Abstract
Since its earliest days, U.S. economic prosperity has been dependent upon maritime trade. The ships, boats, terminals, and related maritime critical infrastructure that support this trade are increasingly dependent on cyber technology. Cyber incidents involving navigation, cargo control, and other industrial processes could threaten lives, the environment, property, and could significantly disrupt regular trade activity. The U.S. Coast Guard, with long standing authority to address safety and security risks in the marine transportation system (MTS), encourages ship and vessel operators to establish a risk assessment and mitigation process to address cyber-related threats. State and local governments can contribute to this process through information sharing, and in Area Maritime Security Committees and other forums designed to address risk.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
American Association of Port Authorities. “Seaports and the U.S. Economy.” http://aapa.files.cms-plus.com/PDFs/Awareness/US%20Economy%20Fact%20Sheet%2012-4-12.pdf. Accessed April 2015.
- 2.
U.S. Coast Guard investigations 2011–2015, and personal communications by the author.
- 3.
Coast Guard Field Intelligence Report dated 27 July 2015 (For Official Use Only).
- 4.
Europol Public Information Intelligence Notification 004-2013, European Cybercrime Center.
- 5.
See for example, “oil and gas industry targeted by hackers”, last accessed 8 February 2015 at http://securityaffairs.co/wordpress/36843/cyber-crime/cyberattacks-on-oil-and-gas-firms.html.
- 6.
www.cgerisk.com, last accessed 4 March, 2016.
- 7.
See for example 33 Code of Federal Regulations Part 127, which details requirements for liquefied natural gas facilities.
- 8.
U.S. Coast Guard Marine Safety Manual, Volume 1, Administration and Management, COMDTINST M16000.6, chapter 1, available at https://www.uscg.mil/directives/cim/16000-16999/CIM_16000_6.pdf.
- 9.
For example, 33 Code of Federal Regulations Part 105.260(a)(6) requires waterfront facilities to protect security and surveillance equipment, but does not specify how that must be done.
- 10.
U.S. Coast Guard Marine Safety Manual, Volume 2, COMDTINST 16000.7B, Chapter 1 describes marine equipment and materials. Available at https://www.uscg.mil/directives/cim/16000-16999/CIM_16000_7B.pdf.
- 11.
- 12.
A holistic view of risks and solutions is arguably the most important step.
- 13.
US-CERT, Top 30 Targeted High Risk Vulnerabilities, https://www.us-cert.gov/ncas/alerts/TA15-119A, accessed 8 February 2016.
- 14.
The U.S. Coast Guard maintains a liaison officer at the National Cybersecurity Communications and Integration Center (NCCIC) to facilitate interagency cooperation.
- 15.
U.S. Cyber Command is an armed forces unified command that centralizes command of cyberspace operations and defense of U.S. military networks.
- 16.
A full description of all U.S. government cyber authorities is beyond the scope of this paper. See for example, “Cybersecurity, National Strategies, Roles, and Responsibilities Need to Be Better Defined and More Effectively Implemented, GAO-13-187, and http://www.dhs.gov/topic/cybersecurity.
- 17.
Title 33, Code of Federal Regulations, Part 103.405 address AMSC responsibilities, including computer systems and networks.
- 18.
U.S. Coast Guard Navigation and Inspection Circular 09-02, Change 4, Enclosure 3. Available at www.uscg.mil/hq/cg5/nvic.
- 19.
- 20.
An A-60 bulkhead is a structural fire protection standard for ship construction. It refers to the ability of a bulkhead to prevent the spread of fire and smoke for 60 min.
Abbreviations
- AMSC:
-
Area Maritime Security Committee
- CERT:
-
Computer Emergency Response Team
- DHS:
-
Department of Homeland Security
- DOD:
-
Department of Defense
- DOE:
-
Department of Energy
- DOJ:
-
Department of Justice
- GPS:
-
Global Positioning System
- IMO:
-
International Maritime Organization
- IT:
-
Information Technology
- MTS:
-
Marine Transportation System
- MTSA:
-
Maritime Transportation Security Act
- NIST:
-
National Institute of Standards and Technology
- SCADA:
-
Supervisory Control and Data Acquisition
- SOLAS:
-
Safety of Life at Sea
- USB:
-
Universal Serial Bus
References
Khakzad, N., Khan, F., & Amyotte, P. (2012). Dynamic risk analysis using bow-tie approach. Reliability Engineering and System Safety, 104, 36–44.
Wierenga, P. C., Lie-A-Huen, L., de Rooij, S. E., Klazinga, N. S., Guchelaar, H.-J., & Smorenburg, S. M. (2009). Application of the Bow-Tie model in medication safety risk analysis. Drug Safety, 32(8), 663–673.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
Appendix A—Cyber Risk Bowtie Model
The model below depicts cyber risk management activities. On the left, the model notes several types of attack or threat vectors. These range from sophisticated, targeted attacks from “Advanced Persistent Threats” (including, but not limited to nation-states), down to a simple technical error, such as improper software updates. The term “insider threats” also represents a broad range of actors—from those with special access and a desire to inflict deliberate harm on an organization to those who unknowingly introduce malware by clicking on the wrong link or plugging a personal smart phone or other device into a USB drive or other port (Fig. 6.3).
