A feature from Volume 1, Issue 1 of Pacific Ports Magazine
By Christy Coffey, Vice President of Operations, Maritime Transportation System ISAC

First, we would like to thank the Association of Pacific Ports for requesting a blog. We are looking forward to speaking at their 107th annual event in 2021.

The concept of collaborating as a maritime community to identify, detect and protect against threats to the maritime transportation system (MTS) has a long tradition in the Pacific. This has been true whether facing a wide variety of threats and hazards and continues today. Look at the COVID-19 virus and how communities are using crowdsourcing, with public and private sector organizations working together locally and globally, to identify and move much-needed supplies and perform research.

Another example we regularly see relates to weather-related emergency response scenarios. These events are an excellent example of how public and private sector organizations work together to address and recover from the threat. While storms are not entirely predictable, we are aware that they occur, we understand the range of their potential impacts, and understand that there are actions that both sets of stakeholders are responsible for taking. So, the MTS develops and exercises plans to ensure preparedness.

Cyber risk management and the MTS 

When cybersecurity professionals in the Pacific apply the maritime community traditions with their own best practices from the NIST Cybersecurity Framework (www.nist.gov/cyberframework/online-learning/five-functions) — Identify, Protect, Detect, Respond, and Recover — the community can become more resilient to cyber risks in the face of motivated cyber adversaries. While information security professionals, or their organizational team, often focus on internal, individual activities to manage cyber risk, the sharing of threat information can serve as a force multiplier. Sharing information allows multiple organizations to more quickly identify vulnerabilities, threat activity and effective countermeasures. Rather than each individual stakeholder trying to counter cyber-attacks on their own, we can more efficiently tackle challenges at the community level for multiple reasons.

First, given the resources that cyber threat actors are pouring into their capabilities, the resources required to defend against threats is currently insufficient, especially when efficient use of those resources is not maximized. We believe the maritime community well understands the resource challenges that are present.

Second, the MTS continues to rapidly apply new technologies to port environments to increase operational efficiencies. Information technology (IT), operational technology (OT), and Internet of Things (IoT) technologies are being quickly integrated in port operations. These technologies are being integrated less often by single organizations, but frequently across the MTS ecosystem by multiple stakeholders including suppliers, vendors, and operators of other modes of transportation. As a result, IT, OT, and IoT cybersecurity challenges have become community challenges. However, we often try to address them as individual organizational challenges.

Third, we know that there is a shortage of cybersecurity expertise around the globe, and even fewer professionals that are focused on the specific challenges of maritime environments. This shortage places additional pressure on organizations. While the initial reaction to this pressure might be to focus those resources internally, we understand the efficiencies generated by pooling resources into a larger community effort. A team of resources can accomplish more than the sum of its parts.

U.S. Government is adjusting its focus

Well, we’re starting to see government actions to focus resources on these maritime community cybersecurity challenges. In February, the Department of Homeland Security’s (DHS) Federal Emergency Management Agency (FEMA) released the Port Security Grant Program (PSGP) Notice of Funding Opportunity which prioritized cybersecurity as the one area that “attracts the most concern” and subsequently included it as a funding priority for this year’s grants. This is certainly a welcome reprioritization.

A month later, the U.S. Coast Guard published the Navigation and Vessel Inspection Circular (NVIC) No. 01-20: Guidelines for Addressing Cyber Risks at MTSA Regulated Facilities which requires regulated facilities to address cyber risk in their Facility Security Assessments (FSAs) and Facility Secur-ity Plans (FSPs). Industry had been eagerly awaiting this NVIC. While it provides some clarification regarding MTSA requirements, the Coast Guard also released a “Cyber Job Aid” to “provide the service’s marine safety personnel with additional guidance as they address facilities’ documented cyber vulnerabilities.”

Unfortunately (and please keep in mind challenges #2 and #3 above), this guidance is being read by some who may not understand the details of cybersecurity as to what is required to manage cyber risk. The NVIC and the “Cyber Job Aid” fail to mention some of the basics of cybersecurity (e.g., access control lists, alerts, securing APIs, asset inventory, availability — those are just some of the As, let alone B-to-Z).

Helping connect the community

How can we help break this cycle by managing risk through “checklist cyber controls” to address compliance requirements?  First, we have to acknowledge the challenges above as well as the limitations of traditional approaches. The MTS-ISAC community, which engages both public and private sector stakeholders, is leveraging historical, regional relationships in a new way to address local cybersecurity challenges while maintaining global connectedness and situational awareness.

The MTS-ISAC has issued several TLP:GREEN Advisories that highlighted how threat actors have targeted MTS critical infrastructure, and how security controls can prevent unauthorized access to port systems. These advisories are shared quickly throughout the MTS-ISAC community and then more broadly with the maritime community with actionable intelligence and cybersecurity control recommendations to help other MTS stakeholders prevent similar cyber risk from impacting them. Stakeholders have not seen this type of timely advisory used in the maritime sector other than by the MTS-ISAC.

While working at the international as well as the local level to share malicious and suspicious cybersecurity activity is effective, local communities also provide a connectedness for working together on educational initiatives, adoption of best practices, and incident preparedness through exercises and response plans. We will be more successful in mitigating cyber risks through an MTS and critical infrastructure all-hands approach — private and public sector working together, private sector working together at a local level with global connectedness, and cross-sector collaboration. In addition to issuing regular TLP-GREEN advisories to trusted maritime stakeholders, the MTS-ISAC is holding regular webinars to raise awareness on a variety of maritime cybersecurity topics, including a recent informational webinar on protecting GPS, and supporting local maritime cybersecurity exercises.

For more information on the MTS-ISAC, visit https://www.mtsisac.org/. We hope you will join our community and learn more about efforts underway to manage cyber risk at the Maritime Cybersecurity Summit in Orlando, FL November 4-5, 2020 (https://www.maritimecybersecuritysummit.com/).  

About Christy Coffey

Christy Coffey is a cybersecurity professional, collaboration advocate, computer scientist, and inventor. She has worked across the cybersecurity and software industries for over 30 years and holds a MS in Cybersecurity with a CNSS certification, a BS in Computer Science, and a Top-Secret security clearance. She has authored numerous cybersecurity-themed papers, spoken at events, been interviewed by media, and is a subject matter expert on “Cybersecurity Information Sharing.”