Guardians of the Great Lakes: Coast Guard Heightens Awareness and Plans to Protect Maritime Transportation System
Taking one example, the Cybersecurity and Infrastructure Security Agency (CISA) Alert AA21-042A of February 11, 2021, details how unidentified cyber actors obtained unauthorized access to the supervisory control and data acquisition (SCADA) system at a U.S. drinking water treatment facility. The unidentified actors used the SCADA system’s software to increase the amount of sodium hydroxide, also known as lye, a caustic chemical, as part of the water treatment process. Though this example isn’t specifically maritime, the demonstrated capability for a cyberattack to impact SCADA, or other industrial control systems, is alarming in a maritime context – especially when coupled with numerous events and indicators showing cyber threats as both real and expanding in the MTS.
The recently published U.S. Coast Guard 2021 Cyber Strategic Outlook indicates: “Cyber-attacks against the United States are one of the most significant threats to our economic and military power since World War II. The events of the last five years, including the exploitation of U.S. Coast Guard networks and information, attacks on maritime critical infrastructure and adversarial efforts to undermine our democratic processes, reinforce that cyberspace is a contested domain.” The document goes on to detail initiatives the Coast Guard is implementing to mitigate cyber threats to the MTS.
Awareness and Protocols
Many regional coordinating bodies have proactively recognized the need for and adopted cybersecurity threat mitigation strategies. The Cyber Strategic Outlook calls for Captains of the Port (COTP), assisted by port security specialists and a growing MTS cyber workforce, to advance management of cyber risk to the MTS with planning, coordination and completion of exercises.
The National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity provides a common language to identify, protect, detect, respond and recover from cyber threats. Those framework elements translate to multi-prong cyber threat mitigation efforts of the COTP and regional committees already underway in many locations.
Among other initiatives, the Coast Guard recently hired MTS cyber specialists at the districts, including my position, area offices and headquarters while filling MTS cyber positions at field unit sectors and some Marine Safety Units. These externally facing positions act as liaison, advisor, conduit for information and support for plan or exercise development.
In these positions, much of our current effort is directed towards helping field units, regulated facilities and vessels comply with Maritime Transportation Security Act (MTSA) provisions relevant to cybersecurity. Requirements for MTSA facilities to incorporate cybersecurity into annual facility security assessments and plans began in October 2021 and are ongoing.
Though vessels with international documents have already been required to incorporate cybersecurity measures, requirements for MTSA vessels such as lakers, small passenger vessels carrying more than 150 persons and towing vessels transporting dangerous bulk cargo barges take effect on Dec. 31.
Guidance for reporting cybersecurity-related suspicious activity or breaches of security at MTSA regulated facilities or vessels is detailed in CG-5P Policy Letter 08-16. Coast Guard Maritime Commons serves as the Coast Guard blog for maritime professionals and offers a subscription option to maintain awareness of updates to MTS policy and regulation.
Allowing Industry Latitude
While cybersecurity may initially seem daunting as a broad field with limitless technical depth, there are resources, technical standards and recommended practices to manage risk. The Coast Guard has not fixed MTSA compliance to any single standard, allowing industry substantial latitude to tailor a cyber program to the needs of the organization, or to provide documentation of programs that may already be in place.
The Coast Guard has published guidance documents for regulated facilities and vessels that may be used to assist in compliance. For a small- to medium-sized entity, the CISA Cyber Resilience Review (CRR) may be a useful place to start or refine a program as it “provides a no-cost, voluntary, non-technical assessment to evaluate an organization’s operational resilience and cybersecurity practices.”
The Coast Guard or CISA, on request, may be able to provide onsite assessment of an organization’s cybersecurity. If a smaller organization is unsure where to begin, the CISA Cyber Essentials Starter Kit may be an appropriate tool to assess cybersecurity fundamentals and identify areas for improvement. CISA alerts provide an insightful resource in defending against emerging cyber threats and may be subscribed to on the CISA Alerts webpage.
The Coast Guard has built out substantial capability under the Coast Guard Cyber Command (CGCYBER) to respond to cyber risk. The Maritime Cyber Readiness Branch (MCRB) is one of these capabilities, providing support to respond to cyber events or questions. For readers familiar with Coast Guard National Centers of Expertise (NCOE) in other technical arenas, the MCRB is basically a cyber NCOE. CGCYBER also has a deployable Cyber Protection Team (CPT) and is in the process of commissioning two more CPTs. On request, the CPT is a deployable force that can provide onsite assistance for pre-incident assessment of vulnerabilities or assistance to incident commands in the event of an attack.
Building resilience in the ever-evolving cyber landscape requires a multi-faceted adaptive effort to identify, protect, detect, respond and recover. Threat actors in the cyber arena are voracious, numerous and seemingly multiplying.
Fortunately, vigilance through well-devised and maintained countermeasures can substantially reduce risk. Turning the tide, so to speak, may well prove to be similar to the initial implementation of safety management systems and safety culture. It will involve demystifying the technical aspects of cybersecurity. In coming years “cyber hygiene” and cybersecurity safeguards may become as natural and ingrained into MTS culture as fire protection.