A June report completed by the GAO has determined that maritime cybersecurity is one item that has not yet received sufficient attention by the US Coast Guard, the Department of Homeland Security (DHS), or Port Owners and Operators.
Information and communications systems in ports rely on a variety of technologies. Without a standardized and coordinated system, the GAO’s opinion is that this creates a dangerous vulnerability in the US maritime port environment. There are approximately 360 US commercial ports, both sea and river, which handle cargo valued over $1.3 trillion each year. The emphasis on speeding cargo through the ports and the reliance on increasingly sophisticated technology, combined with the diverse systems mentioned above, creates vulnerabilities to outside threats.
Interruption of the operations of the nation’s ports could be devastating to the economy. The GAO report concludes that risk assessments, correction of vulnerabilities, and understanding the consequences of cyber attacks is a national priority.
Three port areas were visited in the course of the 2013-2014 GAO investigation: Houston, Los Angeles/Long Beach, and New Orleans. All three were chosen based on their identification as a high risk port and as national leaders in calls by varied vessels -- oil and natural gas, containers, and dry bulk.
The report focuses on the following technological areas, covering most of the activities carried out at all ports, that can be attacked by cyber terrorists, hackers, organized criminal groups, and similar individuals/groups:
Terminal operating systems. These are the systems utilized by terminal operators to monitor and control container movements and cargo storage.
Industrial control systems. These systems move goods throughout marine terminals with, for example, conveyor belts and pipelines.
Business operations systems. Information and communications systems that provide planning, customer communication, phones, networks and file servers.
Access control and monitoring systems. These systems support physical security using cameras and remote monitoring. In some cases, monitoring takes place at a location far removed from the actual port site.
A 2013 incident at a foreign port (not identified in the report) in which a criminal organization hacked into the terminal operating system to gain access to security and container location information in order to steal those containers is one example of the impetus for the GAO analysis.
The Maritime Transportation Security Act of 2002 (MTSA) and the Security and Accountability for Every Port Act of 2006 (SAFE Port Act) indicate that the Coast Guard (part of the DHS) is empowered to implement regulations to carry out these two laws. Forty-three geographically defined port areas have been identified and security committees established by the Coast Guard. These committees focus on infrastructure risk plans in port areas to ensure continued operation of critical goods movements. Facility owners and operators are heavily involved in creating and updating these plans. They are updated on a 5-year cycle. 2014 is an update year.
However, the GAO report has discovered that although plans to protect the physical infrastructure have been put into place as per these laws, little attention has been given to cybersecurity. This has been, in part, because until recently the dangers of cyber attacks were not understood. The report, therefore, now addresses this vulnerability.
Several activities are recommended: identification of possible threats to cyber infrastructure; reduction of vulnerabilities; and mitigation of damage should cyber attacks occur. Every two years, the Coast Guard completes a National Maritime Strategic Risk Assessment. The last one was issued in 2012. No cyber risks were identified or addressed during the assessment, according to the GAO report. The next assessment is scheduled for completion in September and it is expected to include cybersecurity considerations.
A FEMA Port Security Grant Program has been set up to provide general guidance on cyber security proposals and plans that are seen as a priority in the near future. Funds from the program may be used to invest in support and enhancement of port infrastructure, both physical and cyberspace-related. The GAO report indicates that more needs to be done to assist port owners and operators with these proposals and plans.
PortVision regularly provides platforms and systems to support port authorities and government agencies with their maritime domain awareness (MDA) initiatives. Additional details of how AIS and vessel tracking can support such initiatives can be found here.