Coast Guard cybersecurity strategy relies on industry’s vigilanceOct 2, 2015 03:42 PM
The U.S. Coast Guard’s new cyber strategy will count on industry cooperation to secure the nation’s maritime assets in the face of growing threats.
In June, the commandant of the Coast Guard, Adm. Paul F. Zukunft, released the cyber strategy document that outlined the agency’s plan to ensure the security of the nation’s maritime transportation system (MTS) in recognition of the rapidly evolving cyber domain.
The Coast Guard’s strategy includes securing the service’s own computer systems as well as the operating environment for ocean carriers, coastwise shipping, inland waterways, Great Lakes and the nation’s 60 sea and river ports, which handle more than $1.3 trillion in annual cargo.
The Coast Guard will focus on recognizing cyberspace as an operational domain; developing guidance and defining the mission space; leveraging partnerships to build knowledge, capacity and understanding of MTS vulnerabilities; sharing information; organizing for success; building a well-trained cyber work force, and making thoughtful future cyber investments.
“The impact on the industry is still to be seen, but it will open peoples’ eyes to the fact there are problems,” said Fred Roberts, director of the Department of Homeland Security Center of Excellence at Rutgers University. “There are regulations about physical security but not a lot of regulations or standards for cybersecurity.”
While the marine industry faces some unique threats, many others are similar to issues at any company, said Capt. Andrew Tucci, chief of the Office of Port & Facilities Compliance for the Coast Guard.
“All technology has a bit of a downside and brings some risks,” Tucci said. “While there are attacks by state actors or terrorists or sophisticated hackers — and they are legitimate risks — computers can also go wrong on their own.”
The 43-page document calls for the Coast Guard to build its own cyber command and staff, and cooperate with governmental and private-sector partners to protect the system. Threats can come from attacks by state and non-state actors, transnational organized crime groups and terrorists, as well as general cyber risks such as viruses and malware.
“This applies whether you’re talking about administrative computers or talking about the networks that are on the ships or cargo-handling systems, all kinds of things,” Roberts said. The strategy calls for continued cooperation with Transport Canada and the International Maritime Organization.
“The computers are the same and the threats are the same. There’s no reason why we should come up with different ways of approaching the same problems,” Tucci said.
Modern vessels are vulnerable to cyber problems because the electronic and computer systems are fully integrated with link navigation, steering control, communications and cargo systems. Systems with pumps and compressors have embedded software that can be hacked. Shoreside operations have similar vulnerabilities, with telephone and security systems relying on Internet connectivity.
One of the most feared threats is GPS spoofing, in which a fake GPS signal could mislead the bridge crew about heading and location.
Not all threats come from specific attacks. Poor cyber hygiene, such as clicking on email attachments from unknown sources, can lead to problems on a vessel.
Tucci recounted an event with a foreign-flag vessel on which a crewmember inserted an unauthorized USB drive into a computer on the bridge and, due to malware on the drive, the ship lost access to its navigational charts.
“If the crew is 100 percent dependent on the electronic systems to navigate, that could be a problem,” Roberts said. “Resilience is a big deal.”
As the Coast Guard’s strategy takes shape, Tucci recommends those in the industry get involved in their Area Maritime Security Committee, with one for each Captain of the Port Zone.
Most new measures will come in the form of policies and procedures rather than technological solutions.
“The Coast Guard doesn’t view this as an IT problem,” Tucci said. “We view it as a risk problem and we encourage the industry to view it in the same way.”