Georgia’s Port of Savannah is one of the fastest-growing container terminals in the country. Between 2020 and 2021, its total container trade expanded by nearly 20 percent, generating more than $100 billion in sales and shipping for companies as diverse as Target, IKEA, International Paper, and Gulfstream Aerospace. But a single cyber or marine casualty incident can close down the port completely, creating a ripple effect across critical infrastructure and disrupting the global supply chain, says Josie Long, MITRE cyber risk mitigation engineer.
Making Port Cybersecurity Affordable
The world’s largest and most-mature port operators and transportation companies can afford consultants to do this assessment and mitigation work for them. But not every organization in the maritime critical infrastructure sector has the resources. Thompson and Long’s work developing the profile will help organizations adopt and implement the full National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity, more commonly known as the NIST Cybersecurity Framework.
One of the three main components of the NIST Cybersecurity Framework is what’s called profiles. Profiles are the alignment of the functions, categories, and subcategories with the business requirements, risk tolerance, and resources of the organization. A profile enables organizations to establish a roadmap for reducing cybersecurity risk that is well aligned with organizational and sector goals, and considers legal/regulatory requirements and industry best practices.
Hodgepodge Of Targets
Ports are target-rich environments. Thompson describes a multinational system of systems: individual vessels, ports and terminals, shipping lines, shipbuilders, intermodal transport operators, cargo and passenger handlers, vessel traffic control, maritime administrators, among others. It’s typical for a ship owner based in one country to operate the ship under the flag of another country and then lease it to a company from a third country. At the same time, the ship’s operational technology may be managed and updated by technical staff somewhere else in the world.
And the ship doesn’t operate in a vacuum. Layer in operational technology—physical systems to operate cranes, motors, pumps, and more—on land and on the water, Thompson says, and the problem becomes even more complex and the risks potentially deadly. On an LNG tanker alone, a cyberattack could trigger fuel leaks into the air or the water. A hacked navigation system could leave a tanker floundering, direct it into another vessel, or cause it to run aground. An explosion or fuel leak could have devastating effects on the environment and the nearby population. “In the real world, cyber is not just zeros and ones and bytes and bits,” Thompson says. “It’s operational technology that changes the physical world, and that makes it dangerous.”
Crafting A Way Forward
Thompson, an Air Force veteran with experience in cybersecurity, instrumentation, and control systems, joined MITRE in 2021. Long brought decades of expertise from a career with the U.S. Coast Guard, where she worked in mid-Atlantic ports. “You’re preventing bad things from happening through safety, security, auditing, and inspections,” Long says. “Think of any of the maritime assets the Coast Guard regulates. My final tour was in Savannah as the officer in charge.”
They relied on that experience to engage voluntary cooperation from professionals in the maritime sector. “The whole idea was to get their fingerprints on it,” Thompson says. “We reached out to our contacts from industry life, and they were forthcoming with what they thought, with the problems they saw, and how they currently do things.” The project illustrates MITRE’s commitment to put our experts’ deep technical knowledge to work hardening critical infrastructure against cyber and physical risks and making the world safer.