Maritime connectedness continues to be a key asset for U.S. economic and strategic interests. Threats to port and vessel network systems have long been overshadowed by concerns about kinetic attacks and supply-chain security. All maritime stakeholders remain at risk of cyber intrusion as cyber attackers seek any and all means of accessing maritime networks. Therefore, key measures need to be in place to evolve symbiotically as new threats emerge.
The U.S. Department of Homeland Security (DHS) and maritime stakeholders need to stay ahead of these risks in order to keep trade flow maximized, while avoiding the creation of regulations that may slow trade and hinder business.
Risks for Port Cybersecurity
For all U.S. industries, cybersecurity costs are growing. Cyber attacks on port systems can have a variety of negative effects. The economic losses from port delays or closure can vary in severity. One port’s failure negatively affects all connecting regional ports. In 2002, the 11-day closure of 29 ports on the West Coast cost an estimated $11 billion. Northeast ports lost an estimated $50 billion—$1 billion in cargo delays alone—because of Hurricane Sandy in 2012. As labor disputes that began in October 2014 continue in West Coast ports, trade partners in Asia are feeling the effects of undelivered goods.
With port and vessel network systems implementing new technology, stakeholders are moving away from traditional stand-alone systems, and maritime industrial control systems (ICS) are becoming more integrated. While new systems help to streamline production and increase the flow of trade, the number of vulnerabilities in network systems is also increasing. Cyber threat actors continue to find new ways of accessing network systems, through traditional land-line connections, new or pre-existing Wi-Fi ports, and USB-introduced threats, such as installing malware (Stuxnet) or extracting information (Edward Snowden). Vulnerabilities in smaller systems can be exploited to gain access to larger networks—a time-consuming type of attack for the everyday hacktivist, but a credible investment for drug smugglers and nation-state sympathizers.
In September 2014, the Senate Committee on Armed Services reported that Chinese hackers were behind the successful advanced persistent threat (APT) attacks on contractors in U.S. Transportation Command (TRANSCOM), dating as far back as 2008. The military relies on these commercial vessels for strategic and humanitarian contingencies, transporting 95 percent of U.S. Forces’ dry cargo annually. According to the report, Chinese military compromised “multiple systems” on a commercial ship contracted by TRANSCOM for logistics routes. Between June 2012 and May 2013, the FBI reported two shipping companies and eight technical service providers of TRANSCOM were victims of cyber intrusion.
A report by CyberKeel, a maritime cybersecurity group, later showed how in late 2013 drug smugglers hired hackers to move drugs through the Port of Antwerp, the second largest seaport in Europe and a member of the Cargo Security Initiative since 2011. The hackers bypassed remote terminals to allow release of the containers and deleted the container transportation information—attributing this to “ghost shipping.” The report also showed that, if the hackers had wanted, they could have caused severe congestion and port disruption with the information they accessed.
Two Government Accountability Office (GAO) reports in 2014 highlighted the DHS’s need to enhance cybersecurity for maritime systems and DHS facilities. Much like the TRANSCOM report, the GAO reports echoed the need to better define cyber threats and to establish how and to which agency cyber threats are to be reported. The reports also raised a concern about the lack of information sharing among agencies—a cyber threat may fall to the DHS, Department of Justice, Department of Transportation, Department of Defense, or any combination, depending on the victim of the attack.
The U.S. Coast Guard (USCG) began taking public comments at the end of 2014 on how to better develop guidance for maritime cybersecurity. The USCG noted past instances of drug smuggling, disgruntled employees sabotaging network systems, and the disruption of an unmanned crane through cyber intrusions of its GPS. U.S. Coast Guard Commander Joseph Kramek reported that cybersecurity awareness and culture at U.S. ports—specifically in the ports of Baltimore, Houston, Los Angeles, Long Beach, Vicksburg, and Beaumont—were relatively low. He recommended that the DHS, along with the USCG and Federal Emergency Management Agency, need to better address port cybersecurity more, while still focusing on kinetic defense. Only in 2014 did the Port Security Grant Program start allowing grants based on cyber vulnerability assessments. While the threat of a physical attack on or through ports still exists, stakeholders need to realize that cyber threats cannot be addressed in the same way as kinetic defense, although cyber attacks can affect kinetic systems.
What Should Be Done
- Readdress legislation on increasing cyber information sharing. The DHS and the U.S. Computer Emergency Readiness Team (US-CERT) have taken the lead on cyber information sharing in the past. As they continue to lead, all stakeholders need to agree on threat-defining language. Port stakeholders across federal departments, agencies, and private businesses need to increase cyber information sharing and the ease with which information is shared. The President’s recent executive order highlights the importance of information sharing, but falls short in addressing liability risks. Increasing cyber information sharing includes working with international partners because cyber attackers may enter U.S. port networks by any available means. Domestically, agencies should address continuity and simplicity in identifying cyber threats, such as the definition and severity of threats, attacks, and solutions, while avoiding the creation of catch-all regulation that hinders business.
The Administration should:
- Include a focus for handling cybersecurity for port security in the new Cyber Threat Intelligence Integration Center (CTIIC). The recently introduced agency, modeled after the National Counterterrorism Center, aggregates cybersecurity information across government. Cyber attacks can happen in a manner of seconds, which is why simplifying reporting of cyber threats is important, including to which agency the threat is reported and the information to be shared interdepartmentally. This will give stakeholders an advantage in responding to cyber threats.
The DHS should:
- Continue to work with the Department of Commerce’s National Institute of Standards and Technology (NIST) program as the USCG continues to receive public comment on how to address cybersecurity.
The continued growth of port and network systems is critical for a strong U.S. economic and strategic system. Cyber threats emerge across all network spectrums. While some systems may be considered more critical than others, system administrators need to able to trust that intermediary software, hardware, and connections are also secure. While kinetic defense will always take priority for port and vessel security, cybersecurity should come into focus as the number and severity of cyber attacks continues to grow.
—Riley Walters is a Research Assistant in the Douglas and Sarah Allison Center for Foreign and National Security Policy, of the Kathryn and Shelby Cullom Davis Institute for National Security and Foreign Policy, at The Heritage Foundation.