Prevention/Protection measures reduce the likelihood of an incident by creating barriers to the malware or other measures that can compromise a system. These include technical measures, policy and training, and physical access controls. Once an incident has occurred, communications, response, and contingency plans reduce the impact of the event and promote rapid recovery. An organization with strong cyber resilience will consider all types of threats, institute both protection and response procedures to reduce risk, and promote a strong culture of cyber security through training, education, and leadership.
Appendix B—Cyber security Roles and Responsibilities
A full discussion of the various cyber security-related authorities and responsibilities within the federal government is beyond the scope of this paper. Broadly speaking, the Department of Homeland Security is primarily responsible for critical infrastructure protection, the Department of Justice is primarily responsible for criminal investigations, while the Department of Defense is responsible for national defense (Table 6.1).
These descriptions are best understood as generalizations. Individual agencies often have their own, unique authorities. For example, within DHS, the U.S. Secret Service has authority to investigate and prosecute certain types of computer fraud and other cyber crimes.
The U.S. Coast Guard, as a member of the Department of Homeland Security, has responsibility to help protect the nation’s maritime critical infrastructure, and to promote safety and security in the MTS. As a member of the U.S. Armed Forces, the Coast Guard works closely with the Department of Defense, including U.S. Cyber Command, in defending the nation. As a law enforcement agency, the Coast Guard has authority to investigate violations of all federal crimes with a maritime nexus (14 U.S.C.). Finally, the Coast Guard is a member of the intelligence community, providing us access to many sources of information that can help us with our mission to protect the American people.
Appendix C—A Cyber Safe Port: A Hypothetical But Hopeful Case Study
As an oil tanker approaches the coast, the Electronic Chart Display and Information System records the ship’s GPS position and automatically signals the engine room to switch to the clean burning fuels required to meet air quality standards for nearshore navigation. The crew on the bridge and in the engine room confirm the signal and monitor the Engine Management System as it controls the sequence of valves and pumps needed to make the switch correctly. The system also sends a report to state authorities and the ship’s owners, including sensor data confirming proper operation.
Thanks to the ability to securely download the latest charts and navigation information while still at sea, the crew and local pilot have the most up to date and accurate information about currents, channel depths, and aids to navigation. The ship enters the harbor safely.
Inside the harbor, the ship approaches a drawbridge that carries thousands of cars and trucks each day. Cyber systems raise the bridge, and have already sent alerts to drivers on the road, minimizing the impact on traffic. The tanker transits through the bridge. Computer-controlled systems on the ship, and on the assisting tug boats, control the engines and rudders, helping the mariners tie up the ship with precision and safety. Cyber systems on the ship, and on the terminal, help manage the transfer of gasoline, heating oil, and aviation fuel from ship to shore. Cyber systems on the terminal control the valves and pumps that distribute the different products to the appropriate storage tanks, providing real-time information on tank levels, product flows, environmental monitoring, and other information needed to run a safe and efficient business.
Meanwhile, a container ship approaches another terminal in the port. Although the ship will unload and load thousands of individual shipping containers, truckers and the terminal have devised a web-based system to schedule individual pickups, avoiding the long backups that previously clogged the local roads. Fully automated systems move the containers from the ship to the waiting trucks. Perishable goods and materials needed for just-in-time manufacturing make it to their destinations on time. Other cyber systems track the exact location of cargo waiting at the terminal to be loaded for export, including hazardous materials. Biometric identification cards are part of the access control system for the facility, as are computer controlled cameras, gates, and communication systems. The tracking and monitoring functions include state-of-the-art authentication and other security features, so that emergency responders, law enforcement agencies, and cargo owners have the information they need while denying criminals and others without a legitimate need to know.
The secure, efficient systems make the port a top choice among shippers. Vessel and facility operators diligently install required software updates, train crew, and employees on good cyber practices, and share information on emerging threats and vulnerabilities. These practices, combined with clear documentation, keep auditors happy and insurance premiums low.
In the Port Authority building, members of the Area Maritime Security Committee are meeting to plan their next security assessment and exercise. The Committee members include the Coast Guard, the FBI, Customs, state and local agencies, and many representatives from the private sector. They consider cyber along with other security risks, and develop contingency plans, conduct exercises, and share lessons learned. The Committee recognizes that despite their best efforts, successful cyber-attacks or simple technical failures at some point are likely. Their plans therefore include manual backups, notification procedures, and recovery plans to minimize the impact of those events. These plans, and the cooperative spirit in which they are made, improve the regions resilience for cyber and other hazards.
The above scenario is hypothetical only in that the technologies described are not widely adopted. Wise cyber risk management practices can help ensure that safety and security go hand in hand with technology.
Rights and permissions
Copyright information
© 2017 Springer International Publishing Switzerland
About this chapter
Cite this chapter
Tucci, A.E. (2017). Cyber Risks in the Marine Transportation System. In: Clark, R., Hakim, S. (eds) Cyber-Physical Security. Protecting Critical Infrastructure, vol 3. Springer, Cham. https://doi.org/10.1007/978-3-319-32824-9_6
Download citation
DOI: https://doi.org/10.1007/978-3-319-32824-9_6
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-32822-5
Online ISBN: 978-3-319-32824-9
eBook Packages: Political Science and International StudiesPolitical Science and International Studies (R0)