The U.S. released its National Maritime Cybersecurity Plan, which aims to defend the American economy through enhanced cybersecurity coordination, policies and practices, aimed at mitigating risks to the maritime sub-sector. The intent of the plan is to promote prosperity through information and intelligence sharing, and preserving and increasing the nation’s cyber workforce.
The Maritime Transportation System (MTS) is made up of a complex network of waterways, ports, shipyards, and bridges, which interconnect with critical highways, railways, airports, and pipelines. MTS operators are increasingly reliant on information technology (IT) and operational technology (OT) to maximize the reliability and efficiency of maritime commerce. The plan aims to highlight the critical role of the MTS in both national security and the supply chain and increase awareness around the need to improve its cyber resiliency.
The MTS accounts for a quarter of the country’s gross domestic product, or approximately $5.4 trillion. U.S. President Donald Trump has in the new plan designated cybersecurity of the MTS a top priority for national defense, homeland security, and economic competitiveness.
The National Maritime Cybersecurity Plan unifies maritime cybersecurity resources, stakeholders, and initiatives to aggressively mitigate current and near-term maritime cyberspace threats and vulnerabilities while complementing the existing National Strategy for Maritime Security, Robert C. O’Brien, National Security Advisor, said in a statement.
The plan identifies government priority actions to close maritime cybersecurity gaps and vulnerabilities over the next five years, and articulates how the U.S. government can best reduce the potential catastrophic risks to national security and economic prosperity caused by MTS operators’ increasing reliance on IT and OT, while still promoting maritime commerce efficiency and reliability.
As no single entity owns, controls, manages, or regulates businesses or networks used throughout the maritime domain, MTS stakeholders rely on IT and OT systems to communicate with various transportation nodes to facilitate the movement of goods, illuminating the interdependencies that support economic prosperity. This leads a large part of the MTS to rely on outdated telecommunication infrastructure, threatening the ability of MTS stakeholders to protect digital information, the network, and to detect when malign actors are attempting to access protected systems.
To correct and mitigate these threats, the U.S. will remove government roles and responsibilities. The NSC staff, through the policy coordination process, will identify gaps in legal authorities and identify efficiencies to ‘de-conflict’ roles and responsibilities for MTS cybersecurity standards.
The U.S. will strengthen cybersecurity requirements in port services contracts and leasing. The U.S. Coast Guard will analyze and clarify the 2016 and 2020 cybersecurity reporting guidance for maritime stakeholders and collect maritime cyber incident reports to identify trends and attack vectors to increase maritime sector situational awareness and decrease maritime cyber risk.
The National Institute of Standards and Technology (NIST) will construct an internationally accepted, outcome-focused, threat-informed risk framework for port OT systems. Currently, no standard exists for assessing risk in OT networks. An OT risk framework will allow maritime stakeholders, including insurers, facility and/or vessel owners and shippers, to share a common risk language and develop common OT risk metrics for self-assessments.
To mitigate this, the plan proposes that the NIST create an international risk framework for port OT systems based on input from the industry and promote this framework internationally. This will lead to an internationally accepted, outcome-focused, threat-informed risk framework for port OT systems. Currently, no standard exists for assessing risk in OT networks.
Industrial Defender, an OT security company, recommends that companies operating in the MTS study the current NIST Cybersecurity Framework (CSF), as well as the Navigation and Vessel Inspection Circular (NVIC) 01-20 to build an understanding of what this new framework might look like and how they can get a head start on applying cyber risk management practices.
“You’ll notice that the first step in the NIST CSF is to create an accurate inventory of all your physical devices, systems, software platforms, and applications,” wrote Erin Anderson, an Industrial Defender executive, in a blog post. “Without good data on what you have in your cyber-physical environment, the other functions in the framework won’t work. Applying the right mix of people, process, and security technology will be critical for the MTS moving forward.”
The National Maritime Cybersecurity Plan states that the United States “will promote domestic and international engagement to facilitate information sharing and best practices to build a coalition of maritime cybersecurity advocates”.
To prepare for this, Industrial Defender says that it should begin by engaging with entities like the MTS-ISAC, which has become a go-to source for information on emerging cyber threats and serves as a centralized point of daily cyber threat intelligence sharing and coordination of best practices for both IT and OT system cybersecurity, Anderson said. In addition, the MTS-ISAC shared 70 maritime cybersecurity advisories in 2020 and holds numerous educational webinars throughout the year, she added.
Building on existing international frameworks, such as the International Ship and Port Facility Security Code, provides an opportunity to incorporate a maritime cybersecurity component into foreign port assessments that would protect the country from maritime cyber threats, as well as its partners and allies. The U.S. will also design a framework for port cybersecurity assessments.
The growing dependence on technology demands a maritime cyber-workforce equipped to support investigations into major marine casualties and mishaps. Ship and port system vulnerabilities present adversaries with opportunities to masquerade cyber-attacks as accidents, the government agency added.