The Future is Now
By Marco Ayala, 1898 & Co., Burns & McDonnell and Andy Bochman, Idaho National Laboratory
Photo courtesy of Danny Schnautz.
Critical infrastructure regulators and defenders often talk about interdependencies. As in, it’s not enough to secure your own sector’s assets and the systems and networks that support them; you also must ensure that others upon which your success depends are doing the same. Often these other multisector entities are dispersed over wide geographic areas. But an example of where interdependencies are laid bare, where many come together and co-exist on the same dense footprint, is the modern shipping port. Their centrality to both national security and economic security makes ports, from a cyber adversarial perspective, perhaps the best targets on earth.
Nevertheless, a port operator might be tempted to say, “yeah, but it’s not likely to happen on my watch, and I know this because it hasn’t happened yet.” The reality, however, is that whether it's happened yet or not has no bearing on whether it's likely or very likely to happen to you. In a time of rapid technological change, it’s safe to say that past is no longer prologue, and that a port operator would be better off basing his or her risk calculus on what’s now plain to almost everyone: that when a function is so critical, and relies on the synchronized choreography of so many players, each of which is rapidly modernizing with digital, wireless, automated and, in ports, increasingly, autonomous systems, then it’s time to give strategic cybersecurity challenges a sustained look and prioritize getting that house in order.
This past decade has seen dramatic changes in the maritime and shipping industries. In many countries, ports of the future are now ports of the present, with ubiquitous mesh wireless networks, autonomous terminals and autonomous cranes. Ports so enabled are a marvel, yet at the same time they’re a house of cards, a veritable assemblage of Jenga blocks. The many benefits in efficiency and flexibility these technologies have ushered in are in many ways offset by the new attack surfaces and opportunities they present for cyber criminals and even more capable adversaries intent on disrupting operations … or worse. One doesn’t have to look far to see examples where there’s been a steep price to pay for this transition to reliance on digital technologies. (Google Maersk, K-Line, or Shaheed Rajee port for example.)
New advancements in technology have given the world faster network speeds, massive amounts of computing power, and ubiquitous connected “smart” devices. Proceeding at approximately the same lightning pace are the new vulnerabilities in these technologies, coupled with a lack of awareness in the people who use them.
A Plausible Pathway to Demonstrably More Secure High-Tech Ports
In every sector, an organization’s cybersecurity capabilities are characterized by conformance to a mix of general and industry-specific standards, frameworks and best practices. Periodically, third party assessments gauge how close a given organization is to, or how far it is from, acceptable minimum levels of performance. A billion-dollar annual budget would still not be enough to enable a port’s chief security officer to achieve, maintain and demonstrate compliance for all the myriad interconnected, digitally dependent systems he or she has to contend with. And no worries, as most port CSOs have budgets several orders of magnitude less than that.
So who’s in charge of making sure ports are secure? No one organization, it turns out, and therein lies the problem. In the U.S., while a very large number of government and commercial entities depend on their reliable functioning, the DoD, TSA, DOE, the DOT and other federal, state and local interests each bring with them a different set of standards and assessment and enforcement approaches. The result, as you can likely imagine: pure chaos. What can be done about this? A few things, perhaps.
The Best Cybersecurity Standards for Ports
Here are three that are either completely neutral or mapped to port-relevant sectors:
1. ISA/IEC 62443 Series of Standards. This series of standards, developed by the International Society of Automation’s (“ISA”) ISA99 committee and adopted by the International Electrotechnical Commission (“IEC”), provides a flexible framework to address and mitigate current and future security vulnerabilities in industrial automation and control systems (“IACSs”). The committee draws on the input and knowledge of IACS security experts from across the globe to develop consensus standards that are applicable to all industry sectors and critical infrastructure.
Instead of too many standards, how about just a few … or maybe even one? The rapidly evolving ISA/IEC 62443 suite of security standards[1] for control systems is increasingly seen by many as the best path towards unifying security practices across all sectors, products, and organizations. Here’s an outline of its primary contents, covering four parts:
I. General
1-1: Terminology, concepts and models
II. Policies and procedures
2-1: Establishing an IACS security program
2-3: Patch management in the IACS environment
2-4: Security program requirements for IACS service providers
III. System level
3-1: Security technologies for IACS
3-2: Security risk assessment for system design
3-3: System security requirements and security levels
IV. Components and requirements
4-1: Secure product development lifecycle requirements
4-2: Technical security requirements for IACS components
Still evolving with input from a broad set of subject matter experts, 62443 is now referenced more than any other standard, and all signs point to it becoming more prominent in the future, not less. (For more reading, visit isa.org.)
Nevertheless, there are at least one or two more we want to address here.
