Today, the Department of Homeland Security (DHS) and the Biden-Harris Administration are taking new actions to protect American maritime critical infrastructure, bolster port cybersecurity, and improve supply chain resilience.
As a maritime nation, America’s prosperity remains inextricably linked to the integrated and extensive network of ports, terminals, vessels, waterways, and land-side connections constituting the U.S. Marine Transportation System (MTS). This extensive system supports $5.4 trillion worth of economic activity each year and contributes to the employment of more than 31 million Americans.
DHS has a strong and demonstrated track record in securing and safeguarding the maritime transportation system. Through existing security and safety regulations, DHS and its partners have forged a robust public-private partnership through contingency planning, exercises, grant funding, and response and recovery efforts. These relationships are all the more important as the industry and the country faces evolving cyber and technology challenges.
We have a national imperative to protect this critical infrastructure in a complex threat environment. MTS operators increasingly rely on an ecosystem of automated and cyber-dependent systems to enable critical operating functions, including ship navigation, engineering, safety and security monitoring. These systems have revolutionized the maritime shipping industry by centralizing operational control and improving efficiency. However, they also introduce vulnerabilities that, if exploited, could have significant cascading impacts to the MTS, the economy, and the American people.
Executive Order on Amending Regulations relating to the Safeguarding of Vessels, Harbors, Ports and Waterfront Facilities of the United States
On February 21, 2024, President Biden signed an Executive Order that will expand authorities for the United States Coast Guard (USCG) to ensure the Nation’s MTS is protected against malicious cyber activity. The Executive Order bolsters the USCG’s already robust authorities to protect the MTS from acts of terrorism and other conventional threats by explicitly addressing cyber threats.
Pursuant to the Executive Order, the USCG now has express authority to respond to malicious cyber activity, including by:
-
Requiring vessels and facilities to mitigate unsatisfactory cyber conditions that may endanger the safety of a vessel, facility, or harbor;
-
Requiring the reporting of any actual or threatened cyber incidents involving or endangering any vessel, harbor, port, or waterfront facility to the USCG and Federal Bureau of Investigation; and
-
Taking control of vessels that present a known or suspected cyber threat to U.S. maritime infrastructure.
U.S. Maritime Security Directive for People’s Republic of China-Manufactured Ship-to-Shore Cranes
The Department remains focused on combatting cybersecurity threats to our critical infrastructure emanating from the People’s Republic of China (PRC). Our efforts include working with the private sector, issuing alerts and warnings, and conducting threat hunting operations to find and mitigate malicious cyber activity domestically. As an example, DHS’s Cybersecurity and Infrastructure Security Agency (CISA) recently issued a cybersecurity advisory on the PRC-state-sponsored cyber actor known as VOLT TYPHOON, which has been identified by private sector partners as affecting networks across critical infrastructure sectors. Operational Technology (OT) systems are often built without security in mind and thus even more vulnerable to threats. The threat posed to our homeland security by PRC-directed activities, and their potential to disrupt critical infrastructure in times of conflict, necessitates government intervention.
Cybersecurity threats also arise from the reliance on untrusted vendors in critical infrastructure environments. PRC-manufactured ship-to-shore (STS) cranes make up the largest share of the global STS crane market and account for nearly 80% of the STS cranes at U.S. ports. By design, these cranes may be controlled, serviced, and programmed from remote locations, and those features potentially leave PRC-manufactured STS cranes vulnerable to exploitation, threatening the maritime elements of the national transportation system.
The USCG, leveraging its express authority to respond to malicious cyber activity, has issued a Maritime Security Directive to owners and operators of certain critical port infrastructure to take immediate steps to close vulnerabilities and mitigate unsatisfactory cyber conditions posed by the prevalence of PRC-manufactured STS cranes in the U.S. and the threat of disruption to U.S. critical infrastructure.
U.S. Coast Guard Notice of Proposed Rulemaking on Cybersecurity in the Marine Transportation System
Additionally, the USCG has just released a Notice of Proposed Rulemaking (NPRM) that will provide baseline cybersecurity requirements to protect the MTS from cyber threats. Based on CISA’s Cross-Sector Cybersecurity Performance Goals, these newly proposed regulations would require a number of cybersecurity measures including account security, device security, network segmentation, data security, training, incident response planning, and drills and exercises. Regulated entities would also be required to identify a Cybersecurity Officer responsible for overseeing implementation of the new requirements.
The NPRM that the USCG is publishing today is another critical step for the Department building on prior efforts in the transportation sector. Across the sector, the USCG and the Transportation Security Administration (TSA) utilize regulatory and voluntary approaches, such as stakeholder participation in advisory committees and adopting U.S. government best practices, to work with stakeholders to strengthen their cybersecurity posture. Following extensive collaboration with aviation partners, rapport-building with industry, and feedback from stakeholders over the past two years, the TSA has issued cybersecurity requirements for airport and aircraft operators, pipeline operators, and passenger and freight railroad carriers, as part of our Department’s efforts to increase the cybersecurity resilience of U.S. critical infrastructure.
Like those issued by the TSA, the requirements being proposed by the USCG are performance based and variable according to the risk profile and capability of the entity. The USCG NPRM proposes regulations specifically focused on establishing minimum cybersecurity requirements for U.S.-flagged vessels, Outer Continental Shelf facilities, and U.S. facilities subject to the Maritime Transportation Security Act of 2002 regulations. Consistent with the Administration’s goal of regulatory harmonization, DHS has leveraged common frameworks from the National Institute of Standards and Technology (NIST) and CISA to inform both voluntary cybersecurity practices and relevant regulatory requirements. Key USCG and TSA baseline cybersecurity elements are aligned to the NIST Cybersecurity Framework and CISA’s Cross-Sector Cybersecurity Performance Goals.
DHS Supply Chain Resilience Center
Today’s announcements to increase the cybersecurity and resilience of the maritime sector complement ongoing DHS efforts to increase the resilience of U.S. supply chains for critical infrastructure. Announced earlier this year, the DHS Supply Chain Resilience Center (SCRC) is focused on near-term priorities to address supply chain risks resulting from threats and vulnerabilities inside U.S. ports. The SCRC recently convened key DHS decision-makers and stakeholders for a robust tabletop exercise designed to test the resilience of critical supply chains that connect through our domestic ports. The exercise reviewed how DHS would respond to a cyber-attack impacting ship-to-shore crane operability and how DHS would coordinate within the Department and the interagency. In the future, the SCRC intends to partner with the Department of Commerce to strengthen the semiconductor supply chain and further the implementation of the CHIPS and Science Act and develop supply chain early warning systems with the interagency and key allies.
In today’s rapidly changing world, it is imperative that we evolve to meet the threats and challenges of tomorrow. The Executive Order and the Department’s efforts furthers the Biden-Harris Administration’s goal of securing our digital ecosystem and defending our Nation’s critical infrastructure.
###