Today, cyberattacks are escalating in number and severity. The risks are especially grave for critical infrastructure. The attack on the Colonial Pipeline in May 2021, for example, highlighted the inextricable link between U.S. critical infrastructure and national interests. A disruption to or destruction of any portion of U.S. energy infrastructure would have debilitating effects. However, the energy sector is not unique. That same year, the transportation sector had more than twice as many cybersecurity incidents as in 2020.
The United States is, at its core, a maritime nation, and the Marine Transportation System (MTS) is its lifeblood. The MTS supports more than 30 million U.S. jobs and a quarter of the nation’s $5.4 trillion gross domestic product. This interconnected system depends on physical assets, underlying data, and industrial controls, and is essential to the nation’s prosperity and security. Cybersecurity vulnerabilities unfortunately permeate this system, stemming from a lack of cybersecurity regulations, standards, and controls in the MTS.
Security Planning
The Maritime Transportation Security Act (MTSA) of 2002 was enacted to address security in the maritime environment in the wake of 9/11. This legislation requires the Coast Guard to regulate and enforce security planning across almost 600 ports, 470,000 facilities, and 780,000 vessels. In cooperation with the maritime industry, the Coast Guard has enacted MTSA mandates for physical security measures and procedures to mitigate vulnerabilities.
The Coast Guard approaches MTS management in alignment with its operational principles: unity of effort, clear objectives, on-scene initiative, effective presence, managed risk, flexibility, and restraint. However, because more than 95 percent of the MTS is owned and operated by private industry, restraint is at the forefront. The Coast Guard’s industry partners are professional mariners who could face significant losses from a security incident, so highly prescriptive regulations are unnecessary and rare. Instead, the Coast Guard has cooperatively developed standards and manages compliance without punitive measures. Committees for harbor safety and area maritime security maintain this cooperation and work to manage risk and promote a whole-of-nation approach.
The Coast Guard has forward-leaning leaders, extensive federal authorities, and an overarching cyber strategy. At first glance, this seems like a viable recipe for supporting national security interests. However, the Coast Guard has longstanding organizational challenges, as the Government Accountability Office (GAO) highlighted in a series of 2020 reports. Workforce capacity and capability gaps have constrained the service’s ability to adapt to the accelerating pace of technology and its corresponding threat vectors.
GAO also has called out the exclusion of the Coast Guard’s cybersecurity requirements from port plans, known as area maritime security plans. It has been seven years since GAO drew attention to this issue, but the Coast Guard has not yet included cybersecurity requirements in all three types of area maritime security plans. These plans are necessary to secure the waterways, ports, and other types of connections that allow people and goods to move to, from, and on the water.
Challenges to Regulating Cybersecurity
Within the MTS, there are four primary targets of cyberattacks. The most lucrative is data in the terminal headquarters. This information can be ransomed or can be manipulated to enable smuggling or cargo theft. The second target is physical access to port facilities, which can lead to disruption of operations. The third is control of the operational technology that is interconnected with information technology, which can lead to potential loss of life or destruction of property. The final target is the control or navigation systems of vessels, which could disrupt the flow of maritime traffic.
While the MTS lacks comprehensive cybersecurity regulation, this does not mean the Coast Guard is not making progress on the issue. Nor does it mean the Coast Guard should implement highly prescriptive regulations. Ultimately, there are four cybersecurity problems the service faces with regulating the MTS:
1. There needs to be more consistency in implementing cybersecurity regulations for critical infrastructure. The Cybersecurity and Infrastructure Security Agency (CISA) has provided overarching guidance; however, all 16 federal agencies—collectively called Sector Risk Management Agencies—that CISA has designated to coordinate and implement regulation across the various critical infrastructure sectors are managed differently. This is incredibly challenging for industry partners, especially since many private companies span multiple sectors.
The lack of consistent standardization has left all the Sector Risk Management Agencies, including the Coast Guard, doing the best they can. The Coast Guard’s initial approach was to provide guidance incorporating references published by the National Institute of Standards and Technology (NIST), which speak to controls. However, this guidance did not list which controls were applicable.
2. The critical infrastructure of the MTS includes more than what the MTSA covers. The act addresses key terrain across 361 ports and select vessel types but is not all-inclusive. This leaves an almost 40 percent gap in cybersecurity coverage across the 600 ports nationwide. As a result, while MTSA-regulated facilities receive guidance and review, non-MTSA facilities receive no oversight from the Coast Guard.
