Your organization probably depends on waterway shipping, maybe more than you realize. According to the American Association of Port Authorities, each American state relies on at least 15 seaports to handle its imports and exports. As of 2016, these ports handle more than $3.8 billion worth of goods each day. Since EHS managers are increasingly responsible for the safe intake and shipping of materials and products, they’re wise to learn about the challenges that face what is still the most prominent shipping conduit.
Today, one of those challenges is the threat of cyber-attacks. The U.S. Coast Guard (USCG) is now forming guidelines to help marine facilities protect themselves and asking for industry recommendations toward that goal. Findlay All Hazards’ Maritime Security group wants to help make the EHS community aware of this effort, and help EHS managers understand their connections to domestic and international waterways.
Waterfronts these days look nothing like those of even two generations ago. Cargo receivers no longer off-load wooden boxes of bananas by hand, one at a time. Huge shipping containers now move millions of tons of goods across the world, directed by computer systems. These systems run the access controls, direct the cranes and heavy equipment, and allow shippers and receivers to communicate with partners in rail, highway, pipeline, and up and down the supply chain. The ‘vessel’ is no longer defined as just a ship, but as a vast network of computer systems. And as such, the vessel is now as much a target for cyber criminals as any other extensive online network.
Statistics on the number of cyber-attacks on domestic marine terminals’ computer networks are not available from U.S. law enforcement. But Findlay’s Maritime experts have received reports from their security services and training clients that the threat is growing. This reflects a distressing trend in all industries. IBM’s Managed Security Services reports that attacks targeting industrial control systems alone increased more than 110 percent in 2016 over the previous year.
The maritime industry received a wake-up call about cyber threats when news reports circulated about cyber-attacks at the Port of Antwerp, the second largest port in Europe, between 2011 and 2013. During this period, a malware attack allowed narcotics traffickers to manipulate movement of containers through the port. When this security breach was discovered and safeguards installed, a second attack was initiated. This time, the drug traffickers broke into the physical location of the port server, installing key-logging devices. The traffickers then had wireless access to information typed by staff as well as screen shots from monitors.
Since its inception, the U.S. Coast Guard has worked to adapt to the changing technologies of the industries that it serves. Today, as the cyber threat becomes a more critical issue, the Coast Guard is focusing more resources toward this issue. USCG recognizes that the cyber threat is among the top risks to the U.S. Marine Transportation System.
To help industry deal with this threat, the Coast Guard has issued a draft policy document for marine facilities subject to the Maritime Transportation Security Act of 2002 (MTSA). Navigation and Vessel Inspection Circular (NVIC) 05-17: Guidelines for Addressing Cyber Risks at MTSA Regulated Facilities was written to assist marine facilities in analyzing vulnerabilities within computer networks in their Facility Security Assessments. The draft also provides guidance and recommended practices for MTSA regulated facilities to address cyber-related vulnerabilities. It uses the NIST Cyber Security Framework to “implement a cyber risk management program, to include establishment of a cyber risk management team, policies, programs, and identification of critical systems.”
Drafts like this one give the industry the chance to comment on the Coast Guard’s ideas, before a final document on the subject is issued. The Coast Guard takes the comment process very seriously and frequently quotes extensively from the remarks they receive in the preambles to regulations, explaining how the comments shaped the final issue. If you would like to review the draft NVIC, download the PDF from Findlay All Hazards here. A link for comments is also provided on that page. The Coast Guard will accept comments until September 11, 2017.