Need a Role Model for Shared Cyber Incident Response? Look to the Coast Guard
Cyber incidents are not a question of if, but when. Risk assessment, prevention, and preparation are all key, just as they are in dealing with other types of predictable incidents. A cyber attack on a major U.S. port in August was thwarted by the port’s use of threat detection software and quick coordination with a capable, trusted public-sector responder: the U.S. Coast Guard. Close coordination and information sharing between industry and the Coast Guard, which has the power to act as regulatory agency prevented a potential disaster; a port disruption would have slowed already clogged supply chains. The port’s advance planning, timely communication with their regulator, and a well-coordinated incident response made the key difference in this case.
Unfortunately, not all sectors are set up to replicate this success. Many regulatory bodies do not have existing field-level operator relationships, an operational commander’s capability to manage a large incident, or the resources to deploy ready-made teams for cyber response. However, all critical infrastructure sectors should use the port’s incident as a case study on how to build cyber resilience within their own sectors.
The port was prepared for a breach of this type.
The marine industry is no stranger to catastrophic events. Hurricanes, oil spills, and accidents cause massive disruptions to operations and can slow the flow of commerce through ports and waterways to a trickle. In many ways, preparing for these catastrophic events translates well to cyber risk preparedness; operators know an incident is going to happen, even if they may not know where or when they will occur or how severe their effects will be. Guided by industry standards and, in some cases, regulatory policy, they consequently identify their vulnerabilities and reinforce them to a given risk tolerance. From there, they put into place plans for what to do if an incident exceeds their preventative steps. All of these are translatable best practices for any industry under threat of cyber attack.
The port took these key preparatory steps, and the Coast Guard had the established relationships and authorities to respond quickly. The attackers used a zero-day vulnerability to insert malware in the self-service, single sign-on system (SSO). Fortunately, as one of those preventative steps, the port used a privileged account management (PAM) system, which automatically logged all authentication activity and watched for anomalies. When the attackers tried to move around in the system, they were detected by the PAM and their ability to navigate around the network was frozen. When the port’s automated systems detected unusual activity, their existing breach plan snapped into effect, and they isolated the compromised network within 90 minutes. Operators then quickly notified their Sector Risk Management Agency (SRMA) – the Coast Guard – which initiated a robust incident response.
Each of the sixteen critical infrastructure sectors whose assets, systems, and networks are considered crucial to national security partners with an SRMA. The SRMAs are expected to collaborate across government and the private sector and serve as the primary federal interface for industries within their specific sectors. They are also to provide or facilitate technical assistance to help identify and mitigate cyber vulnerabilities and support mandatory reporting in accordance with DHS requirements.
Not all SRMAs are the same. The Coast Guard’s organizational structure facilitated a smooth and timely response.
Not all SRMAs are created equally capable of supporting cyber response operations. To best facilitate a timely and effective response in the event of a cyber incident, SRMAs should not only be designated as the clear lead for a federal response to a crisis but also establish and maintain relationships across their sector through regular on-scene operations, meetings, and collaboration.
In many industries, the private sector must navigate a maze of applicable federal regulations and state laws for reporting security incidents. That maze gets more confusing when the security breach is a cyber incident. There are often multiple reporting methods and receivers, and, in practice, that reporting is often based on relationships rather than systemic processes. In addition, trust between SRMAs and industry is critical. In the maritime sector alone, there are over 20 federal government organizations with regulatory, management, or oversight roles in maritime security. Private sector operators are much more inclined to share information with and take direction from a regulator if they have an existing relationship. Conversely, they may hold out on an unknown government agency that is perceived to lack local knowledge.
The Coast Guard holds a unique position; it is both an armed service and a regulatory agency, and operators are required to report to the Coast Guard any breach of security or suspicious activity. The Captain of the Port (COTP) serves as local operational commander with expansive legal authorities. The COTP is a one stop authority shop; COTPs have clear jurisdiction as the lead federal representative for second order impacts of a cyber-incident such as pollution, impacts to commerce, waterway obstructions, and other security risks. In addition, he or she has an imbedded link to the intelligence community. COTPs have operational command over local capacity, as well as access to deployable resources, like Coast Guard’s Cyber Protection Teams (CPTs). As the on-scene federal entity with extensive authorities and institutionalized relationships across local public and private sector partners, the COTP is the key entity to bring all stakeholders to the table to help instill order among the chaos created by any event.
In the aforementioned example of the cyber attack, the port reported the incident to the Coast Guard through the National Response Center. Upon receiving the incident report, the local COTP employed the National Incident Management System (NIMS) and stood up a unified command (UC). This allowed for cohesive response operations across the port, Coast Guard, FBI, and CISA. Specifically, it allowed them to operate side by side, often at a very technical level, and ensured the right people were plugged in at each agency. The CPT had personnel that were trained, on-call, and able to deploy to the site of the incident to provide face-to-face assistance to the port, as well as the tools and personnel to provide remote forensic analysis at a speed that ensured tactically relevant information. The UC successfully isolated the breach, conducted forensic analysis to inform CISA’s vulnerability disclosure and joint alert process, and enabled cargo operations to continue through the port unimpeded.
