CENTER FOR 21ST CENTURY SECURITY AND INTELLIGENCE
“America must also face the rapidly growing threat from cyber-attacks . . . our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.” — President Barack Obama, 2013 State of the Union Address
Today, U.S. port facilities rely as much upon networked computer and control systems as they do upon stevedores to ensure the flow of maritime commerce that the economy, homeland, and national security depend upon. Yet, unlike other sectors of critical infrastructure, little attention has been paid to the networked systems that undergird port operations. No cybersecurity standards have been promulgated for U.S. ports, nor has the U.S. Coast Guard, the lead federal agency for maritime security, been granted cybersecurity authorities to regulate ports or other areas of maritime critical infrastructure. In the midst of this lacuna of authority is a sobering fact: according to the most recent National Intelligence Estimate (NIE) the next terrorist attack on U.S. Critical Infrastructure and Key Resources (CIKR)is just as likely to be a cyber attack as a kinetic attack.
The potential consequences of even a minimal disruption of the flow of goods in U.S. ports would be high. The zero-inventory, just-in-time delivery system that sustains the flow of U.S. commerce would grind to a halt in a matter of days; shelves at grocery stores and gas tanks at service stations would run empty. In certain ports, a cyber disruption affecting energy supplies would likely send not just a ripple but a shockwave through the U.S. and even global economy.
Given the current absence of standards and authorities, this paper explores the current state of cybersecurity awareness and culture in selected U.S. port facilities. The use of the post-9/11 Port Security Grant Program (PSGP), administered by the Federal Emergency Management Agency in consultation with the Coast Guard, is also examined to see whether these monies are being used to fund cybersecurity projects.
In the end, the research shows that the level of cybersecurity awareness and culture in U.S. port facilities is relatively low. In most ports, basic cybersecurity hygiene measures are not being practiced. Of the ports studied, only one had conducted a cybersecurity vulnerability assessment, and not a single one had developed a cyber incident response plan.
PSGP federal program managers have not expressly included cybersecurity projects in their funding criteria. While this did not exclude ports from seeking PSGP monies for cybersecurity projects, it certainly did not incentivize them. Of the $2.6 billion allocated to the PSGP over the past decade, less than $6 million—or less than one percent—was awarded for cybersecurity projects, and only one port in this study had used PSGP monies for a cybersecurity project. Ironically, a large number of security systems purchased with PSGP monies are networked into port command centers, making them more vulnerable to cyber attacks.
Most municipal ports are so-called landlord ports that lease out their terminals to private entities. Thus, the research also found that landlord ports have little awareness of what networked systems are being run by their lessees and almost no awareness of what, if any, cybersecurity measures are being taken to protect these systems.
Based on these findings, a series of policy recommendations are provided for Congress, DHS and the Coast Guard, and port facility owners and operators for how cybersecurity in U.S. port facilities might be incentivized and improved. In sum, these recommendations call for: Congress to pass legislation that provides the Coast Guard authority to enforce cybersecurity standards for maritime critical infrastructure (consistent with how it already enforces physical security in maritime critical infrastructure); the adoption of NIST cybersecurity standards for port facilities; DHS to structure the PSGP grant program to incentivize cybersecurity projects; the Coast Guard to ensure a functional information sharing network is in place that allows government, port owners and operators, and maritime industry stakeholders to exchange cyber threat information; and port owners and operators to conduct cyber vulnerability assessments and prepare response plans. Most of these recommendations are relatively simple steps that will greatly enhance not only maritime cybersecurity and resilience but ultimately U.S. homeland and national security.
About the Center for 21st Century Security and Intelligence
“The Center for 21st Century Security and Intelligence (21CSI) was created to address the key issues shaping security policy over the coming decades. The Center seeks to answer the critical questions emerging in defense, cybersecurity, arms control, and intelligence in an all-encompassing manner, seeking not just to explore important new policy challenges but also how they cross traditional fields and domains.”