Recent cyberattacks have exposed critical vulnerabilities that exist within the Marine Transportation System (MTS). For many, getting buy-in from management to address cybersecurity issues has been a major barrier, but are cybersecurity challenges more about people, processes or technology? How are next generation mariners approaching security challenges? What sort of changes will be compelled by a recent executive order to improve maritime cybersecurity?
These were just some of the questions that were explored by our panel of experts during the recent Cybersecurity: What You Need to Know Now webinar. Numerous topics and issues related to cybersecurity were discussed during the webinar but our panel was not able to address them all. Thankfully, one of our panelists took the time to do just that.
Hunter McWilliams is a founding member of the Coast Guard Cyber Command’s Maritime Cyber Readiness Branch (MCRB), a team established to serve as the Coast Guard’s experts for all things MTS cybersecurity. During the webinar, he talked about what it means for his team to address vulnerabilities with new digital technologies that are continually changing but lays out details below regarding regarding FIPS-140 certification, pen testing and other assistance the Coast Guard may be able to provide and more.
Watch the Cybersecurity webinar: What You Need to Know Now here.
Workboat Audience: How does the mission of DHSs subagency, Cybersecurity and Infrastructure Security Agency (CISA), marry with the cybersecurity mission of the Coast Guard?
Hunter McWilliams: It’s certainly a complementary relationship.
Many of our members of the Coast Guard’s Cyber Protection Teams (CPTs) spent time detailed to CISA performing services for general infrastructure before focusing on maritime infrastructure services offered through the Coast Guard. Generally speaking we work together, share information, and supplement one another regarding cybersecurity issues for public infrastructure. The U.S. Coast Guard, like CISA, is an agency under DHS. CISA is responsible for all U.S. critical infrastructure, while our focus is solely on the marine transportation sector.
Workboat Audience: We recently bid on the USCG Waterways Commerce Cutter (WCC) program and saw a large C5I component to the program and each vessel, even though it is an inshore vessel. Will this be typical of all USCG programs moving ahead?
Hunter McWilliams: I can’t speak to the bidding/contracting of the USCG WCC program. As a member of the Maritime Cyber Readiness Branch, my experience is primarily in the marriage of regulatory activities for vessels and facilities with cybersecurity application. If you would like, you can email us at [email protected] requesting the information, and I can attempt to direct you towards the appropriate department/branch!
That being said, I imagine that all vessels the Coast Guard invests in will likely need to prioritize modernization efforts like the C5I components you observed.
Workboat Audience: How is the Coast Guard Cyber Command working with facilities on the inland waterways in particular? Many of them think that they are "too small" to be a target of a ransomware attack.
Hunter McWilliams: At the Maritime Cyber Readiness Branch we’ve worked with CG-FAC and CG-5P in the application of cybersecurity for the MarineTransportation System. The position the CG has taken with all vessels and facilities, regardless of geographic location, is that they will continue to be held to the standard of the Maritime Transportation Security Act (MTSA).
For cybersecurity, this doesn’t change; access control is access control, monitoring is monitoring, security measures for Restricted Areas are security measures for Restricted areas, etc. The standards are the same regardless of if we are speaking about access control, monitoring, or security measures for physical elements or cyber elements.
There is certainly enough evidence to suggest that size and location aren’t requisite requirements for threat actors in terms of who will be attacked. But in the same manner that regulations apply to the inland waterways facilities historically with physical security, they will continue to apply to inland waterways facilities in terms of cybersecurity.
Workboat Audience: Can you comment on needs "in the field" or onboard measures needed as opposed to enterprise measures like CMMC. How panicked should we all be about implementing CMMC?
Hunter McWilliams: Speaking from the position of the US Coast Guard, our expectations of facilities and vessels in the MTS is framework agnostic. We are just happy to see an entity apply an appropriate cyber framework towards their company policy, namely Facility Security Plans/Vessel Security Plans/Company Security Plans.
Workboat Audience: How important is FIPS-140 certification for maritime equipment and/or are there other baseline tests USCG Cyber wants to see equipment go through?
Hunter McWilliams: At present we do not have certification requirements for maritime equipment beyond those you may find in the existing Maritime Transportation Security Act regulations. As long as equipment complies with the expectations of the Codified Federal Regulations that exist, you are meeting Coast Guard Cyber requirements.
Workboat Audience: The marine insurance industry is having trouble getting its head around the risk that a Cyber event could present to vessels and facilities with respect to causing bodily injury or property damage, thus they imagine the worst. Is their fear justified?
Hunter McWilliams: I cannot speak of specific details of incidents that I have investigated. However, we have observed many circumstances on the world stage where cyber events have caused bodily injury and/or damage. These events are not exclusive to non-maritime transportation system entities. Maritime facilities and vessels use technology that controls operational and safety systems used in the process of the manufacturing, storage and transport of bulk oils, chemicals, hazmat, etc.
I would be remiss to believe that these technology systems are not subject to the same risk concerns of any other cyber-physical system that could cause bodily injury or property damage.
Workboat Audience: Does anyone know of cyber security events that affected the navigation or propulsion systems of vessels?
Hunter McWilliams: As a member of the Maritime Cyber Readiness Branch, I can confirm that I have been privy to events that have caused an impact to vessel navigation and/or propulsion systems.
Workboat Audience: Where could I find more information about pen testing and other assistance USCG may be able to provide to identify areas that need to be hardened/improved upon?
Hunter McWilliams: Excellent question. For assistance from the Coast Guard’s Cyber Protection Team, please contact us at [email protected].
You can also find more information about the Maritime Cyber Readiness Branch/Cyber Protection Team services (via this downloadable PDF) as well as Coast Guard Cyber Command via these respective links:
Watch the Cybersecurity webinar: What You Need to Know Now here.