Final Report: Coast Guard Should Take Additional Steps to Secure the Marine Transportation Systems Against Cyber Attacks
The U.S. Coast Guard has made progress in enhancing the cyber posture of the Marine Transportation System (MTS) by establishing maritime cybersecurity teams over the past two years, in line with statutory requirements, according to a final report published by the Department of Homeland Security’s Office of Inspector General (OIG). Based on its findings, the report makes four recommendations to improve the Coast Guard’s cyber readiness and the precautions it takes to secure the U.S. supply chain. DHS concurred with all four recommendations.
The report found that these teams, which became operational in 2021 as Cyber Protection Teams (CPTs), provide services that help industry stakeholders prevent and respond to malicious cyber activity. Despite these efforts, adoption remains limited: stakeholders in only 36 percent of Coast Guard sectors have requested and received these services. This hesitancy among private industry stakeholders to use the offered cybersecurity services is a significant obstacle to fully implementing the Coast Guard’s cybersecurity readiness strategies for protecting the supply chain.
The OIG report recommends that the Coast Guard’s Cyber Command and Office of Port and Facility Compliance formulate and execute a strategic action plan with specific benchmarks. The plan would enable the Cyber Protection Teams and the Maritime Cyber Readiness Branch to collaborate effectively with the Marine Transportation Security Specialists–Cyber (MTSS-Cs). The goal is to improve coordination and build stronger working relationships with private industry stakeholders.
Concurring with this recommendation, DHS noted that Coast Guard Cyber Command, the Office of Port and Facility Compliance, and the Office of Cyberspace Forces regularly collaborate with the MTSS-Cs on cyber risk management activities. “In May 2024, Coast Guard hosted a workshop with MTSS-Cs that included cyber risk management on the agenda. The workshop also initiated a plan of action to further build industry relationships. DHS estimates these actions will be completed by April 30, 2025,” the report added.
“We believe the development of a plan of action to further build industry relationships is in line with our recommendation,” according to the OIG analysis. “We will close this recommendation once we are able to review this plan and learn more about the planned implementation, the work with CPTs, and the benchmarks for completion. This recommendation is open and resolved.”
The report also recommends that the Coast Guard’s Assistant Commandant for Prevention Policy finalize and issue cybersecurity-specific regulations granting enforcement authority for facility and vessel inspections. DHS concurred, noting that on Feb. 22, 2024, the Coast Guard published a Notice of Proposed Rulemaking entitled ‘Cybersecurity in the Marine Transportation System.’ The Coast Guard used the Notice of Proposed Rulemaking to seek public comment on proposed regulations establishing minimum cybersecurity requirements for U.S.-flagged vessels, Outer Continental Shelf facilities, and U.S. facilities subject to MTSA regulations.
The public comment period ended on May 22, 2024. The Coast Guard is currently reviewing public comment results to determine the next steps. DHS did not provide an estimated date of completion.
“We believe the Notice of Proposed Rulemaking adheres to the intent of our recommendation. Finalization and publication of this new set of regulations will help Coast Guard with its cybersecurity enforcement authorities,” according to OIG analysis. “We will close this recommendation once we review the finalized, published regulations to ensure alignment with the recommendation. Because there is no estimated completion date, this recommendation is open and unresolved.”
The OIG report further recommends that the Coast Guard’s Office of Port and Facility Compliance develop standardized cybersecurity training focused on enforcement authorities. DHS concurred, adding that the Coast Guard’s Force Readiness Command is actively developing a Marine Safety Personnel Cyber Training e-learning course with input from other Coast Guard entities. However, formal training of the Coast Guard workforce on compliance and enforcement activities under Coast Guard cybersecurity regulations depends on publication of a final rule on cyber risk management, and DHS did not provide an estimated completion date.
“We believe this new training, when brought in line with the proposed new regulations, will provide much-needed instruction to Coast Guard personnel,” according to the OIG analysis. “We will close this recommendation when we review course materials and Coast Guard provides information on how this training will be disseminated to appropriate personnel. Because there is no estimated completion date, this recommendation is open and unresolved.”
Finally, the report recommends that the Office of Port and Facility Compliance evaluate and confirm whether the Marine Transportation Security Specialist–Cyber position description and job series adequately reflect the demands and requirements of the role. DHS concurred. The Office of Port and Facility Compliance and the Office of Cyberspace Forces are reviewing the existing position description and job series and comparing each against MTSS-C expectations and experiences in the field. This was also a topic of discussion during the May 2024 MTSS-C workshop mentioned under the first recommendation.
Feedback from this workshop is under evaluation and will be included in the final determination as to whether the MTSS-C position description and job series are correct and whether any further actions are appropriate. DHS estimates completion of this work by April 30, 2025.
“We believe a multi-faceted review of the MTSS-C position will provide Coast Guard leadership with important information to evaluate the position description and job series,” according to the OIG analysis. “We will close this recommendation once we review workshop feedback and the overall evaluation and determination documentation as Coast Guard works through this process. This recommendation is open and resolved.”
The Coast Guard took steps to enhance the cyber posture of the maritime environment but faces challenges in implementing cybersecurity readiness measures and precautions at U.S. ports and on U.S. waterways. Specifically, the Coast Guard implemented services to aid private industry stakeholders at U.S. ports and on U.S. waterways. However, in fiscal year 2022, private industry stakeholders in only 36 percent of the Coast Guard’s sectors requested and received services provided by the Coast Guard’s CPTs.
Further, facility and vessel inspections did not always address cybersecurity, and the Coast Guard is not adequately staffed to provide cyber expertise for these inspections. These challenges occurred because industry stakeholders are hesitant to use the Coast Guard’s cybersecurity services, the Coast Guard does not have the authority or training to enforce private industry compliance with standard cybersecurity practices, and the job series classification for a key cybersecurity position leads to hiring delays.
