Defense Media Network

CGCYBER and Coast Guard Cybersecurity

Although the U.S. Coast Guard is part of the U.S. Department of Homeland Security (DHS) rather than the Department of Defense (DOD), Coast Guard Cyber Command (CGCYBER) is a service component of DOD’s joint U.S. Cyber Command (USCYBERCOM). Stood up in 2013, it also works closely with DHS and the National Cybersecurity and Communications Integration Center, which is responsible for critical infrastructure response for the nation.

Specifically, CGCYBER works on anything dealing with the maritime environment and the U.S. Marine Transportation System (MTS). Its mandate was laid out in the 2015 “U.S. Coast Guard Cyber Strategy”: “We will ensure the security of our cyberspace, maintain superiority over our adversaries, and safeguard our Nation’s critical maritime infrastructure.”

“For enabling ops, we’re centralizing operations of the enterprise platform – defensive and DOD Information Network Operations [DODINOP] – under CGCYBER, which was just formalized in February 2017,” Cmdr. Lars McCarter, CGCYBER director of operations, explained. “We’ve aligned defending cyberspace with those who do operations and maintenance to better enable operations for the service.”

One piece of that is providing and supporting the enterprise platform, now centralized in the Network Operations and Security Center (NOSC), which comprises:

C4IT Service Center Centralized Service Desk

Telecommunication and Information Systems Command (TISCOM) Enterprise Services Operations Division

Cyber Security Operations Center (CSOC)

New funding for FY 17 allowed the addition of 64 personnel to CGCYBER, for a total complement of 400, a mix of government contractors and military personnel, most reassigned from other locations. For example, of 120 at the Centralized Service Desk in St. Louis, Missouri, 110 came from the Enterprise Service Operations Branch, which was reassigned to CGCYBER from the Telecommunication and Information Systems Command.

In 2017, the first two Coast Guard Academy graduates were selected to go to Cyber Command. They were given a C4IT (command, control, communications, computers, and information technology) officer’s specialty code (OSC) pending creation of a cyber officers OSC, which is still under discussion. At this point, cyber is not a full-fledged career path in the Coast Guard, and those working there can go into other career fields if they leave.

The Coast Guard has 11 congressionally mandated missions, ranging from ice breaking to law enforcement to maritime safety and aids to navigation. While cybersecurity has become an increasingly important component of all the uniformed services and government agencies, it has not been designated as a 12th mission.

“I don’t know that cyber will ever become a mission area; it is intertwined with all the other mission areas the Coast Guard does,” McCarter noted. “We’re already tasked to some degree with [cyber] protection of the MTS through our other mission areas. So the question is, how do we apply cyber methodologies to those other mission areas to ensure they continue unabated under cyber attack.”

Part of the answer is the creation of a Cyber Protection Team (CPT).

“We’re in the process, probably won’t be IOC [initial operational capability] for at least a year, but we’re starting to man it under the NOSC. The CPT will be responsible for defensive cyberspace operations outside the enterprise platform on systems not connected to our central networks. That would include our training networks, some control systems not always connected to the DODINOP, etc., as part of protecting the MTS,” he said.

“We have an environment today where cybersecurity in the maritime environment is shared. The owners and operators of the MTS have the primary responsibility. What we’re trying to determine is should the government have more responsibility. And, quite frankly, at this time, we don’t know. But right now cyber is a shared model where the owner/operator is required to provide security and we provide guidance.”

Under the current system, however, that can be problematic, as was the case with a June 2017 ransomware attack on Maersk, the world’s largest container shipping company. Maersk was one of the first high-profile victims of a growing number of attacks that encrypt the victim’s hard drive, preventing the computer from booting and blocking access to all data, then demand a ransom payment to release it.

“Maersk ended up shutting down their port facilities pre-emptively to stop the spread. That caused impacts for about 24 hours on their port operations. The attack did not compromise their entire system – they shut it down themselves – but the end result was the same: degraded operations. We have seen instances where malware on ships at sea has caused impact on company systems. And we can see future operational impact from those and we want to get in front of that,” McCarter said.

