Sunday, November 9, 2025

A new Department of Homeland Security report highlights gaps in the Coast Guard’s cybersecurity efforts for maritime transportation systems.


According to a final report released by the Office of Inspector General (OIG) of the Department of Homeland Security, the U.S. Coast Guard has made progress over the past two years in establishing a Maritime Cybersecurity Team, in line with statutory requirements, and in strengthening the cyber posture of the Maritime Transportation System (MTS). Based on its findings, the report puts forward four recommendations to improve the Coast Guard’s cyber readiness and prevention to ensure the safety of the U.S. supply chain. The Department of Homeland Security agreed with the four recommendations.

The report identified that these teams, which began operating as Cyber Protection Teams in 2021, are providing services to help industry stakeholders prevent and respond to malicious cyber activity. Despite these efforts, adoption has been limited, with only 36 percent of the Coast Guard sector having stakeholders that requested and received these services. The reluctance of private industry stakeholders to use the offered cybersecurity services poses a significant challenge to fully implementing the Coast Guard’s Cybersecurity Readiness Strategy to protect the supply chain.

The Coast Guard report recommended that Coast Guard Cyber Command and the Office of Port Facility Compliance develop and implement a strategic action plan with specific benchmarks to ensure that Cyber Protection Teams and the Maritime Cyber Readiness Division are able to collaborate effectively with Maritime Transportation Security Specialists – Cyber. The aim is to improve and strengthen collaboration with private industry stakeholders.

Agreeing with the recommendation, DHS noted that CG Cyber Command, the Port Facility Compliance Office, and the Cyberspace Command Office usually collaborate with MTSS-C on cyber risk management activities. “In May 2024, the Coast Guard hosted a workshop with MTSS-C that included cyber risk management on the agenda. The workshop also initiated an action plan to further build industry relationships. DHS estimates that these actions will be completed by April 30, 2025,” the report added.

According to the OIG evaluation, “We consider that the development of an action plan to further build industry relationships is in line with our recommendation. Once we have reviewed this plan and have more information about the planned implementation, work with CPT, and benchmarks for completion, we will close this recommendation. This recommendation is open and resolved.”

The public comment period ended on May 22, 2024. The Coast Guard is now considering the results of the public comments to determine next steps. DHS has not disclosed an expected completion date.

According to the OIG evaluation, “We consider that this new training, if implemented in line with the proposed new regulations, will provide much-needed instruction to Coast Guard personnel. This recommendation will be closed once the course materials are reviewed and information is provided on how the Coast Guard will distribute this training to appropriate personnel. As there is no expected completion date, this recommendation remains open.”

The Coast Guard has taken steps to strengthen the cyber posture of the maritime environment but faces challenges in implementing cybersecurity preparedness and prevention measures at U.S. ports and on U.S. waterways. Specifically, the Coast Guard implemented services to assist private industry stakeholders at U.S. ports and on U.S. waterways. However, in fiscal year 2022, only 36% of private industry stakeholders in the Coast Guard sector requested and received services offered by Coast Guard CPTs.

The report noted that these challenges have left the Coast Guard unable to fully ensure compliance with cybersecurity measures to protect MTS ports and waterways, and unable to provide awareness, guidance and expertise to protect private industry stakeholders’ assets. “Without these safeguards in place, U.S. supply chains remain vulnerable to exploitation, misuse or simple failure of cyber systems, which may result in injury or loss of life, harm to the maritime environment, and disruption of important commerce activity,” the report added.

It added that while industry participants identify and report cyber events, they do not consistently request the services of CPTs to improve their cybersecurity posture.

“Both the Coast Guard and private industry stakeholders said industry participants are reluctant to request Coast Guard CPT services, given the Coast Guard’s traditional role of regulation and enforcement,” the report detailed. “According to Coast Guard officials, industry participants are reluctant to use CPT services due to concerns that CPT may impose fines if it finds cyber deficiencies or poor cyber hygiene. Additionally, Coast Guard officials said industry participants with very small operations are reluctant to use CPT services partly because they may lack the funds to harden already outdated or vulnerable information technology equipment.”

According to the report, the Coast Guard conducts vessel and facility inspections in accordance with the Maritime Transportation Security Act of 2002 (MTSA) and the Code of Federal Regulations (CFR). “These vessel and facility inspections focus primarily on physical security and safety issues, such as whether fire suppression systems are functioning, alarm systems are working, and navigation systems are functioning. Although the Coast Guard’s internal directives and operational aids have been implemented to include cybersecurity elements during vessel and facility inspections, eight of the nine inspections we observed did not address cybersecurity on board vessels and facilities.”

“Consideration of cybersecurity factors includes inspecting basic cyber hygiene (such as locking workstations and revealing passwords) and determining whether a cybersecurity event was a contributing factor in the failure of onboard systems,” the report noted. “When an inspection includes cybersecurity, inspectors usually only look at whether a vessel or facility has completed cybersecurity documentation. At one location, a facility supervisor stated that facility inspectors use a cyber job aid provided by the Coast Guard’s Office of Port Facility Compliance to review cybersecurity during each inspection. However, when the audit team spoke separately with the facility inspector at that location, he acknowledged that he did not review cybersecurity during his inspection and was focused only on physical safety.”

The report also noted that Coast Guard inspectors are not conducting cybersecurity checks, even though they are required to, primarily due to a lack of standardized cyber training. Inspectors across the three sectors said they receive only minimal cybersecurity training during the Department of Homeland Security-wide annual session. While some inspectors expressed interest in increased training based on enforceable regulations, others highlighted the disadvantages faced by inspectors who do not receive proper guidance.

The agency added that the Coast Guard partners with educational institutions for specialized courses in maritime cybersecurity, but funding constraints limit enrollment. Without a formal training program, inspectors rely on written guidance and job aids. However, the guidance provided can be difficult to implement effectively, leaving gaps in essential areas such as vetting third-party vendors and updating access control systems. The Coast Guard’s Office of Port Facility Compliance stressed the need for cybersecurity regulations to establish proper training for inspectors.

In February 2021, the Coast Guard launched the Maritime Transportation Security Specialist-Cyber (MTSS-C) role to enhance cybersecurity in the maritime transportation system. MTSS-C works with Coast Guard districts, private sector companies and stakeholders to implement cybersecurity regulations, act as a liaison, and prepare for and respond to cybersecurity incidents in the maritime transportation system.

Another challenge identified by the report is that when recruiting qualified candidates for MTSS-C positions, they are classified as GS-0301 in the Management and Programs series, rather than the more common GS-2210 series for cybersecurity positions. This classification allows for a broader range of candidates, potentially missing out on technically skilled talent.

The Coast Guard concluded that with $5.4 trillion flowing annually and 90% of U.S. imports and exports passing through the maritime environment, the maritime transportation system has become a prime target for adversaries and cybercriminals. Coast Guard Cyber Command is focusing on attacks on logistics and technology companies that could simultaneously affect multiple organizations, including ship management software. The Coast Guard is strengthening the maritime transportation system’s cyber defenses with complementary cybersecurity services and sector-specific cybersecurity advisors to promote industry resilience against cyber threats. However, some organizations remain hesitant to report incidents to the Coast Guard.

Earlier this month, CISA enhanced its Maritime Transportation System Resilience Assessment Guide (MTS Guide) with a new, easy-to-use, web-based tool for maritime stakeholders. The update adds important new resources and tools to better assess and address the resilience of port networks and inland maritime transportation systems.

Anna Ribeiro

Industry Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the fields of security, data storage, virtualization and IoT.


