This week the Coast Guard published a report by the DHS-NPPD
Office of Cyber and Infrastructure Analysis (OCIA) about the consequences of
malicious cyber activity directed against seaport operations. The report,
Consequences to Seaport Operations from Malicious Cyber Activity {sorry, the CG
Homeport does not use real links, so: CG Homeport -> Cybersecurity -> Cyber
Information (More)}, takes a fairly high-level look at cyber threats.
Key Findings
The report makes the following four key findings:
• Unless cyber vulnerabilities are addressed, they will pose a significant risk
to port facilities and aboard vessels within the Maritime Subsector;
• A cyber-attack on networks at a port or aboard a ship could result in lost
cargo, port disruptions, and physical and environmental damage depending on the
systems affected;
• The impacts to critical infrastructure sectors depend on how a cyber-attack
affects a port, the level and length of disruption that occurs at the port, and
the capability to divert shipments to other ports;
• Several mitigation measures can increase the security and resiliency of
ports: setting up maritime cybersecurity standards, sharing information across
the sector, conducting routine vulnerability assessments, using best practices,
mitigating insider threats, and developing contingency plans for cyber-attacks.
Cybersecurity Vulnerabilities
After providing a statistical overview of seaport operations
in the United States and the various types of cyber systems (both land-side and
ocean-going) that support those operations, the report provides a broad look at
the various types of cybersecurity vulnerabilities that face operators of those
systems. These include (with a brief discussion of each):
• Limited cybersecurity training and preparedness;
• Inadequately protected commercial off-the-shelf technologies and legacy
systems;
• Errors in software;
• Network connectivity and interdependencies;
• Software similarities;
• Foreign dependencies;
• GPS jamming and spoofing; and
• Insider threats
This is followed by a brief discussion about how these
vulnerabilities could be used to effect cyber-attacks on port operations and
ship operations. Real-life illustrative examples are provided where available. For
port operations the report looks at:
• Disruption of cargo operations;
• Accessing ICS;
• GPS disruption; and
• Other malicious activities
For ship operations the report looks at:
• GPS jamming and spoofing; and
• ICS access
Critical Infrastructure Effects
The report then looks at the consequences attacks on port
systems could have on the general economy by addressing specific effects on
various areas of critical infrastructure. A substantial number of real world
examples are used to illustrate the potential effects. The effects on the
following specific critical infrastructure sectors are looked at:
• Critical manufacturing;
• Commercial facilities;
• Food and agriculture;
• Energy;
• Chemical; and
• Transportation systems
Mitigation Measures
The concluding portion of this report very briefly discusses
mitigation measures that could be employed. The measures discussed (at just a
paragraph each) include:
• Establishing cybersecurity standards;
• Implementing information sharing systems;
• Conducting vulnerability assessments and exercises;
• Ensuring the use of best practices;
• Resiliency efforts; and
• Ultimately, using unaffected alternative ports in the event of a real
cyber-attack.
Commentary
One important vulnerability left out of this discussion is
the area of information protection. Recent reports
that seagoing pirates are hacking shipping information about cargoes and
shipping routes to target specific ships point out how much valuable
information is being used in port information systems. Attacks on those
information systems could also be used to misdirect the land-side shipment of
high-value containers, expanding the reach of cargo hijackers.
While this report approaches the issue from a very
high-level perspective of the port-related cybersecurity problems facing the
country, there is hardly a resounding call to action included in the report.
The very brief and wholly inadequate discussion of mitigation measures leaves
the impression that there is not much that can be done to prevent cyber-attacks
or mitigate the effects of a cyber-attack. The final mitigation measure of just
using an unaffected alternate port emphasizes the effective hands-off approach
that the OCIA appears to be offering to the potential problem.
While I understand that the OCIA has no direct responsibility
for port operations, the fact that this report was released by the Coast Guard
means that it should have included, either as an addendum to the report or as a
separate cover document, a proposed course forward for the Coast Guard,
shippers, port operators and port facility owners. The failure to set the course
will ensure that this document will settle into the Sargasso Sea of maritime bureaucratic
effluvia, soon to be forgotten.