This week, the Coast Guard participated in a maritime cybersecurity learning seminar and symposium with the American Military University and Command, Control and Interoperability Center for Advanced Data Analysis, or CCICADA, at Rutgers University, which is a Department of Homeland Security Center of Excellence.. CCICADA is a Department of Homeland Security University Center of Excellence. The large number of participants and attendees included high ranking government officials, maritime and cyber security industry representatives and academics from a number of fields.
Maritime Commons is providing you with a condensed version of remarks from event speaker Capt. Joseph Kramek, Coast Guard Eleventh District Staff Judge Advocate, who conducted research on maritime cyber security while serving as a Brookings Institution Federal Executive Fellow. Kramek spoke on a panel moderated by John Duncan of the American Bureau of Shipping Group, with fellow panelists Tiffany Jones of i-SIGHT Partners, and Andrew Bertolazzi of Ronin Security Solutions. Duncan framed the discussion by focusing on the elements of cyber risks and prevention frameworks; Jones discussed maritime cyber risks and threats; Bertolazzi discussed vulnerabilities in maritime terminals and solutions; and, Kramek discussed potential consequences of a cyber disruption.
Subscribe and stay tuned for more on this event!
Delivered by Capt. Joseph Kramek
Just two years ago, as I begin to research cyber security in the maritime sector, there was almost no work being done in this area of critical infrastructure – however, as evidenced by this large audience, much has changed, and many of you are now focused on maritime cyber risks.
My fellow panelists have discussed risk, threats and vulnerabilities – I have been asked to focus on consequences…how would a cyber disruption impact the maritime transportation system? And, since 95% of goods are shipped to or from the United States by sea, what we are really talking about is the global transportation system, and the consequences a cyber disruption would have to the U.S. economy.
Due to the threat of a labor disputes shutting down West Coast ports, the National Association of Manufactures and the National Federation of Retailers released a report this past June that looked at the impacts if the West Coast’s 29 ports shutdown. The study found that a West coast port shutdown would cost $2 billion dollars a day, and that a shutdown would have cascading consequences on the U.S. economy, including imports, exports and household purchasing power. According to the report, if a port was shut down for 20 days, it would cost an average of $366 per household.
Here’s a statistical snapshot of the report’s findings at 5, 10 and 20 days:
Now this study was conducted to analyze the potential impact of a total West Coast port shutdown. But that’s not what actually happened. We didn’t have a shutdown, we had a slowdown.
And, if you think about it, a slowdown might be more representative of what a real cyber disruption would look like. In the Coast Guard, we talk a lot about an incident that rises to the level of a Transportation Security Incident, or TSI. Why? Because our Coast Guard authorities are strongest when a TSI occurs.
But what about a lower consequence event such as a slowdown? What were the consequences and impacts? Well, they were also expansive, and impacted imports, exports, and jobs.
Auto manufacturers such as Honda, Toyota and Subaru—even though they are foreign automakers they have U.S. production facilities—had to reduce production because their supply of parts from Asia was disrupted. Wal-Mart experienced reduced inventory, particularly in electronics, resulting in a hit to their earnings. But it was exporters, and specifically agricultural exporters that were hardest hit. U.S. meat exporters had to put millions of pounds in cold storage, costing $85 million per week. California citrus exports were cut in half, and Washington state apple exports were also hard hit.
So, what did companies do? How did they prepare, and how did they respond? Well, many big box retailers like Wal-Mart and Target already have existing distribution strategies—the so-called 4-corners strategy brings cargo into to several ports even though they could bring it more cost effectively into just one—so you essentially don’t put all your eggs in one basket. They also have contingency plans, in the event their supply chains are disrupted for any reason—such as a natural disaster or a labor shortage—so they implemented these strategies.
Other companies, such as auto manufactures used alternative shipping methods such as air cargo to ship high-value items, and some companies with lower value items on order used air cargo and took a loss, just to ensure their customers remained supplied and satisfied. Still others rerouted or simply delayed shipments.
So, it’s useful at this point to briefly discuss the different categories of cargo…and contingency options. Containerized cargo is likely the easiest form of cargo to reroute, because a large number of port terminals are able to handle containers. However, other cargos such as petroleum products or break-bulk do not have as many re-routing options—this is because of the specialized handling and storage equipment these cargos require.
Recall, that this time last year, a vessel collision in the Houston ship channel, caused an oil spill that shutdown the ship channel for several days. Refineries need to operate at near capacity, both because of design, and to ensure profit. The channel shutdown interrupted tanker deliveries, and refineries, who only keep a limited reserve on hand, were looking at the possibility of shutting down plants—this would have had immediate consequences on the transportation sector.
We also have to do some thinking on how much inherent resiliency exists in our port facilities. The shipping industry is very efficient but many U.S. port facilities and terminals are already at or near capacity. So what are we doing to deal with that? Port operators are making them more automated so they can handle more cargo! In terms of the cyber realm, additional automation potentially introduces more cyber risk. We are going to have to think how we can mitigate this additional risk. Because we’ve become hyper-efficient, it adds difficulty to resiliency planning, as there’s just not a lot of extra capacity in our maritime transportation system.
In response to JohnDuncan’s question, what can port facilities and shippers take to protect against cyber vulnerabilities? One of the easiest and first steps port facilities and shippers can take is to conduct a vulnerability assessment. And, Tiffany Jones and Andrew Bertolazzi point out, this should also include a risk assessment. Doing so will provide you with a baseline. Vulnerability and risk assessments in most cases can be done at a relatively low cost, in relation to other cyber security steps, and they provide a benchmark on where you stand, and where you can extend a cyber security trackline of sorts as you attempt to better secure your operations.
Read the series:
This blog is not a replacement or substitute for the formal posting of regulations and updates or existing processes for receiving formal feedback of the same. Links provided on this blog will direct the reader to official source documents, such as the Federal Register, Homeport and the Code of Federal Regulations. These documents remain the official source for regulatory information published by the Coast Guard.