The Critical Infrastructure Gap: U.S. Port Facilities and Cyber Vulnerabilities

Posted by Content Coordinator on Monday, August 19th, 2013

BROOKINGS INSTITUTION
CENTER FOR 21ST CENTURY SECURITY AND INTELLIGENCE

Executive Summary

“America must also face the rapidly growing threat from cyber-attacks . . . our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.” — President Barack Obama, 2013 State of the Union Address

Today, U.S. port facilities rely as much upon networked computer and control systems as they do upon stevedores to ensure the flow of maritime commerce that the economy, homeland, and national security depend upon. Yet, unlike other sectors of critical infrastructure, little attention has been paid to the networked systems that undergird port operations. No cybersecurity standards have been promulgated for U.S. ports, nor has the U.S. Coast Guard, the lead federal agency for maritime security, been granted cybersecurity authorities to regulate ports or other areas of maritime critical infrastructure. In the midst of this lacuna of authority is a sobering fact: according to the most recent National Intelligence Estimate (NIE) the next terrorist attack on U.S. Critical Infrastructure and Key Resources (CIKR)is just as likely to be a cyber attack as a kinetic attack.

The potential consequences of even a minimal disruption of the flow of goods in U.S. ports would be high. The zero-inventory, just-in-time delivery system that sustains the flow of U.S. commerce would grind to a halt in a matter of days; shelves at grocery stores and gas tanks at service stations would run empty. In certain ports, a cyber disruption affecting energy supplies would likely send not just a ripple but a shockwave through the U.S. and even global economy.

Given the current absence of standards and authorities, this paper explores the current state of cybersecurity awareness and culture in selected U.S. port facilities. The use of the post-9/11 Port Security Grant Program (PSGP), administered by the Federal Emergency Management Agency in consultation with the Coast Guard, is also examined to see whether these monies are being used to fund cybersecurity projects.

In the end, the research shows that the level of cybersecurity awareness and culture in U.S. port facilities is relatively low. In most ports, basic cybersecurity hygiene measures are not being practiced. Of the ports studied, only one had conducted a cybersecurity vulnerability assessment, and not a single one had developed a cyber incident response plan.

PSGP federal program managers have not expressly included cybersecurity projects in their funding criteria. While this did not exclude ports from seeking PSGP monies for cybersecurity projects, it certainly did not incentivize them. Of the $2.6 billion allocated to the PSGP over the past decade, less than $6 million—or less than one percent—was awarded for cybersecurity projects, and only one port in this study had used PSGP monies for a cybersecurity project. Ironically, a large number of security systems purchased with PSGP monies are networked into port command centers, making them more vulnerable to cyber attacks.

Most municipal ports are so-called landlord ports that lease out their terminals to private entities. Thus, the research also found that landlord ports have little awareness of what networked systems are being run by their lessees and almost no awareness of what, if any, cybersecurity measures are being taken to protect these systems.

Based on these findings, a series of policy recommendations are provided for Congress, DHS and the Coast Guard, and port facility owners and operators for how cybersecurity in U.S. port facilities might be incentivized and improved. In sum, these recommendations call for: Congress to pass legislation that provides the Coast Guard authority to enforce cybersecurity standards for maritime critical infrastructure (consistent with how it already enforces physical security in maritime critical infrastructure); the adoption of NIST cybersecurity standards for port facilities; DHS to structure the PSGP grant program to incentivize cybersecurity projects; the Coast Guard to ensure a functional information sharing network is in place that allows government, port owners and operators, and maritime industry stakeholders to exchange cyber threat information; and port owners and operators to conduct cyber vulnerability assessments and prepare response plans. Most of these recommendations are relatively simple steps that will greatly enhance not only maritime cybersecurity and resilience but ultimately U.S. homeland and national security.

Figure 6. Port by Port Data - Cybersecurity Vulnerability Assessment and Response Plans

View full report (PDF): U.S. Port Facilities and Cyber Vulnerabilities

About the Center for 21st Century Security and Intelligence
www.brookings.edu/about/centers/security-and-intelligence
“The Center for 21st Century Security and Intelligence (21CSI) was created to address the key issues shaping security policy over the coming decades. The Center seeks to answer the critical questions emerging in defense, cybersecurity, arms control, and intelligence in an all-encompassing manner, seeking not just to explore important new policy challenges but also how they cross traditional fields and domains.”

Tags: , , , , , ,

Comments are closed.

Follow InfraUSA on Twitter Facebook YouTube Flickr

CATEGORIES


Show us your infra! Show us your infra!

Video, stills and tales. Share images of the Infra in your community that demands attention. Post your ideas about national Infra issues. Go ahead. Show Us Your Infra!  Upload and instantly share your message.

Polls Polls

Is the administration moving fast enough on Infra issues? Are Americans prepared to pay more taxes for repairs? Should job creation be the guiding determination? Vote now!

Views

What do the experts think? This is where the nation's public policy organizations, trade associations and think tanks weigh in with analysis on Infra issues. Tell them what you think.  Ask questions.  Share a different view.

Blog

The Infra Blog offers cutting edge perspective on a broad spectrum of Infra topics. Frequent updates and provocative posts highlight hot button topics -- essential ingredients of a national Infra dialogue.


Dear Friends,

 

It is encouraging to finally see clear signs of federal action to support a comprehensive US infrastructure investment plan.

 

Now more than ever, our advocacy is needed to keep stakeholders informed and connected, and to hold politicians to their promises to finally fix our nation’s ailing infrastructure.

 

We have already engaged nearly 280,000 users, and hoping to add many more as interest continues to grow.

 

We require your support in order to rise to this occasion, to make the most of this opportunity. Please consider making a tax-deductible donation to InfrastructureUSA.org.

 

Steve Anderson

Managing Director

 

SteveAnderson@InfrastructureUSA.org

917-940-7125

InfrastructureUSA: Citizen Dialogue About Civil Infrastructure