Sunday, April 09, 2017

Critical Infrastructure: Maritime Cyber Resilience...

The Maritime Cyber Resilience evolution continues in the United States. Strategic ports for commerce and our Transportation Command (TRANSCOM) of the Department of Defense are adapting to the threat. The Critical Infrastructure Protection domains and the Operational Risk Management professionals are continuously on alert.

The resilience standards for protecting the Critical Infrastructure of U.S. ports and the Cyber domain would traditionally fall to U.S. Homeland Security and then the United States Coast Guard (USCG). TRANSCOM also has its own Cyber components that may interface with the seaport maritime infrastructure, including our commercial ports.

There is significant collaboration that must be coordinated with commercial private sector carriers and companies:

Military Sealift Command (MSC) provides high-quality, efficient and cost-effective ocean transportation for the Department of Defense and other federal agencies during peacetime and war.

USTC will execute sealift movements through Military Sealift Command (MSC) and Surface Deployment and Distribution Command (SDDC). Planners within these organizations will work together to provide optimal transportation solutions that are cost efficient and operationally effective and are within policy and law.

  • Surface Deployment and Distribution Command (SDDC) provides commercial sealift for customers through Liner Service.
  • Charter vs. Liner vs. Organic: By policy USTRANSCOM must consider commercial assets before organic assets. Charter and Liner services are commercial methods of moving cargo with different benefits.

How vast is the Cyber landscape for the U.S. Coast Guard's Homeland Security mission at maritime facilities across the nation?

The U.S. Coast Guard (USCG) oversees approximately 800 waterfront facilities that, among other activities, transfer hazardous liquids between marine vessels and land-based pipelines, tanks or vehicles. These “maritime bulk liquid transfers” increasingly rely on computers to operate valves and pumps, monitor sensors, and perform many other vital safety and security functions. This makes the whole system more vulnerable to cybersecurity issues ranging from malware to human error, and is the reason behind a new voluntary cybersecurity guide for the industry.

So what?

The current cyber threat environment for TRANSCOM is a parallel focus with the USCG, as they are both operating at commercial maritime facilities and seaports. The single set of standards they rely on for establishing, maintaining and testing their respective Cyber Domain readiness is the NIST Cybersecurity Framework:

Recognizing that the national and economic security of the United States depends on the reliable functioning of critical infrastructure, the President under the Executive Order "Improving Critical Infrastructure Cybersecurity" has directed NIST to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure. The Framework will consist of standards, guidelines, and best practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the framework will help owners and operators of critical infrastructure to manage cybersecurity-related risk while protecting business confidentiality, individual privacy and civil liberties.

TRANSCOM and the USCG are both operating in maritime domains, in concert with private commercial enterprises. The growing set of interdependent systems being utilized for cargo logistics, navigation and other computer automation provides some insight into the vulnerability landscape from a Cyber perspective.

To this day, other Critical Infrastructure sectors that are far more advanced in the defense of their Cyber domains are still trying to increase their resilience. The nation-state adversaries currently operating within the Financial and Commercial Facilities sector alone give us some degree of awareness of the magnitude of the current problem set.

Utilizing the NIST standard across Critical Infrastructure sectors as the baseline is only the start.  Raising the bar of Cybersecurity Readiness and Defense across the maritime and seaport domains adds tremendous new challenges.

As the U.S. Department of Defense moves personnel and supplies and utilizes commercial port facilities, it will be constantly interacting with private sector entities and assets it has little control over. The Cyber domain vulnerabilities that may occur with these commercial enterprises are unknown. The U.S. Coast Guard does not regulate the commercial companies and their state of Cyber readiness directly:

American ports, terminals, ships, refineries, and support systems are vital components of our nation’s critical infrastructure, national security, and economy. Cyber attacks on industrial control systems could kill or injure workers, damage equipment, expose the public and the environment to harmful pollutants, and lead to extensive economic damage. The loss of ship and cargo scheduling systems could substantially slow cargo operations in ports, leading to backups across the transportation system. A less overt cyber attack could facilitate the smuggling of people, weapons of mass destruction, or other contraband into the country.

In short, there are as many potential avenues for cyber damage in the maritime sector as there are cyber systems. While only some cyber attack scenarios in the maritime sector could credibly lead to a Transportation Security Incident, we must identify and prioritize those risks, take this threat seriously, and work together to improve our defenses.


The Maritime Cyber Resilience challenges are similar to other Critical Infrastructure sectors, yet how mature is the collaboration with Defense, Homeland Security and Commercial Private Sector organizations?