Following the ransomware attack that targeted Colonial Pipeline in May 2021, and the fuel shortages the incident caused throughout portions of the Southeastern U.S., the public got an up-close look at how cyber threats could disrupt U.S. critical infrastructure.
In the aftermath of the Colonial Pipeline attack, as well as similar incidents targeting water, energy, agricultural and other sectors, the Biden administration began issuing a series of executive orders and releasing new rules, strategies and guidelines designed to strengthen cybersecurity practices to boost the security of the nation’s critical infrastructure, which is mainly owned and operated by private sector companies.
The latest move by the White House to address critical infrastructure came on Feb. 21 with an executive order to bolster cybersecurity defenses around U.S. maritime ports and waterways, which includes a $20 billion infrastructure investment from the federal government, additional responsibilities for the Coast Guard and updating security practices to fend off attacks.
“You see, most critical infrastructure owners and operators have a list of safety regulations they have to comply with, and we want to ensure that there are similar requirements for cyber when a cyberattack can cause just as much, if not more, damage than a storm or another physical threat,” Anne Neuberger, deputy national security advisor for cyber and emerging technology, told reporters when President Joe Biden signed the order.
As with other executive orders, the latest White House initiative will significantly affect tech and security pros as well as the private sector and Coast Guard. This includes the need for additional talent to fulfill new cybersecurity requirements. At the same time, those interested in career opportunities will need to master new skills critical to this type of work.
“The executive order and focus on maritime cybersecurity will drive demand for compliance and cybersecurity professionals skilled in IT and operational technology [OT] convergence, risk quantification and supplier management,” Jose Seara, CEO and Founder at security firm DeNexus, recently told Dice.
“Tech professionals have new opportunities to explore OT cyber careers requiring strengths in data analysis, financial impact modeling, vendor governance and industrial network protocols,” Seara added. “Cross-training through maritime-focused cyber certifications will be key to capitalizing on the push to secure ports and vessels.”
Added Cybersecurity Responsibilities
In making the announcement, Biden administration officials noted that U.S. maritime ports and waterways account for $5.4 trillion of annual economic activity and serve about 90 percent of all overseas trade.
With this much economic activity, U.S. ports are a tempting target for nation-state groups and digital espionage as well as ransomware and cybersecurity gangs looking to steal and extort money. By issuing the executive order, the White House is looking to improve security by:
Giving the Coast Guard, which is part of the U.S. Department of Homeland Security, the authority to respond to cyber incidents affecting ports and waterways.
Requiring the owners and operators of ports and waterways to secure their IT and OT infrastructure while creating better cyber defenses. Updated regulations will follow the U.S. Cybersecurity and Infrastructure Security Agency’s performance goals.
Investing $20 billion in port infrastructure and security, which includes money to replace cranes that are manufactured in China, which many believe are vulnerable to cyber risks.
“While the executive order does not go into specifics, it is a step in the right direction by giving oversight authority to the Coast Guard,” said Dave Gerry, CEO at Bugcrowd. “Similarly to the Security and Exchange Commission guidance, I would expect to see additional guidance come out from the government in the near future.”
As the details of the executive order are solidified, the federal government and the private firms overseeing these ports will need additional tech professionals who understand cybersecurity and the nuances of maritime security, said Darren Guccione, CEO and co-founder at Keeper Security.
“The evolving landscape of maritime cybersecurity demands specialists who can integrate security measures into maritime operations, respond swiftly to cyber incidents and collaborate effectively with the Coast Guard to safeguard the nation's maritime infrastructure from cyber threats,” Guccione told Dice.
By creating new reporting and regulatory standards for private companies that oversee ports, these businesses will need to invest in tech and security professionals who can not only respond to incidents but who can ensure that these organizations are reporting these attacks to the right agency in a timely manner.
“The directive underscores the importance of cybersecurity standards that fortify the networks and systems of American ports, and creates a need for professionals with expertise in implementing and ensuring compliance with these standards,” Guccione added. “Moreover, the executive order introduces a mandatory reporting mechanism for cyber incidents or active threats affecting vessels, harbors, ports or waterfront facilities. This requirement necessitates a need for cybersecurity experts who can efficiently handle incident response and contribute to threat intelligence.”
OT, IoT and Other Cybersecurity Skills
Several cybersecurity experts noted that this specific executive order will require tech professionals to brush up on their knowledge of OT and internet of things (IoT) security. At the same time, those younger workers and students who want to get into this field should brush up on their skills in these areas as they are likely to be in demand.
“Having an appreciation for how IoT and OT systems – heavily used in port operations – function and how they are different than IT systems is crucial,” Bud Broomhead, CEO at security firm Viakoo, told Dice.
“For example, it is important knowing that IoT and OT systems do not allow agents to be placed on them – unlike IT systems – because of their unique operating systems, and therefore agentless security solutions must be used,” Broomhead added. “Or the importance of establishing and maintaining segmented networks, so that if vulnerable IoT devices are breached there are barriers in place to prevent lateral movement.”
Other cybersecurity experts see the latest White House executive order driving a greater need for more tech professionals who understand industrial control systems (ICS) and other platforms used in marine port terminals and on vessels.
“In particular, certifications in ICS cybersecurity, ISA/IEC 62443 standards, and maritime cyber risk frameworks will distinguish a candidate’s abilities to secure ships and port terminals,” Seara noted. “Hands-on lab experience with shipboard OT and proprietary protocols will also help cyber pros demonstrate specialized expertise to ship owners and port operators dealing with recent mandates.”
Besides the private sector, DHS and the Coast Guard must train and recruit tech professionals to meet new cyber standards. In turn, tech and security professionals interested in government careers can position themselves to take advantage of potential new opportunities.
“This executive order may open up new opportunities for existing DHS and Coast Guard personnel to train for information security or to hone existing skills,” Omri Weinberg, co-founder and chief revenue officer of security firm DoControl, told Dice. “It's also likely that it could lead to recruitment of new people into these organizations specifically for information security functions, whether as full-time government employees or as contractors, though the scope of this growth is not possible to guess at this early stage.”