President Biden on Tuesday directed the Department of Homeland Security to impose new cybersecurity requirements on owners and operators of maritime infrastructure in the U.S. to further strengthen the nation’s cyber posture and the supply chain.
Biden’s executive order gives the Coast Guard authority to respond to cybersecurity threats in U.S. ports to include requiring facilities to close gaps and vulnerabilities, control the movement of vessels that may present a cyber threat, and enable the service’s commandant to prescribe measures to rectify a real or potential incident.
In addition to requiring maritime infrastructure and vessel operators to bolster their cyber posture, the directive, Amending Regulations Relating to the Safeguarding of Vessels, Harbors, Ports, and Waterfront Facilities of the United States, also requires mandatory cyber incident reporting.
Also, given ongoing threats from China to U.S. critical infrastructure, the Coast Guard on Wednesday issued a maritime security directive imposing cybersecurity requirements on owners and operators of Chinese-made ship-to-shore cranes installed in U.S. ports. The specifics of the security directive are considered sensitive and will not be publicly released, Rear Adm. John “Jay” Vann, commander, Coast Guard Cyber Command, told reporters on Tuesday evening.
Vann highlighted that Chinese-built ship-to-shore cranes account for nearly 80 percent of the installed based in U.S. ports and that Coast Guard captains of the port will work with owners and operators on the security directive and verify compliance. There are more than 200 Chinese made cranes at U.S. ports and regulated facilities and Coast Guard Cyber Protection Teams have examined 92 of those for malicious cyber activity, he said.
The U.S. also plans to invest $20 billion over the next five years in U.S. port infrastructure, Anne Neuberger, deputy national security advisor for cyber and emerging technologies, said during the media call. She also said that PACECO Corp., a U.S. subsidiary of Japan’s Mitsui E&S Machinery Co., is “planning to onshore domestic manufacturing capacity for American crane production for the first time in 30 years, pending final site and partner selection.”
The Coast Guard this week will also issue a draft regulation outlining minimum cybersecurity requirements to the nation’s maritime transportation system (MTS), which includes ports and waterways that facilitate more than $5.4 trillion in annual economic activity. The Notice of Proposed Rulemaking, to be published in the Federal Register, would apply to all regulated MTS entities, Vann said.
The draft regulations “are primarily based on the Cybersecurity and Infrastructure Security Agency’s cross-sector cybersecurity performance goals, which the maritime industry should already be familiar with,” he said. The rulemaking process gives all stakeholders an opportunity to give feedback on the baseline cybersecurity requirements. Comments will be accepted through April 22.
The new regulations follow cybersecurity requirements issued by the Transportation Security Administration nearly three years ago after a ransomware attack forced a major East Coast petroleum pipeline operator to pause operations. That temporary shutdown of a component of U.S. critical infrastructure led TSA to mandate cybersecurity best practices and incident reporting requirements, and other measures, for U.S. pipeline operators.
TSA later issued similar requirements to passenger and freight railroad carriers, and airport and aircraft operators.