6/15/2015: Coast Guard Commandant on Cyber in the maritime domain

Maritime Commons attended the Area Maritime Security Committee meeting for the members at large to provide you with a wrap-up of what was covered by Coast Guard Speakers.

Coast Guard Commandant Adm. Paul Zukunft provided remarks on cyber in the maritime domain and the soon-to-be-released Coast Guard Cyber Strategy. The Cyber Strategy will be released tomorrow at the Center for Strategic and International Studies. You can watch it live-streamed from 2:30-3:30 p.m. (EST).

For those of you who were unable to attend, Maritime Commons is providing a condensed version of Zukunft’s comments from the AMSC meeting. These remarks provide speech highlights for your informational purposes.

Delivered by Coast Guard Commandant Adm. Paul Zukunft

They say all roads lead to Rome, well all ports lead to New York and this really is the financial center of gravity for the United States. We continue to live our lives as we did on Sept. 10, 2001 and what I mean by that is we are not going to let an event compromise our way of life.

The world has changed a lot in the last 42 years that I’ve worn this uniform. I go back to my first ship where we had Loran-A; Loran-C did not yet exist. In fact when I went to the Coast Guard Academy, I was issued a slide rule because we didn’t have pocket calculators. So…here I am to tell you all I know about cyber…isn’t that a little bit of an oxymoron? The truth of the matter is that the world has changed around us.

Most people don’t realize that Intel Corporation produces five billion transistors in one second. These are transistors that go into control mechanisms or supervisory control and data acquisition, or SCADA, networks. So, what if only 0.001 percent of those transistors were infected with malware? That still means you’ve got over a million transistors that are affected with malware proliferating our SCADA networks and proliferating the cyber domain.

The Coast Guard operates on land, sea and in the air but we also operate in the cyber domain; so for the Coast Guard, this isn’t a new mission, it’s just a new domain that we find ourselves operating in. To address this new domain, I will release a cyber strategy for the United States Coast Guard.

The first aspect of defending your network really begins with your workforce. What are you doing to protect your network?

The Coast Guard recently visited one liquefied natural gas facility that will produce more LNG than there are gas carriers in the world to support right now. They have great lighting, TWIC usage and fences. They have all of the physical protection measures in place and I asked what they were doing about cyber?

We are facing a time when the Panama Canal is expanding and gas ships leaving the United States, exporting LNG to the Asia Pacific market, who are competing with, number one, Russia. So you have to look at this from an adversarial standpoint. If you’re competing for market share, and much of the economy is so dependent upon petro-dollars, you might want to place an emphasis on cyber.

It’s great to have gate guards, security guards and facility security officers but you might want to make sure you have a cyber engineer on that workforce.

The Coast Guard now has 70 cyber-specialists working in cyber. Many of our organizations today did not come in with a cyber workforce but that is the workforce that we’re going to have to build as we go forward. There is a human resource capital that comes with defending our networks. And there’s a real cost.

Today the Coast Guard is present on five out of seven continents. Less than a month and a half ago, we were on all seven.

I would not be able to do that if I wasn’t connected to my widely dispersed Coast Guard using the cyber domain. Take a search and rescue case when a distress beacon goes off and alerts the Coast Guard with no human interface during that process whatsoever; it provides a precise location of the distress and in a matter of minutes we can launch but the Coast Guard needs a cyber capability in the cyber domain to retrieve that aspect of operations.

Just this last weekend, the Coast Guard interdicted six go-fast vessels carrying nearly four tons of cocaine across an area the size of North America. The Coast Guard doesn’t have an overly large fleet of ships out there but we knew where they were at and were able to vector planes and ships to stop these guys in their tracks using cyber. Cyber is a key enabler in our ability to conduct operations.

The Coast Guard’s authority for protecting critical infrastructure in the maritime domain is derived from the Maritime Transportation Security Act of 2002, which did not limit us to physical protection. Cyber can infiltrate a port complex or vessel. A number of the ships operate off SCADA networks so they can be remotely controlled from shore. But again, back to those five billion transistors…what if there is malware in that system and somebody else is vectoring that ship?

Just two years ago, we had a mobile offshore drilling unit in the Gulf of Mexico, drilling in over 7,000 feet of water, with dynamic positioning and thrusters and staying in a small radius because that’s critical to those operations. The signal failed to control the thrusters and this particular MODU had a drive-off and had to shut down the well. What happened was that various operators on that MODU were using the very same systems to plug in their smart phones, and other devices, to access other materials on the Internet, which introduced malware and that resulted in a drive off.

So it was human error and we saw how that can impact in the maritime domain.

We saw, during Deepwater Horizon, what happens when there’s a well failure and the blow-out preventer doesn’t do what it’s designed to do.

Another example of maritime cyber incidents was at a terminal in Europe that experienced a hack that jammed the GPS signal. You can buy GPS jammers at an electronics store for about $35. Many of our terminals are roughly 90 percent technology driven and 10 percent human interface. These terminals rely on a GPS signal to tell them where the container is in a stack and where it’s moved to. For 12 hours, this terminal was shut down because of a disgruntled employee hacking a system.

We are not looking to the Coast Guard to be a cyber watchdog but we are looking at best management practices and we are looking to the private sector to take this on as well. Quite honestly, I don’t want to access your systems. There’s personal identifying information, financial data and the federal government does not have a need to know but if we are aware of best management practices, we owe it to industry to share those with you.

So how does all of this work at the end of the day? You show up to work and your system has been shut down or you have failure. Maybe the air conditioning system failed so maybe it’s a localized failure but you’re not quite sure. You can notify the local Sector who will inform the National Cybersecurity and Communications Integration Center run by the Department of Homeland Security.

This elevates national level awareness by taking localized events and relating them to potential nationwide events. Let’s say we just had separate events in NY, Oakland or Miami. The NCCIC may identify this as a synchronized attack on the maritime domain and work to assign attribution.

So we have not played this cyber war game out completely yet but the Sony hacking event did play that out. It was an eye opener. Now we have the data hack on federal employees.

So I’ve gone full circle here on cyber as I look at a very forward leaning Area Maritime Security Committee and what you have done since we first created AMSCs.

The first port that had a COTP that was established back in 1917, I think if you go back in time and look at where we are today, this is the right place for me to be today as I’m looking for best practices, information sharing, collaboration and team building. It all happens here in New York.

This blog is not a replacement or substitute for the formal posting of regulations and updates or existing processes for receiving formal feedback of the same. Links provided on this blog will direct the reader to official source documents, such as the Federal Register, Homeport and the Code of Federal Regulations. These documents remain the official source for regulatory information published by the Coast Guard.

Tags: , , , ,