This is a workforce problem, not a vendor problem: The new regulations require all 3,000 MTSA facilities to designate a cybersecurity officer (why the Coast Guard named them CySOs and couldn’t just call them CISOs, I do not know). Finding hundreds of qualified people who understand both operational technology in maritime environments and cybersecurity is nearly impossible. Many facilities are looking at IT professionals who will require cross-training on maritime technology systems and assets with 30+ year life cycles. This is quite different from the capital expenditure write-off of a laptop every 3-5 years.
Especially concerning is the fact that thousands of CISOs are considering leaving their corporate roles because they’re tired of being used as scapegoats when breaches occur. Hopefully, some are now looking for side work as part-time contractors with maritime facilities, treating it as job-loss mitigation while doing something that gives them genuine job satisfaction. If hired, they would immediately see the benefits of their work improving the security posture of a port facility in their hometown.
This is our critical infrastructure protection strategy: exhausted professionals moonlighting because facilities can’t afford full-time qualified staff.
What developers and security teams can actually do: If you’re reading this and thinking, “I don’t work at a port, why does this matter?” then consider your own supply chain dependencies. Your company most likely delivers services using third-party solutions, many of which depend on maritime logistics you never even think about. The systemic risk that emerges from complex systems means a port shutdown doesn’t just delay Amazon deliveries.
During the pandemic, we couldn’t get toilet paper or laptops. Our supply chains were deeply disrupted by a health crisis. Now imagine that kind of pervasive disruption triggered deliberately, with government cybersecurity staff having been furloughed at a critical moment or no legal framework to safely share threat intelligence because Congress let it expire.
Three concrete steps for this quarter:
If you’re responsible for critical infrastructure or provide services for core supply chain systems, conduct a realistic resilience assessment of what a 72-hour maritime disruption would mean for your operations. Not a theoretical risk assessment but a practical business continuity exercise.
For mid-sized facilities facing these requirements, budget between $20,000 and $25,000 for penetration testing. Explore FEMA’s State and Local Cybersecurity Grant Program (SLCGP), though be aware these often have non-federal match funding requirements. Better yet, find ways for academia, private sector and public sector entities to collaborate, such as the MTS-ISAC, rather than forging ahead in isolation.
If you’re a CISO considering what’s next in your career, consider that maritime facilities desperately need your expertise. This isn’t corporate security theater. This is mission-critical work protecting infrastructure that millions depend on. That you and your family depend on.
The saber-rattling is getting louder: The current geopolitical climate has maritime security at a heightened level of readiness for international conflict. If a nation-state wanted to discourage US intervention in some form of aggression in APAC, South America or elsewhere, the malware is already believed to be in place, ready to be triggered.
In my discussions as part of the AMSC, we workshop scenarios constantly. What counts as an incident when the MARSEC (MARitime SECurity) Level needs to be elevated from 1 to 2 for a cybersecurity threat? MARSEC Level 2 requires additional protective security measures for a period of time across nautical facilities and vessels.
This is the kind of thing that hasn’t happened yet, but for which we train constantly. The challenge is that anything compromising safety systems in a port would trigger a shutdown of the entire port. There’s an element of systemic risk to the complex ecosystem that ports support that includes rail, trucking, shipping, fuel or, yes, that weekly orange juice delivery.
The US Coast Guard has been granted fairly large powers of authority in the event of an incident. But those powers are compromised when CISA staff have been furloughed and threat intelligence sharing has lost its legal protection. We can expect asset owners and sector agencies to continue to collaborate, but they will be doing so with additional (and avoidable) risk.
Monday morning action items: I lived in Manhattan during the first COVID lockdowns. I saw SWAT teams with sniper rifles taking up positions on rooftops across from grocery stores. That was contingency planning that thankfully didn’t need to be activated. But it revealed something crucial: Anything that threatens the ability to procure basic necessities will rapidly escalate in ways we’d rather not contemplate.
The orange juice example isn’t about orange juice. It’s about what the Orange Star represents. A complex system held together by aging infrastructure that 3,000 facilities now need to better secure, with cybersecurity officers they don’t have, using grant funding that was stuck during the government shutdown, while the legal framework for threat sharing has expired and nation-state malware sits dormant in their systems.
What you should do Monday morning: Elevate the discussion around cybersecurity risk with elected officials, boards of directors and everyday citizens. Accept the mantra of incident response: it’s not a matter of if, but rather just a matter of when.
As an information security professional who has worked in this industry for 30+ years and who has given birth to major ecommerce sites in the Web 1.0 dotcom bubble, building and protecting banks and critical infrastructure in the ensuing years, I am not optimistic. Do we have the gumption and grit to do what’s needed?
We must work together now with focus, conviction and verve, because the alternative is unthinkable. I mention the word “verve” because I feel there must be a creative energy to how we champion our collective resilience and how we defend our community, our democracy and our way of life.
There’s no incident response plan for a perfect storm. Only preparation before it hits.
This article is published as part of the Foundry Expert Contributor Network.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4105838/no-more-orange-juice-why-one-ship-reveals-americas-maritime-cybersecurity-crisis.html

