Port Security Grant Program: Why Cyber Risk Management Must Be a Core Component of Your Application
As of this writing, port authorities, terminal operators, shipping companies, cruise lines and other stakeholders throughout the maritime domain are hard at work considering their strategies for taking advantage of the 2018 Port Security Grant Program (PSGP) that was announced this week. Within this program, there is a unique opportunity for ports to reconsider their approach to one of the top threats to our country, to our economy, and to our maritime lifeline: cyber-attacks. On page 47 of the 2018 PSGP Notice of Funding Opportunity (NOFO), “Improving Cybersecurity Capabilities” is highlighted, and in particular, the focus is put on management of cyber risks. But as our community considers its grant applications, similar questions arise across the entire domain when it comes to cybersecurity:
What exactly is “cyber risk management” and how is it different than “cyber security”?
How can port operators prioritize the many areas of cybersecurity projects suggested? (e.g. “…projects that enhance the cybersecurity of access control; sensors; security cameras; badge/ID readers; ICS/SCADA systems; process monitors and controls (such as those that monitor flow rates, valve positions, tank levels, etc.); security/safety of the ship-to-port-to-facility-to intermodal interface, and systems that control vital cargo machinery at the ship/shore interface (such as cranes, manifolds, loading arms, etc.); and passenger/vehicle/cargo security screening equipment.”)
What strategy will use the PSGP funding in a way that offers attractive time to value and then can scale across the entire port infrastructure and benefit all maritime/port operations stakeholders (including 3rd party vendors)?
What approach is sustainable, scalable, adaptive and, most importantly, affordable to a port operator, terminal operator, shipping company, cruise line or third party vendor, regardless of size?
By considering these and related questions carefully, port operators can make the most effective use of the PSGP funding by focusing on cyber risk management using a “B.E.S.T” value framework: it Benefits all stakeholders, is Enterprise-wide, is Scalable, and offers fast Time-to-Value.
Why this is so important to the PSGP and United States ports
Experts have pointed out that the growing “Internet of Things” (“IoT”) is rapidly finding its way into port operations. Riley Walters said it best in his Heritage Foundation article, The U.S. Needs to Secure Maritime Ports by Securing Network Ports.
“With port and vessel network systems implementing new technology, stakeholders are moving away from traditional stand-alone systems, and maritime industrial control systems (ICS) are becoming more integrated. While new systems help to streamline production and increase the flow of trade, the number of vulnerabilities in network systems is also increasing. Cyber threat actors continue to find new ways of accessing network systems, through traditional land-line connections, new or pre-existing Wi-Fi ports, and USB-introduced threats, such as installing malware (Stuxnet) or extracting information (Edward Snowden). Vulnerabilities in smaller systems can be exploited to gain access to larger networks—a time-consuming type of attack for the everyday hacktivist, but a credible investment for drug smugglers and nation-state sympathizers.”
The connection of maritime operations to the IoT is also illustrated by David Pogue in his Yahoo story, Royal Caribbean is Making a Big Bet on Technology:
“For the last few years, Royal Caribbean (RCL) has been on an almost maniacal push to turn its cruise ships into technology showpieces. Most of the developments are one-off technologies, massively expensive and time-consuming to develop and debug: robot bartenders, battery-powered bumper cars, a dedicated satellite for providing internet service, and so on.”
This expansive digital footprint in maritime operations is also illustrated in the picture below (courtesy of the US Coast Guard briefing on Maritime Cybersecurity).
This expanse of digital port infrastructure is referred to as the “Threat Surface,” and the Threat Surface is growing exponentially every day.
“A port ecosystem includes many non-traditional IT assets that rarely get tested or protected, such as printers, cameras and bi-directional data exchanges. In addition, the mix of private or hybrid clouds, on-premises networks, co-managed systems and links to other systems from third party vendors or service providers, represents a very broad and rapidly expanding threat surface,” said Mark DuPont, Executive Director of the National Maritime Law Enforcement Academy. “This is further compounded when you consider the ‘Bring-Your-Own-Device’ world that we now live in. These are all entry points to your port operations, and the question becomes, ‘how do we keep up?’”
