top of page

Secure Horizons

Anchoring Resilience in Maritime Cybersecurity

From the desk of Mike Wilkes

Mar 7, 2024

Critical infrastructure is being targeted by threats that can disable our economy by disrupting the normal operations of business, transportation, communications and government. Threat actors include not only organized crime and nation states but also bored teenagers who are finding novel ways to wreak havoc with billion dollar companies just because they can. We are seeing a democratization of crime that extends powerful tools and capabilities once reserved for well-funded and coordinated cyber attacks. Hybrid cyber-kinetic warfare has begun to emerge in the theater of operations worldwide and will not recede anytime soon.


satellite image of Evergiven in the Suez Canal
Image credit: March 28, 2021, satellite file image from Planet Labs Inc.

The importance of maritime transport has, until recently, been largely ignored or overlooked among discussions of cybersecurity and our exposure as a nation, an economy and as individuals. But when the Evergiven lodged itself sideways in the Suez Canal for six days in March of 2021 the impact to the global economy and disruption of access to goods from that one event (triggered by human error, not malicious threat actors) began a gradual realization that supply chains are not just three links long: your upstream provider, your business and your downstream consumers.


Maritime Cybersecurity Survey link: https://forms.gle/kBvjChiiTN2pJPCW7


A holistic view of the global supply chain ecosystem must be acknowledged as essential to understanding how to protect ourselves from systemic risk. Maritime security sits squarely at the center of that ecosystem. According to Statista.com, total global trade was worth $22.3 trillion in 2021. At least 80% or more of that global trade is carried by sea. So 80% of that is almost $18 trillion in goods needed to keep our world of producers and consumers happy.


Risk Quantification

In April of 2022 I was invited to deliver a presentation for the 3rd Annual Port of the Future Conference in Houston, TX entitled “Proactive Security Measures for Global Maritime Shipping.” My presentation highlighted some of the data that SecurityScorecard collected after making a quantitative analysis of the cybersecurity health of 100 global shipping container companies compared with the Forbes Global 2000. Security ratings are an objective “outside-in” method for quantifying cybersecurity risk based on OSINT (Open Source INTelligence).


Quantification of risk is one helpful element of good security awareness, and so while it might be deemed by many as a necessary element, it is far from being a sufficient element of infosec programs. There are, of course, many ways to understand and manage risk. I should also note that, collectively, we might also benefit by flipping the discussion and instead talk about finding indicators of resilience as well as risk and attempting to measure and quantify those as well. “Resilience champion” is now part of my LinkedIn profile instead of “risk evangelist” that I had used previously to describe myself reflecting this change in perspective.


Image credit: Mike Wilkes presentation title slide

Types of Measures

There are different types of measures that we can take with regard to security. They largely fall into two categories: reactive and proactive. A proactive approach to cybersecurity includes preemptively identifying security weaknesses and adding processes to identify threats before they occur. On the other hand, a reactive approach involves responding to incidents such as hacks and data breaches after they occur.


Phil Venables wrote a thought piece back in 2022 where he makes the point that cyber resilience is not a plan, it is a capability. If we are to design, build and defend critical infrastructure then I think it is beholden upon us to focus on resilience if we are to enjoy robust, fault tolerant systems upon which our society increasingly relies.


Forms of reactive security measures:


  • logging

  • monitoring

  • auditing

  • tracing

  • digital forensics


Forms of proactive security measures:


  • assess supply chain risk profiles continuously

  • schedule penetration testing and red team exercises

  • establish an incident response retainer

  • perform table top exercises at least annually 

  • implement vulnerability disclosure program and/or bug bounties


For a more sustainable approach to managing modern cybersecurity programs, you need both proactive and reactive capabilities and tools. We need more proactive hacking by researchers at events like DEFCON, for example, where cybersecurity challenges can make use of Fathom5’s Grace Maritime Cyber Testbed that have shown it’s possible to sink a ship by attacking the ballast systems.


Imagine the attention to maritime security that will follow from an incident with Icon of the Seas with a combined passenger and crew of almost 10,000. By comparison, it was the sinking of the Titanic (maiden voyage passenger count was 2,240) to give rise to international efforts for coordinated maritime safety rules (Safety of Life at Sea) which took nearly 50 years to be adopted and enforced. It represented a considerable step forward in modernizing regulations and keeping up with technical developments in the shipping industry at the time.


