Cyber and Maritime Infrastructure

Threat, Risk and ResponseCAPT Fred Turner, USN

The Process

• Acknowledge a “cyber” threat to maritime infrastructure exists

• Assess the “cyber” risk to maritime infrastructure• Address the “cyber” issue to secure our maritime

infrastructure…but it must be a “team sport”– Industry – industry partnerships– Industry – law enforcement – military - government – International – regional – national partnerships

Cyber is not really a “threat,” “risk” or the “issue”…it is the medium/domain/terrain that interconnects with the maritime domain…and is the means by which an actor may threaten maritime infrastructure

We are here

Threat & Vulnerability

• Emerging cyber threat vs. critical infrastructure– Targets…face similar delivery methods & payloads

• Government organizations (civilian & military)• Defense industries• Energy sector• Communications sector• Financial sector• Maritime sector next?

– Evolving threat…web site defacement, DDoS, data destruction, ICS/SCADA/HM&E manipulation

– Motives…state & non-state…exploitation, theft, attack

• Network/communications infrastructure vulnerabilities– Network vulnerabilities; information assurance, removable media, wireless access– The users; insider threat and negligent users– Supply chain

Network infrastructure is directly tied into the maritime infrastructure… a system of systems which can effect port operations, ships at sea, etc.

Assessing the Risk

• Cyber Risk to Maritime Infrastructure =– Threat =

• Capability +• Intent ->

– Vulnerability -> – Consequences

• Challenges– Lack of common, understandable terminology– Lack of understanding of our networks and how they connect to maritime

infrastructure; need “maps”– Deficiency in including cyber in maritime infrastructure risk assessments…must

integrate into current processes– How do we calculate real vs theoretical risk? Potential impact on maritime

operations and cost?– Lack of understanding of “red lines;” ours and “theirs”

We are all connected and are thus only as strong as our weakest link…so to a large degree, we share each other’s risk

Terminal operating

system

Business network

M/V Line operations & maintenance network

Adversary

Compromised network

Compromised network

Compromised network

Securing Maritime Infrastructure

• Utilizing cyber risk assessment to enhance maritime security– Guidance; strategies, policies & plans– Training; for users but also to develop cyber expertise– Resource allocation; fix priority vulnerabilities in existing

architectures and networks…and build security into new ones

• Cyber security cooperation & collaboration– Information sharing (e.g., threat, vulnerabilities, incidents &

response, lessons, best practices, training) – Training; collaboration in curricula & sharing experts– Agreements; informal/voluntary OK but formal better– Organization; virtual group or regional cyber threat center

All stakeholders must participate…industry, law enforcement, military, government departments/ministries…at all levels…national, regional & international

Discussion

Back up

U.S. Government Accountability Office, Maritime Critical Infrastructure Protection, June 2014 (Washington, DC: GAO-14-459), 43.