U.S. President Joe Biden has signed an Executive Order aimed at shoring up the cybersecurity of U.S. ports, a move fuelled by mounting concerns about the vulnerability of this critical infrastructure to cyberattacks. This initiative marks a significant shift in policy, empowering key agencies and outlining concrete actions to bolster defences.
By empowering key agencies, establishing clear standards, and fostering collaboration, the initiative aims to strengthen U.S. ports against the evolving threat of cyberattacks, safeguarding the nation's maritime economy and national security.
Expanded authority for DHS
The core of the Executive Order lies in granting the Department of Homeland Security (DHS) and the Coast Guard expanded authority to address maritime cyber threats. DHS gains the power to directly tackle these challenges, while the Coast Guard receives specific tools:
- Mandating Action: The Coast Guard can now compel vessels and waterfront facilities to address cyber vulnerabilities that endanger safety. This proactive approach aims to prevent incidents before they occur.
- Enhanced Visibility: Mandatory reporting of any cyber threats or incidents targeting ports and harbours becomes mandatory. This real-time information sharing allows for swifter response and mitigation efforts.
- Control and Inspection: The Coast Guard gains the authority to restrict the movement of vessels suspected of posing cyber threats. Additionally, inspections of vessels and facilities deemed risky can be conducted.
Mandatory cybersecurity standards
Furthermore, the initiative emphasises the importance of collaboration and information sharing
Beyond these broad powers, the Executive Order establishes foundational elements for improved cybersecurity. Mandatory cybersecurity standards will be implemented for U.S. ports' networks and systems, ensuring a baseline level of protection across the board. This standardisation aims to eliminate weak links in the chain and prevent attackers from exploiting individual vulnerabilities.
Furthermore, the initiative emphasises the importance of collaboration and information sharing. Mandatory reporting of cyber incidents fosters transparency and allows government agencies and private sector partners to work together in mitigating threats. Additionally, the Executive Order encourages increased information sharing among all stakeholders, facilitating a unified response to potential attacks.
Risk management strategies
To address specific concerns, the Coast Guard will issue a Maritime Security Directive targeting operators of Chinese-manufactured ship-to-shore cranes. This directive outlines risk management strategies to address identified vulnerabilities in these critical pieces of port infrastructure.
The long-term success of this initiative hinges on effective implementation. The Executive Order encourages investment in research and development for innovative cybersecurity solutions, recognising the need for continuous improvement and adaptation to evolving threats.
Recognising the urgency of cyber threats
Some concerns exist regarding the potential burden of yielding with new rules for less port operators
The initiative has been met with widespread support from port authorities, industry stakeholders, and cybersecurity experts who recognise the urgency of addressing cyber threats. However, some concerns exist regarding the potential burden of complying with new regulations for smaller port operators. Effective communication, resource allocation, and collaboration between all stakeholders will be crucial in ensuring the successful implementation of this comprehensive plan.
“This Executive Order is a positive move that will give the U.S. Coast Guard (USCG) additional authority to enhance cybersecurity within the marine transportation system and respond to cyber incidents,” comments Josh Kolleda, practice director, Transport at NCC Group a cybersecurity consulting firm.
The more impactful and noteworthy piece is the associated Notice of Proposed Rulemaking (NPRM) from the USCG on “Cybersecurity in the Marine Transportation System,” adds Kolleda. Portions of the proposed rulemaking look similar to the Transportation Security Administration (TSA) Security Directive for the rail industry and the Emergency Amendment for the aviation industry.
Coordinating with TSA on lessons learned
The focus here is on the PRC because nearly 80% of cranes operated at U.S. ports are manufactured
The USCG should be coordinating with TSA on lessons learned and incorporating them into additional guidance to stakeholders and processes to review plans and overall compliance, says Kolleda. “At first glance, the NPRM provides a great roadmap to increase cybersecurity posture across the various stakeholders, but it underestimates the cost to private companies in meeting the requirements, particularly in areas such as penetration testing,” says Kolleda. “It is unclear if or how the federal government will provide support for compliance efforts. As this seems to be an unfunded mandate, many private companies will opt for the bare minimum in compliance.”
“Cyber espionage and threats have been reported by the Director of National Intelligence from multiple nation-states including China, Russia, and Iran,” adds Paul Kingsbury, principal security consultant & North America Maritime Lead at NCC Group. The focus here is on the People’s Republic of China (PRC) because nearly 80% of cranes operated at U.S. ports are manufactured there, he says.
Minimum cyber security requirements
“The state-sponsored cyber actors’ goal is to disrupt critical functions by deploying destructive malware resulting in disruption to the U.S. supply chain,” says Kingsbury. “These threat actors do not only originate in China or other nation-states but also include advanced persistent threats (APTs) operated by criminal syndicates seeking financial gain from such disruptions. The threat actors don’t care where the crane was manufactured, but rather seek targets with limited protections and defences. The minimum cyber security requirements outlined within the NPRM should be adopted by all crane operators and all cranes, regardless of where they are manufactured.”
Kingsbury adds: “The pioneering risk outlined in the briefing is that these cranes (PRC manufactured) are controlled, serviced, and programmed from remote locations in China. While this is a valid concern and should be assessed, there are certainly instances where PRC-manufactured cranes do not have control systems manufactured in PRC. For example, there are situations in MTS facilities where older cranes have been retrofitted with control systems of EU or Japanese origin.”
Monitoring wireless threats
“The Biden Administration’s recent Executive Order is a critical step forward in protecting U.S. ports from cyberattacks and securing America’s supply chains,” says Dr. Brett Walkenhorst, CTO at Bastille, a wireless threat intelligence technology company.
“To ensure proper defense against malicious actors accessing port-side networks, attention must also be paid to common wireless vulnerabilities. Attacks leveraging Wi-Fi, Bluetooth, and IoT protocols may be used to access authorised infrastructure including IT and OT systems. Monitoring such wireless threats is an important element in a comprehensive approach to upgrading the defences of our nation’s critical infrastructure.”