Table of contents
Raise the baseline
Deepen stakeholder awareness
Collaborate on cyber risk
A collaborative path forward for cybersecurity in the MTS
When plotting a course on the open ocean, conditions rarely allow a navigator to chart a straight line home. Hazards below the surface of every ocean and the capriciousness of weather systems require a crew to systematically reassess the vessel's position and adjust course to reach its destination safely. Both the captain and the crew are expected to navigate using all means available, a lens that should apply to approaching recommendations to reduce cybersecurity risks for the MTS as a whole: actors within the MTS must be capable of tapping into every available resource.
The approach to maritime cybersecurity must ultimately be holistic; even if every component of the MTS were cyber secure, the interconnection of the subsystems might not result in a secure MTS. Taking the steps necessary to build a secure maritime world will require a better understanding of the cybersecurity-threat landscape, coupled with a segmented view of MTS infrastructure. This will allow developers, policy makers, owners, and regulators to match the best policy levers with particular maritime systems, and achieve better cybersecurity outcomes across the entire MTS.
This report puts forward twelve recommendations, split into three overarching themes, to help better secure all subsystems of the MTS from evolving cyber threats. First, stakeholders operating within the MTS must raise the baseline for cybersecurity across the maritime industry and shipping communities. Knowing is half the battle, and stakeholders must develop a sector-specific cyber risk framework, a global intelligence clearinghouse, and a common cyber-incident threat matrix, while pushing for an active, industry-wide vulnerability disclosure policy.
Second, MTS stakeholders must deepen their understanding of maritime cybersecurity and associated risks by building cross-sector linkages, particularly through new professional and international exchanges between academia, industry, and government. Stakeholders must design MTS cyber-specific educational certifications to support these new workforce initiatives, with the goal of upskilling the industry and attracting talent into a cyber-aware MTS. Developers and the maritime industry must collaborate on eradicating systemic software vulnerabilities from MTS software. Lawmakers and regulators must complement these efforts by ensuring that the MTS receives adequate resources to improve cybersecurity.
Third, executives and high-level stakeholders in the public and private sectors globally must prioritize cybersecurity as part of their broader risk management efforts, leveraging increased security measures and appropriate risk mitigations to help support long-term improvements in cybersecurity. MTS stakeholders should assess risk by relating their cybersecurity maturity to that of other sectors, like energy, better integrating cybersecurity with traditional maritime insurance coverage, and, last, improving cybersecurity proactively through multistakeholder simulations.
The majority of these identified actions build on or integrate existing programs, such as the US Department of Energy-backed Cyber Testing for Resilient Industrial Control Systems (CyTRICS) platform, run across four national labs, and the Department of Transportation (DOT) Maritime Administration (MARAD) 2021 Port Infrastructure Development Program (PIDP). These programs are embedded in broader lines of policy effort and come with well-established relationships, both virtues over starting from scratch.
The maturity and effectiveness of contemporary approaches to cybersecurity in the MTS fail to reflect the vital role the maritime transportation system plays in supporting global commerce, diverse energy systems, and national security. Cyber threats will only continue to metastasize, accelerating both in volume and consequence. Navigating through such disruptive waters requires an all-hands-on-deck approach, both in the United States and beyond, to improve the collective cybersecurity of the MTS.
Figure 12: Recommendation pillars.
Recommendations
Raise the baseline
Given the low baseline for cybersecurity in the MTS, the recommendations in this report focus on elevating the standard of cybersecurity by identifying four key problems that underpin this reality and need attention: a more specific set of cybersecurity guidelines, a clear threat matrix for maritime incidents, more streamlined intelligence sharing, and a codified vulnerability disclosure program. The recommendations in this section, numbered consecutively, seek to address these problems utilizing the points of leverage in the MTS identified in the previous life-cycle sections.
The first problem is how organizations approach security and guidelines for best practices. The IMO, the chief international maritime body, provided cybersecurity guidelines as recently as 2017, which rely heavily on the NIST Cybersecurity Framework's five functions to provide high-level guidance to MTS stakeholders. Despite the IMO's guidelines, varying cybersecurity frameworks are developed and promulgated by both stakeholder organizations and multilateral bodies, such as BIMCO, the American Bureau of Shipping (ABS), and ENISA. Each framework changes and adds crucial elements, yet these modifications unintentionally create a tapestry of frameworks that clash at the operator level. For a sector that is already so complex in nature, with a changing attack surface based on the type, function, and age of a vessel or facility, cyber risk frameworks should not create added confusion.
The second problem is the need for a collective taxonomy of maritime cyber incidents and how those incidents should be logged and reported, as well as defining a minimum standard for which cybersecurity incidents must be reported. Cyber incidents will manifest differently across diverse sectors of the MTS. The present lack of reporting continues to erode the situational awareness that is necessary for law enforcement and incident responders within the USCG to execute their mandate of prevention and response within US territorial waters and other deployment areas. The proclivity for misreporting or underreporting incidents has the potential to result in the widespread compromise of critical MTS systems, which could cascade into the loss and damage of physical infrastructure, goods, and human life. The USCG should be able to accurately assess incoming ships and the ongoing cyber risk landscape of an operational area, but it will depend on an accurate incident log to do so.
The third problem is the need for more streamlined intelligence sharing within the MTS. According to the NMCP, there are more than twenty US federal organizations that have a role in the MTS. Additionally, numerous private, nongovernmental, and international organizations inundate federal organizations with an unsustainable number of intelligence requests; these varied actors are not equally able to dedicate resources to remediation efforts. The ability to promptly share intelligence with pertinent organizations is necessary but presently missing in the MTS.
The final issue is vulnerability disclosures. Vulnerabilities are inevitable; while vendors do not intentionally put vulnerabilities in their products, their continued presence presents a credible risk to the MTS and its critical systems. However, the low prioritization of cybersecurity within the MTS has led to a lax approach to addressing vulnerabilities or known public exploits. Vulnerability disclosure must be prioritized, as the ability to promptly address known flaws is a critical step to making any ecosystem more secure.
1. Drive a sector-specific cybersecurity framework with low barriers to implementation
The US government must continue and expand its role as a driver for safety guidelines within the MTS. Led by NIST, new cybersecurity framework profiles, based on the existing NIST Cybersecurity Framework, should focus on developing subsector-specific guidelines and best practices for key players within the MTS that can be supported by international entities like BIMCO, ICS, and the IMO, as well as be widely adopted by industry actors.
- Building on the existing partnership between NIST and the MITRE Corporation, NIST, in partnership with key private-sector stakeholders, should develop industry-focused cybersecurity framework profiles tailored to address the risks and needs of specific subsystems of the MTS, prioritizing key commercial and energy terminals, major shipping liners, and port systems.
- Led by the USCG and State Department, these profiles should be promoted to and advocated for with international partners like the EU's ENISA, as well as key international organizations such as BIMCO, ICS, and the IMO. Specifically, the United States should use the inclusion of the NIST framework in IMO 2021 to push for international uniformity along a similar framework.
2. Define a threat matrix of maritime cyber incidents
As the established incident responder within the MTS, the USCG should design a threat matrix of MTS-specific cyber incidents. This matrix should be developed in partnership with the MTS, information sharing and analysis centers (ISACs), and key insurance entities, and be accessible and usable by regulatory bodies, incident responders, and insurers to identify, assess, and log cyber vulnerabilities in individual vessels and facilities across the MTS.
- Captains of US ports should establish cross-sector working groups in their individual operational regions to develop a unified threat matrix and taxonomy of incidents, and use this information to develop a new form, such as form 2692 (Report of Marine Casualty, or OCS-related Casualty), on which operators can immediately map newly detected cybersecurity risks, vulnerabilities, and incidents to the threat matrix. Specifically, this process needs to involve key players in the insurance industry, as their frequent inspections provide them with the most comprehensive data and analytic capability on risks facing the MTS.
- The USCG, led by the Commandant's Office and supported by DHS and the Office of the National Cyber Director, should leverage its position within the international maritime community to push this new threat matrix and taxonomy of maritime cyber incidents to the international maritime community through the IMO, specifically targeting critical trade regions and waterways, such as the Panama Canal Authority or Suez Canal Authority, that would benefit the most from such an incident matrix when it comes to systemic risk reduction.
3. Create a global clearinghouse for MTS intelligence
To facilitate information sharing and prevent intelligence blockages across the global MTS, the USCG must establish a clearinghouse that can actively declassify MTS-relevant cyber-threat intelligence and provide global alerts to requisite stakeholders across the private sector and internationally.
- With resources and operational support from the intelligence community, DHS, in collaboration with the USCG, should promote the bilateral declassification and release of MTS cyber-threat intelligence and vulnerabilities as alerts, modeled after those of DHS CISA's rumor-control online resources for 2020 election security.
- Using its captains of the port, and in conjunction with DOT, DOE, and DHS, the USCG should establish dialogue sessions focusing on clear communication channels, deconflicting roles, and streamlining collection functions across nongovernmental organizations (ISACs and ISAOs) and private companies engaged in MTS cyber-threat intelligence collection.
- Internationally, the State Department, the USCG, and DHS should individually look to engage with US allies, neighbors, and major trading partners, with the intent of creating deeper relations on information collection and sharing within the MTS. This should be explored with key maritime strategic partners such as Australia, the United Kingdom, Japan, Singapore, and the Netherlands.
4. Push an industry-wide, transparent vulnerability disclosure policy
The MTS, supported by the US government, should push a policy of transparency and openness around vulnerability disclosures. The business stakeholders and regulatory authorities, such as shipping liners and class societies within the MTS, should work together and coordinate in encouraging software providers to follow a ninety-day disclosure policy or another mutually agreed-upon window.
- Led by business stakeholders and regulatory bodies, this policy will affect all vendors looking to provide systems to the MTS, whether for logistics, navigation, communication, or OT processes such as the conveyance of oil and natural gas. To minimize potential risk, vendors should be expected to provide alternate solutions for patching when other conditions prevent normal updates.
- Internationally, US representatives to the IMO should propose the creation of an IMO-housed, industry-led disclosure body that can both independently identify, and be externally notified of, vulnerabilities in MTS-specific software.
Deepen stakeholder awareness
The next set of recommendations focuses on the need to deepen understanding of maritime cybersecurity and its associated risks, and to bring attention to the best practices and workforce development needed for mitigating these risks across the MTS. Despite the trend of increasing cyberattacks targeting the maritime community, the MTS still lags when it comes to education and training related to cybersecurity. To promote a deeper understanding of cybersecurity in the MTS, the recommendations in this section strive to address three key problems: the need for more cross-sector collaboration and knowledge exchange, the lack of maritime cyber education and training programs in the MTS, and the need for additional funding to secure the MTS.
Part of the problem in the MTS has been a lack of understanding of stakeholder perspectives, with vessel operators unaware of vendor challenges, vendors unaware of the mindset of vessel operators, and regulators frequently prescribing unachievable targets due to a lack of visibility into the industry. For an interconnected industry like the MTS, it is challenging to holistically secure the ecosystem if stakeholders do not understand the needs and perspectives of other, distinct actors. Existing programs such as the USCG's Marine Industry Training Program, which offers its personnel "internships with maritime industry organizations and other regulatory agencies" for up to a year, are a step in the right direction. Yet, the MTS needs a more robust program, with the goal of instilling a culture of effective risk awareness, assessment, and management by encouraging exchanges between government, business, and academia to learn from one another's cybersecurity experiences.
The second key problem is the deficit in training and education around cyber risk in the MTS. Many of the vulnerabilities in the MTS exist because of a lack of knowledge of basic cyber hygiene. Beyond the insufficient general cybersecurity knowledge across the MTS, there is also insufficient, albeit growing, maritime cybersecurity knowledge in the incident-response community. There is a pressing need to create a cybersecurity-capable workforce, ensuring cyber literacy among the next generation of mariners and operators.
Last, more funding within the MTS is needed to support an increased focus on cybersecurity risk mitigation, especially within the USCG given its leading role in protecting US maritime assets. As the cyber-threat landscape continues to expand and more incidents warrant governmental intervention, additional support, personnel, and education will be required. The NMCP outlines a major push for a maritime cybersecurity workforce, which echoes the objectives outlined in the USCG's internal strategy documents to ensure that it develops a capacity to deal with MTS cyber issues. However, should the MTS threat landscape continue to grow in proportions and relative scale, the system will quickly find itself short-handed, overburdened, and exhausted by incidents. While the multistakeholder nature of the MTS allows for greater involvement of private and nongovernmental actors in incident response, this may not be sufficient to adequately address significant cyber incidents.
5. Expand cross-sector collaboration through academia, industry, and government
Key US government organizations involved in the MTS (specifically, DOT, DOE, DHS, and USCG) should build upon such initiatives as the USCG's Marine Industry Training Program and Idaho National Laboratory's OT Defender Fellowship by bringing over key elements, including the exchange processes and the grant structure, from the United Kingdom's comparable Knowledge Transfer Partnership program. This action can serve not only to increase the impact and scope of personnel transfers through the expansion of these programs, but also to lay out a road map for a more collaborative grant-making process that can help facilitate the scaling of these programs. Once established, these US government organizations, in partnership with the private sector, should work to expand OT Defender and the Marine Industry Training Program to include key partner states such as Australia, the United Kingdom, Japan, Singapore, and the Netherlands.
6. Supply maritime cyber education and certifications
In coordination with cybersecurity training and academic institutions, the USCG and DOT, supported by DHS and DOE, should commission curricula and industry-recognized certifications for MTS-specific OT and IT systems.
- This task force must prioritize developing educational modules, recognized by the IMO and International Class Societies and designed in consultation with system developers, which can allow existing members of either the MTS or the cybersecurity industry to upskill and move laterally between the two industries.
- Led by the USCG and MARAD, this task force must share this basic MTS cybersecurity-education road map with maritime and merchant marine academies within the United States and among strategic partners, outlining a basic course structure that academies can plausibly incorporate into their existing curricula.
- The State Department should propose a minimum requirement of cybersecurity training for crew interacting with OT/IT and IoT systems as an amendment to the IMO's International Convention on Standards of Training, Certification, and Watchkeeping for Seafarers (STCW).
7. Keep the MTS stocked: Addressing the resource question
The White House must commit to identifying new funding for DHS that can be directed to the USCG's increased participation in protecting against and responding to cybersecurity incidents specific to the MTS.
- Presently, the USCG earmarks approximately 10 percent, or $32.68 million, of its annual budget to cybersecurity. A 20-percent funding increase toward the USCG's activities, specifically tagged for cyber-enabling operations, cyber operations and training, maritime-sector cybersecurity engagement, and cyber security and defenses, should be considered. This increase should be coupled with top-line relief for the USCG's whole budget, so that specific funding increases can actually be spent where they are intended instead of being repurposed for other projects.
- The USCG should use funding earmarked for maritime-sector cybersecurity engagement to expand its programs focused on working with private-sector and weak-state partners, to help support and facilitate a larger ecosystem shift toward more sustainable cybersecurity practices, and to execute the various other activities outlined here as appropriate.
- Taking a page from the proposed National Cyber Reservist Force, the USCG and DHS should support the creation of a network of former cybersecurity and MTS specialists that can find employment opportunities within MTS stakeholders' firms, especially those lacking strong cybersecurity, to help raise the baseline for the ecosystem.
Collaborate on cyber risk
The final set of recommendations encourages MTS stakeholders to leverage every opportunity to increase awareness of the cyber risks present within the sector and to prioritize, both in funding and in action, the mitigation of threats. To help push for and incentivize more prioritization of cyber risk and cyber risk mitigation in the MTS, the recommendations in this section strive to address five key problems: the pressing need to better secure critical energy network OT systems; the concentrated cyber risk that is present in ports; the current role of cyber insurance in the MTS; the lack of coordinated programs focusing on forecasting future cyber threats to the MTS; and, last, an industry-wide push toward more fundamentally secure development practices.
First, there is a pressing need to better protect ICS and OT systems for energy networks within the MTS. ONG infrastructure is highly automated, and pipeline operators, terminal owners, and utilities alike rely on ICS products for monitoring and/or remote control. As ports modernize, all manner of vessels become more digitally dependent, and as offshore energy production (for example, oil rigs, wind turbines) turns increasingly to automated controls, the systems that undergird critical functions and processes are highly desirable and increasingly accessible targets to cyber adversaries. Critical systems throughout the MTS are vulnerable to potential exploitation, but the stakes are especially high for MTS energy networks.
Second, the MTS must do more to protect ports. Ports, in many ways, are the most important part of the MTS, as they represent the point of synthesis where most players overlap. This synthesis results in a significant concentration of cyber risk. There is precedent for ports to quickly adapt security measures to emerging threats: after 9/11, there was a serious and effective push to increase physical security that remains necessary and in place to this day. The cybersecurity threats to port operations, particularly those that play critical roles in global trade and the mobilization of military forces, suggest a similar adaptation is required in the way the port industry thinks about security.
Third, there is a lack of comprehensive and well-aligned insurance coverage for owners and operators in the MTS. Cyber insurance has emerged as a major product for insurance firms; a 2019 Lloyd's report placed the potential total of premiums from cyber insurance near $25 billion by 2024. Yet, simply having cyber insurance neither prevents nor protects an entity from cyberattacks. In the aftermath of NotPetya, insurers informed victim organizations that they considered the attack to be an act of war, and, consequently, had negated their coverage. In recent years, the broader industry has seen cyber insurance and the pricing of insurance premiums emerge as a new lever to encourage adoption of better cybersecurity practices. However, cyber insurance can also have the unintended consequence of discouraging organizations from investing in cybersecurity once they consider themselves covered. The focus on physical security and safety in existing maritime insurance plans further complicates cyber insurance for the maritime sector. Reworking these policies to include more holistic cybersecurity provisions, without discouraging investment, will be a tricky line to toe. For the MTS, this adaptation is vital, as it has developed a complex web of liability and responsibility between insurers, owners, operators, crews, and ship masters.
Next, the MTS should adopt a proactive approach to addressing and responding to emerging cyber threats. The MTS has long been structured to work for a just-in-time supply model, where production and consequently supply revolve around customers' stated needs, rather than a broader and anticipatory just-in-case model that would protect the system. The current mentality is not geared to cybersecurity, as the cyber threat landscape evolves on an almost daily basis. While MTS stakeholders are beginning to prioritize cyber risk in the present, they must keep a keen eye on the threats and vulnerabilities that may lie beyond the horizon.
The final key problem is the lack of knowledge and transparency around the cybersecurity of core maritime systems. As the global stakeholders within the MTS continue their efforts to increase automation, improve efficiency, lower costs, and adjust to an increasingly digital world, they will be increasingly reliant on software to monitor, calculate, and execute critical tasks aboard a vessel. However, the security of these systems, and the maturity of the acquisition process that purchases these systems, does not match their criticality. System vendors exist in an ecosystem apart from the MTS and prioritize time to market, profit, and efficiency over security. As long as these attributes are deemed necessary for market competitiveness and valued over cybersecurity, the MTS will remain at a disadvantage before the battle begins.
8. Prioritize better OT security for global maritime energy networks
DOE CESER and FERC, in close partnership with key private-sector coordination groups such as the ONG-ISAC and the Electricity ISAC (E-ISAC), should use the specter of mandatory NERC CIP standards, potentially enforceable by audits and fines for noncompliance, to drive more effective self-regulation on the security of port, shipping, and cruise systems and so improve the cybersecurity posture of energy and related MTS systems. Standards should be implemented in close partnership with key private-sector actors to prevent excessively restrictive standards; enabling these actors to make the right decisions for the right reasons without unnecessary cost is key.
- Starting with an ONG-ISAC-led review of the most relevant policies surrounding system cybersecurity within DOE, DHS, and DOD, and in consultation with the national labs, industry should work to define standards for rapidly testing and deploying patches, updates, and new hardware to mitigate cybersecurity risk in mixed IT/OT deployments for semipermanent and mobile assets, especially those operating in high-traffic areas.
- CESER and CISA should work with the largest actors in the private sector to mandate, or at least promote, governance-structure updates for the MTS, including the creation of a senior security and resilience position (vice president or higher) where such a position does not currently exist within private-sector entities. This type of position should have purview over IT and OT systems, as well as cyber and physical security, and report regularly to the chief executive officer and board of directors or equivalent.
9. Move past “guns, gates, and guards” toward cyber risk assessment and management
Through current DHS and USCG efforts led by the captains of the port function, additional funding should be identified and either allocated to FEMA's Port Security Grant Program (PSGP) and DOT MARAD's Port Infrastructure Development Program (PIDP) or earmarked to develop a dedicated port cybersecurity-improvement grant managed by MARAD. This funding should be used to expand this work, with a specific focus on dedicated grants and funding for cybersecurity assessments and developments.
- Additionally, DHS should adapt the model deployed after 9/11 to provide more stringent requirements for cybersecurity-improvement grants, aiding the state public administrators who facilitate these federal grants. DHS should also encourage ports to take the initiative to improve their own cybersecurity, as the Port of Los Angeles has done in collaboration with IBM. However, in this process, DHS and the USCG must be willing to be strict supervisors, and invite private-sector risk assessors to critically evaluate improvements, thereby ensuring improvements comply with a broader security vision for the MTS.
- Internationally, port operators should be encouraged by the USCG to expand their existing, and create new, international sister-port partnerships that focus on operational cybersecurity best practices. International companies should be encouraged to weigh the security advantages of collaboration on maritime cybersecurity by engaging with two sister ports.
10. Make cybersecurity a core component of conventional maritime insurance
Following the example of the automotive industry in recent years, insurers should push maritime clients to achieve and maintain stronger cybersecurity postures, in line with the guidelines put forth by NIST and the IMO, in exchange for premiums that reflect a commensurate level of risk reduction. Premium pricing should be benchmarked to recognize and reward those who make incremental investments toward stronger and more holistic cybersecurity practices.
- DOT MARAD's Office of Safety should implement regulations requiring ships to possess insurance that requires mature levels of cybersecurity coverage. This can be enforced by the USCG and DHS Customs and Border Protection.
- Insurance companies dealing with cyber and maritime insurance should be encouraged to partner with research institutions like think tanks and the national labs to conduct long-term studies in this area to better address these emerging issues of potential financial risk.
11. Plan and simulate for future cyber challenges
The US government should utilize existing intelligence and military alliances, such as the Quadrilateral Security Dialogue (involving the United States, Japan, India, and Australia), NATO, and the Five Eyes intelligence alliance, to host international, live maritime cybersecurity-focused exercises that heavily feature private-sector participation. While exercises already exist that focus on known vulnerabilities and perceivable threats, these efforts should be built upon and expanded to include technology vendors, shipping liners, and port operators. These organizations would benefit from annual exercises forecasting risks to the MTS, and, in turn, their increased readiness will help increase the resilience of the broader ecosystem. There are two distinct models that should be developed.
- Led by the USCG, key stakeholders within the global MTS should come together to participate in a series of tabletop exercises focused on identification, mitigation, and response to emerging cyber threats to the MTS. The program should be built upon the USCG's Project Evergreen Strategic Foresight Initiative and include both elements and stakeholders from the E-ISAC's annual GridEx exercise.
- Building upon the Army Cyber Institute's Jack Voltaic program community and NATO Locked Shields, the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) should develop an international, integrated, live exercise that allows stakeholders in the MTS to practice incident response and collaboration in real time. The program should be expanded to explicitly focus on incident detection and response for ships, ports, and cargo transport operations while at sea and at rest under live conditions with allies.
12. Push the MTS toward secure development
Led by the International Chamber of Shipping, operators within the MTS should look to establish a solution-oriented dialogue with key global maritime manufacturers and software vendors to design a more secure software-development life-cycle management process for the industry. A push by MTS stakeholders can subsequently be coupled with government efforts, led by DHS CISA, that are being considered in the wake of the Sunburst campaign. Internally, MTS businesses should be encouraged to improve their acquisition processes to require penetration testing and cyber-vulnerability assessments of technical products.
- The MTS must work directly with entities within the US government to develop and leverage common risk-assessment processes to rigorously and proactively assess MTS system providers. Efforts must be undertaken to shift from security that is operational by intent to products that are secure by design. The MTS is continually evolving into a more connected ecosystem, yet, until that happens, vessel- and port-based products must be secure. Secure design must be the goal, and the FASC is the body best positioned to advance this effort. Internationally, the United States—led by the State Department and key private-sector stakeholders—can work to build and petition the inclusion of these secure-by-design recommendations into a new set of cybersecurity guidelines released by the International Maritime Organization (IMO) to its members, like IMO 2021.
- In an effort led by the US Department of Commerce's (DOC) National Telecommunications and Information Administration (NTIA), new products coming into the MTS should be required to provide a "software bill of materials (SBOM), a formal record containing the details and supply-chain relationships of the various components used in building software." This information provides users insight into their true exposure to software supply-chain vulnerabilities and attacks, and allows operators to respond to new threats and attacks more rapidly.
- The DOE, in partnership with the DOE national laboratories and key stakeholders in industry, should push key maritime system manufacturers to buy into the DOE's Cyber Testing for Resilient Industrial Control Systems (CyTRICS) program to focus on assessing and protecting core OT systems for the maritime domain. The program will help support cyber vulnerability testing for key systems and provide a process for sharing "findings with manufacturers to develop mitigations and alert industry stakeholders using impacted components so they can address flagged issues in their deployed systems."
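The SBOM recommendation above rests on one operational claim: with a component inventory and its dependency relationships in hand, an operator can answer "are we exposed to this advisory?" in minutes rather than by auditing each device. The following Python is an added illustration of that workflow and is not code from the report, NTIA, or any vendor. The SBOM is written in a CycloneDX-like JSON shape, but the product ("ecdis-app"), its components, versions, and the advisory identifier are all constructed placeholders; it resolves transitive dependencies, so an affected library pulled in through an intermediate component is still reported with the chain that leads to it.

```python
"""Cross-reference a software bill of materials (SBOM) against an advisory.

Added illustration only. The SBOM, the advisory and every component name and
version below are constructed for this example; none describe a real product.
"""
import json

# Constructed SBOM in a CycloneDX-like shape: a root product, a flat component
# list, and a dependency graph keyed by "bom-ref". Values are made up.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"bom-ref": "ecdis-app", "name": "ecdis-app", "version": "4.2.0"}},
  "components": [
    {"bom-ref": "chart-render", "name": "chart-render", "version": "2.1.3"},
    {"bom-ref": "nmea-parse",   "name": "nmea-parse",   "version": "0.9.1"},
    {"bom-ref": "libxml",       "name": "libxml",       "version": "2.9.4"},
    {"bom-ref": "tls-lib",      "name": "tls-lib",      "version": "3.0.8"}
  ],
  "dependencies": [
    {"ref": "ecdis-app",    "dependsOn": ["chart-render", "nmea-parse", "tls-lib"]},
    {"ref": "chart-render", "dependsOn": ["libxml"]},
    {"ref": "nmea-parse",   "dependsOn": []},
    {"ref": "libxml",       "dependsOn": []},
    {"ref": "tls-lib",      "dependsOn": []}
  ]
}
"""

# Constructed advisory: component name -> affected versions. The identifier is
# a placeholder, not a real CVE or vendor advisory number.
ADVISORY = {
    "id": "ADVISORY-PLACEHOLDER-001",
    "affected": {"libxml": ["2.9.0", "2.9.4"]},
}


def parse_sbom(text):
    """Return (components, deps, root_ref).

    components: {bom-ref: (name, version)} including the root product.
    deps:       {bom-ref: [bom-refs it depends on]}.
    """
    doc = json.loads(text)
    root = doc["metadata"]["component"]
    components = {root["bom-ref"]: (root["name"], root["version"])}
    for c in doc["components"]:
        components[c["bom-ref"]] = (c["name"], c["version"])
    deps = {d["ref"]: list(d.get("dependsOn", [])) for d in doc["dependencies"]}
    return components, deps, root["bom-ref"]


def directly_affected(components, advisory):
    """Set of bom-refs whose (name, version) pair is listed in the advisory."""
    return {
        ref
        for ref, (name, version) in components.items()
        if version in advisory["affected"].get(name, [])
    }


def exposure_paths(sbom_text, advisory):
    """Map each affected bom-ref to the dependency chain from the root product.

    A component two levels down (root -> chart-render -> libxml) is still
    reported, which is the point of recording supply-chain relationships in
    the SBOM rather than only a flat list of names.
    """
    components, deps, root = parse_sbom(sbom_text)
    hits = directly_affected(components, advisory)
    paths = {}

    def walk(ref, path, seen):
        if ref in seen:          # guard against cycles in a malformed graph
            return
        path = path + [ref]
        if ref in hits and ref not in paths:
            paths[ref] = path    # keep the first chain found
        for child in deps.get(ref, []):
            walk(child, path, seen | {ref})

    walk(root, [], frozenset())
    return paths


if __name__ == "__main__":
    for ref, chain in exposure_paths(SBOM_JSON, ADVISORY).items():
        print(f"{ADVISORY['id']}: {ref} reachable via {' -> '.join(chain)}")
```

The same lookup run against a fleet-wide collection of SBOMs is what turns an advisory into a list of specific vessels and port systems to patch; without the SBOM the operator has to ask each vendor whether the affected library is present at all.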
Conclusion
The MTS is sailing into churning waters and needs all-hands-on-deck readiness to guide it through cyber threats and into safe harbor. The United States has recognized the threats adversaries pose to the MTS, but it cannot address the challenge alone. A diverse set of stakeholders across the MTS must work together to mitigate maritime cyber risk.
This report works to provide an entry point for all parties within the MTS by building a cohesive picture of key life cycles within the MTS, as well as highlighting significant cybersecurity risks. Misunderstanding or underestimating the maritime cybersecurity risk landscape has real consequences for the integrity of global trade and energy markets. Everyone depends on moving resources across oceans; everyone is a stakeholder.
The MTS is changing, and with that change comes a rough set of challenges. This report's recommendations can act as an engagement plan to complement existing maritime industry and policy efforts. These efforts must open dialogue among a diverse set of industry and allied stakeholders to protect national- and economic-security interests.
Port and transport operators must move forward in the interconnected and data-rich world of the twenty-first century to better serve clients and maintain operational excellence. Yet doing so brings increased reliance on OT and IT systems that expand attack surfaces within the maritime environment, and injects new vulnerabilities for which remedies remain insufficient.
By raising the baseline for cybersecurity, deepening stakeholder awareness, and folding cybersecurity into its understanding of risk, MTS stakeholders can improve their security postures and bolster safeguards to the MTS's core role in global trade and energy.
Collaboration is key in the MTS—across the private and public sectors, within academia, and among governments the world over—to understand complex problems, better prepare for the future, and implement solutions to these pressing challenges.
Acknowledgments
This project would not have been possible without the support of Idaho National Laboratory and the Department of Energy. Specifically, the authors would like to thank Virginia Wright, Geri Elizondo, Andrew Bochman, Tim Conway, Frederick Ferrer, Rob Pate, Sean Plankey, Nick Anderson, and Puesh Kumar.
Thank you to the staff and researchers who supported this project from its inception, including Trey Herr, Madison Lockett, and Emma Schroeder. Thank you to Nancy Messieh and Andrea Ratiu for their support in managing the digital design and web interactivity of this report, and to Donald Partyka for designing the report's graphics. For their peer review, the authors thank Alex Soukhanov, Suzanne Lemieux, and Marco Ayala.
Thank you to the participants of the various workshops held over the past year for feedback on this effort and to the numerous individuals who shared their insights and expertise with the authors during that time.
Disclaimer
This material is based upon work supported by the U.S. Department of Energy through the Idaho National Laboratory, Contract Number 241758. This report was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor any agency thereof, nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise does not necessarily imply its endorsement, recommendation, or favoring by the United States Government or any agency thereof. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or any agency thereof.
Author biographies
William Loomis is an assistant director with the Atlantic Council's Cyber Statecraft Initiative within the Scowcroft Center for Strategy and Security. In this role, he manages a wide range of projects at the intersection of geopolitics and national security with cyberspace, with a focus on software supply-chain security and maritime cybersecurity. Prior to joining the Atlantic Council, he worked on market research and strategy at an emerging technology start-up in Madrid, Spain. He is also a certified Bourbon Steward.
Virpratap Vikram Singh is an adviser with the Atlantic Council's Cyber Statecraft Initiative within the Scowcroft Center for Strategy and Security. He is the Cyber and Digital Fellow for the Saving Cyberspace Project at Columbia University's School of International and Public Affairs, supporting research and programming pertaining to cyber conflict and cybersecurity policy. Over the last two years, he has designed and authored multiple scenarios for the Initiative's Cyber 9/12 Strategy Challenges in New York, Austin, and Washington D.C. Previously, he worked as the Digital Media and Content Manager for Gateway House, a foreign policy think tank in Mumbai. He holds a Master in International Affairs (International Security Policy) from Columbia University's School of International and Public Affairs and a BA in Liberal Arts (Media Studies and International Relations) from the Symbiosis School for Liberal Arts.
Gary C. Kessler, PhD, CISSP, is a nonresident senior fellow with the Atlantic Council's Cyber Statecraft Initiative. He is president of Gary Kessler Associates, a consulting, research, and training company located in Ormond Beach, Florida, and a principal adviser at Fathom5, a maritime digital services company headquartered in Austin, TX. He has been in the information security field for more than 40 years. Gary is the co-author of "Maritime Cybersecurity: A Guide for Leaders and Managers," as well as more than 75 other papers, articles, books, and book chapters about information security, digital forensics, and technology. He has been a speaker at national and international conferences for nearly 30 years.
Xavier Bellekens is a nonresident senior fellow with the Atlantic Council's Cyber Statecraft Initiative within the Scowcroft Center for Strategy and Security. He is the chief executive officer of Lupovis Defence, and previously worked as an Assistant Professor and Chancellor's Fellow in the Institute for Signals, Sensors and Communications with the Department of Electronic and Electrical Engineering at the University of Strathclyde, Scotland. His experience spans from cyber-defence, deception, deterrence and attribution of cyber-threats in critical infrastructures to cyber-situational awareness, cyber psychology and cyber-diplomacy.
Explore the full report
These recommendations are part of a larger body of content encompassing the entirety of Raising the colors: Signaling for cooperation on maritime cybersecurity; the full report is available online.
The Atlantic Council's Cyber Statecraft Initiative, within the Scowcroft Center for Strategy and Security, works at the intersection of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.