In a 50-page policy paper just released by the Brookings Institute and authored by Commander Joseph Kramek of the U.S.Coast Guard and a Federal Executive Fellow at the institute, the current state of affairs related to vulnerabilities at our national seaports is discussed and options to shore up cyber security are offered.
In the executive summary, Commander Kramek writes that today's U.S. port facilities rely as much upon networked computer and control systems as they do upon stevedores to ensure the flow of maritime commerce that the economy, homeland, and national security depend upon. Yet, unlike other sectors of critical infrastructure, little attention has been paid to the networked systems that undergird port operations.
No cybersecurity standards have been promulgated for U.S. ports, nor has the U.S. Coast Guard, the lead federal agency for maritime security, been granted cybersecurity authorities to regulate ports or other areas of maritime critical infrastructure. In the midst of this lacuna of authority is a sobering fact: according to the most recent National Intelligence Estimate (NIE) the next terrorist attack on U.S. Critical Infrastructure and Key Resources (CIKR) is just as likely to be a cyber attack as a kinetic attack.
The potential consequences of even a minimal disruption ofthe flow of goods in U.S. ports would be high. The zero-inventory, just-in-time delivery system that sustains the flow of U.S. commerce would grind to a halt in a matter of days; shelves at grocery stores and gas tanks at service stations would run empty. In certain ports, a cyber disruption affecting energy supplies would likely send not just a ripple but a shockwave through the U.S. and even global economy.
Given the current absence of standards and authorities, this paper explores the current state of cybersecurity awareness and culture in selected U.S. port facilities. The use of the post-9/11 Port Security Grant Program (PSGP), administered by the Federal Emergency Management Agency in consultation with the Coast Guard, is also examined to see whether these monies are being used to fund cybersecurity projects.
In the end, the research shows that the level of cybersecurity awareness and culture in U.S. port facilities is relatively low. In most ports, basic cybersecurity hygiene measures are not being practiced. Of the ports studied, only one had conducted a cybersecurity vulnerability assessment, and not a single one had developed a cyber incident response plan.
PSGP federal program managers have not expressly included cybersecurity projects in their funding criteria. While this did not exclude ports from seeking PSGP monies for cybersecurity projects, it certainly did not incentivize them. Of the $2.6 billion allocated to the PSGP over the past decade, less than $6 million—or less than one percent—was awarded for cybersecurity projects, and only one port in this study had used PSGP monies for a cybersecurity project. Ironically, a large number of security systems purchased with PSGP monies are networked into port command centers, making them more vulnerable to cyber attacks.
Most municipal ports are so-called landlord ports that lease out their terminals to private entities. Thus, the research also found that landlord ports have little awareness of what networked systems are being run by their lessees and almost no awareness of what, if any, cybersecurity measures are being taken to protect these systems.
Based on these findings, a series of policy recommendations are provided for Congress, DHS and the Coast Guard, and port facility owners and operators for how cybersecurity in U.S. port facilities might be incentivized and improved.