The U.S. Department of Homeland Security, Coast Guard and Federal Emergency Management Agency (FEMA) have been taken to the woodshed in a General Accounting Office (GAO) report on maritime cybersecurity.
The GAO said the response to mandates to improve computer security efforts, such as protecting the networks that manage shipping ports, has been limited. The report says that while the Coast Guard and FEMA have battened down physical security at the ports, risk assessments have yet to be conducted to determine critical vulnerabilities and the consequences of their exploitation.
“Coast Guard officials stated that they intend to conduct such an assessment in the future, but did not provide details to show how it would address cybersecurity,” the GAO said. “Until the Coast Guard completes a thorough assessment of cyber risks in the maritime environment, the ability of stakeholders to appropriately plan and allocate resources to protect ports and other maritime facilities will be limited.”
The Coast Guard is expected to update its cybersecurity guidance this year, but the GAO cautions that without a risk assessment, there are likely to be shortcomings in protecting critical systems, as well as in sharing threat information.
The GAO also hammered FEMA, which prioritized cybersecurity funding in 2013, for not consulting with computer security experts to review any mitigation proposals. The report said the Coast Guard’s lack of a risk assessment is also partly to blame.
“Because the Coast Guard has not assessed cyber-related risks in the maritime risk assessment, grant applications and FEMA have not been able to use this information to inform funding proposals and decisions,” the GAO said. “As a result, FEMA is limited in its ability to ensure that the program is effectively addressing cyber-related risks in the maritime environment.”
U.S. ports move more than $1.3 trillion in cargo annually, and any disruption to that flow from a criminal or nation-state hacking operation would impact the country’s economy, the GAO said.
DHS wants to see the Coast Guard and FEMA wrap up the maritime risk assessment and use those results to build a cyber-related risk plan for the sector, the report said.
Government officials are concerned that ports would be at a significant disadvantage if criminals were able to attack a network, shut down surveillance or manipulate tracking of vessels and cargo.
The report also highlights a 2013 attack in which hackers infiltrated a foreign port network and executed malware on the system in order to track the movement of containers in which they were smuggling drugs.
“A criminal group used hackers to break into the terminal operating system to gain access to security and location information that was leveraged to remove the containers from the port,” the GAO said.
Europol said the attackers hacked into computers at two container terminals and a harbor company. They did so by sending infected attachments via email to staff members, installing keyloggers and stealing credentials needed to access key systems.
“Once the computers were under their control, the group could follow ‘their’ container and upon arrival, unload it to a location and at a time of their choosing,” a 2013 Europol report said. “This in return enabled the criminal group’s drivers to access the container before the normal harbor staff would.”