Fueled by mounting concerns about the cybersecurity vulnerability of U.S. ports, President Joe Biden has signed an Executive Order aimed at shoring up defenses against cyberattacks.

Cybersecurity initiative

The cybersecurity initiative marks a significant shift in policy, empowering key agencies and outlining concrete actions to bolster defenses. 

By empowering agencies, establishing clear standards, and fostering collaboration, the initiative aims to strengthen U.S. ports against the evolving threat of cyberattacks, safeguarding the nation's maritime economy and national security.  

Expanded authority for DHS 

The Executive Order grants expanded authority to the Department of Homeland Security (DHS) and the Coast Guard to address maritime cyber threats. DHS gains the power to directly tackle these challenges, while the Coast Guard receives specific tools.

The Coast Guard can compel vessels and waterfront facilities to address cyber vulnerabilities that endanger safety. The proactive approach aims to prevent incidents before they occur.  

Real-time information sharing

Reporting any cyber threats or incidents targeting ports and harbors becomes mandatory. This real-time information sharing allows for swifter response and mitigation efforts.

The Coast Guard also gains the authority to restrict the movement of vessels suspected of posing cyber threats. Inspections can be conducted on vessels and facilities deemed risky. 

Mandatory cybersecurity standards 

Beyond these broad powers, the Executive Order establishes foundational elements for improved cybersecurity. Mandatory cybersecurity standards will be implemented for U.S. ports' networks and systems, ensuring a baseline level of protection across the board.

This standardization aims to eliminate weak links in the chain and prevent attackers from exploiting individual vulnerabilities. 

Importance of collaboration and transparency

Furthermore, the initiative emphasizes the importance of collaboration and information sharing. Mandatory reporting of cyber incidents fosters transparency and allows government agencies and private sector partners to work together in mitigating threats. 

Additionally, the Executive Order encourages increased information sharing among all stakeholders, facilitating a unified response to potential attacks. 

Maritime Security Directive

To address specific concerns, the Coast Guard will issue a Maritime Security Directive targeting operators of Chinese-manufactured ship-to-shore cranes. This directive outlines risk management strategies to address identified vulnerabilities in these critical pieces of port infrastructure.

The long-term success of this initiative hinges on effective implementation. The Executive Order encourages investment in research and development for innovative cybersecurity solutions, recognizing the need for continuous improvement and adaptation to evolving threats. 

Recognizing the urgency of cyber threats 

The initiative has been met with widespread support from port authorities, industry stakeholders, and cybersecurity experts who recognize the urgency of addressing cyber threats. However, some concerns exist regarding the potential burden of complying with new regulations for smaller port operators. 

Effective communication, resource allocation, and collaboration among all stakeholders will be crucial to ensure the successful implementation of this comprehensive plan. 

Enhancing cybersecurity

“This Executive Order is a positive move that will give the U.S. Coast Guard (USCG) additional authority to enhance cybersecurity within the marine transportation system and respond to cyber incidents,” comments Josh Kolleda, practice director, transport at NCC Group, a cybersecurity consulting firm.

“The more impactful and noteworthy piece is the associated Notice of Proposed Rulemaking (NPRM) from the U.S. Coast Guard (USCG) on ‘Cybersecurity in the Marine Transportation System,’” adds Kolleda. Portions of the NPRM look similar to the Transportation Security Administration (TSA) Security Directive for the rail industry and the Emergency Amendment for the aviation industry.

Coordinating with TSA on lessons learned 

The USCG should be coordinating with TSA on lessons learned and incorporating them into additional guidance to stakeholders and processes to review plans and overall compliance, says Kolleda.

“At first glance, the NPRM provides a great roadmap to increase cybersecurity posture across the various stakeholders, but it underestimates the cost to private companies in meeting the requirements, particularly in areas such as penetration testing,” says Kolleda.

Cyber espionage and threats

“It is unclear if or how the federal government will provide support for compliance efforts. As this seems to be an unfunded mandate, many private companies will opt for the bare minimum in compliance.”

“Cyber espionage and threats have been reported by the Director of National Intelligence from multiple nation-states including China, Russia, and Iran,” adds Paul Kingsbury, principal security consultant & North America Maritime Lead at NCC Group. The focus here is on the People’s Republic of China (PRC) because nearly 80% of cranes operated at U.S. ports are manufactured there, he says.

Destructive malware

“The state-sponsored cyber actors’ goal is to disrupt critical functions by deploying destructive malware resulting in disruption to the U.S. supply chain,” says Kingsbury. “These threat actors do not only originate in China or other nation-states but also include advanced persistent threats (APTs) operated by criminal syndicates seeking financial gain from such disruptions.”

“The threat actors don’t care where the crane was manufactured but rather seek targets with limited protections and defenses. The minimum cyber security requirements outlined within the NPRM should be adopted by all crane operators and all cranes, regardless of where they are manufactured.”

PRC-manufactured cranes

Kingsbury adds, “The pioneering risk outlined in the briefing is that these cranes (PRC manufactured) are controlled, serviced, and programmed from remote locations in China.”

“While this is a valid concern and should be assessed, there are certainly instances where PRC-manufactured cranes do not have control systems manufactured in PRC. For example, there are situations in maritime transportation system facilities where older cranes have been retrofitted with control systems of European Union or Japanese origin.”

Monitoring wireless threats 

“The Biden Administration’s recent Executive Order is a critical step forward in protecting U.S. ports from cyberattacks and securing America’s supply chains,” says Dr. Brett Walkenhorst, CTO at Bastille, a wireless threat intelligence technology company. “To ensure proper defense against malicious actors accessing port-side networks, attention must also be paid to common wireless vulnerabilities.”

“Attacks leveraging Wi-Fi, Bluetooth, and IoT protocols may be used to access authorized infrastructure including IT and OT systems. Monitoring such wireless threats is an important element in a comprehensive approach to upgrading the defenses of our nation’s critical infrastructure.”

Author profile

Larry Anderson Editor, SecurityInformed.com & SourceSecurity.com

An experienced journalist and long-time presence in the US security industry, Larry is SecurityInformed.com's eyes and ears in the fast-changing security marketplace, attending industry and corporate events, interviewing security leaders and contributing original editorial content to the site. He leads SecurityInformed's team of dedicated editorial and content professionals, guiding the "editorial roadmap" to ensure the site provides the most relevant content for security professionals.