GAO finds gaps in Coast Guard’s cybersecurity strategy

(WASHINGTON) — Owners and operators of U.S. maritime facilities and vessels rely on systems that are connected to internal and external networks – including the internet. These facilities and vessels face heightened cybersecurity risks from certain nations and transnational criminal organizations.

The U.S. Coast Guard provides guidance for and inspects facilities and vessels that are subject to cybersecurity-related requirements. But it can’t readily access complete information on these inspection results – which can make oversight harder. The Government Accountability Office (GAO) made five recommendations to address this and other issues it found.

What GAO found

The Maritime Transportation System (MTS) faces significant and increasing cybersecurity risks including:

• Threat actors – China, Iran, North Korea, Russia, and transnational criminal organizations pose the greatest cyberthreats to the MTS.
• Vulnerabilities – MTS facilities and vessels increasingly rely on technology that is vulnerable to cyberattacks.
• Impacts – According to federal and non-federal officials, cyberincidents have affected port operations, and the potential impacts of future incidents could be severe.

To help address these risks, the Coast Guard assists MTS owners and operators by offering direct technical assistance, providing voluntary guidelines for implementing cybersecurity practices, and sharing cyberthreat information. The service also provides oversight through facility and vessel inspections, including the identification and documentation of cybersecurity-related deficiencies.

However, the Coast Guard cannot readily access complete information on inspection results specific to cybersecurity from its system of record (Marine Information for Safety and Law Enforcement). Updating its system to provide ready access to complete information on all cybersecurity-related deficiencies would help the Coast Guard better provide oversight of owners and operators and help position the service to prevent cyberattacks that could impact the MTS.

Although the Coast Guard developed a cyberstrategy to address MTS cybersecurity risks, it did not fully address all of the key characteristics needed for an effective national strategy. Specifically, the cyberstrategy fully addressed the key characteristic related to purpose, scope and methodology, but did not fully address the other four characteristics, as shown in the table below. Addressing all of the key characteristics would better position the Coast Guard to ensure its actions and resources are addressing the highest cybersecurity risks.

Further, the Coast Guard has not fully addressed leading practices to ensure its cyber workforce has the competencies needed to address MTS cybersecurity risks. Specifically, the Coast Guard has not fully developed competency requirements. In addition, the Coast Guard has not fully assessed and addressed competency gaps for its cyber workforce. Until it does, the Coast Guard will not have assurance it is effectively mitigating cybersecurity risks to the MTS.

Why GAO did this study

The MTS is an essential critical infrastructure subsector, handling more than $5.4 trillion in goods and services annually. As the lead risk management agency for the subsector, the Coast Guard is to protect the system from all threats, including those related to cybersecurity.

The James M. Inhofe National Defense Authorization Act for fiscal year 2023 includes a provision for GAO to review cybersecurity risks to the MTS, including vessels and facilities. This report addresses (1) cybersecurity risks to the MTS; (2) the Coast Guard’s efforts to assist and oversee MTS owner and operator actions on cyber risks; (3) strategic planning to mitigate these risks; and (4) implementation of leading practices on cyber workforce competencies.

GAO reviewed federal and industry reports on MTS cybersecurity risks, federal statutes and regulations, and Coast Guard documentation and inspection data from fiscal year 2019 through June 2024. GAO also interviewed federal and non-federal stakeholders at four ports based on volume of trade, geographic dispersion and other factors.

Recommendations

GAO is making five recommendations, including that the Coast Guard (1) update its system of record to provide ready access to complete cyberdeficiency data; (2) ensure its cyberstrategy and plans align with all key characteristics of a national strategy; and (3) analyze, assess and address workforce competency gaps. The Department of Homeland Security concurred with GAO’s recommendations.

– Government Accountability Office

By Professional Mariner Staff