We live in a world of increased reliance on digital interconnectedness. Across industries and roles, digital connectivity has allowed us to do more with less, enhancing the speed and efficiency with which we communicate and do our jobs. The United States Marine Transportation System (MTS) is one of the largest beneficiaries of this digital ecosystem. Employing 31 million Americans and supporting 95% of cargo entering the US, the MTS is critical to the US economy, and leveraging digital systems has allowed the MTS to manage a complex network of ports, terminals, vessels, waterways, and land-side connections to move cargo efficiently and safely.
While digital systems have revolutionized the maritime shipping industry and supply chains, they’ve also introduced security vulnerabilities that could have cascading impacts on the American economy and citizens if exploited. Recognizing this, the Biden-Harris Administration is focused on enhancing cybersecurity measures to safeguard maritime shipping infrastructure against 21st-century threats, making securing critical infrastructure a national imperative.
The administration recently announced an initiative to strengthen maritime cybersecurity. In this post, we’ll explore the key elements of the initiative and their implications for the maritime industry and industries like it.
Addressing maritime cyber threats
As part of the initiative, which was announced last month, President Biden signed an executive order empowering the Department of Homeland Security (DHS) to directly address maritime cyber threats. The order allows the DHS to implement new cybersecurity standards for securing systems and networks at American ports, while also granting the US Coast Guard express authority to respond to malicious cyber activities in the MTS. Furthermore, the order mandates the reporting of cyber incidents or active cyber threats, giving the Coast Guard the authority to control vessels or facilities that may pose a cyber threat.
In tandem with the president’s executive order, the US Coast Guard announced it would issue a Maritime Security Directive to specifically address cyber risk management for ship-to-shore cranes manufactured in China. The directive’s focus will include any Information Technology (IT) and Operational Technology (OT) systems that may be associated with these cranes. Under this directive, owners and operators will be required to carry out a series of actions to secure the US maritime infrastructure’s digital ecosystem as well as address new vulnerabilities that have been identified per the US maritime advisory.
The Coast Guard also issued a Notice of Proposed Rulemaking on Cybersecurity in the MTS as part of the initiative. MTS control systems and networks are subject to cyber attacks on a daily basis. With bad actors attempting to gain unauthorized access to MTS networks across the nation, the Coast Guard’s proposed rule changes are an attempt to strengthen the MTS’s digital systems and better manage threats by establishing cybersecurity requirements that meet international and industry-recognized standards.
Regulations aimed at securing identity
One of the greatest vectors for cyber attacks is identity. Unused, orphaned, and overprivileged accounts are common entry points for bad actors, enabling them to access organizations’ critical infrastructure and other sensitive data. Identity breaches pose a real threat to the MTS, potentially jeopardizing an industry that generates $5.4 trillion annually.
While we don’t yet know what specific regulations the Coast Guard will impose, it’s safe to assume requirements will include current cybersecurity best practices as defined by leading regulators like the the New York Department of Financial Services (NYDFS). To address growing cybersecurity threats in the financial industry, the NYDFS released a major update to its own regulations last fall, many of which were centered around identity security,
The Coast Guard’s new standards could similarly aim at strengthening the identity security posture within the MTS. A zero trust approach to identity security is becoming standard, with regulations requiring the implementation of practices like regular access reviews, remediation of unused and orphaned accounts, mitigation of overprivileged access, and a move toward zero standing privileges (ZSP). The Coast Guard could impose stricter compliance standards and enforce measures such as role based access controls (RBAC) and just-in-time (JIT) access for more critical infrastructure.
Complying with identity security regulations
Implementing effective identity security is a challenge for any organization, and can be especially complex for those using legacy and hybrid infrastructure, as is likely the case with many parts of the MTS. To comply with potential new identity security regulations, the first step for security teams will be to bring identity data together under one platform if it’s not already centralized. This will allow them to better understand their overall identity environment and begin to identify and remediate overprivileged access and other permission-based threats.
Centralization will also support implementation of stronger access controls across systems and resources to help mitigate instances of inappropriate provisioning and inadequate deprovisioning. And it will enable teams to run more regular access reviews that further reduce risk by catching and revoking risky access.
Success will be strongly contingent upon the ability to secure identity without slowing productivity at busy ports. Automation is instrumental in achieving this harmony. Leveraging it to replace the tedious work of manually reviewing, provisioning, and revoking access can help enforce stricter security standards without impacting worker productivity—while also subtracting the human error associated with these manual tasks.
Implications for related commercial sectors
Ultimately, the Biden-Harris initiative reflects a commitment to securing supply chains and addressing cybersecurity concerns within critical infrastructure. It’s aimed at fortifying America’s ports in the face of ever-evolving digital threats. Cargo systems are critical to the US economy—the MTS is likely just the first of several sectors within the space to see updated regulations. It may not be long before we see similar initiatives focused on securing trucking and railway industries as well.
However, this isn’t a shipping industry–specific trend, as evidenced by the NYDFS regulations emphasizing the need for stronger cybersecurity practices in financial institutions. As our reliance on digital infrastructure continues to increase, it only makes sense that the standards with which we protect that infrastructure grow in tandem.
Read the official White House announcement for more information about the Biden-Harris initiative and when new cybersecurity standards will be issued. To learn how ConductorOne can help you implement a zero trust approach to identity security, chat with us.