Image credit: Titanic Sinking, engraving by Willy Stöwer.

Two Modern Efforts

There are two modern efforts worth mentioning in wrapping up this musing on maritime cybersecurity: The International Maritime Organization’s (IMO) Maritime Single Window (MSW) and the Notice of Proposed Rule Making (NPRM) for Title 33 of the CFR.


Maritime Single Window

When looking at the creation of the Maritime Single Window we have to first look at the Convention on Facilitation of International Maritime Traffic (FAL). Since April of 2019, the FAL Convention makes it mandatory for ships and ports to exchange FAL declarations electronically, and as of January 2024, the single window approach will be mandatory in all ports.


This is a major milestone in the digitization of the maritime industry from a commercial shipping and transportation perspective. But given the speed with which technology finds its way into the industry (aka not that quickly if the Titanic incident is used as a baseline) we must consider the very act of modernization of maritime communications systems as delivering new attack vectors and exposure to risk. See my July 2023 webinar “Cyber Threats and Mitigations for Maritime and Critical Infrastructure OT” hosted by Stevens Institute of Technology for the Maritime Security Center operating as a center of excellence for the US Department of Homeland Security for more information about this initiative as well as a review of several cyber threats in the maritime sector.


NPRM for Title 33 of the CFR


Please make the effort to read the proposed changes for MTSA-regulated owners and operators of facilities and vessels. The USCG has asked for individuals to submit their comments using the following page:


https://www.federalregister.gov/documents/2024/02/22/2024-03075/cybersecurity-in-the-marine-transportation-system


Image credit: screenshot of the NPRM on cybersecurity

The Code of Federal Regulations (CFR) is divided into 50 titles that represent broad areas subject to federal regulation in the United States. Title 33 pertains to Navigation and Navigable Waters and the US Coast Guard recently published a Notice of Proposed Rule Making (NPRM) on February 22, 2024 entitled “Cybersecurity in the Marine Transportation System” that takes up proposed changes to several elements and requirements for the over 3,700 MTSA-regulated entities and facilities and operate our ports and vessels. Specifically, the rule is applicable to owners & operators of:


  • U.S.-flagged vessels subject to 33 CFR part 104

  • U.S. facilities subject to 33 CFR part 105 

  • Outer Continental Shelf (OCS) facilities subject to 33 CFR part 106


I won’t trouble you with all of the details of this NPRM as you can read it yourself, but I did want to highlight some of them because of their relative import and impact to improving the resilience and security of our maritime system. In no particular order, they propose to require:


  • a named CySO (private sector we call them CISO) for each facility (available to the US Coast Guard 24x7)

  • establish a cybersecurity plan

  • achieve cybersecurity plan approval by the Captain of the Port (COTP), Officer in Charge, Marine Inspection (OCMI) for facilities or Marine Safety Center (MSC) for vessels

  • establish a cybersecurity incident response plan

  • ensure that quarterly drills/exercises, annual audits, annual table top exercises, annual inspections and annual cybersecurity assessments are conducted

  • perform drills every quarter testing elements of the cybersecurity plan

  • schedule an exercise at least once each calendar year, with no more than 18 months between exercises with the substantial and active participation of the CySO

  • configure minimum password strength on all IT and OT systems

  • ensure that user credentials are removed or revoked when a user leaves

  • ensure all cyber incidents are reported to the National Response Center (NRC)

  • provide cybersecurity training to all personnel (part-time, full-time, temporary, or permanent)

  • complete the training 180 days after effective date of the final rules and annually thereafter

  • establish a process through which all IT and OT vendors or service providers notify the owner or operator or designated CySO of any cybersecurity vulnerabilities, incidents, or breaches, without delay

  • perform backup of critical IT and OT systems, with those backups being sufficiently protected and tested frequently

  • CySO must ensure that a penetration test has been completed in conjunction with Facility Security Plan (FSP) or Vessel Security Plan (VSP) renewal


These are all well and lovely as they say. One might have expected them to have been introduced before this point in time as they don’t really present as “leading edge” requirements for compliance and good cybersecurity hygiene. But let’s be happy that they are likely coming into regulations this year with maybe a 180 day implementation timeline. There are, however, some ambiguities that should be cleared up. 


