The Maritime Transportation System (MTS) in the United States contributes to 25% of all U.S. gross domestic product (GDP) and consists of a complex network of waterways, ports, shipyards, and bridges, which interconnect with critical highways, railways, airports, and pipelines. To outline how the U.S. government can better protect U.S. MTS infrastructure from increasing cyber threats targeting both information technology (IT) and operational technology (OT) systems, the White House recently released a National Maritime Cybersecurity Plan detailing ways to mitigate current and future cyber risks to the maritime sector.
The document is divided into three main objectives, with priority actions for achieving each. The three objectives are addressing the need for cybersecurity standards, enabling information sharing within the industry, and developing a highly skilled maritime cybersecurity workforce. While the plan is focused on outlining potential government actions, the vast majority of maritime critical infrastructure is owned, operated and controlled by entities outside of the U.S. federal government. So, what should MTS stakeholders do next? We’ll dig into each objective in the National Maritime Cybersecurity Plan and give our take on what the MTS stakeholders responsible for cyber risk management can do to get a head start and potentially align their efforts with what the government may enact.
Risks & Standards
Most companies within the MTS operate complex, heterogeneous systems composed of both IT and OT components that are vulnerable to cyberattacks because of their connection to the internet. Further, these IT and OT systems are increasingly connected to industrial internet of things (IIoT) systems to support a variety of operational and regulatory reporting requirements. Some operators can’t properly manage the cybersecurity of these IT, OT and IIoT systems themselves, either because the systems are owned by another public or private entity or because the operators lack the budget and expertise to do it. Until the recent acceleration of cyberattacks on the U.S., cybersecurity and risk management were often an afterthought for many ports and maritime facilities.
To mitigate this, the Plan states that the U.S. National Institute of Standards and Technology (NIST) will create an international risk framework for port OT systems based on input from the industry and promote this framework internationally. To facilitate the implementation of these new standards, the Department of Homeland Security (DHS) will also promote cybersecurity grants to protect maritime critical infrastructure.
We recommend that companies operating in the MTS study the current NIST Cybersecurity Framework (CSF), as well as the Navigation and Vessel Inspection Circular (NVIC) 01-20, to build an understanding of what this new framework might look like and how they can get a head start on applying cyber risk management practices. You’ll notice that the first step in the NIST CSF is to create an accurate inventory of all your physical devices, systems, software platforms, and applications. Without good data on what you have in your cyber-physical environment, the other functions in the framework won’t work. Applying the right mix of people, process, and security technology will be critical for the MTS moving forward.
Information & Intelligence Sharing
To strengthen the cyber resilience of the MTS as a whole, information and intelligence sharing across the industry is critical to address common cybersecurity vulnerabilities. Organizations such as Information Sharing and Analysis Centers (ISACs) will provide a pathway to achieve this across the private and public sectors. The National Maritime Cybersecurity Plan states that the United States “will promote domestic and international engagement to facilitate information sharing and best practices to build a coalition of maritime cybersecurity advocates.” To prepare for this, you should begin to engage with entities like the MTS-ISAC, which has become a go-to source for information on emerging cyber threats and serves as a centralized point of daily cyber threat intelligence sharing and coordination of best practices for both IT and OT system cybersecurity. In addition, the MTS-ISAC shared 70 maritime cybersecurity advisories in 2020 and holds numerous educational webinars throughout the year.
Create a Maritime Cybersecurity Workforce
As the volume, variety, and sophistication of cybersecurity threats to the maritime industry increase, the MTS struggles to maintain an appropriate level of cybersecurity talent. This is caused by two core issues. The first is the lack of skilled cybersecurity professionals in general, and those who also understand the maritime industry are a much smaller subset. This talent shortage is a major concern, and meaningful change will likely take over a decade. The second issue plaguing the industry is the large investment required to build an in-house security team, which is a major barrier for smaller companies in the MTS with limited budgets. To develop a stronger maritime cybersecurity workforce, the United States will promote career paths and training for specialists in port and vessel systems. This will take a coordinated effort between the public and private sectors, and the MTS-ISAC will likely play an important role in advocating for this effort. DHS will also provide grants, as mentioned above, to help accelerate the adoption of effective cybersecurity practices by giving companies in the MTS the resources they need to put both the right people and the right technology in place.
The National Maritime Cybersecurity Plan highlights the critical role of the MTS in both national security and the supply chain and increases awareness around the need to improve its cyber resiliency. This plan will likely continue to evolve with time, but for now, we recommend familiarizing yourself with the NIST CSF, engaging with the MTS-ISAC, and applying for cybersecurity grants from DHS to get the resources you need to create a cyber resilient future.
To learn more about the NIST CSF, check out our Compliance Guide, which explains what this framework is and how to benchmark your progress within it, plus helpful tips from our cybersecurity experts.