Safety Advisory Committee, which the Coast Guard created to address issues in the towing vessel community, would be invaluable for moving the needle forward on this shared threat.14
In the world of cybersecurity, every link in the supply chain is a potential entry point for malicious actors. Whatever guidance is created should address specific actions that Coast Guard inspectors can take if minimum standards are not met. If an inspector identifies a cyber issue with a vessel or facility, policy should dictate steps that can be taken to ensure this issue does not repeat itself on follow-on inspections.
The service should also consider the value of placing future CPTs within district offices throughout the Coast Guard. This will allow teams to fully understand the operational battle rhythm of each Coast Guard zone and learn nuances of the maritime industry within each area. As a bonus, the CPTs can train regular field inspectors on cyber-protection actions. Current policies mandate this type of training, but there are no avenues by which to obtain it. Increased availability from CPTs will ensure that rank-and-file inspectors are also trained to notice and respond to cyber vulnerabilities.
Cyber Threats Are Already Impacting Maritime Operations
In 2017, the shipping giant Maersk was one target of a global malware attack. The company reported that the threat affected all operations, including container shipping, port and tug boat operations, and oil and gas production. The attack also crippled 17 of APM Maersk’s container terminals throughout the world. Maersk was able to rebuild its network, but only through the sheer luck of having a port offline at the time of the attack because of a power outage.15
More recently, two NATO ships were viewed on the Automatic Identification System (AIS) crossing within two miles of a port that housed Russia’s Black Sea Fleet during a 2021 international exercise. If verified, this action would have been viewed as a major escalation of tension in the region. However, eyewitness accounts and webcams showed that both ships were moored in Ukraine, 180 miles away.16 Both “ghost ships” were attributed to AIS and GPS spoofing technology, which displayed the presence of vessels where none existed. Similar AIS and GPS spoofing events have begun to occur with enough frequency that the U.S. military has contemplated reinstating long-range navigation (LORAN) stations to act as a fail-safe in the case of a large-scale cyberattack on global positioning systems.17 LORAN stations use low-frequency radio waves and are not as easily integrated into portable technology, and are thus harder to spoof or jam.
Closer to home, a ransomware attack crippled the Port of Kennewick, Washington, on 16 November 2020. The military-grade hack encrypted the port’s servers, and the attackers demanded a $200,000 ransom to restore the network. The port refused to pay, and it took more than a month to restore its servers.18
Act Now Before Tragedy Strikes
To date, cyber incidents have not culminated in any major maritime disaster. However, the impact of this waiting game could be tragic. The stakes are too high to wait for a crisis before more stringent regulations or policies are enacted.
The disconnect between the responsibilities that the 2021 Cyber Strategic Outlook places on field commanders and the paucity of actual tools they have to prevent or respond to cyberattacks leaves the MTS vulnerable. Field commanders and inspectors need minimum standards and policies to effectively evaluate the maritime industry’s cyber posture and take enforcement action if gaps are found. Only then will the Coast Guard be able to prevent cyberattacks against the MTS and protect maritime commerce and the nation.
1. United States Coast Guard Cyber Strategic Outlook (Washington, DC: Coast Guard Headquarters, August 2021).
2. National Maritime Cyber Security Plan (Washington, DC: The White House, December 2020).
3. United States Coast Guard Cyber Strategic Outlook, 28.
4. “Security of Waterfront Facilities and Vessels in Port,” 33 C.F.R. § 6.1-1 (2016).
5. “Vessel Cyber Risk Management Work Instruction,” USCG Office of Commercial Vessel Compliance Mission Management System Work Instruction, CVC-WI-027(2), 18 February 2021; Navigation and Vessel Inspection Circular No. 01-20, “Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act (MTSA) Regulated Facilities,” COMDTPUB P16700.4, 20 February 2020.
6. “Diesel engine installations,” 46 C.F.R. § 58.10-10.
7. United States Coast Guard, Facility Security Assessment (FSA), vol. 68 no. 204 Fed. Reg. 60542 (22 October 2003).
8. “A Guide to the Rulemaking Process,” prepared by the Office of the Federal Register.
9. Gary Kessler and Steven Shepard, Maritime Cybersecurity: A Guide for Leaders and Managers (self-published, 2020).
10. U.S. Army Corps of Engineers, “Waterborne Commerce Cargo Data, 1 Year Cargo Report, 2019,” www.iwr.usace.army.mil/.
11. “Cybersecurity Framework,” National Institute of Standards and Technology (NIST).
12. “Cyber Protection Team,” Maritime Cyber Readiness Branch, U.S. Coast Guard, www.dco.uscg.mil/Our-Organizations/CNCYBER/Maritime-Cyber-Readiness-Branch.
13. “Executive Order on Improving the Nation’s Cybersecurity,” WH.gov, 21 May 2021, www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-bations-cybersecurity.
14. “National Towing Safety Advisory Committee,” U.S. Coast Guard DCO, Assistant-Commandant-for-Prevention-Policy-CG-5P/Commercial-Regulations-standards-CG-5PS/Office-of-Operating-and-Environmental-Standards/vfos/TSAC.
15. Maritime Cybersecurity: A Guide for Leaders and Managers, 69-71.
16. H.I. Sutton, “Positions of Two NATO Ships Were Falsified Near Russian Black Sea Naval Base,” USNI News, 21 June 2021.
17. Sean Gallagher, “Radio Navigation Set to Make a Global Return as GPS Backup, Because Cyber,” Ars Technica, 7 August 2012.
18. “Cyberattack Hobbles Port of Kennewick,” Tri-Cities Area Journal of Business, December 2020.