3. Cybersecurity controls in MTSA-regulated facilities lack specificity. The Coast Guard has precise requirements for physical security, backed by twice-annual inspections. However, it stipulates only that MTSA-regulated facilities produce a cybersecurity annex in their planning documents, with no specified technologies, requirements, or associated security controls. This means private industry must perform its own risk identification and necessary mitigations. While this approach meets the call to not be overly prescriptive, it fails to support the development of good cybersecurity habits.
4. There currently are no cybersecurity regulations for either MTSA-regulated vessels or outer continental shelf facilities. These gaps present a significant security threat to ports and waterways. The first detected and reported attack against a vessel occurred in March 2019 aboard a 1,000-plus-foot U.S.-flagged container ship within the Port of New York. This incident could have caused tremendous damage at a significant cost.
Recommendations
The Coast Guard must develop strategic plans of action to shore up cybersecurity norms and best practices for the MTS. It also must establish and reinforce good cybersecurity hygiene—such as using multifactor authentication, regular software updates, intrusion detection and antivirus software, and personnel education—to deter adversaries from destructive behaviors. To jumpstart this effort, the Coast Guard can take the following six steps:
Organize international symposiums to shift thinking. The Coast Guard is an internationally esteemed organization. It should use its position to organize international symposiums with joint and interagency partners to garner consensus on cybersecurity in the global maritime environment. Beyond just presenting information, the service should flex its diplomatic muscles and foster an understanding of the new paradigm and a sense of urgency to act on it.
Build a coalition of public and private stakeholders. The Coast Guard should build a coalition of stakeholders from both public and private spaces to influence this paradigm shift on cybersecurity. Associated stakeholders should include federal agencies that regulate other facets of the maritime environment and industry partners that are not regulated under the MTSA. Other stakeholders should include international partners, other Sector Risk Management Agencies, NIST, and the Department of Defense. Constant and transparent communication with all stakeholders will be critical to keep such a coalition engaged.
Promote a unified vision. The Coast Guard must make it clear that protecting critical assets within the MTS is the highest priority. A unified vision for how to deny adversaries opportunities to attack could build consensus. Further, a shared set of concerns and goals could encourage continued participation and compliance from industry partners.
Formulate appropriate cybersecurity controls. Armed with a shared vision, the Coast Guard should lead an effort among all stakeholders to identify and formulate appropriate cybersecurity controls. This collaborative effort would use the expertise and guidance of NIST standards and determine the process for validating their implementation. The Coast Guard should be responsible for both disseminating these new MTS cybersecurity standards and promoting their adoption among MTSA-regulated industry partners.
MTSA-regulated partners should share responsibility with the Coast Guard to promote these standards to the broader non-MTSA-regulated industry. The MTS will become more secure from cyberattacks only when there is assimilation beyond MTSA industry partners. These new controls also must flow down to the nonessential underlying systems of MTS assets—for example, environmental controls and monitoring systems; energy management systems; inventory, maintenance, and asset management systems; and access control and surveillance systems.
Consolidate formal standards into baseline regulations. To shepherd the MTS toward implementing these controls, the Coast Guard must consolidate formal standards into common-sense baseline regulations. The service should create and disseminate to MTSA-regulated vessels and facilities a timeline for incorporating regulations in their security plans and for their subsequent implementation.
Institute an enforcement mechanism. The Coast Guard also should institute a comprehensive verification and enforcement mechanism. Evaluations should be conducted on an annual basis and should include spot checks. The service should verify that cybersecurity plans for physical infrastructure, systems, and controls exist and are compliant with baseline regulations. While this evaluation process should not be punitive, the Coast Guard could implement incentives such as certifications to encourage additional assessments and faster implementation.
Changing Maritime Industry Culture
Strategic planning for an effort of this magnitude will require the Coast Guard to work with all stakeholders throughout the process. The Coast Guard must balance suitability, feasibility, and acceptability for all stakeholders. Until the changes are institutionalized, the Coast Guard must be an anchor under what is to be accomplished and why it is necessary. Furthermore, the Coast Guard must also address deterrence. A consistent means to deny potential attackers is essential. The Coast Guard can do this by utilizing intelligence gathering to improve decision advantage, conducting preemptive annual and spot-check assessments, and expanding defensive and offensive response capabilities against adversaries.