Coast Guard Weighs New Role in Maritime Cybersecurity Oversight
January 15, 2015
By David Perera
1/15/15 5:00 AM EST
The hyperphysical world of maritime security is about to get a virtual dimension as the Coast Guard kicks off a yearlong process to develop new cybersecurity guidance to industry.
It starts with a public meeting held Thursday in Washington, D.C., when the service expects a packed room of industry representatives to discuss how deeply Coast Guard maritime security oversight should penetrate into the computer systems of vessels and port facilities.
Ports are risky places — but cybersecurity risk in particular is getting bigger day-by-day, says Coast Guard Capt. Andrew Tucci, chief of the service’s headquarters-based Office of Port and Facility Compliance.
“We wouldn’t be doing our job for the public, nor the industry, if we didn’t figure out a way to address this aspect of risk,” he said.
Tucci heads up the Coast Guard’s cybersecurity effort, which should culminate with issuance of a Navigation and Vessel Inspection Circular — a detailed document the service uses to lay out how it enforces regulations.
The authority underpinning Coast Guard maritime industry cybersecurity oversight stems from the Maritime Transportation Security Act, a post-9/11 law that requires vessels and ports to assess security vulnerabilities and plan for their mitigation. The plans are subject to Coast Guard approval, and the agency also inspects for implementation.
The goal of the law is to prevent a maritime “transportation security incident,” an event that results in loss of life, or environmental damage such as a leaky tank — or one that would disrupt maritime transportation or cause economic disruption. A Coast Guard and Department of Homeland Security review concluded in mid-2014 found that MTSA is agnostic about the source of threats.
But that leaves open the question of what kind of cybersecurity incident rises to the level of TSI oversight. “We don’t really don’t know,” Tucci allowed. “We’re looking to the public, including industry of course, to propose some suggestions on how exactly to do this,” he said. The point of Thursday’s meeting is to hear from interested parties, not to make an announcement, he added. The service has also extended the written comments deadline by two months, to April 15.
Industry representatives told POLITICO they’re equally uncertain about what a cyberspace TSI would be. So far, only one public comment appears on the online dossier reserved by the Coast Guard to review public input.
“There’s a lot of unanswered questions for us right now,” said April Danos, chair of the American Association of Port Authorities information technology committee and head of the IT department at Port Fourchon, La., which services most deep water oil rigs in the Gulf of Mexico.
Part of that stems from the straight-forward nature of physical security. As Tucci noted, a breach of a physical fence isn’t difficult to detect or interpret. In contrast, “you’ve got a very dynamic cyber risk environment that’s different from our physical one,” he said.
Danos said her network gets hit with bits of malware or phishing attacks all the time — would those constitute reportable incidents under the new cybersecurity-flavored security plans?
Not likely — at least, not according to Marcus Woodring, managing director for health, safety, security and emergency management at the Port of Houston Authority and former Coast Guard captain. Nearly 70 percent of gulf container traffic comes to two terminals operated by his port authority.
“Someone tags my computer network, and let’s say they’re rebuffed by the firewall. I wouldn’t consider that reportable. Somebody clicks on an email link and we get malware on the computer — I wouldn’t consider that reportable,” he said.
Industry, or at least the AAPA, also gets anxious at the thought of universal cybersecurity standards. “We don’t all have the same issues,” Danos said, pointing to the variety of industries ports service — container shipping, liquid natural gas, bulk cargo such as grain.
“What a TSI is for one port may not apply to another port,” she added.
Ownership models also differ, with some port authorities acting just as a landlord to tenant terminal operators (such as Port Fourchon) and others actually operating as least some of their terminals (such as the Port of Houston Authority). Cybersecurity information sharing between all the public- and private-sector entities at work in a port might be nonexistent. Danos said she gets nothing from Port Fourchon tenants. “They’re not willing to share any cybersecurity information,” she explained.
How multimodal ports with integrated links to other transportation methods, such as air cargo, will handle Coast Guard oversight over just their maritime sections is another outstanding question.
The nautical world isn’t famous for attracting cybersecurity talent — raising questions not only at the industry end, but also at the Coast Guard, since it will be responsible for reviewing, approving, and inspecting companies’ plans.
“We’re very good at catching people climbing over the fence. Catching people trying to get into our network is a brave new world,” said Woodring.
The Coast Guard may have to invest in training, Tucci said, but it could also use third parties to handle technical aspects of oversight. Not every cybersecurity problem will necessarily have a technical solution, he noted. In fact, some existing physical security safeguards could be cited as solutions to cyber risk.
Tanks of volatile or toxic chemicals controlled by industrial control systems could conceivably hacked to overspill, for example. But tanks typically already have a float switch that manually cuts power once the tank is filled above 95 percent capacity.
“There’s a nice, low-tech, Y2K compliant way of addressing a cybersecurity risk,” he said.