The report identified that due to these challenges, the Coast Guard cannot fully ensure compliance with cybersecurity measures intended to protect the MTS’ ports and waterways or provide awareness, guidance, and expertise to safeguard private industry stakeholders’ assets. “Without these protective measures in place, the U.S. supply chain will remain vulnerable to the exploitation, misuse, or simple failure of cyber systems, which may lead to injury or death, harm the marine environment, or disrupt vital trade activity,” it added.
It added that although industry stakeholders identify and report cyber events, they do not consistently request CPT services to improve their cybersecurity posture.
“Both Coast Guard and private industry stakeholders told us industry stakeholders are hesitant to request Coast Guard’s CPT services, given Coast Guard’s traditional role in regulating and enforcing laws,” the report detailed. “Coast Guard personnel said industry stakeholders are reluctant to seek CPT services due to concerns that CPT may issue fines if it identifies cyber deficiencies or instances of poor cyber hygiene. Further, according to Coast Guard personnel, industry stakeholders with very small operations are reluctant to use CPT services, in part, because they may not be able to afford enhancements to their already outdated or vulnerable information technology equipment.”
The report found that, in line with the Maritime Transportation Security Act of 2002 (MTSA) and the Code of Federal Regulations (C.F.R.), the Coast Guard conducts vessel and facility inspections. “These vessel and facility inspections primarily focus on physical safety and security issues, such as whether firefighting equipment is functional, alarm systems are operational, and navigational systems work. Despite Coast Guard’s internal instructions and job aids implementing the inclusion of cybersecurity elements during vessel and facility inspections, eight of the nine inspections we observed did not address cybersecurity on vessels and within facilities.”
“Reviewing cybersecurity elements includes looking at basic cyber hygiene (such as locked workstations or openly displayed passwords) or determining whether a cybersecurity event was a factor in the failure of an onboard system,” the report pointed out. “If inspections do include cybersecurity, the inspector usually only checks whether the vessel or facility has completed cybersecurity paperwork. At one location, a facility supervisor stated that facility inspectors used a cyber job aid provided by the Coast Guard Office of Port and Facility Compliance to review cybersecurity during each inspection. Yet, when the audit team spoke separately with facility inspectors at that location, they admitted to not reviewing cybersecurity during the inspections and only focusing on physical safety.”
The report also noted that Coast Guard inspectors were not conducting cybersecurity checks despite requirements to do so, mainly because of a lack of standardized cyber training. Inspectors across three sectors said they received minimal cybersecurity training, and only during annual DHS-wide sessions. Some expressed interest in more training tied to enforceable regulations, while others pointed out the disadvantage inspectors face without proper guidance.
It added that the Coast Guard partners with an educational institution for specialized maritime cybersecurity courses, but funding limitations restrict the number of attendees. Without a formal training program, inspectors rely on written guidance and job aids. However, the provided guidance may be challenging to implement effectively, leaving gaps in critical areas like vetting third-party vendors and updating access control systems. The Coast Guard’s Office of Port and Facility Compliance emphasized the need for cybersecurity regulations to establish proper training for inspectors.
In February 2021, the Coast Guard introduced the Marine Transportation Security Specialist–Cyber (MTSS-C) role to enhance the maritime transportation system’s cybersecurity. MTSS-Cs collaborate with Coast Guard districts, private industry, and stakeholders to implement cybersecurity regulations, serve as liaisons, and prepare for and respond to cybersecurity incidents in the marine transportation system.
Another challenge the report identified is that hiring qualified personnel for the MTSS-C position is hampered by its classification in the GS-0301 Miscellaneous Administration and Program series rather than the GS-2210 series typically used for cybersecurity positions. The GS-0301 classification opens the position to a broader range of applicants, at the risk of missing technically proficient candidates.
Additionally, the GS-0301 classification makes it difficult to use direct hire authority, limiting the Coast Guard’s ability to fill the position quickly with qualified candidates. By contrast, the Cybersecurity and Infrastructure Security Agency (CISA) uses direct hire authority for cyber positions under the GS-2210 series, a practice permitted by OPM guidelines.
In its conclusion, the report said that with $5.4 trillion flowing through it annually and 90 percent of U.S. imports and exports passing through the marine environment, the marine transportation system is a prime target for hostile nations and cybercriminals. Coast Guard Cyber Command has noted attacks on logistics and technology companies, including providers of ship management software, that could affect multiple organizations simultaneously. The Coast Guard is enhancing marine transportation system cyber defenses with complimentary cybersecurity services and sector-specific Cybersecurity Advisors, fostering industry resilience against cyber threats. Some organizations, however, remain hesitant to report incidents to the Coast Guard.
“Without regulations providing the authority to better govern cybersecurity, Coast Guard will remain unable to enforce industry stakeholder compliance with cybersecurity measures intended to protect the MTS,” the report disclosed. “Additionally, without trained cyber personnel in the districts and sectors to work with industry stakeholders, understanding of cyber vulnerabilities and the use of Coast Guard–provided cybersecurity services will not spread quickly. Limited regulatory authority and inadequate training and subject matter expertise across Coast Guard sectors impede Coast Guard’s ability to carry out its responsibilities for securing the MTS against cyber threats.”
Earlier this month, CISA enhanced its Marine Transportation System Resilience Assessment Guide (MTS Guide) by introducing a new user-friendly web-based tool for maritime stakeholders. The update adds new resources and tools to better evaluate and address the resilience of port networks as well as the inland marine transportation system.