U.S. Releases Cybersecurity Plan for Maritime Sector
The U.S. government has released a plan with a list of top-priority items to mitigate threats and provide security to the crucial maritime sector.
The National Maritime Cybersecurity Plan, which was made public (PDF) on Tuesday, highlights several priority actions to close maritime cybersecurity gaps and vulnerabilities over the next five years.
The maritime sector, which includes hundreds of thousands of major waterways, shipyards, ports and bridges, contributes about $5.4 trillion to the U.S. gross domestic product.
At a high level, the plan sets out priorities and goals around the establishment of global standards to define maritime threats, beefing up threat intel and information sharing, and increasing the cybersecurity workforce in the maritime sector.
“The proliferation of IT across the maritime sector is introducing previously unknown risks, as evidenced by the June 2017 NotPetya cyber-attack, which crippled the global maritime industry for more than a few days,” the White House said.
“This plan articulates how the United States government can best buy down the potential catastrophic risks to national security and economic prosperity,” the government said, noting that the increasing reliance on IT and OT will continue to promote maritime commerce efficiency and reliability.
The plan calls for a high priority to be placed on what is described as deconflicting government roles and responsibilities.
“Some MTS operators lack the ability to control the security of critical systems because different public and private entities own and operate these interconnected systems. Although cybersecurity standards and frameworks are widely available, businesses often lack the resources or expertise to implement them effectively, leaving them vulnerable to cybersecurity disruptions,” the U.S. government warned.
Because no single entity owns, controls, manages, or regulates businesses or networks used throughout the maritime domain, the plan calls for the NSC (National Security Council) staff to identify gaps in legal authorities and identify efficiencies to de-conflict roles and responsibilities for MTS cybersecurity standards.
The plan’s other priorities include developing risk modeling to inform maritime cybersecurity standards and best practices; strengthening cybersecurity requirements in port services contracts and leasing; and improving the level of information sharing between the U.S. government and the private sector.
“Credible and actionable intelligence is required to strengthen maritime cybersecurity,” the government asserted, noting it will create mechanisms to share unclassified and, when acceptable, classified information with maritime industry stakeholders, increasing access to actionable information to protect maritime IT and OT networks.
Furthermore, the plan calls for the creation of an international “port OT risk framework” based on input from partners, which will be promoted internationally.
The plan also zeroes in on producing cybersecurity specialists and a robust workforce to manage and protect port and vessel systems.
“The dual threat of opportunistic ransomware infection and targeted nation state power projection over the past few years has demonstrated the impact of cyber attacks on national security and commercial supply chains,” Grant Geyer, Chief Product Officer at industrial cybersecurity firm Claroty, told SecurityWeek. “We saw examples of the potential for massive disruption during the 2017 NotPetya infections in commercial maritime enterprises, and Iran’s revelation that their port activities were disrupted by a cyber attack in 2020.”
“Coupling these highly vulnerable OT maritime environments with a severe lack of expertise in OT security,” Geyer continued, “creates the potential for massive risk to critical infrastructure. What strikes me as very important about the National Maritime Cybersecurity Plan is the purposeful focus on ensuring risk mitigation to the critical ships and port systems, and the focus on developing expertise and career paths for maritime cybersecurity.”