Maritime Critical Infrastructure Protection: DHS Needs to Better Address Port Cybersecurity

GAO-14-459 Published: Jun 05, 2014. Publicly Released: Jun 05, 2014.

Highlights

What GAO Found

Actions taken by the Department of Homeland Security (DHS) and two of its component agencies, the U.S. Coast Guard and Federal Emergency Management Agency (FEMA), as well as other federal agencies, to address cybersecurity in the maritime port environment have been limited.

While the Coast Guard initiated a number of activities and coordinating strategies to improve physical security in specific ports, it has not conducted a risk assessment that fully addresses cyber-related threats, vulnerabilities, and consequences. Coast Guard officials stated that they intend to conduct such an assessment in the future, but did not provide details to show how it would address cybersecurity. Until the Coast Guard completes a thorough assessment of cyber risks in the maritime environment, the ability of stakeholders to appropriately plan and allocate resources to protect ports and other maritime facilities will be limited.

Maritime security plans required by law and regulation generally did not identify or address potential cyber-related threats or vulnerabilities. This was because the guidance issued by Coast Guard for developing these plans did not require cyber elements to be addressed. Officials stated that guidance for the next set of updated plans, due for update in 2014, will include cybersecurity requirements. However, in the absence of a comprehensive risk assessment, the revised guidance may not adequately address cyber-related risks to the maritime environment.

The degree to which information-sharing mechanisms (e.g., councils) were active and shared cybersecurity-related information varied. Specifically, the Coast Guard established a government coordinating council to share information among government entities, but it is unclear to what extent this body has shared information related to cybersecurity. In addition, a sector coordinating council for sharing information among nonfederal stakeholders is no longer active, and the Coast Guard has not convinced stakeholders to reestablish it. Until the Coast Guard improves these mechanisms, maritime stakeholders in different locations are at greater risk of not being aware of, and thus not mitigating, cyber-based threats.

Under a program to provide security-related grants to ports, FEMA identified enhancing cybersecurity capabilities as a funding priority for the first time in fiscal year 2013 and has provided guidance for cybersecurity-related proposals. However, the agency has not consulted cybersecurity-related subject matter experts to inform the multi-level review of cyber-related proposals—partly because FEMA has downsized the expert panel that reviews grants. Also, because the Coast Guard has not assessed cyber-related risks in the maritime risk assessment, grant applicants and FEMA have not been able to use this information to inform funding proposals and decisions. As a result, FEMA is limited in its ability to ensure that the program is effectively addressing cyber-related risks in the maritime environment.

Why GAO Did This Study

U.S. maritime ports handle more than $1.3 trillion in cargo annually. The operations of these ports are supported by information and communication systems, which are susceptible to cyber-related threats. Failures in these systems could degrade or interrupt operations at ports, including the flow of commerce. Federal agencies—in particular DHS—and industry stakeholders have specific roles in protecting maritime facilities and ports from physical and cyber threats.

GAO's objective was to identify the extent to which DHS and other stakeholders have taken steps to address cybersecurity in the maritime port environment. GAO examined relevant laws and regulations; analyzed federal cybersecurity-related policies and plans; observed operations at three U.S. ports selected based on being a high-risk port and a leader in calls by vessel type, e.g. container; and interviewed federal and nonfederal officials.

Recommendations

GAO recommends that DHS direct the Coast Guard to (1) assess cyber-related risks, (2) use this assessment to inform maritime security guidance, and (3) determine whether the sector coordinating council should be reestablished. DHS should also direct FEMA to (1) develop procedures to consult DHS cybersecurity experts for assistance in reviewing grant proposals and (2) use the results of the cyber-risk assessment to inform its grant guidance. DHS concurred with GAO's recommendations.

Recommendations for Executive Action

Agency Affected: Department of Homeland Security
Recommendation: To enhance the cybersecurity of critical infrastructure in the maritime sector, the Secretary of Homeland Security should direct the Commandant of the Coast Guard to work with federal and nonfederal partners to ensure that the maritime risk assessment includes cyber-related threats, vulnerabilities, and potential consequences.
Status: Closed – Implemented
In April 2017, USCG stated that the National Maritime Strategic Risk Assessment (NMSRA) was still being finalized. The agency stated that they originally expected this to be completed by July 2017. In May 2018, the agency updated the information and stated that they are on track to complete the assessment by fall 2018. Subsequently, in September 2018, we met with USCG officials to review the updated NMSRA and confirmed it contained information related to cyber-related threats, vulnerabilities and potential consequences. Specifically, USCG identified maritime assets that were susceptible to cyber-related threats based on the level of connectedness of those assets. For example, USCG determined that crane controls within the container terminal have a lower degree of connectedness and are thus less susceptible to cyber threats. However, the terminal operating systems were determined to have the highest level of connectedness and thus to be the most susceptible to cyber threats. Additionally, the USCG determined that the maritime environment, comprised of the container terminals, bulk liquid terminals, vessels and offshore assets, has a total cyber risk of $1.67 billion.

