
Coast Guard To Empower Maritime Cybersecurity

The Department of Homeland Security tackles maritime cybersecurity, enforcing regulations to counter rising threats.

The U.S. Coast Guard will enforce heightened cybersecurity measures for maritime commercial traffic and infrastructure, with new requirements and expanded authority to tackle rising threats.

The service’s expanded authority follows an executive order from early in 2024 that allows it to:

  • Require vessels, facilities and harbors to mitigate cyber risks.
  • Receive reports of cyber incidents involving any vessel, harbor, port or waterfront facility.
  • Take control of vessels that present a cyber threat to U.S. maritime infrastructure.

This effectively places cybersecurity of marine transportation digital infrastructure under Department of Homeland Security (DHS) supervision. The FBI was also given authority in this domain, in coordination with DHS agencies.

“The updated regulations also empower the commandant of the Coast Guard to prescribe conditions and restrictions for the safety of waterfront facilities and vessels in port, including measures to prevent, detect, assess, and remediate an actual or threatened cyber incident. They require reports to the captain of the port, Federal Bureau of Investigation, and Cybersecurity and Infrastructure Security Agency for evidence of sabotage, subversive activity, or actual or threatened cyber incidents involving or endangering any vessel, harbor, port, or waterfront facility,” said Kurt Fredrickson, Coast Guard spokesperson, in an email to SIGNAL Media.

The federal government will invest over $20 billion in U.S. port infrastructure over the next five years, according to a White House release. With cyberattacks growing in number and sophistication, DHS pointed toward China.

The uptick in attacks was attributed to Volt Typhoon, an actor associated with Beijing and ransomware, according to the Coast Guard’s 2023 Cyber Trends And Insights In The Marine Environment report.

Meanwhile, the U.S. Coast Guard issued a notice of proposed rulemaking that was due in April of this year. After this, a final regulation is expected.

“In addition to the executive order, the Coast Guard proposes to update its maritime security regulations by adding regulations specifically focused on establishing minimum cybersecurity requirements for U.S. flagged vessels, outer continental shelf facilities, and U.S. facilities subject to the Maritime Transportation Security Act of 2002 regulations,” Fredrickson said.

“I would expect the final rule will come out at some point over the next 12 months or so,” said Josh Koleda, transport assurance practice director for North America at NCC Group.

Meanwhile, the Coast Guard is in action.

“We’re seeing the Coast Guard increase cyber-protection teams. They now have three cyber protection teams that go out and do assessments and threat hunting and incident response,” said Joseph Re, general manager of Sev1Tech, Maritime Division.

The raft of regulations can be explained from a systemic point of view. “The entire ecosystem is only as secure as its weakest link,” Re said.

The Coast Guard said that companies will have to plan and hire.

“It requires a cybersecurity plan; it requires a cybersecurity officer,” said Re, a Coast Guard veteran of almost three decades.

Still, most mandates have already been put in place in previous regulations from different agencies, and the new regulation remains comprehensive but within what is expected, according to Koleda.

As agencies set new minimum cybersecurity standards, private operators will have to find ways to step up their provisions.

“New and emerging technologies create new attack paths,” Re said.

Underscoring this, Egon Rinderer, Shift5 chief technology officer, compared a ship to a city. “You have power systems and life support systems and everything from a sewage treatment plant to water purification, to electricity generation and distribution, steering, navigation.”

And multiple systems offer increased opportunities for attackers.
 

A 306-meter U.S.-flagged container ship moors at Leatherman Terminal in Charleston Harbor, South Carolina. Credit: Daniel Wright98/Shutterstock

One of the Coast Guard’s new competencies will be receiving reports from all stakeholders. This is expected to improve the current knowledge and safety environment.

“Information sharing is critical and the most effective way to kind of defend against these attacks,” Re said.

Upgraded cybersecurity is now part of the building process, as engineering factors cybersecurity into planning.

“There’s been judicious steps to make sure there is network segmentation between the information technology and the operational technology,” Koleda said.

The layers of regulation borrow from another sector where cybersecurity is critical.

“If you look at the Transportation Security Administration, [the administration has] taken a similar approach for aviation security, where they work with industry partners and stakeholders and through advisory committees to identify best practices and strengthen the overall cybersecurity posture,” Re said.

Nevertheless, there is a domain where it would be harder to borrow from the air transport cyber standards.

“For unmanned surface vehicles, [regulations] are Navy-related as of current. These are largely coming from commercial industry and there are not specific cybersecurity requirements defined by the Navy or DoD, as of current,” said Steven Shpiner, managing director for research development at Prescient Edge, a systems integrator that specializes in unmanned surface vessels.

And looking at the operations environment, Koleda envisages a bumpy road, at least when the regulation first comes out.

“I would expect to see a lot of pushback from the port operators and the vessel owner-operators, not from a maybe requirement standpoint so to say, but potentially maybe on the frequency in which they need to submit plans,” Koleda told SIGNAL Media in an interview.

The costs associated with planning and performing complex penetration testing could be taxing, especially for smaller stakeholders, and those are expected to be the primary source of controversy, according to Koleda.

Meanwhile, “the major players are already doing it,” Koleda said.

In this scenario of change, Koleda identified low-hanging fruit: “Changing default passwords on a lot of the [operational technology] equipment, those are quick wins, and hopefully that should cover a lot.”

Koleda pointed to another aspect: vessels built this year will start to be compliant, but the whole industry will need an update well before the replacement of much of the capital currently keeping the U.S. and the larger world economy humming.

Another aspect Koleda wonders about, and which has yet to be confirmed, is whether non-U.S. vessels predominantly transporting U.S. citizens or using the country’s waters will need to comply at the same level as a ship bearing the nation’s flag.

So far, there has been limited conversation about unmanned surface vessels, despite their increasing military and civilian use.

“There’s an opportunity for governments with the change that is forthcoming, with the use of drone boats or uncrewed vessels, depends on where you’re coming from: if it’s uncrewed or if it’s a drone vessel,” Shpiner said.

When the federal government issues its more comprehensive regulation, it is not expected to mark a point from which cybersecurity will start but rather the beginning of a long process. The web of legacy relationships behind capital with a life cycle substantially longer than the technologies it relies on is expected to open a debate that may take years, if not decades, to reach a satisfactory conclusion for all stakeholders.

The United Nations’ International Maritime Organization declined to comment for this story but pointed toward a set of regulations it published as mandatory standards it expects from all participants.