A dozen suspects were arrested last year and two tons of cocaine and heroin seized by Belgian and Dutch authorities who alleged a group of criminals used hackers to manipulate maritime companies’ computers and unload the drugs from a container.
This is one of the first times that such a tactic has come to light, according to Europol, the European Union’s law enforcement agency. It likely won’t be the last.
Maritime cybersecurity is a growing concern worldwide. Judging from two recent reports focusing on the U.S., not enough is being done to tackle it.
In June, the Government Accountability Office (GAO) concluded that U.S. ports are vulnerable to cybersecurity attacks.
“Disruptions in the operations of our nation’s ports, which facilitate the import and export of over $1.3 trillion worth of goods annually, could be devastating to the national economy,” the GAO said. “The growing reliance on information and communications technology suggests the need for greater attention to potential cyber-based threats.”
Likewise, Coast Guard Cmdr. Joseph Kramek, in a policy paper published last summer by the Brookings Institution, where he was a fellow, said that ports are vulnerable. “In most ports, basic cybersecurity hygiene measures are not being practiced. Of the ports studied, only one had conducted a cybersecurity vulnerability assessment, and not a single one had developed a cyber incident response plan.”
The Coast Guard, which has its own cyber command unit, has been expanding and addressing cyber-based threats, but more needs to be done, the GAO said. The reports’ recommendations include:
• The Coast Guard should assess cyber-related risks and issue appropriate guidance;
• The Port Security Grant Program (PSGP) should encourage cyber-related proposals;
• Congress should give the Coast Guard authority to enforce cybersecurity standards the same way it enforces physical security.
Threats can come from corrupt or disgruntled employees, criminal groups, hackers and terrorists, said the GAO, and the consequences could be catastrophic.
“Shelves at grocery stores and gas tanks at service stations would run empty,” Kramek concluded after looking at ports on each coast and Vicksburg, Miss. “In certain ports, a cyber disruption affecting energy supplies would likely send not just a ripple but a shockwave through the U.S. and even global economy.”
“We did not find attacks in the U.S. The biggest incident we saw is one that happened in Europe,” said Stephen Caldwell, director, maritime security and Coast Guard issues, and co-author of the GAO report.
“They need to get more serious about these risks and do a detailed assessment,” he said of the Coast Guard, “and business should do that as well.”
The Coast Guard doesn’t have explicit authority over cybersecurity. The Maritime Transportation Security Act (MTSA), passed after 9/11, gives the Coast Guard some authority over communication systems and computers.
Under MTSA, “we look at cyber from a security standpoint. If something happens to a cyber system that can lead to a transportation security incident, it needs to be reported to the Coast Guard,” said Coast Guard Cmdr. Nicholas Wong, chief, domestic ports division.
A lot has changed recently, he said. “There’s a lot more awareness in general and a better understanding of the cyber threats. It is a serious consideration for us.”
The agency is developing a cybersecurity strategy and guidance on how to do assessments. “We’re likely going to have public meetings. We want to be transparent with industry,” he said.
The GAO concentrated on the Coast Guard and ports and not on vessels, offshore platforms, inland waterways or intermodal connections. But cybersecurity threats exist there, too. The GAO visited the ports of Houston, New Orleans and Los Angeles/Long Beach.
GPS and other navigation systems are vulnerable. Last summer, for example, a research team from the University of Texas changed the direction of a yacht in the Mediterranean using false GPS signals from a spoofing device.
“This is a hot spot in the industry. The regulators don’t have a clue,” said Michael Van Gemert, senior vice president of Northwest Technical Solutions, Houston, a technology consulting company that focuses on the offshore energy industry. “All the newest rigs are running on high-speed data networks. Most advanced companies have done a good job closing these holes. But there are a lot of workboats with old systems. Guys, you are a target.”
Van Gemert mentioned a rig that came into the Gulf of Mexico on which inspectors found “nasty stuff” in control system computers on the bridge that affected critical stability calculations. Hackers shut down a floating rig earlier this year, and another rig’s computer was so compromised by malware that it took 19 days to make it seaworthy again.
“You will not see anybody blazing trails in leadership until they get hit,” Van Gemert said.
The Port Security Grant Program has been at the heart of many maritime security initiatives. Money has been used for what many refer to as guns, gates and gadgets (as well as identification cards). But funding has dropped from a high of $388.6 million in 2009 to $100 million this year.
Federal program managers did not include cybersecurity projects in their criteria, Kramek noted. “Of the $2.6 billion allocated to the PSGP over the past decade, less than $6 million or less than 1 percent was awarded for cybersecurity projects, and only one port in this study had used PSGP monies for a cybersecurity project. Ironically, a large number of security systems purchased with PSGP monies are networked into port command centers, making them more vulnerable to cyber attacks.”
Several ports disputed some of Kramek’s findings, saying they had high levels of security and up-to-date technology, according to published reports.
Paul Zimmermann, director of operations for the Port of New Orleans, said the solution to the GAO’s findings is “a collaborative effort by the entire industry – public and private entities – to address the issue.”
He agrees with the GAO “that cybersecurity is an evolving area and certainly one of potential concern. Most cargo-related information is generally held by private sector companies.” Until recently, most of that information has been guarded more for commercial than terrorist-related reasons.
Federal agencies have to provide the private sector not only with information but also grants to install safeguards, Zimmermann said. “This is not necessarily the role of port authorities. This needs to be a national approach.”
The American Association of Port Authorities (AAPA) said on its website that port information technology leaders and their counterparts in private industry “have been confronting the threat of cybersecurity for some time.”
AAPA said the Coast Guard is the logical enforcement authority for cybersecurity but needs more resources since it has been stretched and strained since 9/11.
Ed. Note: The GAO report is available at: www.gao.gov/assets/670/663828.pdf. The Brookings report is available at: www.brookings.edu (search for “Kramek”).