Page 19 of Maritime Reporter Magazine (June 2023)
The Digital Ship
just two miles from Russia’s Black Sea Fleet headquarters. But eyewitnesses and webcams proved both ships were tied to a pier almost 200 miles away, demonstrating a capability to compromise navigation equipment. The incident received global attention and was attributed to AIS spoofing techniques, displaying vessels where none were present.

Ransomware has also hit the MTS when global shipping and logistics giant Maersk fell victim to the devastating “NotPetya” cyberattacks of 2017, bringing Maersk’s global operations to a standstill. The fact that Maersk was not even the intended target of the attack underscores how vulnerable the MTS is. Criminal gangs aggressively exploited vulnerabilities at the Port of Antwerp, collecting payments from fraudulent bills of lading on its information systems for two years.

Against this backdrop of costly cyber-attacks and mischief, the federal government has issued several laws, directives, and advisories designed to improve national cyber-hygiene. In May 2021, the Biden administration’s Executive Order 14028 mandated federal agencies to secure their cloud services, adopt “zero-trust” architectures, and deploy multifactor authentication and encryption on federal networks. It also established software development security standards, using the federal government’s purchasing power to force industry to build more secure IT products.

The National Institute of Science and Technology (NIST) issued detailed guidance on how to develop incident response plans (IRPs) for the inevitable cyber-attacks. IRPs define the “players” for different response situations, their roles in an attack, and immediate actions to take. While not yet a requirement for the MTS, IRPs are strongly recommended for victims to have an organized means of quickly “fighting back”.

The U.S. Coast Guard recently released the Maritime Cybersecurity Assessment & Annex Guide (MCAAG) to help MTS stakeholders address cyber risks. This voluntary guide addresses cybersecurity assessments and IRP development, particularly for Facility Security Assessments and Facility Security Plans required by MTSA. In 2021, the Coast Guard released an updated version of the Cyber Strategic Outlook (CSO), placing responsibility to “prevent and respond” to MTS cyber incidents on its shore commanders. One notable statement in the CSO is that it will use its “existing framework for prevention and response activities to mitigate cyber risks,” which allows the Coast Guard to use its Captain of the Port authorities to prescribe cybersecurity conditions and restrictions for shore facilities before an incident and oversight afterward.

One important new statute is the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which created reporting requirements for “covered entities” who operate “critical infrastructure” in 16 sectors designated under federal law, including transportation systems and commercial facilities. CIRCIA requires these entities to report cyber-incidents and payments to the Cybersecurity and Infrastructure Agency (CISA). CIRCIA’s regulations will be announced in the next year, so details are uncertain. At a minimum, covered entities must report cybersecurity events within 72 hours and ransomware payments within 24 hours.

The MTS is still uniquely vulnerable to cyber-attack and will likely remain so for the foreseeable future. While these new federal requirements will improve our defenses, they also present a host of compliance challenges for the maritime industry. That in turn will mean a significant investment in cyber defense and resiliency efforts. At a minimum, vessels, ports, terminals, suppliers, and maintainers should examine their networks and prepare now. If an entity lacks firewalls, or multi-factor authentication, or tailored IRPs, or encryption for its sensitive documents, it should invest now.

The Author

Gene F. Price has substantial real-world experience in cybersecurity and focuses on Frost Brown Todd’s privacy and data security practice and incident response planning. Recently retired from the U.S. Navy as a Rear Admiral after 36 years of service.