GAO: Cybersecurity lacking at US ports
Corianne Egan, Associate Editor | Jun 09, 2014 12:35PM EDT
The U.S. Department of Homeland Security will assess cybersecurity at ports across the nation after a report from the U.S. Government Accountability Office that showed the DHS wasn’t doing enough to stop cyber threats.
The GAO’s 50-page report, released last week, says the DHS, the U.S. Coast Guard and the Federal Emergency Management Agency need to beef up cybersecurity efforts at the U.S.’s 360 sea and river ports. The year-long investigation, which began in April 2013, showed that while on-the-ground security has been addressed, cybersecurity is lacking.
“Disruptions in the operations of our nation’s ports, which facilitate the import and export of over $1.3 trillion worth of goods annually, could be devastating to the national economy,” the GAO report said. “While the impact of a physical event (natural or manmade) appears to have been better understood and addressed by maritime stakeholders than cyber-based events, the growing reliance on information and communication technology suggests the need for greater attention to potential cyber-based threats.”
The DHS, in response to the report, said it is already working to include cybersecurity in its risk assessments for maritime infrastructure. Those risk assessments should help the DHS decide on a plan of action as it relates to cyber threats, and also will help FEMA guide funding initiatives. The DHS said research into the topic is ongoing and the department has no set date for the recommendations to be implemented.
There has not been a cyber attack that has managed to globally disrupt commerce, but a few examples exist of how hackers or terrorists could infiltrate maritime systems. The GAO cited a case the Europol European Cyber Crime Center picked up that showed hackers attempting to get into a terminal operating program to locate specific cargo containers containing smuggled drugs to remove them from a port.
Sea Intel founder Lars Jensen, who started a maritime cybersecurity company earlier this year, cited the recent penetration of systems at the Port of Antwerp, successful manipulation of the course of a vessel in the Mediterranean, and the “demonstrated ability to manipulate AIS (automatic identification system) data for existing vessels as well as (to) create fake AIS data,” emulating vessels and distress beacons as reasons for concern.
The GAO identified several areas where threats could occur. Terminal operating systems, business operating systems and industrial control systems are at risk, the GAO said, and can be compromised by viruses, hackers, phishing schemes and terrorist attacks. Any such event at a U.S. port could disrupt commerce, GAO said.
Since 2003, the GAO has continually rated nearly all government systems supporting infrastructure as high-risk targets. On Monday, the Center for Strategic and International Studies released a report by software company McAfee that said losses to individuals and companies worldwide associated with cybercrime could reach $575 billion per year.
The GAO’s report showed that the Department of Homeland Security has not done a risk assessment for U.S. ports, and that most security plans for ports didn’t include contingency plans for cyber attacks. Although FEMA does identify cybersecurity as an area that requires funding, the GAO said its granting process is lacking efficiency and expert analysis.
There are currently 43 port-area maritime security councils. The report also noted that a larger, national group, the Maritime Modal Sector Coordinating Council, has become defunct, and that the DHS and USCG should determine whether that council is of value when assessing cyber threats. The council is just one more way of information-sharing between the government and port shareholders, the GAO said.
No comments:
Post a Comment