Safe Harbors: Securing Ports to Protect the Nation’s Critical Maritime Infrastructure

By Molly Manchenton

The last few years have reminded us supply chains are crucial to a functioning world economy—and our nation’s ports play a huge role in the chain. That’s why, with industry input, MITRE researchers are helping ports and shipping companies fend off cyberattacks by assessing and mitigating their system vulnerabilities.

Georgia’s Port of Savannah is one of the fastest-growing container terminals in the country. Between 2020 and 2021, its total container trade expanded by nearly 20 percent, generating more than $100 billion in sales and shipping for companies as diverse as Target, IKEA, International Paper, and Gulfstream Aerospace.

But a single cyber or marine casualty incident can close down the port completely, creating a ripple effect across critical infrastructure and disrupting the global supply chain, says Josie Long, MITRE cyber risk mitigation engineer.

“And all of it could be set into motion by somebody on the other side of the world,” she adds. Automation and system updates are not always completed domestically or shipboard.

Many connect cyberattacks with data breaches, but they can have operational impact as well. A cybersecurity strategy developed for the specifics of each location and asset helps ensure goods keep moving domestically and globally.

“Each port has different dynamics and is dramatically diverse,” Long says, describing the consequences of a mishap. “I always use the port of Savannah as an example. It’s one ship in, one ship out because of the narrowness of the channel. If there are any issues, it shuts down the port completely.”

Now, with industry input, Long and her MITRE colleague Michael Thompson, a critical infrastructure and cyber engineer, aim to help ports and shipping companies fend off cyberattacks by assessing and mitigating their own system vulnerabilities.

The Cybersecurity Framework Profile that Long and Thompson developed for liquefied natural gas (LNG) is posted on the National Cybersecurity Center of Excellence website.

Making Port Cybersecurity Affordable, Adaptable

The world’s largest and most-mature port operators and transportation companies can afford consultants to do this assessment and mitigation work for them. But not every organization in the maritime critical infrastructure sector has the resources. Thompson and Long’s work developing the profile will help organizations adopt and implement the full National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity, more commonly known as the NIST Cybersecurity Framework.

The NIST Cybersecurity Framework is voluntary guidance that helps organizations of all sizes better manage and reduce cybersecurity risk. It establishes a common language and process to help organizations secure data and systems.

One of the three main components of the NIST Cybersecurity Framework is what’s called profiles. Profiles are the alignment of the functions, categories, and subcategories with the business requirements, risk tolerance, and resources of the organization. A profile enables organizations to establish a roadmap for reducing cybersecurity risk that is well aligned with organizational and sector goals, and considers legal/regulatory requirements and industry best practices.

Hodgepodge of Targets Makes Ports Attractive to Attackers

Ports are target-rich environments. Thompson describes a multinational system of systems: individual vessels, ports and terminals, shipping lines, shipbuilders, intermodal transport operators, cargo and passenger handlers, vessel traffic control, maritime administrators, among others.

It’s typical for a ship owner based in one country to operate the ship under the flag of another country and then lease it to a company from a third country. At the same time, the ship’s operational technology may be managed and updated by technical staff somewhere else in the world.

And the ship doesn’t operate in a vacuum. Layer in operational technology—physical systems to operate cranes, motors, pumps, and more—on land and on the water, Thompson says, and the problem becomes even more complex and the risks potentially deadly. On an LNG tanker alone, a cyberattack could trigger fuel leaks into the air or the water. A hacked navigation system could leave a tanker floundering, direct it into another vessel, or cause it to run aground. An explosion or fuel leak could have devastating effects on the environment and the nearby population.

“In the real world, cyber is not just zeros and ones and bytes and bits,” Thompson says. “It’s operational technology that changes the physical world, and that makes it dangerous.”

Long and Thompson drew on their professional experience to develop maritime profiles of several sectors, including bulk liquid fuel transfer, cruise ships, and offshore operations like oil platforms.

With Industry Input, Crafting A Way Forward

Thompson, an Air Force veteran with experience in cybersecurity, instrumentation, and control systems, joined MITRE in 2021. Long brought decades of expertise from a career with the U.S. Coast Guard, where she worked in mid-Atlantic ports.

“You’re preventing bad things from happening through safety, security, auditing, and inspections,” Long says. “Think of any of the maritime assets the Coast Guard regulates. My final tour was in Savannah as the officer in charge.”

They relied on that experience to engage voluntary cooperation from professionals in the maritime sector. “The whole idea was to get their fingerprints on it,” Thompson says. “We reached out to our contacts from industry life, and they were forthcoming with what they thought, with the problems they saw, and how they currently do things.”

That enabled the team to deliver risk and vulnerability assessments that are unique to individual aspects of maritime transportation.

The project illustrates MITRE’s commitment to put our experts’ deep technical knowledge to work hardening critical infrastructure against cyber and physical risks and making the world safer.

“This is something MITRE is uniquely positioned to do,” Thompson notes. “This is our life’s work. We’re here to serve the greater good.”