2. The National Institute of Standards and Technology Cybersecurity Framework. Now a part of the U.S. Department of Commerce, the National Institute of Standards and Technology (“NIST”) was founded in 1901 and is one of the nation’s oldest physical science laboratories. Because NIST is a non-regulatory federal agency that acts as an unbiased source of scientific data and practices, including cybersecurity practices, the agency was selected for the work of developing cybersecurity standards, guidelines, best practices, and other resources to meet the needs of U.S. industry, federal agencies and the broader public.
NIST convened stakeholders to develop a Cybersecurity Framework (“CSF”) that addresses threats and supports business. While the primary stakeholders of the Framework are U.S. private-sector owners and operators of critical infrastructure, its user base has grown to include communities and organizations across the globe.
The CSF was issued under Executive Order 13636 in 2013, and it prepared the ground for requirements published in 2014. It is set to enhance the security and resilience of the Nation’s critical infrastructure. At the highest level, the CSF includes five categories: identify, protect, detect, respond, and recover. It was intended to be, and continues to function as, a lingua franca to allow practitioners in every sector to communicate effectively on security matters with each other, as well as with regulators and other stakeholders. Among its several benefits, it:
- Identifies security standards and guidelines applicable across sectors of critical infrastructure
- Provides a prioritized, flexible, repeatable, performance-based, and cost-effective approach
- Helps owners and operators of critical infrastructure identify, assess, and manage cyber risk
- Enables technical innovation and accounts for organizational differences
- Provides guidance that is technology neutral and enables critical infrastructure sectors to benefit from a competitive market for products and services
- Includes guidance for measuring the performance of implementing the Cybersecurity Framework
- Identifies areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations
The NIST CSF has been adopted as a framework across many industry sectors including ports and maritime. (For more reading, visit nist.gov/cyberframework.)
3. U.S. Coast Guard’s Navigation and Vessel Inspection Circular. The U.S. Coast Guard issued the Navigation and Vessel Inspection Circular (“NVIC”) 01-20, “Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act (‘MTSA’) Regulated Facilities,” at the beginning of 2020. This NVIC clarifies the existing MTSA requirements related to computer system and network vulnerabilities of MTSA-regulated facilities. It also provides facility owners and operators with guidance on how to analyze these vulnerabilities in their required Facility Security Assessment (“FSA”) and to address them in the Facility Security Plan (“FSP”). These requirements became effective October 1, 2021, with inspections now under way.
How deep, how far, and how wide the asset-owner operator goes to self-report is something many in industry have discussed, as well as what’s “good enough” to satisfy MTSA requirements. The imperative here is that adequate budgets for operational technology and mission critical system cybersecurity must be defined and achieved and, accordingly, assessment strategies must be realistic.
What Does a Demonstrably Secure Port Look Like?
Developed with support from the U.S. Department of Energy, the Department of Homeland Security, and the Department of Defense, an emerging methodology, Consequence-driven Cyber-informed Engineering or “CCE”, helps organizations identify the functions, processes, and supporting systems that must not be allowed to fail, for any reason, including cyber attack.
By beginning with a focus on attacks that could cause catastrophic consequences, it narrows the scope to only the most essential processes and functions. Then, from an adversarial perspective, it helps create the cyber kill chains that could stop port operations cold. Armed with this knowledge, port defenders can then develop engineered failsafes and stopgaps to keep the most capable cyber adversaries from achieving their goals. One target attainable via the CCE process: ISA/IEC 62443 Security Level 4, “Protection against intentional misuse using sophisticated means with extensive resources, IACS-specific knowledge and high motivation.”
That was for existing ports. What about completely new ports or ports that are perpetually modernizing? If you had the luxury to start from scratch in 2022, you’d still be confronted with products from suppliers lacking basic security controls and full of software vulnerabilities. One of the maritime sector’s main challenges in the cyber arena occurs when it adds new technologies on top of existing technologies. When this happens (and it happens all the time) security, reliability, and mission success become harder to manage.
Mission critical systems must be correctly secured from the earliest stages of design, all the way to front-end engineering, to check out, rollout, and what is often called turnkey handover. CCE’s sibling, Cyber-informed Engineering (“CIE”), aims to remedy the full product lifecycle cybersecurity portions of this problem.
About the Authors
Marco Ayala is a process automation professional with over 25 years of experience working in petrochemical facilities, where he designed, implemented, and maintained their process instrumentation, automation systems, and process control networks. Currently, he is the director and ICS cybersecurity section lead with 1898 & Co. (part of Burns & McDonnell).
Andy Bochman provides strategic guidance on topics at the intersection of grid security and infrastructure resilience to senior U.S. and international government and industry leaders. Teaming with U.S. and international partner orgs, Andy has trained operators and regulators in dozens of Central, Eastern European, and Indo-Pacific countries and most of the U.S. states.