After reviewing the cyber risks to the Maritime Transportation System (MTS) and the US Coast Guard’s role in securing such systems, the Government Accountability Office (GAO) found several gaps and made five recommendations, a newly published report shows.
According to GAO, the Coast Guard should improve the accuracy of cybersecurity incident information, provide ready access to cyber deficiency data, align its cyber plans to the national strategy, establish competency needs for cybersecurity personnel with MTS responsibilities, and address any gaps in competencies.
The recommendations, GAO says, were made after reviewing reports on MTS cybersecurity risks, regulations, and documentation and inspection data from 2019 through June 2024, and after interviewing federal and non-federal stakeholders at four ports.
Cybersecurity risks to MTS, which includes roughly 360 commercial sea and river ports, include state-sponsored (China, Iran, North Korea, and Russia) and cybercrime threat actors and reliance on technology vulnerable to cyberattacks, GAO’s report shows. Cyberattacks have affected port operations and future incidents could have severe impact, the office says.
“To help address these risks, the Coast Guard assists MTS owners and operators through offering direct technical assistance, providing voluntary guidelines for implementing cybersecurity practices, and sharing cyber threat information. The service also provides oversight through facility and vessel inspections, including the identification and documentation of cybersecurity-related deficiencies,” GAO notes.
The office’s review, however, determined that the Coast Guard’s system of record does not provide ready access to complete information on cybersecurity issues discovered during inspections at facilities and vessels, and that updating it would resolve the gap and help prevent cyberattacks impacting the MTS.
Additionally, GAO discovered that the Coast Guard’s cyber strategy does not cover all key characteristics for an efficient national strategy, including problem definition and risk assessment; goals, subordinate objectives, activities, and performance measures; resources and investments; and roles, responsibilities, and coordination.
According to GAO, the Coast Guard has not ensured that its cybersecurity personnel has the competencies required to address risks to MTS, has not fully developed competency requirements, and has not fully assessed and addressed competency gaps.
GAO provided a draft of its report to the Department of Homeland Security (DHS) and Department of Transportation (DoT), which provided technical comments. DHS, GAO says, concurred with its five recommendations.
Related: CISA’s OT Attack Response Team Understaffed: GAO
Related: GAO: Federal Agencies Yet to Fully Implement Incident Response Capabilities
Related: GAO Tells Federal Agencies to Fully Implement Key Cloud Security Practices
Related: Electricity Distribution Systems at Increasing Risk of Cyberattacks, GAO Warns