Agency Affected: Department of Homeland Security
Recommendation: To enhance the cybersecurity of critical infrastructure in the maritime sector, the Secretary of Homeland Security should direct the Commandant of the Coast Guard to use the results of the risk assessment to inform how guidance for area maritime security plans, facility security plans, and other security-related planning should address cyber-related risk for the maritime sector.
Status: Closed – Implemented
In June 2018, the United States Coast Guard (USCG) reported that a working group had completed its review and had proposed changes to the Guidelines for Development of Area Maritime Security Committees and Area Maritime Security Plans Required for U.S. Ports. In September 2018, USCG provided guidance from the Commandant of USCG that instructed Area Maritime Security Committees to consider cyber risks when identifying critical port infrastructure and operations, identifying risks (threats, vulnerabilities, consequences), determining mitigation strategies and implementation methods (e.g., recovery and resiliency planning) and when developing and describing the process to continually evaluate overall port security. USCG also included the Area Maritime Security Assessment Job Aid, which is a foundational step in gathering information needed to develop and maintain Area Maritime Security Plans. The Area Maritime Security Assessment Job Aid contains suggested protocols and procedures for considering cyber-related vulnerabilities when completing the assessment. As such, USCG has demonstrated that an assessment of cyber-related risk is considered when developing key maritime sector plans.

Agency Affected: Department of Homeland Security
Recommendation: To enhance the cybersecurity of critical infrastructure in the maritime sector, the Secretary of Homeland Security should direct the Commandant of the Coast Guard to work with federal and nonfederal stakeholders to determine if the Maritime Modal Sector Coordinating Council should be reestablished to better facilitate stakeholder coordination and information sharing across the maritime environment at the national level.
Status: Closed – Implemented
In April 2017, the U.S. Coast Guard (USCG) stated that the tasking for the National Maritime Security Advisory Committee to explore the issue of information sharing mechanisms in regards to cyber information had been completed. In October 2017, USCG stated that they engaged with the industry through multiple fronts to explore the reestablishment of a Maritime Sector Coordinating Council (SCC). USCG stated that, due to the combination of factors, including a lack of entities actively pursuing reestablishment of the SCC and discussions with other DHS entities that indicated an SCC is a self-organized, self-run and self-governed organization, the USCG concluded establishing an SCC was unnecessary. Further, officials stated that existing information sharing mechanisms, including the information sharing portal HOMEPORT, Area Maritime Security Committees, the National Maritime Security Advisory Committee, Port Readiness Committees, etc., are providing industry with a sufficient level of information.

Agency Affected: Department of Homeland Security
Recommendation: To help ensure the effective use of Port Security Grant Program funds to support the program's stated mission of addressing vulnerabilities in the maritime port environment, the Secretary of Homeland Security should direct the FEMA Administrator, in coordination with the Coast Guard, to develop procedures for officials at the field review level (i.e., captains of the port) and national review level (i.e., the National Review Panel and FEMA) to consult cybersecurity subject matter experts from the Coast Guard and other relevant DHS components, if applicable, during the review of cybersecurity grant proposals for funding.
Status: Closed – Implemented
In May 2018, FEMA provided evidence of a formalized process established with the United States Coast Guard to ensure individuals with cyber expertise are included in the grant process. Specifically, FEMA provided a standard operating procedure (SOP) to provide Port Security Grant Program (PSGP) officials with a documented procedure for rapidly consulting with cybersecurity subject matter experts. The SOP outlines reach-back procedures between FEMA and the United States Coast Guard Cyber Command on any cyber-related issues that may arise during the review of grant proposals at both the field and national levels. As such, FEMA demonstrated the existence of procedures to ensure cybersecurity subject matter experts are consulted during the review of cybersecurity-related grant proposals.

Agency Affected: Department of Homeland Security
Recommendation: To help ensure the effective use of Port Security Grant Program funds to support the program's stated mission of addressing vulnerabilities in the maritime port environment, the Secretary of Homeland Security should direct the FEMA Administrator, in coordination with the Coast Guard, to use any information on cyber-related threats, vulnerabilities, and consequences identified in the maritime risk assessment to inform future versions of funding guidance for grant applicants and reviews at the field and national levels.
Status: Closed – Implemented
In May 2018, FEMA provided us with the draft language of the guidance it planned to issue to support the 2018 Port Security Grant Program (PSGP) process. Specifically, they provided the guidance for the "enhancing cybersecurity capabilities" priority. In July 2018, we confirmed that the draft guidance was consistent with the language of the final version of the published PSGP guidance. In September 2018, we were able to review the Coast Guard's updated National Maritime Security Risk Assessment (NMSRA) and confirm a nexus between the cyber-related threats, vulnerabilities and consequences identified there and the updated PSGP guidance. For example, the updated guidance encourages applicants to consider a variety of cybersecurity projects, including those that enhance the security of systems that control vital cargo at the ship/shore interface. This is consistent with the cyber-related risk to the terminal operating systems, the information systems used by terminal operators to, among other things, control container movements and storage, that is highlighted in the updated NMSRA.

GAO Contacts

Gregory C. Wilshusen
Director
Information Technology and Cybersecurity

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Topics

Computer security, Critical infrastructure, Facility security, Federal agencies, Homeland security, Information technology, Maritime security, Military forces, Port security, Risk assessment, Risk management, Transportation security, Information sharing, Policies and procedures