Published on July 12th, 2019
Call Out Bad Cyber Hygiene to Protect Ports
Poor cyber hygiene practices that could lead to crippling disablements in critical ports need to be called out on a continuous basis to motivate and inform better cybersecurity, the Coast Guard’s cyber chief said.
Rear Adm. David Dermanelian, assistant commandant for C4IT (CG-6) and commander of Coast Guard Cyber Command, said at the Government Technology and Services Coalition’s USCG Day that the Coast Guard is focused on defending its portion of the network to ensure mission support and making sure information gets to and from the people who need it.
That extends to protection of portions of maritime operations that depend on cybersecurity – if crane operators were disabled, for instance, it could cause chaos at that port.
Dermanelian noted that “there are many different places where you could disrupt a port and cause hundreds of millions of dollars’ impact if you disrupt a port for a day.”
“Cyber is not a self-licking ice cream cone – it’s got to be linked to a larger operation,” he said, stressing that while the Coast Guard can’t defend all of cyberspace the most important aspects of cyber terrain must be identified and one “better have a plan for when things go bump in the night.”
The Coast Guard is standing up a 39-person cyber team in which a team of three to five cyber experts can respond to a port cyber event, advise the sector commander and ask them to exercise a remediation plan. In addition, the Coast Guard can call upon its relationship with the Department of Homeland Security’s cyber response team to bring its expertise and support when needed.
Dermanelian said one of the challenges in enforcing good cyber hygiene is “compliance doesn’t motivate folks very much.” Sharing actionable threat information, though, “motivates folks to then go back and comply because they know there’s someone who’s actually taking advantage of [the vulnerability].”
“If an adversary was successful, highlight it,” he said. “Let’s hold ourselves accountable for how that happened.”
Commercial firms, Dermanelian said, often don’t understand when an adverse event happens on the cyber front that bad cyber hygiene is “like shaking a hundred hands at a conference and not washing your hands before picking up a burger.”
Cameron Naron, director of the Office of Maritime Security at the Maritime Administration (MARAD) and a retired Coast Guard officer, stressed that ports are not unitary entities and the cyber defense ops within are segmented. On the ship side, larger operators do a “pretty good job” with fairly robust IT departments, he said, “although they don’t have everything locked down.”
“Most of the U.S. flag carriers do not have their own IT or cyber departments,” he noted. Most ships also don’t have IT staff aboard vessels.
A major deficiency, Naron said, is the lack of a maritime information sharing and analysis center (ISAC) to ensure carriers know the “nitty gritty details” of events such as the 2017 NotPetya malware attack that knocked out operations at Maersk. MARAD is working with industry to support the creation of a maritime ISAC, he said, “but they’ve got to get it off the ground.”
MARAD is also working to ensure that the Ready Reserve Force is equipped to confront cyber challenges as well as national emergencies. “How do we train for operating in a contested environment?” Naron asked. “Who are we training? There is a need; we’re just in a nascent phase of getting proper training to the ships when needed.”
“Then you’ve got to do something like that for industry, too,” he added.
Lt. Kevin Kuhn of the Coast Guard Office of Design and Engineering Standards highlighted a recent survey that asked maritime companies if they are prepared for a cyber attack. Ninety-four percent of small companies said they were completely unprepared.
Small companies, Kuhn said, lack the pressure from corporate leadership to shore up cyber defenses. Maritime hackathon events similarly draw large companies.
“That advances the body of knowledge, but how do we take that knowledge and put it in an easy-to-understand way for the smaller companies?” he asked.
Commander Jamie Embry of the Cyberspace Planning and Resources Division at the Office of Cyberspace Forces said it’s “going to take a cultural shift to recognize it’s more than IT” as the Coast Guard cyber domain continues to evolve.
“We are beginning to make that change starting with the cyber strategy,” she said.