Vice Adm. Charles Ray, deputy commandant for Operations (left), and Rear Adm. Kevin E. Lunday, commander of Coast Guard Cyber Command, cut the ribbon during the opening of the Coast Guard Battle Bridge ceremony, May 30, 2017. U.S. Coast Guard photo

“As a result, CGCYBER started sharing information as we looked into that incident and how we respond to cyber incidents and coordinate with our port partners. There were a lot of lessons learned. One thing we want the CPT to do is provide expertise to Coast Guard operations commanders, port captains, and others, when asked. Not necessarily direct, hands-on technical support, but guidance. The CSOC is a standard security operations center; DOD stood up CPTs to deploy that center technology.”

The biggest threat for the Coast Guard is adversaries targeting things off the DODINOP, especially the MTS, which is responsible for more than $1.5 trillion in annual cargo moving through U.S. seaports to and from international trading partners, in addition to billions of dollars in domestic goods and services.

“As we harden things on the DODINOP and align with DOD, we’ve found adversaries are more aggressively targeting those,” he said. “The other big threat is to the MTS. We don’t have the same visibility into that that we have with our own systems, but it is something the Coast Guard is very concerned about. Can an adversary impact cyber to the extent it would compromise MTS operations and the critical infrastructure of the nation and how do we deal with that?

“We have draft cybersecurity regulations and are looking at changing some regulations with Congress to require certain cybersecurity plans as part of the operations plans of critical infrastructure owners and operators. That’s proactive. On the reactive side, should something happen, we want them to know who to call for help.”

As with virtually every large organization, especially government and military, the Coast Guard is continually targeted by advanced persistent actors.

“Most attacks never become incidents; they are mitigated, sometimes automatically by our defense-in-depth systems and personnel at the CSOC. I wouldn’t say the number of effective incidents has risen, but the number of attempts has increased. We focus on those mission essential systems [MESs] we know are critical to our mission areas and directly apply our resources to the security of those MESs above all else,” McCarter said. “The Enterprise Mission Platform [EMP] underpins all 11 mission areas, so adversaries target information on that platform, regardless of specifics.

“We haven’t been able to map particular trends to particular target areas. When you do enterprise cyber risk assessment, your first goal is to measure those mission essential services needed to execute our 11 mission areas. Those MESs are viewed as our cyber key terrain and we apply additional defense-in-depth around them and watch them more closely than we do the rest of the EMP. That allows the most efficient use of our resources to ultimately ensure those missions can be executed.”

The Coast Guard’s unique status as a non-DOD uniformed military service is reflected in its CGCYBER organization and operations.

“The way we approach cybersecurity is very similar to DOD. Our network, the EMP, is part of the DOD information network and we protect it to the same degree DOD protects it at large, following DOD standards for cybersecurity operations,” he explained.

“Where we differ is how we align to DHS – we’re a component of DHS, but are considered a dot-mil as a member of DODINOP. Our CPT network will be certified to DOD quality standards, but fully interoperable with DHS. No other organization does that.”

Cybersecurity knows no national boundaries – Maersk, for example, is based in Denmark. And marine operations, even on inland waterways, are an increasingly international enterprise, in both military and civilian operations. For now, CGCYBER interacts with its USCYBERCOM international partners – the U.K., Canada, Australia, and New Zealand – and conducts annual exercises with them. But it does not train jointly with other nations or go anywhere to train another nation’s navy, a standard mission for the Coast Guard at large.

“I can see our engagements with international partners increasing in the out-years, however. Mexico has asked how we apply cybersecurity methods to the MTS. And Canada was briefed on cyber as one of a range of topics last year as part of a joint U.S. Coast Guard and Canadian Coast Guard exchange,” McCarter said.

“Through the next decade, I think CGCYBER will be more externally focused than today, more on critical infrastructure, on partnering with other U.S. government agencies to ensure security of critical infrastructure. I don’t know how that will materialize, but I think it will be an important development in the future.”

By

J.R. Wilson has been a full-time freelance writer, focusing primarily on aerospace, defense and high...