Are our ports protected from cyber pirates?

When Edward Teach blockaded Charleston, South Carolina, in 1718, he had an easy go of it as the port lacked guard ships – but word spread among colonial governors, and the pirate known as Blackbeard would be hunted down and killed within the year.

Today, cyber pirates have the potential to take control of ships' navigations systems, industrial control  systems at ports, or steal financial information from shipping firms. And while there are guard ships on watch, technically speaking, they may never find out what pirates are up to.

The Coast Guard, unsurprisingly, would like to fix that.

Since 2002, the Coast Guard has been tasked with addressing cyber threats to American ports. "We don't view this as a new mission, said RADM Paul Thomas, the Coast Guard's Assistant Commandant for Prevention Policy, at an Oct. 8 hearing of the Subcommittee on Border and Maritime Security of the House Homeland Security Committee. "We view this as a natural extension of our mission."

The Coast Guard is "perfectly positioned" to handle port cybersecurity, agreed Randy Parsons, who heads security at the Port of Long Beach in California.

Port pros are sharing information, but there isn't a formal platform for ports to share specific threats among one another

Jonathan Sawicki, who leads security at the Texas ports of Brownsville and Harlingen, said that reporting transportation security incidents to the Coast Guard currently is kind of a muddle.

"We have not reported any cybersecurity incidents because we have not had any that are significant enough to report," Sawicki told the subcommittee. Most reporting criteria are based on physical breaches instead of cyber-specific threats.

Loss of access control, cargo control or perimeter control are all reportable cyber issues, Thomas noted, while a cyber breach of a port's financial information isn't.

“The confusion comes because cyber touches all aspects of a port['s operations],” he noted. “It's very confusing to figure out which type of incident gets reported.”

What's next?

In the interest of furthering its cyber expertise, Thomas said the Coast Guard has a permanent presence in the Homeland Security Department's National Cybersecurity and Communications Integration Center.

But he also said he wouldn't rush to impose "hard" cyber standards on ports until other, related industries develop standards, since the infrastructure systems (rail, trucking, etc.) are so interrelated.

In these early stages of laying out concerns, building information sharing networks and establishing the rules of the road, Thomas said, the Coast Guard doesn't really need additional funding for cyber. But funding needs will grow in the compliance stage of the game.

The Coast Guard should look to break down barriers to info sharing, develop a secure mechanism for companies to share threat information with the government and perhaps anonymize information shared, so shipping companies don't suffer reputational damage when they disclose breaches, said Gregory Wilshusen, Information Security Issues Director at the Government Accountability Office.While praising voluntary info sharing and risk-based assessments, Long Beach's Parsons also noted issues, such as a lack of backup systems, plaguing national ports.

"I think there's gotta be some regulation," he said. "Left to our own devices, we don't seem to have done very well."