Coast Guard's U.S. Marine Transportation System Vulnerable to Cyberattacks

  • Source: UncoverDC
  • 09/13/2024
According to the Department of Homeland Security (DHS) Office of Inspector General (OIG), the Marine Transportation System (MTS) "is the backbone of the U.S. economy," integral to critical infrastructure. The OIG continues, saying that "about 90 percent of U.S. imports and exports travel by ship." Unfortunately, a July 9, 2024, OIG report states that the U.S. Coast Guard is not doing enough to protect this critical infrastructure.

The report states, "The U.S. Coast Guard plays a lead role in securing and safeguarding the MTS, which facilitates the transport of nearly $5.4 trillion in commerce, representing about 25 percent of the U.S. gross domestic product. The waterways and ports that make up the MTS include 25,000 miles of coastal and inland waterways with 361 ports, 124 shipyards, and more than 3,500 maritime facilities. The MTS is a prime target for malicious actors who seek to disrupt our supply chain. The use of new technologies, such as those for navigation, communication, and security, benefits the supply chain. However, these technologies are increasingly vulnerable to exploitation, misuse, or simple failure, which could cause injury or death, harm the marine environment, or disrupt vital trade activity. As of August 2021, the Coast Guard estimated hackers attacked the MTS every 39 seconds, for an average of 2,244 cyberattacks per day."

As stated in the report, a failure to implement proper cybersecurity protections for the MTS could be catastrophic. The 2017 NotPetya ransomware attack is instructive because it highlights how catastrophic a cybersecurity failure can be. One of the biggest cyberattacks in history was reported by Wired in its 2018 article, "The Untold Story of NotPetya, the Most Devastating Cyberattack in History." The June 27, 2017, attack compromised the computers of the shipping and logistics giant A.P. Møller-Maersk and crippled the company. "A single piece of code crashed the world," crippling ports, paralyzing corporations, and freezing government agencies, according to Wired. Maersk's empire includes ports, logistics, and drilling in 574 offices in 130 countries with 80,000 employees around the globe.

On that June day, an IT administrator named Henrik Jensen, who worked in the Maersk IT department, found himself in a frantic scramble to stay ahead of what would be a cascading catastrophe. According to Wired, Jensen was "busy preparing a software update for Maersk's nearly 80,000 employees when his computer spontaneously restarted." He initially assumed the reboot was a benign software change being implemented by central IT. However, Jensen soon "watched every other computer screen around the room blink out in rapid succession." Jensen told Wired, "I saw a wave of screens turning black. Black, black, black. Black black black black black." He and his colleagues soon realized "all computers were irreversibly locked. Restarting only returned them to the same black screen."

These computers were connected to a network that was "responsible for 76 ports on all sides of the earth and nearly 800 seafaring vessels, including container ships carrying tens of millions of tons of cargo, representing close to a fifth of the entire world's shipping capacity." All were "dead in the water."

Cybersecurity: The Role of the U.S. Coast Guard 

2002 marks the year when Congress implemented the Maritime Transportation Security Act of 2002 (MTSA). MTSA required the Coast Guard to establish maritime security teams to protect critical infrastructure. In 2013, the Coast Guard established its own Cyber Command, bringing it "in line with other military organizations as a part of U.S. Cyber Command run by the DOD." Beginning in 2015, the U.S. Coast Guard entered a new operational domain, cyberspace. Working with DHS and the Department of Defense (DOD), the Coast Guard became a partner in efforts to protect critical infrastructure associated with the MTS.


The Coast Guard became the lead sentinel in protecting the supply chain, charged with "eliminating or mitigating vulnerabilities in the maritime domain." CISA and other Sector Risk Management Agencies (SRMA) also partner with the Coast Guard to "share incident reporting, threat, and vulnerability information and unify efforts to protect the nation's infrastructure."



Keep in mind that the evolution of MTS involves the "increased use of autonomous shipping, offshore platforms, and cargo facilities. It also includes military logistics as well as vital trade activity." The "growing reliance on cyber-physical technologies" makes securing these networks all the more critical.


