A cyber attack on a seaport in the United States, even if it causes minimal disruption to the flow of goods, could have major negative impacts on the economy yet ports haven’t done much to protect themselves from cyber threats, a Coast Guard official warns in a new paper published by the Brookings Institution.
“The potential consequences of even a minimal disruption of the flow of goods in U.S. ports would be high,” Cmdr. Joseph Kramek, who is serving as a fellow at Brookings, writes in his study, The Critical Infrastructure Gap: U.S. Port Facilities and Cyber Vulnerabilities. “The zero-inventory, just-in-time delivery system that sustains the flow of U.S. commerce would grind to a halt in a matter of days; shelves at grocery stores and gas tanks at service stations would run empty.”
Kramek points out that more than 95 percent of goods traded by the U.S. are handled by seaports.
Moreover, writes Kramek, there are no cyber security standards for ports and the Coast Guard, which is the lead federal agency for maritime security, has no cyber security authorities to regulate maritime critical infrastructure.
Kramek also warns that “research shows that the level of cybersecurity awareness and culture in U.S. port facilities is relatively low,” adding that basic security measures aren’t in place and of the six ports he studied just one had done a vulnerability assessment and none had an incident response plan. On the other hand, none of the ports studied for the report had suffered “a disruptive cyber attack,” he says.
Kramek notes that ports are no different from other sectors in the economy in that they rely heavily on networked computer and control systems for their operations. Most municipal ports are “landlord ports,” which means the terminals are leased out to private entities, but the landlords typically don’t know what networks their tenants are managing and have “almost now awareness of what, if any, cybersecurity measures are being taken to protect these systems,” he says.
In the post-9/11 era seaports have received federal security grants through a Department of Homeland Security program called the Port Security Grant Program (PSGP). Kramek points out that cyber security is not “expressly” listed as a criterion for project funding, and while ports can apply for cyber-related funding, he says they have not bee incentivized to do so.
Of the $2.6 billion in port security grants awarded in the past 10 years, less than $6 million, which is less than 1 percent, has gone toward cyber security projects, Kramek says. Of these funds, only one port has used them for a cyber security project, he adds.
Security grant funding typically goes toward physical security measures, which is where regulatory authorities are focused, Kramek says.
“Ironically, a large number of security systems purchased with PSGP monies are networked into port command centers, making them more vulnerable to cyber attacks,” Kramek says.
Despite the relative passivity toward cyber security, Kramek says the steps that can be taken to boost the network security of ports are simple and available, such as incentivizing the PSGP program to fund these security projects.
For his research, Kramek studied six U.S. ports in Baltimore, Md., Beaumont and Houston, Texas, Los Angeles and Long Beach, Calif., and Vicksburg, Miss. Kramek provides a list of recommendations for Congress, DHS, the Coast Guard and ports to boost cyber security at the ports, including among others the need for vulnerability assessments and incident response plans, authorizing PSGP grant, and providing the Coast Guard with authority to enforce cyber security standards for maritime critical infrastructure.