The U.S. tugboat, towboat and barge industry is just as vulnerable as any other industry when it comes to cyber risk, according to the American Waterways Operators.
That's why the national trade organization has partnered with the U.S. Coast Guard to develop "Cyber Risk Management: Best Practices for the Towing Industry," to help identify and manage cyber risks faced by operators on the waterways.
Because "one size does not fit all," companies are urged to take a tailored approach that incorporates a cyber risk management policy and related procedures into their existing safety management system.
"The tugboat, towboat and barge industry is a vital component of our nation's critical infrastructure, transporting annually over 760 million tons of commodities that power the American economy," according to Tom Allegretti, AWO president/CEO.
"As our industry continues to integrate cyber systems into all aspects of its operations in order to meet the demand for efficient maritime cargo transport, we recognize the importance of providing our companies with resources to mitigate against the growing range of cyber threats."
Caitlyn Stewart is the director of regulatory affairs with AWO.
"This is an issue that has really been on our radar screen for, I would say, the last three or four years, as an organization and an industry," she said.
"The barge industry, like any industry that you can think of, has become increasingly reliant on cyber-connected systems, both information systems and operational systems, in recent years. And, those connective systems are vulnerable, not cyber attacks by malicious actors but disruption, perhaps inadvertently.
"So, it's just important for companies to understand where their vulnerabilities exist and to act to mitigate them," she said.
According to Stewart, the place for operators to start on cyber risk management is by conducting a risk assessment.
"There are steps you can take to begin to protect yourself against a cyber incursion, intrusion or disruption, such as password protocols and educating employees about malicious links in emails, phishing, and what a phishing email looks like," she said.
"What we advise companies to do is start by looking at what cyber-connected systems that they have, what those systems do, and how they might be accessed or how they might be compromised. That mapping, that sort of assessment exercise, is intended to help companies understand where they should focus their resources."
The industry does move a lot of critically important cargo, and some of that cargo is classified as dangerous, according to Stewart.
While admitting anything that would have the potential to create an environmental incident is of very high concern, "we haven't seen any attack that has targeted a company based on the cargo that they move, or an attempt to gain control of a vessel or something like that, but the risk of disruption from an economic perspective is a concern and could have the potential to be very damaging on its own," she said.
"An increasing number of attacks that disrupted operations in the maritime industry is one of the reasons that we sat down this path and really drove home to our members what the potential consequences of something like this could be," Stewart said.
The Coast Guard has adopted the National Institute of Standards and Technology cybersecurity framework as the foundation for its guidance to other segments of the maritime industry on cyber risk management.
The framework includes five functions: identify physical and software assets, people, data and risks; protect assets by training users and mitigating risk; detect cyber incidents; respond with defined response processes; and recover assets or systems affected by cyber incidents.
The response from the industry to the best practices has been positive, according to Stewart.
"There are companies in our membership and in the industry that have a large, well-resourced IT department," she said. "And, then there are companies that are smaller and don't have IT personnel dedicated to cyber risk management specifically.
"Whatever their situation on that spectrum, companies have taken what we have put out and are reviewing it to see where they fall. We're going to continue to take feedback that we get and update the best practices or create new materials for them to utilize. It will all be driven by their feedback."
Training employees is a big part of cyber risk management.
"They are the first line of defense for small suppliers," Stewart said. "They can be on the lookout for things that are out of the ordinary or that represent potential attempts to compromise the system. That is really vital."
According to Stewart, the increasing reliance on technology increases the risk that, even inadvertently, things can go wrong with a computer system.
"One of the examples that is often used is if an employee brings in a thumb drive from home and plugs it into a (work) computer, and doesn't realize there is a virus on that drive, it can disrupt the system.
"The (cyber) risks are multi-faceted and they don't just come from bad actors," she said.
"So, the better sense a company has of their systems - and the way those systems are connected - they can put safeguards in place to make sure they are protected."