Structural work remains.
Aside from the positive outcome in this particular incident, there is still structural work to do to align the public and private sectors for cyber preparedness and effective response. The 2020 National Maritime Cybersecurity Plan identified a number of areas for improvement for the maritime sector that can be applied across critical infrastructure sectors. Notably, there is overlap, and in many places, gaps in authorities between multiple federal agencies and organizations. As noted above, this can be confusing to the private sector for reporting and incident response organization. Regulations and standards have not kept pace with technology. Most critical infrastructure security regulations were developed within the context of physical security but did not take into account cyber breaches of security. Regulators and industry operators make good faith efforts to apply these standards to cybersecurity, but absent clear performance-based standards, there will continue to be inconsistencies in application and enforcement of existing physical security standards. The National Institute of Standards and Technology (NIST) developed a widely accepted cybersecurity framework that can serve as the backbone of further standards development.
The Coast Guard is a bit of a unicorn in its design, authorities, and position as the only military service within the Department of Homeland Security. However, other SRMAs can borrow some of the Coast Guard’s best practices to build cyber resilience within their own sectors.
At the most basic level, SRMAs should constantly reinforce to their industry partners that they should develop cyber plans aligned with the NIST cybersecurity framework, but voluntary and intensive joint modeling of the consequences of a ransomware attack, for example, would also help prepare and build relationships. Just like the Coast Guard’s efforts for hurricane preparedness, industry should make appropriate risk tolerance calculations to determine how much they can realistically reduce their attack surface and buy-down risk, and then construct and exercise plans for what to do when a cyber event overwhelms their defenses. Much has been written about defense in depth for cybersecurity, and as six-time national champion football coach Paul “Bear” Bryant famously noted, “offense sells tickets, defense wins championships.”
While it may not be structurally feasible for some SRMAs to maintain field offices, SRMAs should take actions to develop and institutionalize operational relationships through regular meetings, exercises, or preparedness events. Regulators and response agencies do not want to find themselves in a situation where they are exchanging business cards with their industry partners for the first time during a cyber response. Robust information sharing and operational collaboration are largely built upon institutional trust. Timely reporting and collaborative communication between the affected party and the regulator and response agency are crucial.
Finally, when a significant cyber incident occurs in a critical infrastructure sector, the SRMA should be available to provide operational leadership for incident response. DHS should evaluate how the National Incident Management System, in particular the unified command approach, could be adapted for response to a cyber-attack. Such adaptation would ensure a coordinated and comprehensive response to the event.
The Coast Guard was uniquely well positioned to help the port respond to and recover from this incident. Other SRMAs should build on that success and learn important lessons from this experience, from the necessity of anticipating risk and rehearsing responses, to the advantages of a unified command response and well-established relationships. Critical infrastructure remains at threat from malevolent cyber actors, and that threat will challenge us to work collaboratively across government, industry, and infrastructure.
(Photo Credit: U.S. Coast Guard photo by Petty Officer 2nd Class Hunter Medley)
 An August 2021 report by the Senate’s Homeland Security and Governmental Affairs Committee on cybersecurity within the Federal Government recommended that Federal agencies and entities notify CISA of cyber incidents.
 Regulated entities may also limit what information they share with regulators if they believe it is in their financial interest to do so. A strong professional and institutionalized relationship and mutual trust between regulator and regulated can help facilitate information sharing.
 Port facilities are regulated by the Coast Guard under the Maritime Transportation Security Act of 2002. As such, operators are required to report any breach of security or suspicious activity. Traditionally, those reports were to the Coast Guard through the National Response Center. There is some confusion within industry on whether reports should go to the Coast Guard or the Cybersecurity and Infrastructure Security Agency (CISA).
 It is incredibly difficult to engineer a smooth response to a crisis event from scratch. But an organization can create the conditions for a more seamless response by instituting a coordinated organizational framework, like NIMS. The UC allows all members of the various participating organizations to set aside issues like overlapping authorities, jurisdictions, and resource ownership to focus on establishing clear objectives. Operational management is by specific, measurable objectives, and incident planners identify strategies, tactics, tasks, and activities to achieve those objectives. All stakeholders and participants operate from a shared vocabulary and processes to share resources, integrate tactics, and act collaboratively. Real-time and historic information is collected, processed, summarized, and distributed broadly to ensure that the UC and those in the operations and planning sections maintain wide situational awareness. Resource planning is based upon capability and capacity needs, rather than who has operational or tactical control of a specific asset. Logistics managers provide for all the incident’s support needs and financial specialists monitor and manage multiple sources of funding and track and report accrued costs. Most significantly, the various positional roles within the organizational structure are staffed by those with expertise and qualifications in those specific areas.