REGULATIONS
Cybersecurity: Moving from Ideas to Action By C.F. St. Clair
Photo Credit: Shutterstock/ Shutterstock/forestgraphic
O
n August 3, the Coast Guard released its updated “Cyber Strategic Outlook” to address rising threats of cyberattacks against U.S. maritime systems. The Coast Guard writes that cyberattacks are “one of the most significant threats to (U.S.) economic and military power since World War II” and that cyber threats outpace physical threats. The outlook is an update to a 2015 cyber strategy report. The outlook is not a regulatory document per se, but operators will want to acquaint themselves with the Coast Guard’s prime areas of concern and be on the lookout for new Coast Guard directives to prevent and counter cyber hacking. Partnerships are central to this cyber defense. The outlook repeatedly references that Coast Guard Captains of the Port (COTP) will reach out “to (defense) partners, allies, international regulatory and standards organizations, and the private sector to identify and manage risks to the global maritime transportation system.” COTPs are charged with establishing an Area Maritime Security Committee and maintaining an Area Maritime Security Plan. The critical nature of cyber defense comes across in the Coast Guard’s observation that, when facing a military threat, the actual, physical ability to surge forces from domestic seaports is largely uncontested. However, that capability depends on routine, everyday commercial technology networks. If those systems are compromised, or fail, the consequences are dire: “We can no longer assume that our surge
capability and sea lines of communication will be uncontested during times of crisis,” the Coast Guard writes. To expand its cyber operations, the Coast Guard will work from risk-based and risk management strategies focusing on three broad areas, referred to as “lines of effort:” • • Defend and operate the Enterprise Mission Platform—this is the Coast Guard’s portion of the Department of Defense Information Network; • Protect the Marine Transportation System (MTS)—this is the effort most likely to involve personnel from the private sector and public ports; and • Operations in and through cyberspace—this will advance the Coast Guard’s cyberspace capabilities to complement traditional duties pertaining to defense, maritime safety and the environment. The Coast Guard notes that interconnected technologies are foundational for maritime transportation. The flip side, however, is that saboteurs use the same tech. New tech developments and applications are constant, of course; more accurately, they are constantly compounding. For example, the Coast Guard cites autonomous shipping, offshore platforms and cargo vessels as some of the future developments adding to “the attack vectors” that could be used by hackers. The outlook comments “as helpful as these new technologies are for business and supply chain operations, the advantages and complexity also increase the
target surface for cyber incidents.” The outlook is clear about what the Coast Guard needs to do to actuate its new lines of effort. What’s less clear, though, is timing: when will this work start? For example, the Coast Guard lists 10 priority tasks for protecting the MTS, ranging from reporting requirements to deploying cyber protection teams to coordinating with interagency partners. When asked about a timetable, though, despite the urgency, a Coast Guard spokesperson said that an internal team “will develop an implementation plan” but “at this point there are no defined starts, deadlines, or resource needs identified.” Ditto for any new COTP outreach to maritime officials. Area Maritime Security Committees will be tapped for increased cybersecurity “across the industry by promoting cyber risk management, accountability, and unified response plans.” Again, though, no start time yet. Cybersecurity is a priority within many groups, of course. One port security expert, commenting on background because his internal team is still reviewing the Coast Guard’s new document, said that, in general, there are many good ideas in the Strategic Outlook. He said many ports are now working to add a cyber component to overall port security plans. There are concerns, however, about exactly what should be included; still, people are proceeding with the goal of at least completing a plan even though it might be judged incomplete. He said guidance now is important to avoid “a disconnect” if cyber plans need formal approval but are then found wanting. The American Bureau of Shipping (ABS) has extensive resources on cybersecurity. A good starting document is the ABS summary “A Primer on IMO Cyber Risk Management Guidelines.” ABS notes that maritime cybersecurity has been a topic of confusion and debate for the past 20 years. Recently, though, new guidance has been forthcoming. IMO recommends placing cyber planning within safety management systems (SMS) development, familiar to most maritime professionals. The ABS Primer references conceptual approaches similar to the Coast Guard’s, i.e., developing systems built on identification, protection, detection, response and recovery. September 2021 // Marine Log 11
