Emerging Policy

7/25/2017: Recap of remarks by Rear Adm. Paul Thomas at AAPA’s port security seminar

Assistant Commandant for Prevention Policy Rear Adm. Paul Thomas recently spoke at the American Association of Port Authorities Port Security Seminar and Expo in Chicago, Illinois. The expo brought members together to take a closer look at securing America’s ports from the inside out, with a special focus on supply chain security and the related cybersecurity and security technology. Thomas’s keynote address July 19 kicked off a full agenda that included presentations by the Port of Chicago, Coast Guard Marine Safety Unit Chicago, the Chicago Police Department, and the Transportation Security Administration, among many others.

Thomas’s remarks are not ‘as delivered’ but provide a condensed version of the highlights in the ‘panel-conversational’ style.

Submitted by Rear Adm. Paul Thomas, assistant commandant for prevention policy

“Good morning. It is a pleasure to be here with so many port security professionals. This is my last public speaking engagement as the assistant commandant for prevention policy and it is fitting that I am here with AAPA today because it was one of my first speaking engagements when I started this assignment about three years ago.

I’ve often been asked, ‘Admiral, when will we be done securing our ports – how much more security do we need to buy? What keeps you awake at night?’

The response to both can be summed up in one sentiment: we will never be “done” securing our ports. And it’s the complacency implied in the question that keeps me awake at night.

Even in today’s complex geo-political and all-threat environment, as security professionals we must constantly fight complacency and this is why I thank and congratulate AAPA for keeping us focused on the important and emerging port security issues. Congratulations on a full and impactful agenda for this conference and for bringing so many thought-leaders together to ensure we continue to evolve strategies, policies, technologies, and information sharing practices to match the evolving threat.

When I last spoke with you, I talked a lot about the emerging threats in the cyber domain and how we all needed to start thinking about the cyber equivalent of basic physical security measures; a cyber fence, gate, guard, and surveillance system. This is no longer an emerging threat; it is a very real threat and although we have made significant progress, it is very apparent that we have much work to do.

I want to talk for just a few minutes about physical security. I worry that with the focus on cyber we run the risk of losing focus on physical security. If an enemy wants to kill or injure a lot of people or severely damage the environment at a port complex, physical attacks, not cyber attacks, remain the most effective means for a lot of reasons.

This is one of the reasons why the TWIC reader rule was drafted to apply to facilities where those high consequence targets exist, in a tank or in a ship, regardless of the intent to transfer cargo. As we work to modify the TWIC reader rule in response to industry concerns about the expanded applicability in the final rule, we’ll need your help to develop requirements based not on a safety paradigm – which addresses risk associated with the transfer of cargo – but on a security paradigm – which addresses risk based on the presence of cargo. We look forward to your thoughts on that.

The fact of the matter is that regulation can help form a baseline or foundation for a secure port facility – but it can never really provide security. That’s your job. Industry initiatives and innovation are the only way we will stay ahead of the threat and, again, why gatherings like this one remain relevant and important.

Nowhere is this truer than in the realm of cyber security. If physical attacks are the way to kill people, cyber attacks are the way to kill businesses and disrupt trade. You own the risk to business systems and cyber attacks that disrupt trade and, at least right now, the federal government, including the Coast Guard, has very little ability to influence your governance over that cyber risk.

Make no mistake. To the extent that you rely on cyber systems to comply with Coast Guard regulations regarding safety, security or environmental standards, we can and will influence your governance of the risk inherent in those systems; you already own the liability associated with the failure of those systems. To that end, you may have noticed the recent publication of a NVIC with guidance for MTSA facilities on cyber risk management. These are guidelines to help you understand which cyber systems you do rely on as part of your compliance strategy for Coast Guard regulations, and to assist in installing governance to manage that risk. Our goal is to require that FSPs [facility security plans] and VSPs [vessel security plans] identify critical cyber systems and describe the governance over those systems including who is in charge, how the systems are operated and maintained, what training is needed at every level of the organization, and what to do when intrusion or malfunction is detected. Ultimately, critical cyber systems at port facilities will be required to meet performance standards and be operated and maintained as outlined in the FSP. It might require regulation to achieve these standards at every port facility, but the simple existence of Coast Guard guidelines should be enough to ensure that industry standard practice is at least as good as our recommendations – especially at high risk facilities.

But, as the recent ransomware attack on APM terminals proved, there is a lot of cyber risk in business systems that might be beyond direct influence by regulators like the Coast Guard, but that can still disrupt business and trade, and produce the associated physical impacts on the port such as long queues for ships, trucks, trains, and chassis.

The APM attack was the first time we’ve seen in the U.S. a simultaneous impact on cyber systems in a massive geographic area – in this case in five different ports around the nation. This is why I say physical attacks can kill people; cyber attacks can kill businesses. The actual attack in this case was on systems in another country, and in fact intended for a completely different target, yet port facilities in the U.S. were impacted as they chose to shut down certain cyber systems as a defense mechanism to stop the spread of the ransomware.

There is a lot the Coast Guard can and did bring to this type of incident. As you know, we are in the ports, well-networked and ready to take action to help mitigate and manage the impacts. Working through the AMSCs [Area Maritime Security Committees] we were able to quickly ascertain the impacts and help spread the word, both with port facilities but also interagency between the ports impacted and in D.C. Through our international networks we quickly learned about the impacts and action overseas at the point of the attack, and used that information to assess the potential for additional impacts here in the U.S.

However, there is a lot the Coast Guard cannot do during these types of incidents. As you know, ports are complex in every way, including jurisdictionally. Add to that the complexity of cyber systems and the difficulty in determining attribution, and you’ll understand that it is difficult to answer the ‘who’s in charge’ or ‘who has the authority here?’ questions. We can’t always bring clarity to these incidents – particularly early on.

We can’t bring expertise to help you understand, manage or fix the cyber aspects of these incidents. We can pass along advice from CERT or NCCIC, but we can’t advise you on how to prevent the spread or reduce the damage.

We can’t help you determine when the threat has passed, or when it is safe to restart the systems.

And while we can and will exercise our authority to ensure that cyber failures do not damage people, the port, or the environment, we can’t exercise our authorities to ensure your business partners won’t damage your business systems.

We are conducting an extensive hotwash of the APM incident. We’ve already made some changes in our communication protocols. We’ll share any lessons learned because you can rest assured, we’ll be talking about another cyber incident impacting port facilities again soon.

Thank you for your time and attention this morning. I look forward to your thoughts.”

This blog is not a replacement or substitute for the formal posting of regulations and updates or existing processes for receiving formal feedback of the same. Links provided on this blog will direct the reader to official source documents, such as the Federal Register, Homeport and the Code of Federal Regulations. These documents remain the official source for regulatory information published by the Coast Guard.
