In a 50-page policy paper just released by the Brookings Institute and authored by Commander Joseph Kramek of the U.S.Coast Guard and a Federal Executive Fellow at the institute, the current state of affairs related to vulnerabilities at our national seaports is discussed and options to shore up cyber security are offered.
In the executive summary, Commander Kramek writes that today's U.S. port facilities rely as much upon networked computer and control systems as they do upon stevedores to ensure the flow of maritime commerce that the economy, homeland, and national security depend upon. Yet, unlike other sectors of critical infrastructure, little attention has been paid to the networked systems that undergird port operations.
No cybersecurity standards have been promulgated for U.S. ports, nor has the U.S. Coast Guard, the lead federal agency for maritime security, been granted cybersecurity authorities to regulate ports or other areas of maritime critical infrastructure. In the midst of this lacuna of authority is a sobering fact: according to the most recent National Intelligence Estimate (NIE) the next terrorist attack on U.S. Critical Infrastructure and Key Resources (CIKR) is just as likely to be a cyber attack as a kinetic attack.
The potential consequences of even a minimal disruption ofthe flow of goods in U.S. ports would be high. The zero-inventory, just-in-time delivery system that sustains the flow of U.S. commerce would grind to a halt in a matter of days; shelves at grocery stores and gas tanks at service stations would run empty. In certain ports, a cyber disruption affecting energy supplies would likely send not just a ripple but a shockwave through the U.S. and even global economy.
Given the current absence of standards and authorities, this paper explores the current state of cybersecurity awareness and culture in selected U.S. port facilities. The use of the post-9/11 Port Security Grant Program (PSGP), administered by the Federal Emergency Management Agency in consultation with the Coast Guard, is also examined to see whether these monies are being used to fund cybersecurity projects.
In the end, the research shows that the level of cybersecurity awareness and culture in U.S. port facilities is relatively low. In most ports, basic cybersecurity hygiene measures are not being practiced. Of the ports studied, only one had conducted a cybersecurity vulnerability assessment, and not a single one had developed a cyber incident response plan.
PSGP federal program managers have not expressly included cybersecurity projects in their funding criteria. While this did not exclude ports from seeking PSGP monies for cybersecurity projects, it certainly did not incentivize them. Of the $2.6 billion allocated to the PSGP over the past decade, less than $6 million—or less than one percent—was awarded for cybersecurity projects, and only one port in this study had used PSGP monies for a cybersecurity project. Ironically, a large number of security systems purchased with PSGP monies are networked into port command centers, making them more vulnerable to cyber attacks.
Most municipal ports are so-called landlord ports that lease out their terminals to private entities. Thus, the research also found that landlord ports have little awareness of what networked systems are being run by their lessees and almost no awareness of what, if any, cybersecurity measures are being taken to protect these systems.
Based on these findings, a series of policy recommendations are provided for Congress, DHS and the Coast Guard, and port facility owners and operators for how cybersecurity in U.S. port facilities might be incentivized and improved.
In sum, these recommendations call for: Congress to pass legislation that provides the Coast Guard authority to enforce cybersecurity standards for maritime critical infrastructure (consistent with how it already enforces physical security in maritime critical infrastructure); the adoption of NIST cybersecurity standards for port facilities; DHS to structure the PSGP grant program to incentivize cybersecurity projects; the Coast Guard to ensure a functional information sharing network is in place that allows government, port owners and operators, and maritime industry stakeholders to exchange cyber threat information; and port owners and operators to conduct cyber vulnerability assessments and prepare response plans.
The policy paper concludes by saying that taking steps to enhance cybersecurity in U.S. port facilities as part of the broader set of cybersecurity initiatives to protect other sectors of U.S. CIKR will greatly enhance the security and resiliency of this lesser-known but vitally important sector.
This research indicates that while the awareness of current cybersecurity needs and culture in U.S. ports is relatively low, many of the steps to improve this situation are relatively simple and can be done now. The PSGP’s resources present a tremendous opportunity to incentivize and fund some of these initial steps, including conducting a baseline round of cybersecurity vulnerability assessments in port facilities.
Existing structures such as the robust AMSCs should also be leveraged to provide coordinated communication of the threat, and steps that can be taken now to mitigate and minimize cyber vulnerabilities, including adding cyber incident response procedures to area maritime security plans and individual facility security plans.
While Congress continues its effort to pass comprehensive cybersecurity legislation, the full suite of existing authorities should also be scrutinized to see how they might be applied
in the interim or the absence of comprehensive cyber legislation. In the end, cybersecurity in port facilities should not be viewed as a regulatory intrusion into a new domain, but rather as a natural extension of the existing suite of security measures required to protect our ports, which our homeland and national security depend upon, and which U.S. economic security has relied on since the earliest days of our nation.
A copy of the report can be downloaded in PDF form by going to the following lnik: