Maritime companies and U.S. ports are essentially private businesses, intent on getting the job done efficiently, safely and at a profit. But the clash between private businesses wanting to remain private and the need for public disclosure in the name of security has become an important part of the discussion over creating a national cybersecurity policy.
Cyber threats have become increasingly common in all businesses, and the maritime sector, as conduits of valuable cargo that fuel the international economy, is beginning to understand its vulnerabilities and experience its share of intrusions.
Modern vessels are vulnerable to hacking and other breaches because electronic and computer systems are fully integrated with navigation, communications, cargo systems, and steering. GPS is susceptible to spoofing, in which fake navigation signals could lead to positioning and directional mistakes. Shoreside operations are vulnerable to tampering with telephone and Internet connections. And there are also seemingly innocent mistakes by the crew, such as transmitting malware to the bridge computer by inserting an unauthorized USB drive.
The wheels of government are starting to turn in the direction of more cooperation, and perhaps regulation, to understand, avoid and deal with such threats. The Coast Guard came out with a cybersecurity strategy this summer, and just last week, the House Homeland Security Committee held a hearing in Congress on threats to the nation’s maritime transportation system. Private maritime companies, from the big cargo ships to the inland sector and ports, are also starting to assess their weak areas, with an eye toward training staff, beefing up security of their computer and Internet-based operational systems and creating plans and policies should a cyber attack cripple their operations.
But witnesses at last week’s hearing before the House Homeland Security subcommittee on Border and Maritime Security cited a troubling trend: Maritime businesses are reluctant to report cybersecurity breaches and to spend money on cyber programs that don’t generate revenues.
As Randy D. Parsons, security service director at the Port of Long Beach, Calif., stated: “To acknowledge that a cyber event has taken place could potentially diminish business reputation and public trust. Maritime stakeholders have deemed much of their information as proprietary to the degree that dissemination could create business disadvantages.”
Jonathan Sawicki, security improvement program manager at the ports of Brownsville and Harlingen, Texas, added that companies are also worried about competition and falling stock value if they go public.
Cybersecurity is a relatively new and evolving issue for the maritime industry. And similar to the federal security requirements imposed on vessels and at ports after the 9/11 attacks which have become another part of doing business, the industry should regard cybersecurity in the same way. Hacking of computer systems is a very real threat in today’s interconnected world – just remember how easy it was for hackers to access government files believed to be secure and credit card information at major retail stores.
As pointed out at the congressional hearing, not sharing cybersecurity information or preparing for an attack will make it harder to identify the kinds of threats facing the maritime industry, and establish effective ways to prevent and deal with them when they occur. And it could lead to disabled vessels and navigational mistakes – all of which are costly to a business – as well as major disruptions to the nation’s sea and river transportation network.
The views and opinions expressed in this blog are the author’s and not necessarily those of WorkBoat.