U.S. President Joe Biden has signed an Executive Order aimed at shoring up the cybersecurity of U.S. ports, a move fuelled by mounting concerns about the vulnerability of this critical infrastructure to cyberattacks. This initiative marks a significant shift in policy, empowering key agencies and outlining concrete actions to bolster defences.

By empowering key agencies, establishing clear standards, and fostering collaboration, the initiative aims to strengthen U.S. ports against the evolving threat of cyberattacks, safeguarding the nation's maritime economy and national security.

Expanded authority for DHS

The core of the Executive Order lies in granting the Department of Homeland Security (DHS) and the Coast Guard expanded authority to address maritime cyber threats. DHS gains the power to directly tackle these challenges, while the Coast Guard receives specific tools:

  • Mandating Action: The Coast Guard can now compel vessels and waterfront facilities to address cyber vulnerabilities that endanger safety. This proactive approach aims to prevent incidents before they occur.
  • Enhanced Visibility: Mandatory reporting of any cyber threats or incidents targeting ports and harbours becomes mandatory. This real-time information sharing allows for swifter response and mitigation efforts.
  • Control and Inspection: The Coast Guard gains the authority to restrict the movement of vessels suspected of posing cyber threats. Additionally, inspections of vessels and facilities deemed risky can be conducted.

Mandatory cybersecurity standards

Furthermore, the initiative emphasises the importance of collaboration and information sharing

Beyond these broad powers, the Executive Order establishes foundational elements for improved cybersecurity. Mandatory cybersecurity standards will be implemented for U.S. ports' networks and systems, ensuring a baseline level of protection across the board. This standardisation aims to eliminate weak links in the chain and prevent attackers from exploiting individual vulnerabilities.

Furthermore, the initiative emphasises the importance of collaboration and information sharing. Mandatory reporting of cyber incidents fosters transparency and allows government agencies and private sector partners to work together in mitigating threats. Additionally, the Executive Order encourages increased information sharing among all stakeholders, facilitating a unified response to potential attacks.

Risk management strategies

To address specific concerns, the Coast Guard will issue a Maritime Security Directive targeting operators of Chinese-manufactured ship-to-shore cranes. This directive outlines risk management strategies to address identified vulnerabilities in these critical pieces of port infrastructure.

The long-term success of this initiative hinges on effective implementation. The Executive Order encourages investment in research and development for innovative cybersecurity solutions, recognising the need for continuous improvement and adaptation to evolving threats.

Recognising the urgency of cyber threats

Some concerns exist regarding the potential burden of yielding with new rules for less port operators

The initiative has been met with widespread support from port authorities, industry stakeholders, and cybersecurity experts who recognise the urgency of addressing cyber threats. However, some concerns exist regarding the potential burden of complying with new regulations for smaller port operators. Effective communication, resource allocation, and collaboration between all stakeholders will be crucial in ensuring the successful implementation of this comprehensive plan.

This Executive Order is a positive move that will give the U.S. Coast Guard (USCG) additional authority to enhance cybersecurity within the marine transportation system and respond to cyber incidents,” comments Josh Kolleda, practice director, Transport at NCC Group a cybersecurity consulting firm.

The more impactful and noteworthy piece is the associated Notice of Proposed Rulemaking (NPRM) from the USCG on “Cybersecurity in the Marine Transportation System,” adds Kolleda. Portions of the proposed rulemaking look similar to the Transportation Security Administration (TSA) Security Directive for the rail industry and the Emergency Amendment for the aviation industry.

Coordinating with TSA on lessons learned

The focus here is on the PRC because nearly 80% of cranes operated at U.S. ports are manufactured

The USCG should be coordinating with TSA on lessons learned and incorporating them into additional guidance to stakeholders and processes to review plans and overall compliance, says Kolleda. At first glance, the NPRM provides a great roadmap to increase cybersecurity posture across the various stakeholders, but it underestimates the cost to private companies in meeting the requirements, particularly in areas such as penetration testing,” says Kolleda. “It is unclear if or how the federal government will provide support for compliance efforts. As this seems to be an unfunded mandate, many private companies will opt for the bare minimum in compliance.”

Cyber espionage and threats have been reported by the Director of National Intelligence from multiple nation-states including China, Russia, and Iran,” adds Paul Kingsbury, principal security consultant & North America Maritime Lead at NCC Group. The focus here is on the People’s Republic of China (PRC) because nearly 80% of cranes operated at U.S. ports are manufactured there, he says.

Minimum cyber security requirements

The state-sponsored cyber actors’ goal is to disrupt critical functions by deploying destructive malware resulting in disruption to the U.S. supply chain,” says Kingsbury. “These threat actors do not only originate in China or other nation-states but also include advanced persistent threats (APTs) operated by criminal syndicates seeking financial gain from such disruptions. The threat actors don’t care where the crane was manufactured, but rather seek targets with limited protections and defences. The minimum cyber security requirements outlined within the NPRM should be adopted by all crane operators and all cranes, regardless of where they are manufactured.”

Kingsbury adds: “The pioneering risk outlined in the briefing is that these cranes (PRC manufactured) are controlled, serviced, and programmed from remote locations in China. While this is a valid concern and should be assessed, there are certainly instances where PRC-manufactured cranes do not have control systems manufactured in PRC. For example, there are situations in MTS facilities where older cranes have been retrofitted with control systems of EU or Japanese origin.”

Monitoring wireless threats

The Biden Administration’s recent Executive Order is a critical step forward in protecting U.S. ports from cyberattacks and securing America’s supply chains,” says Dr. Brett Walkenhorst, CTO at Bastille, a wireless threat intelligence technology company.

To ensure proper defense against malicious actors accessing port-side networks, attention must also be paid to common wireless vulnerabilities. Attacks leveraging Wi-Fi, Bluetooth, and IoT protocols may be used to access authorised infrastructure including IT and OT systems. Monitoring such wireless threats is an important element in a comprehensive approach to upgrading the defences of our nation’s critical infrastructure.”

Download PDF version Download PDF version

Author profile

Larry Anderson Editor, MaritimeInformed.com

An experienced journalist and editor, Larry is MaritimeInformed.com's eyes and ears in the fast-changing maritime marketplace, attending industry and corporate events, interviewing maritime leaders and contributing original editorial content to the site. He leads MaritimeInformed.com's team of dedicated editorial and content professionals, guiding the "editorial roadmap" to ensure the site provides the most relevant content for maritime professionals. Larry also commissions Expert Commentary / Thought Leadership features, providing a platform for the industry's top executives to comment on the dynamic maritime industry.

In case you missed it

Transforming maritime operations with augmented reality
Transforming maritime operations with augmented reality

Augmented reality (AR) is making waves across various industries, and maritime is no exception. For maritime professionals, AR offers practical, real-time solutions that enhance sa...

NAPA Logbook enhances data collection for Anthony Veder
NAPA Logbook enhances data collection for Anthony Veder

Anthony Veder, a gas shipping company, has strengthened its partnership with NAPA, a global provider of maritime software and data services, to expand the use of electronic logbook...

Sustainable marine coating solutions from PPG
Sustainable marine coating solutions from PPG

PPG has announced its 50th order for the electrostatic application of marine fouling control coatings. The project will be carried out on the VLCC SIDR, a 336-metre oil tanker ope...

vfd