The Maritime Industry's Slow Boat To Cybersecurity

Despite the critical role the maritime transportation system plays in the economic health of the United States, and despite its fairly recent embrace of all things automated, cranes, vehicles, surveillance and even vessels, the sector has been slow to warm to the need to protect its digital systems and assets.

Post 9/11, security concerns about the nation’s borders, air space and infrastructure, including ports, moved front and center for a brief moment before other concerns, like the search for victims and perpetrators, the cleanup of the site and city, and legislative debate over homeland security needs versus long-held citizen rights, pushed infrastructure to a back burner. Critics kept up a steady drumbeat of worry over the safety of the nation’s ports. In the ensuing years, as port automation grew, physical security was upgraded and nailed down, helped in part by the government’s Port Security Grant program.

Talk about cyber security plodded along under the radar until the publication of two damning reports that took the nation’s ports, the US Coast Guard and Homeland Security Department to task for not aggressively or adequately addressing port cyber vulnerabilities.

Published in 2013, the Brookings Institution’s “The Critical Infrastructure Gap: US Port Facilities and Cyber Vulnerabilities,” is still considered valid today.  Published in 2014 by US General Accounting Office, “Maritime Critical Infrastructure Protection” directed its critique primarily at the US Coast Guard, which it said had failed to conduct a risk assessment that “fully addressed cyber threats, vulnerabilities and consequences.” 

The General Accounting Office also complained that both maritime security plans required by law, and regulation generally, also did not identify or address those same issues.  

“...Two if by Sea”
Perhaps spurred by those two reports, concern about lax port cyber security exploded in 2015, as the alarm was sounded loudly one after another, by a raft of industry organisations, government agencies here and abroad, academia, insurance companies, standards groups, think tanks and researchers. 

Almost simultaneous, together they released a wave of reports, seminars, white papers, primers, strategic plans, directives, resolutions, and even some legislative calls for assessment and information sharing - all addressing what they saw as a deeply worrisome lack of awareness, concern and action addressing the cyber security vulnerabilities of the nation’s ports.
Particularly alarmed were participants in a Maritime Cyber Security Symposium hosted in 2015 by the Command, Control and Interoperability Center for Advanced Data Analysis (CCICADA), where speakers warned that “Maritime Cyber Attacks Occur in a World of the ‘Quick and the Dead,’ and that “Cyber Attacks on Ports and Ships Could be Catastrophic.”

Maritime executives too came in for their share of criticism for failing to take the lead in making cyber security a priority, while the sloppy cyber hygiene of employees on the front line got them labeled as the weakest link.

Wherever you looked, regardless of source, the message was loud and clear, do something about cyber security or face serious business consequences, even regulation. By 2016, the focus was squarely on education, especially crew, and raising awareness that cyber security was a real and pressing danger and that a cultural shift needed to take place, placing cyber security on the same plane as safety management.

Now two-thirds of the way through 2018, much of the preceding 2.5 years also has been spent publishing cyber security guides and checklists, strengthening regulatory directives, completing five-year facility security plans, conducting cyber risk assessments, deploying mitigation efforts, and building relationships in the far-flung, highly complex and competitive port community through participation, in part, in the USCG’s Area Maritime Security Committees (AMSC), and their cyber subcommittees, which can be found in most key port areas.  

ASMCs are comprised of representatives from the USCG, government agencies, law enforcement, shippers, port authorities, terminal operators, harbor vessels, even some clients, all working to identify and address security issues, as well as share information and create best practices, in their areas of operation.

Some of the changes we’ll see this year into next is a much greater emphasis on cyber risk management, resiliency and collaboration, as the cyber security community tries to defend against complacency (even the best security efforts will take a hit at some point) by getting maritime companies and ports to create contingency plans to enable them to recover as painlessly as possible from a successful attack, and to encourage them to work collaboratively on building best practices and sharing information about attempted and successful cyber-attacks.

MarineLink

You Might Also Read: 

COSCO Cyber Attack And The Importance Of Maritime Cybersecurity:

Cybersecurity At Sea:
 

« White House To Step Up Cyber Counter-Offensive
Insurance Experts Expect Higher Cyber Losses »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

tietoevry

tietoevry

Tietoevry creates digital advantage for businesses and society. We are a leading digital services and software company with local presence and global capabilities.

Cyberwrite

Cyberwrite

Cyberwrite was founded to provide underwriters around the world a unique and innovative Cyber Underwriting platform.

Inavate Consulting

Inavate Consulting

Inavate Consulting are experts in defining and implementing information assurance solutions and governance frameworks. Our ISO27001 consultants are the most experienced in the industry.

IEEE Cyber Science and Technology Congress (CyberSciTech)

IEEE Cyber Science and Technology Congress (CyberSciTech)

CyberSciTech provides a platform for scientists, researchers, and engineers to share their latest ideas and advances in the broad scope of cyber-related science, technology, and application topics.

ProWriters

ProWriters

As a leading cyber insurance company, ProWriters offers flexible Cyber Liability Insurance coverage designed to cover privacy, data, and network exposures.

RNTrust

RNTrust

RNTrust provide solutions to meet today’s digital challenges utilizing digital technologies and services to make you more secured in digitally connected environment.

Team Secure

Team Secure

Team Secure provide Enterprise-grade Cyber Security consultancy, managed security services and cyber security staffing services.

Digital Element

Digital Element

Digital Element is a global IP geolocation and intelligence leader with unrivaled expertise in leveraging IP address insights to deliver new value to companies.

Clearvision

Clearvision

As an Atlassian Platinum Solution Partner, Clearvision works with teams in the UK and US, providing solutions for the Atlassian stack, Git and open source tooling.

SignalFire

SignalFire

SignalFire invest across both enterprise and consumer sectors at the seed and early growth stages.

Balance Theory

Balance Theory

Balance Theory provides the knowledge infrastructure and collaboration center for the cybersecurity community. A networked community to build better cybersecurity outcomes.

UM6P Ventures

UM6P Ventures

UM6P Ventures is an African based early-stage ventures firm operating two funds; a Digital Transformation fund and a Deeptech Ventures fund.

NETAND

NETAND

NETAND privileged access and identity management solutions will secure your business from cyber threats.

Delta Partners

Delta Partners

Delta Partners is a venture capital firm investing in Ireland and the United Kingdom with a strong focus on early stage technology companies.

Relatech

Relatech

Relatech is a Digital Enabler Solution Knowledge (D.E.S.K.) Company that offers digital services and solutions dedicated to the digital transformation of businesses.

Infosec Ventures

Infosec Ventures

Infosec Ventures incubates and scales cyber security innovators that solve inefficiencies in cyber security.