Probe finds US Coast Guard has left maritime cybersecurity adrift

Numerous systemic vulnerabilities could scuttle $5.4T industry


Despite the escalating cyber threats targeting America's maritime transportation system, the US Coast Guard still lacks a comprehensive strategy to secure this critical infrastructure - nor does it have reliable access to data on cybersecurity vulnerabilities and past attacks, the Government Accountability Office (GAO) warns.

A newly released audit from the GAO, succinctly titled "Coast Guard: Additional Efforts Needed to Address Cybersecurity Risks to the Maritime Transportation System," highlights these shortcomings. The probe was conducted between December 2023 and December 2024.

Foreign governments, transnational criminals, and hacktivists alike are all looking to disrupt US ports and waterways, which support $5.4 trillion in annual economic activity and over 30 million jobs.

As the lead agency tasked with managing these risks, the US Coast Guard provides maritime transportation system (MTS) owners and operators technical assistance, threat intelligence, and other help to implement cybersecurity best practices.

The Coast Guard also provides facility and vessel inspections during which its officers document any security flaws they find.

"However, Coast Guard cannot readily access complete information on inspection results specific to cybersecurity from its system of record (Marine Information for Safety and Law Enforcement)," the GAO audit found.

The Coast Guard did develop a strategy to address MTS cybersecurity risks in 2021, but that document did not fully define the national security risks and vulnerabilities affecting critical operations or set measurable targets that can be used to gauge success.

This strategy also omitted an implementation budget, did not define the types of resources and investments needed, and skipped over who will implement it, according to the GAO.

Meanwhile, more nation-state intruders and criminal groups are attacking US transportation systems either for financial gain or to prepare for future disruptive or destructive cyberattacks.

In February 2024, the Feds warned that China's Volt Typhoon had compromised multiple critical infrastructure sectors including transportation.

And a year earlier, the Coast Guard warned [PDF] the BlackBasta ransomware group was conducting campaigns targeting maritime transportation operators. One of the group’s attacks focused on "an automation technology provider known in the MTS for its role supporting critical infrastructure sectors, including maintenance services offered for ship-to-shore cranes," the audit states.

Many of the IT and operational tech (OT) networks and systems supporting this sector are also increasingly "vulnerable to cyberattacks for a number of reasons, including their complexity and interconnections with other systems and the internet," the GAO report noted.

Additionally, Coast Guard officials and others interviewed for the audit admitted that a successful cyberattack on OT systems could have devastating effects:

Coast Guard officials and one nonfederal organization we met with told us that a cyberattack on OT used by a large vessel could cause that vessel to crash into a large bridge. This could result in an impact similar to the March 2024 non-cyber incident in which a major bridge in Baltimore, Maryland collapsed… Researchers from Rutgers University also raised the possibility of a cyberattack causing an explosion on a vessel carrying hazardous materials while docked in a facility… One nonfederal organization we met with told us that vessels could be lucrative targets for threat actors.

The Coast Guard also hasn't filled "vacancy gaps for key cyber personnel" that the GAO found in 2022, despite the Department of Homeland Security's urging. Specifically: of the 55 authorized MTSS-C cybersecurity specialists, eight positions remain vacant, as do 23 of the 156 authorized Coast Guard Cyber Protection Teams.

Until the service fills these posts, it won't be "optimally positioned" to recruit more difficult-to-fill jobs and retain skilled infosec personnel, the audit says.

To address these shortcomings, the GAO recommends that the Coast Guard undertake several actions including:

The Department of Homeland Security agreed with all of these recommendations. "The safe operation of the MTS is critical to our national and economic security," according to the GAO. ®