OIG Finds Significant Challenges With Cybersecurity Readiness in the Coast Guard

The OIG found the Coast Guard faces significant challenges "implementing cybersecurity readiness measures and precautions at U.S. ports and on U.S. waterways." Challenges include failures to secure cooperation and compliance from the private sector, "facility inspections that did not always address cybersecurity, and Coast Guard is not adequately staffed to provide cyber expertise for these inspections." As a result, OIG found that the Coast Guard "cannot fully ensure compliance with cybersecurity measures intended to protect MTS' ports and waterways or provide awareness, guidance, and expertise to safeguard private industry stakeholders' assets." According to the report, the lack of compliance could result in catastrophic failures and potentially dangerous national security breaches. 

The OIG audit analyzed "15 of the 30 assessments conducted by the Coast Guard's Cyber Protection Teams (CPTs)" to identify vulnerabilities. The 15 assessments yielded "194 incidents involving 54 different and exploitable vulnerabilities." 59 percent or 114 individual incidents involved "Critical or High vulnerabilities," a designation that refers to the "ease of exploitation and potential severity of impact...For example, an attacker could add security badges or turn off power to a system, which could impede operations within the MTS." An additional 29 percent or 57 individual incidents involved Medium vulnerabilities, which could "result in unauthorized disclosure of sensitive customer information." 7 percent, or 14 individual incidents, were deemed low vulnerabilities, and the remaining 5 percent were informational vulnerabilities.


Stunningly, between 2020 and 2022, "the number of incidents reported to and reviewed by Coast Guard increased by 111 percent, from 28 incidents in 2020 to 59 in 2022."

Industry stakeholders like the private sector do not consistently request CPT's services to improve their "cybersecurity posture." From 2021 to 2022, "in the six sectors that make up Coast Guard's District 7," none of the private stakeholders requested CPT's services, "despite a confirmed ransomware and phishing/spoofing incident within the district." Coast Guard personnel reported stakeholders hesitated to engage CPT's services because of concerns over "regulating and enforcing laws." Some smaller operations reported they didn't request services because the "enhancements to their already outdated or vulnerable information technology equipment" would be unaffordable. Some private stakeholders were also concerned they would be fined if vulnerabilities were found. Notably, while the Coast Guard can fine private stakeholders, "CPTs do not fine stakeholders for vulnerabilities uncovered during assessments, hunts, and incident responses," most likely a distinction without a difference to private stakeholders.

In many cases, Coast Guard personnel admitted to not reviewing cybersecurity during inspections and only focusing on physical safety. Some of the gaps were due to a lack of authority or expertise. They were simply "limited in their understanding of how to address cybersecurity risks detailed in Facility Security Plans or Vessel Safety Management Systems and did not understand the terminology used in the documents." Inspectors also found there "were not sufficient regulations to support a written deficiency" when a cybersecurity issue was identified.

According to the report, staffing is also deficient in Coast Guard Cybersecurity. Filling positions is difficult, with some locations having vacancies for over two years. The suggested time frame for filling positions is 80 days. Qualified candidates are hard to find, in many cases because the jobs require a range of competencies that are not easily articulated in the current governmental job classification framework.

OIG recommendations include enhancing coordination with and efforts to build relationships with private industry stakeholders, clearer articulation of cybersecurity-specific regulations related to the enforcement authority of facilities, ports, and vessels, the establishment of standardized cybersecurity training for personnel, and ensuring that job descriptions adequately describe the competencies needed to perform the job of the MTS Specialist-Cyber position.

The report states that CISA "declined to schedule a meeting with relevant personnel and provide timely access to requested documents and information on numerous occasions throughout the audit." CISA officials disagreed with OIG's characterization of their failure to provide access to DHS information. According to a Memo included in Appendix B of the report, CISA offered to meet on a few occasions, but "OIG declined." The memo states that CISA "maintains it approached the audit forthrightly and in good faith."

© 2024 UncoverDC