Consider the individual cyber security “tools” that ports, terminal operators, shipping companies, cruise lines and other stakeholders are using today and are likely to use in the future (e.g. network scanners, firewalls, etc.), and it becomes clear that this will always be a moving target. Cyber security tools are in a constant state of change; some become less effective while new tools may offer specific, new capabilities. But one thing they all have in common is that they generate data, and lots of it, focused on potential vulnerabilities. The more cyber tools, the more data. So where do you begin? When it comes to the cyber threat, there really is never a state of being secure, since ports are increasingly overwhelmed with the scale and scope of the cyber threats facing them, as reported in our White Paper, No Safe Harbors.
Cyber Risk Management vs. Security Management
The benefit of a cyber risk management approach is that it offers a framework for evaluating all cyber risks and then, based on threat intelligence applied to the vulnerabilities, provides the ability to prioritize the highest risks. With this consideration in mind, a cyber risk management strategy that Benefits all port security stakeholders is essential to creating and sustaining an enterprise-wide approach to understanding the entire port threat surface. This ensures the foundation for a truly comprehensive and complete view of the infrastructure, including 3rd party vendors.
With the Enterprise-wide port threat surface identified and validated, port security teams can use their current cybersecurity IT tools for vulnerability scans in conjunction with services like the RiskSense Platform, which ingests, scores and prioritizes all risks using global threat intelligence. Using a FICO-like or credit score type of risk scoring methodology called “RS3,” all stakeholders can view their scores from the highest port management level, down to the smallest port stakeholders. This cyber risk management approach provides continuous risk scoring and comparisons across all port systems and IT assets, helping focus resources more effectively on the highest risks.
This approach offers ports several key advantages:
1. Satisfies the requirements of the PSGP: (Taken from the FEMA 2018 PSGP NOFO)
… “applicants are encouraged to propose projects that would aid in implementation of all or part of the Framework for Improving Critical Infrastructure Cybersecurity…”
… “helps organizations understand, communicate, and manage their cyber risks”
…helps prioritize the focus on the highest risks across the port threat surface and better utilize the data from resources like the Department of Homeland Security’s Enhanced Cybersecurity Services (ECS) program, and
… provides a highly organized way to more effectively identify and manage existing gaps and required mitigation efforts, as well as support additional grant requests (e.g. “… mitigating projects may be funded that include purchase of equipment, software, and infrastructure designed to harden cybersecurity.”)
2. Provides an effective way to manage cyber risk over time:
An approach that can be implemented quickly, at low relative cost, and can then Scale up to support all port stakeholders, the growth of the company, or expansion to suppliers, vendors and partners.
Prioritizes the highest risks against the latest threat intelligence (RiskSense utilizes over 60 real-time threat intelligence sources to identify the highest risks) and maximizes the Time to Value for ongoing investments in cyber security.
Considerations for your PSGP Application
As ports consider their application for the PSGP funding, we recommend a proposal to fund the creation and implementation of a Port Cyber Risk Management program using the RiskSense platform as the basis for other cyber security improvements. Effective proposals may be developed using a “B.E.S.T” value framework:
Benefits all port security stakeholders, creating a unified and threat-centric approach to prioritizing the highest cyber risks. This does not replace or compete with the cyber security tools, but rather augments your current and future cyber security tools, services and practices at all levels. Adopting a common cyber risk methodology and prioritization approach like the RS3 score helps organize and focus actions, investments and resources.
Enterprise-wide, ensuring every IT asset of the entire port threat surface is identified, validated and managed based on a risk perspective. With this approach the weakest links can be prioritized and managed.
Scalable, allowing ports to start quickly, validate results and then cost-effectively extend to every corner of your port infrastructure.
Time-to-Value means gaining traction fast, improving the overall management of cyber risk and focusing the use of funding on the most critical areas.
Using the PSGP to jump-start major improvements to your port cyber security, and managing cyber risk with RiskSense as your partner, means all resulting actions and investments in cyber security will be much more effective if done within the framework of a comprehensive Cyber Risk Management program.
For as little as $12.50 per device in your organization, we can provide you with the Cyber Risk Management platform that can give you a “dashboard” type view of your organization (or the entire port) and identify the prioritized threats using the most advanced intelligence resources in the industry. Make your cyber security program proactive, rather than reactive.
We are ready to support your PSGP application and assist you in its writing and submission.
Contact us today for our PSGP application template.
For more information: Contact Chris Coyle at firstname.lastname@example.org or 401.524.7818