CSC 2.0 Reports

Full Steam Ahead: Enhancing Maritime Cybersecurity

By Jiwon Ma, Will Loomis

U.S. waterways provide energy-efficient transportation options to move goods and people, but hackers have increasingly targeted the maritime industry.

Executive Summary

Since its inception, the United States has been a maritime nation dependent on its maritime transportation system (MTS) as vessels evolved from manpower-intensive wooden sailing ships to highly automated container ships. The U.S. MTS consists of approximately 25,000 miles of navigable waterways, 250 locks, 3,500 marine terminals, 29 container ports, thousands of recreational marinas, as well as the Great Lakes and St. Lawrence Seaway.

This infrastructure supports the tens of thousands of container ships, oil and gas carriers, chemical tankers, tugs and barges, cruise ships, ferries, and other vessels that drive a large portion of the U.S. economy and global trade.

In this vital subsector of U.S. transportation, operators rely on technologies and industrial control systems to navigate, communicate, and control various aspects of maritime operations vital to national security and prosperity. It is a highly distributed, diverse subsector composed of subsystems — ships, ports, shipping lines, shipbuilders, cargo handlers, traffic controllers, and many more — each of which represents a network of systems on its own.

A cyberattack against a complex maritime ecosystem could be devastating to the stability of the global economy. U.S. government and industry efforts to protect against such attacks, however, are lagging.

In its March 2020 final report, the congressionally mandated Cyberspace Solarium Commission repeatedly highlighted the need for better government-industry cybersecurity collaboration and better resourcing of government efforts to support the private sector. Picking up on this theme, a group of scholars at the Atlantic Council (including one of this report’s co-authors) published "Raising the Colors: Signaling for Cooperation on Maritime Cybersecurity," which proposed short- and long-term solutions to improve the cybersecurity of the MTS. Building on that monograph’s foundation, this report provides additional analysis of cyberattacks against the MTS along with recommendations to resource the subsector’s cybersecurity more fully.

The report is divided into three sections. The first section looks at how the cyber threat to the MTS has evolved in recent years. The next discusses U.S. government efforts to address cyber issues affecting the MTS. Last is a section with recommendations for Congress to ensure uninterrupted commerce and the movement of goods and people across U.S. borders.

If Congress acts on these recommendations, it can empower the MTS subsector by providing additional resources and grant-funding opportunities; supporting agencies in testing the resilience of the subsector’s operational technology (OT); and directing the U.S. Coast Guard (USCG) to develop programs to address challenges in the workforce. Lastly, in the tradition of the Cyberspace Solarium Commission, this report offers sample legislative text to demonstrate how lawmakers could implement these recommendations.

Recommendations for Congress

  • 1 – Mandate increased resources for the U.S. Coast Guard to support its responsibilities as a Sector Risk Management Agency (SRMA)
  • 2 – Establish an operational technology test bed within CISA to identify potential cybersecurity vulnerabilities for critical systems used within the MTS
  • 3 – Require U.S. Coast Guard participation in grant programs that will ensure sufficient funding for mitigating MTS cyber risk
  • 4 – Direct the U.S. Coast Guard to develop cybersecurity education and workforce programs