CISA Restarts Seaport Cybersecurity Exercises
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has restarted a series of tabletop exercises designed to boost cybersecurity at U.S. seaports.
The COVID-19 pandemic derailed the initiative, known informally as the port security ecosystem tabletop exercise, after the first event in Savannah, Georgia, Klint Walker, CISA supervisory cybersecurity advisor, reported during an interview with SIGNAL Media. Other events and priorities, including Walker’s pursuit of an advanced degree, further delayed the effort.
But Walker is once again driving the proof of concept with a likely return to the Port of Savannah. “Our original exercise was with the Port of Savannah, and that is who we’re reaching out to. Matter of fact, I go next week to talk to the Port of Savannah to see if we can get the schedule for them to redo what we did originally,” he said.
The ports of Charleston, South Carolina, Wilmington, North Carolina, and Tampa, Florida, may be next on the list. “We’re also in discussions with the Port of Charleston. I’m hoping to make a visit to them in the next two months to solidify what we’re going to be doing with them shortly. And we’re—fingers crossed—we’re hoping that the Port of Wilmington and maybe the Port of Tampa are going to want to be our next two. Those are the four that I have on my current calendar, but we’re open to other ports reaching out to us and saying that they’d like to participate.”
While the current list includes only East Coast ports, any port can participate, Walker said. “It doesn’t matter where these ports are in the United States. Any port that would like to see what we’re doing or work with us, we’re more than happy to support that and bring what we have currently in draft format so that they can help us build a better product.”
The restart is needed because of the expanding threat to ports, a critical piece of the American supply chain. “We’re hoping to get this going again because the threat has definitely elevated in this particular arena,” Walker offered. “Supply chain has really come into focus in the recent years, in that we’ve seen how it’s not just the critical infrastructure itself but the suppliers that bring that critical infrastructure. COVID was a great example of how the ports were limited in their capacity to get equipment in and out or move goods from ship to shore, and that really impacted our economy. It impacted the way that we did business nationally.”
U.S. ports already have proven to be tempting targets for cyber attackers. In 2021, for example, the Port of Houston in Texas issued a statement saying it had fought off an attempted hack and “no operational data or systems were impacted,” the Associated Press reported. Then-CISA Director Jen Easterly reported the attack that same week to a Senate committee, saying she believed a nation-state actor, which she did not identify, was behind the attack.
Additionally, hacker groups Volt Typhoon and Salt Typhoon, which are associated with the People’s Republic of China (PRC), have attacked U.S. critical infrastructure, including ports, although the specific ports have not yet been publicly identified. The groups use so-called “living off the land” techniques, which CISA has described as “a hallmark of Volt Typhoon actors’ malicious cyber activity when targeting critical infrastructure.”
“When we look at how the PRC has definitely shown that they’re capable of going after—with their living off the land techniques and their Volt Typhoon and Salt Typhoon—we see that there’s a definite interest in them going after the ports and going after the supply chain,” Walker said.
To make matters worse, many ports rely largely on systems supplied by China. In 2024, for example, the House Committee on Homeland Security and the Select Committee on the Chinese Communist Party released a joint investigative report exposing the rising threat to U.S. economic and homeland security posed by the Chinese Communist Party. The report asserted that Shanghai Zhenhua Heavy Industries dominates the global market share of ship-to-shore port cranes, and that China’s broader maritime infrastructure dominance creates significant cybersecurity and national security vulnerabilities for both the United States and its allies.
More recently, NETSCOUT, which provides application and network performance management products, reported that a newly formed group, DieNet, had targeted the Port of Los Angeles and other critical infrastructure in the United States and Iraq.
One challenge to protecting U.S. critical infrastructure anywhere, including ports, is that private companies own the majority of that infrastructure, so it requires city, county, state and federal governments to work together with industry. “This is the ultimate in public-private partnerships, because a lot of times the port is owned or operated by the city and the county, sometimes even the state, whether we’re talking about a seaport or an airport, but it’s the private sector doing all the business there,” Walker explained. “And an impact to any one of those can cause a domino effect, what we call a cascading effect, to ripple throughout the state, or even throughout the region. So, what you’re looking at here is the ability of the National Guard, the U.S. Coast Guard, the federal entities such as Department of Homeland Security and CISA, to work with state and local and also private sector.”
Rick Siebenaler, CEO, Maritime Cybersecurity Institute, a nonprofit organization, stressed to SIGNAL Media the value of cooperation and information sharing. “Independent organizations need to be able to work with each other, be open to sharing information, not be fearful of doing that,” he said, adding that seemingly minor cyber incidents could signal a much bigger threat. “What might appear to be normal, run-of-the-mill cyber activities that happen all of the time may be just the tip of the iceberg to a much bigger strategy.”
The CISA team intends to build a framework that any seaport can adopt and adapt, including bulk container, commercial and recreational ports.
“The reason we do a proof of concept is because what we want to build is an exercise that we can duplicate. Because if you’ve seen one port, the old adage is, you’ve seen one port,” Walker said. “Every port operates as a unique ecosystem, but there’s still some common ground there, and what we want to build is a framework that we can then recreate at every other port. We can send out this template to every cybersecurity advisor, every U.S. Coast Guard unit, or even the city, and they can recreate this themselves.”
The common ground may be that entities around a seaport will all be hit by the same hurricane, or they may share a common technology stack, connect to the same wide area network or share the same data center or some of the same information technology systems. All involved need to identify which resources to prioritize in emergencies and determine how they can work together to identify gaps and effectively and efficiently restore systems. They might even be able to combine resources and purchasing power to build a more secure ecosystem.
The effort is currently a proof of concept, but building a legacy is the goal. “If we can get a template of a framework for national use and this does become an official program of record—whether that program is picked up by the Coast Guard, whether it’s picked up by the National Guard, by CISA, by the Department of Homeland Security, whoever wants to own the final product is fine,” Walker said. “But I think that you measure success by the number of people willing to participate or carry on the legacy of this program and do these tabletop exercises. And if people start to collaborate and share information and build that common operating picture from a cyber perspective for each port, even in steady state operations, and they maintain this vigilance and awareness, I think that’s a measure of success.”