These efforts will impact both the public and private sector, with the nation’s roughly 300 ports operated by states, counties, municipalities, private companies or a mix. Cyber attacks are a pressing threat, with ransomware forcing Japan’s largest port to shut down several terminals last year. The Port of Los Angeles alone stopped 750 million “cyber intrusion attempts” last year, said Gene Seroka, the port’s executive director, in a recent media briefing.
Anne Neuberger, who is the Biden administration's deputy national security adviser for cyber and emerging technology, spoke at the same briefing, discussing some potential risks, as well as federal plans for setting minimum cyber standards across U.S. waterfront facilities and vessels. She called the Los Angeles port’s Cyber Resilience Center a best practice and praised it for bringing together the public and private sector to safeguard critical infrastructure.
The Port of Los Angeles says it has been on the leading edge of several cybersecurity measures. According to the port, it was the first U.S. seaport to establish a cybersecurity operations center in 2014, and it was also “the first seaport in the world to establish a Cyber Resilience Center” in 2021.
But cybersecurity can vary widely across the maritime transportation system.
The Coast Guard’s Cyber Protection Teams studied organizations in the marine environment and found concerning problems. They noted that in most cases the organizations' operational technology systems were running end-of-life software with known exploited vulnerabilities. Plus, operational technology systems often had vulnerable network protocols that hackers could potentially use to escalate their privileges. In some cases, insufficient access controls meant hackers who’d penetrated IT networks might be able to shift over to operational technology networks and cause physical harm.
The White House took aim at port and maritime cybersecurity with a February executive order. That order empowers the Coast Guard to respond to malicious cyber activity in the sector, such as by ordering maritime vessels and waterfront facilities to mitigate dangerous cyber issues. It also lets the Coast Guard inspect facilities that pose potential cyber risks as well as inspect and control the movement of vessels that do — or might — present a cyber threat to maritime infrastructure. Additionally, the order requires reporting of cyber incidents and active threats endangering vessels, harbors, ports and other waterfront facilities.
Following up on the order, the Coast Guard has issued a notice of proposed rulemaking for establishing minimum cybersecurity requirements for U.S. vessels and maritime facilities. Organizations have through May 22 to submit comments.
Seroka supported this idea, saying he’s campaigned for years for U.S. ports to adopt a uniform set of protocols to defend against cyber attacks.
The White House is also concerned about possible risks from China-manufactured cranes used at U.S. seaports, as well as the cranes’ associated IT and operational technology systems. Neuberger said one concern is that the cranes might give China remote access it could leverage to disrupt port operations during a future crisis or conflict.
The Coast Guard is expected to instruct port owners and operators to take some actions, and federal dollars aim to onshore more crane manufacturing, per the executive order. Neuberger said the same security requirements would be imposed on cranes manufactured in any country, not just China.
Meanwhile, maritime industry lobbying group the American Association of Port Authorities has pushed back on fears about China-made cranes. In a news release, the association said that ports and state, local, and federal law enforcement partner to detect and mitigate risks from the cranes, and that there are currently no known cyber or kinetic security breaches stemming from using the cranes at U.S. ports.
