News

Experts Offer Cybersecurity Guidance In AWO Webinar

The latest in a series of webinars offered by The American Waterways Operators featured Coast Guard and civilian experts in cybersecurity sharing the latest tips and development in the ongoing battle to maintain security in the systems on which inland traffic increasingly relies. 

The webinar, titled “Cyber Risk Management: 2021 Outlook for the Towing Industry,” held January 27, was hosted by Caitlyn Stewart, director of regulatory affairs for AWO. Speakers included Lt. Cmdr. Kelley Edwards, of the critical infrastructure protection branch of the Coast Guard’s Office of Port and Facility Compliance; Lt. Nate Toll, deputy and operations officer of the Coast Guard’s newly created Cyber Protection Team; and Lessie Longstreet, global director of outreach and partner engagement at the Cyber Readiness Institute. 

Edwards began by reminding participants of the Coast Guard’s Cyber Strategy, published in 2015, which outlines its goals: defending cyberspace, enabling operations and protecting infrastructure. Email spoofing remains one of the most-used gateways into systems for bad actors. Kelley referred to one particular spoofed email attack in which email senders impersonated Coast Guard officials, which resulted in a cascading set of spoofed emails. 

NVIC 01-20 offers guidance on how to comply with existing regulations on cyber security for shore facilities, but it does not create new obligations or regulations, she said. A companion NVIC specifically for vessels is under preparation, but some of the information in this NVIC can also prove valuable to vessels. 

A document released by the Coast Guard last October, CVC-WI-027, “Vessel Cyber Risk Management,” urges vessels to include cyber risk measures into their towing vessel safety management systems, which would bring them into compliance with international standards.

SolarWinds Breach

The Coast Guard also issued a Marine Safety Information Bulletin on the SolarWinds software breach. In December, it was discovered that sophisticated malicious actors had been able to insert multiple “Trojan horse” packages into software offered by SolarWinds, a company based in Austin, Texas, that provides network operating software for at least 300,000 customers including “numerous” government agencies around the world. According to a recent SEC filing by SolarWinds, approximately 18,000 of their 300,000 customers were running vulnerable versions of the SolarWinds Orion platform. The malware “allowed for elevated credential access [to the attackers] and lateral movement throughout the network and the ability to create other persistent devices on the network.” The Coast Guard urged all entities using any version of this software to take immediate action.

The Coast Guard policy letter of 2016 gave guidance on how to report cyber incidents and breaches of security, both for vessels and shoreside facilities. Kelley urged all parties concerned about cyber incidents to contact their local captains of the port, who can guide them to resources to help them assess vulnerabilities and improve their security plans. These will have to be submitted to the Coast Guard beginning in October of this year, extending through October 2022.

Lt. Nate Toll described the activities of the Coast Guard’s Cyber Protection Team, which was set up about six months ago. While the team cannot, at present, act as a first responder to cyber incidents as private contractors do, it can perform threat-hunting on a network to help uncover buried malware and “help you clear adversary activity,” he said. The team can also do simulated attacks to assess vulnerabilities. Interested parties can request a visit from a CPT team by sending a request to maritimecyber@uscg.mil. 

Lessie Longstreet spoke about cyber threats to small business, which make up the majority. She said 80 percent of businesses have fewer than 10 employees, and 95 percent have fewer than 100. Sixty-seven percent of small business fail to survive a cyber breach. The average cost of a cyber breach is $3.92 million. 

The Cyber Readiness Institute, founded in July 2017, develops free resources to improve cyber readiness for small and medium-sized businesses. Most of their resources focus on human behavior, she said.