The requirements need some “sharpening” as they say. For example, are the annual cybersecurity assessments going to be performed by third-party external parties, or will an internal assessment suffice for compliance? When strong passwords are mentioned, how can we not also specify what makes a password strong (length requirements are superior mitigations to brute force attacks for example than complexity requirements since hackers don’t really care whether you have put “!” as the final character of your password in order to meet the “special character” rule).


Also revocation of credentials is great, but when? One day after exit/termination of the user, one week? Most of the CISOs that I know prefer to disable access during the exit interview, so “same day” revocation is a best practice. You can rest assured that, as a new member of the Sector New York US Coast Guard AMSC (Area Maritime Security Committee) subcommittee on cyber security, that I will be offering my full attention to improving the details and context for these proposed rules to avoid any misunderstanding or variance due to interpretation of broad language.


From the NPRM:

"We seek your comments on this proposed rule and whether we should: use and define the term reportable cyber incident to limit cyber incidents that trigger reporting requirements, use alternative methods of reporting such incidents, and amend the definition of hazardous condition."

The term “reportable cyber incident” is one of the big ticket items here in my view. If we suddenly expect all of these regulated facilities and vessel operators to begin sending the US Coast Guard National Response Center an email or making a phone call to 800-424-8802 every time someone scans their public-facing IP addresses or fails to authenticate successfully with their ECDIS computers or port call APIs I think we’re going to see a deluge of noise attempted to be ingested in the name of threat intelligence sharing.


We have structured reporting protocols like STIX and TAXII that have been used for years to help ingest observations of TTPs (Tactics, Techniques and Procedures) but I dare say that the National Response Center is not running a TAXII server (or two or three hundred…) just yet. But it is definitely a good idea to try to provide a good and actionable definition of reportable cybersecurity event/incident.


The current CFR definition speaks about reporting activities that may result in a TSI (Transportation Security Incident) which, to me at least, feels a bit tautological and thus not terribly good guidance. Whoever drafted the language for that definition previously really didn’t seem to want to go out on a limb and provide actionable guidance for the sector (snarky mode /off).


We need your help


Image credit: canva.com with the prompt “maritime security showing shipping containers and cranes”

Lastly, let me make a request for your help in providing data for a survey that we are conducting in partnership with the Synthetic Decision Group on Maritime Cybersecurity. If you work in the Maritime Transportation Sector, whether you are an MTSA-regulated owner or operator or not, please fill out my short survey so that we can produce a report summarizing the responses. We will share the results with the community and hope to plan an event in the near future to discuss the responses with everyone.


The deadline for our survey is May 31st.


Maritime Cybersecurity Survey link: https://forms.gle/kBvjChiiTN2pJPCW7 


 


Maritime Cybersecurity Course


Sign up here if you're interested in our 2 hour course "Cybersecurity Risk in Critical Infrastructure for Board Directors" which includes maritime OT examples of risks and threat mitigations.


The course topics include:


  • Systemic and Cognitive Risk

  • Governance of IT and OT Systems

  • Best Practices for Mitigation of Risk

  • Sustainable Resilience

  • Third-party Risk


The Security Agency has created this executive-level course for owners and operators of critical infrastructure that aims to bridge the information technology (IT) and operations technology (OT) domains from a governance perspective. This course is intended to help move a board director or senior executive from "cyber curious" towards "cyber aware" as it is foolish to think that executives can or need to become cybersecurity experts in order to provide proper governance of cybersecurity programs within their organizations. But modern governance of risk most definitely now includes management of cybersecurity threats and how to prioritize effective programs of mitigation.


The board of directors essentially needs to know enough about cybersecurity in the IT and OT domains in order to provide "effective challenge" when CISOs, FSOs (Facility Security Officers) and other information security professionals seek budget to implement controls and tools to address attacks from organized crime, nation states and (for better or for worse) bored teenagers.

bottom of page