Critical Infrastructure Security , Operational Technology (OT)
Experts Praise White House Port Cybersecurity Initiatives
Cyber Actions Reflect 'Positive Step' in Addressing Overlooked Issues, Experts SayNew Biden administration cybersecurity standards for U.S. maritime ports mark a crucial step toward addressing long-ignored vulnerabilities in IT and OT systems across the critical infrastructure sector, experts told Information Security Media Group.
See Also: Energy Sector Threat Brief
An executive order released Wednesday institutes mandatory requirements to report cyber incidents that could endanger "any vessel, harbor, port or waterfront facility." The U.S. Coast Guard also issued a notice of proposed rule-making to establish minimum cybersecurity requirements for the maritime industry (see: Biden to Sign Executive Order Raising Maritime Cybersecurity).
Experts say port IT and OT systems contain a bevy of security vulnerabilities that could lead to potentially catastrophic economic and national security consequences - such as sweeping disruptions in port operations, ransomware attacks and the ability for foreign adversaries to gain unauthorized access to critical infrastructure networks.
"The convergence of IT, OT and IoT powering today's modern maritime infrastructure means these devices are increasingly connected to the internet - and exposed to the threats this communication channel can unleash," said Marty Edwards, deputy CTO for OT/IoT at security firm Tenable.
Edwards, who previously served as director of the Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team, said ports "are often overlooked for the myriad hidden and potentially underprotected systems running inside them." Those often include legacy control systems and sensors that are responsible for critical port operations, such as facility security and vessel navigation.
The Coast Guard is seeking public feedback through April as it aims to establish minimum cybersecurity standards for vessels and ports. The proposed rules call for extending current maritime reporting mandates for "hazardous conditions" to include cybersecurity incidents, as well as directing port operators to notify the Cybersecurity and Infrastructure Security Agency and FBI of those breaches.
Extending reporting requirements to include cybersecurity incidents will significantly improve collaboration between federal cyber authorities and U.S. ports, according to Xavier Bellekens, a lecturer and chancellor fellow for the Institute for Signals, Sensors and Communications at the University of Strathclyde in the United Kingdom.
"Sharing data is key," Bellekens told ISMG. "When a port faces an attack, there's a high chance that adversaries are looking at all other ports - whether they're small ones or large ones - to see if their infrastructure might be the same."
Bellekens also said that expanded information sharing and incident reporting mandates could benefit smaller ports with limited cybersecurity resources, since they can use threat intelligence data to target specific vulnerabilities in real time.
The Coast Guard also announced plans to issue a maritime security directive that tasks port operators with taking a series of actions to address the risks associated with Chinese-manufactured cranes and other critical port components. Nearly 200 ship-to-shore cranes manufactured by the People’s Republic of China operate across U.S. commercial strategic seaports, federal officials said during a Tuesday phone call with reporters, and only about half of them have been assessed for potential cybersecurity concerns.
A U.S. maritime advisory published Wednesday identifies a series of significant threats to port equipment, networks and operating systems, including PRC-manufactured technologies and systems with remote access capabilities that "potentially leave them vulnerable to exploitation."
The advisory recommends that port operators adhere to a comprehensive set of internationally considered cybersecurity best practices, including performing periodic backups of key software programs and ensuring strong physical security and access control of devices and infrastructure. It also urges operators to contact the Coast Guard, CISA and the FBI after they discover compromised equipment or suspicious activity within marine transportation systems or OT and IT assets.
Kevin Jones, a professor of computer science at the University of Plymouth who led the institution's Maritime Cyber Threats Research Group, told ISMG the overall set of actions reflects a "positive step" that could "increase awareness and prompt further research" in cybersecurity protections for U.S. ports.
"This is probably one of the 'easiest' attacks that could be developed in terms of serious consequences," Jones said of cyberattacks that target maritime ports. "The deeply embedded hardware-based attacks possible by a nation-state are very difficult to detect and prevent. Focusing attention on the possibilities has to be beneficial."