Assessing Maritime Transport Systems from a Consequence Based Cyber Informed Engineering Strategy

Idaho National Laboratory (INL) is one of the national laboratories of the United States Department of Energy.  In this webinar, Marco Ayala, Director at ICS Cybersecurity and Andy Bochman, Senior Grid Strategists at Idaho National Laboratory, and Homeland Security share their expertise on proactive approaches to securing maritime ports, terminals, and offshore platforms.  

In today’s technological golden age, the rapid development of advanced technology has pushed maritime further than ever before, but it would be naive to ignore the ripe opportunity these innovations present for advanced hackers to infiltrate. Andy Bochman States, “because you’re a critical infrastructure — when you’re targeted, you will be compromised.” Perimeter defenses such as firewalls, VPN’s, intrusion detection systems, and employee training need to be optimal, however, high level hackers are highly likely to pass through these systems. 

Determining the likelihood of a breach is done using a multitude of methods including the use of empirical data and statistical analysis. Although there are many ways to determine likelihood of breach, oftentimes the data only covers one sector of a facility instead of taking an integrated approach to the entire technological infrastructure of the organization. Misunderstanding the full spectrum of each sector and its cybersecurity can lead to miscalculation.  

Consequence-driven Cyber-informed Engineering (CCE) is a methodology developed by INL focused on securing the nation’s critical infrastructure systems. In his book, Countering Cyber Sabotage Introducing Consequence-driven Cyber-informed Engineering (CCE), Bochman explains the overarching categories that define CCE:  

Consequence-driven leads: executives and operational experts must run through series of exercises to identify the most critical functions essential to fulfilling their organization’s mission and determine the potential consequences of a cyber-attack against these functions. 

Cyber-informed guides: System operators must identify key points within a critical system vulnerable to a cyberattack.  

Engineering: Organizations must implement proven engineering principles to automated systems and have human involvement in critical digital areas.  

As a vital medium for commerce and entrance into the U.S, Maritime Transportation Systems are huge targets and are expected to experience an increase in cyberbreach attempts.  

The CCE methodology lessens potential attacks through a 4-step process. 

 Step 1: consequence prioritization. 

 Step 2: systems-of-systems analysis 

 Step 3: consequence-based targeting  

 Step 4: mitigations and protections  

Recently, the Port of Houston was a target of a suspected nation-state hack. Due to timely response and actions, business operations were not impacted. If compromise had not been detected before a critical point, the attacker could have had unrestricted remote access to the network, furthering options that could’ve severely impact port operations.  

The CCE method proactively provides critical infrastructure owners, operators, vendors, and manufacturers with a robust approach to risk mitigation. By determining the most critical functions, identifying methods an adversary could use to compromise the critical functions, evaluating complex systems, applying proven engineering, protection, and mitigation strategies stakeholders can isolate and protect their most critical assets from advanced adversaries.  

Learn more about Consequence Driven Cyber Informed Engineering  

In the lead up to the 2022 Port of the Future Conference, the University of Houston is hosting a series of monthly webinars. 

More Posts

Ships, Semi truck and airplane displaying Import Export labels

WITA 5th Annual International Trade Conference

The International Trade Conference highlighted the importance of private sector engagement and support of innovation in the global system of trade. Recognizing the growing role of trade in addressing critical issues such as climate change, biodiversity, and environmental sustainability, businesses and governments must lean on collaboration to prioritize social responsibility just as much as economic growth.

List of CTPAT Member Benefits

Managing CTPAT | For New Compliance Managers

A CTPAT manager’s role is to help ensure a company complies with all applicable CTPAT requirements, including security measures like access controls and physical security where goods are stored or processed before being shipped out.

iPad displaying ctpat validation processes

CTPAT Validations | What To Expect

Be sure to check with your Supply Chain Security Specialist (SCSS) to determine if your validation will be in person or virtually this year, as each format brings its own types of challenges. During a CTPAT validation, your SCSS will examine your company’s processes and evidence of implementation for compliance in areas such as commitment of upper management to promoting a culture of security

Coworkers collaborating at a meeting

Driving Company-Wide CTPAT Awareness

For most companies, the 12 Minimum Security Criteria (MSC) sections touch various departments, so making compliance a team effort is vital. The first step is to ensure that all key employees are aware of CTPAT requirements by having them participate in compliance efforts on a regular basis.

This website uses cookies to ensure you get the best experience on our website.