The critical infrastructure gap: U.S. port facilities and cyber vulnerabilities

U.S. port facilities rely as much upon networked computer and control systems as they do upon stevedores

In sum, these recommendations call for: Congress to pass legislation that provides the Coast Guard authority to enforce cybersecurity standards for maritime critical infrastructure (consistent with how it already enforces physical security in maritime critical infrastructure); the adoption of NIST cybersecurity standards for port facilities; DHS to structure the PSGP grant program to incentivize cybersecurity projects; the Coast Guard to ensure a functional information sharing network is in place that allows government, port owners and operators, and maritime industry stakeholders to exchange cyber threat information; and port owners and operators to conduct cyber vulnerability assessments and prepare response plans.

The policy paper concludes by saying that taking steps to enhance cybersecurity in U.S. port facilities as part of the broader set of cybersecurity initiatives to protect other sectors of U.S. CIKR will greatly enhance the security and resiliency of this lesser-known but vitally important sector.

This research indicates that while the awareness of current cybersecurity needs and culture in U.S. ports is relatively low, many of the steps to improve this situation are relatively simple and can be done now. The PSGP’s resources present a tremendous opportunity to incentivize and fund some of these initial steps, including conducting a baseline round of cybersecurity vulnerability assessments in port facilities.

Existing structures such as the robust AMSCs should also be leveraged to provide coordinated communication of the threat, and steps that can be taken now to mitigate and minimize cyber vulnerabilities, including adding cyber incident response procedures to area maritime security plans and individual facility security plans.

While Congress continues its effort to pass comprehensive cybersecurity legislation, the full suite of existing authorities should also be scrutinized to see how they might be applied
in the interim or the absence of comprehensive cyber legislation. In the end, cybersecurity in port facilities should not be viewed as a regulatory intrusion into a new domain, but rather as a natural extension of the existing suite of security measures required to protect our ports, which our homeland and national security depend upon, and which U.S. economic security has relied on since the earliest days of our nation.

A copy of the report can be downloaded in PDF form by going to the following lnik: