Do you have a Transportation Worker Identification Card (TWIC)? Do you remember the days when you didn’t need to give 24 hours’ notice before your ship could enter a U.S. port? Well, these and several other improvements to port security were brought to you by the Maritime Transportation Security Act (MTSA) in 2002 in response to the attacks of 9/11.
Background
Following 9/11, Congress first focused on aviation security. Shortly afterwards, lawmakers began to work on new laws and regulations on maritime and port protections. Hence, the MTSA was established by the federal government, and signed into law by President George W. Bush on November 25, 2002. The full provisions of the law came into effect on July 1, 2004.
Overall, the MTSA creates a broad and consistent security program for all the US ports to better identify and deter threats in the maritime domain.
The MTSA included the following types of requirements:
- Establishment of TWIC cards which included biometric security, such as fingerprints;
- Installation of Automated Identification Systems (AIS) for most large passenger and commercial vessels;
- Requirement for 24 hours’ notice prior to a ship entering a U.S. port;
- Establishment of Area Maritime Security Committees chaired by the U.S. Coast Guard Captain of the respective ports;
- Establishment of restricted areas and signage;
- Performance of vulnerability assessments for all ports, vessels, cruise ships (more than 150 passengers or over 100 gross tons);
- Completion of Maritime Security Plans for ports, vessels, cruise ships which are reviewed and approved by the Coast Guard;
- Expectations for regular drills and exercises in the maritime domain.
But What About Cyber?
Originally, the MTSA was primarily focused on physical security issues ranging from signage on fences to TWIC cards to video monitoring. On Feb. 26, 2020, the U.S. Coast Guard the document Guidelines for Addressing Cyber Risk at Marine Transportation Security Act (MTSA) Regulated Facilities document. As cited in the Federal Register on March 20, 2020, the circular clarifies the existing MTSA requirements related to computer system and network vulnerabilities of MTSA-regulated facilities.
It also provides owners and operators of the facilities with guidance on how to analyze these vulnerabilities in their required Facility Security Assessment (FSA) and address them in the Facility Security Plan (FSP). Additionally, the circular doesn’t include a checklist or otherwise prescribe cyber security solutions. Instead, it emphasizes that existing regulations require MTSA-regulated facilities to assess and address vulnerabilities in computer systems and networks and provides guidance on how to mitigate those cyber security vulnerabilities identified in the facility’s security assessment.
According to the maritime law firm Adam and Reese, the guidelines offer the following recommendations:
- Implementing measures to limit unauthorized access to restricted areas and systems, including those controlled by cyber networks;
- Describing how drills and exercises will evaluate cybersecurity vulnerabilities of the FSP;
- Describing how and when physical security and cybersecurity personnel will coordinate for notifications of suspicious activity, breaches of security or heightened security levels;
- Documenting cyber-related procedures for managing software updates and patch installations;
- Documenting how cybersecurity is included as part of personnel training, policies and procedures, and explaining how this material will be kept current and monitored for effectiveness;
- Detailing cyber-related procedures for interfacing with vessels, including any network interaction, portable media exchange, remote access, or other wireless access sharing.
Interestingly enough, this added cyber emphasis does not precisely apply to ports or port facilities.
The Future of the MTSA
The general consensus is that the MTSA and its requirements have matured significantly since their initial implementation in 2004. However, since the beginning, some members of Congress have expressed concern that the MTSA doesn’t go far enough in its requirements for increasing port security. For example, the MTSA does not explicitly address the terrorist who tries to appear as a “legitimate” shipper.
In a Congressional Research Service paper titled Maritime Security: Overview of Issues by John F. Frittelli, it was noted that “…some industry observers contend that carriers and shippers will always place speed and efficiency above security matters. On the other hand, most experts acknowledge that there are just too many cargo movements for the government to monitor on its own. A key question is to what extent government authorities should rely on the due diligence of private companies in tightening control over maritime commerce.”
In 2012, US representative Frank A. LoBiondo, Chairman of the Coast Guard and Maritime Transportation Subcommittee, did state “I believe our ports and waterways are much safer than they were 11 years ago. However, he did mention that deficiencies in the following areas need improvement:
- A lack of sufficient TWIC-deployment regulations.
- A lack of uniform tracking technology requirements on vessels, and
- The ability of authorities to enforce the MTSA despite budget cuts.
Overall, I suspect the MTSA will evolve to address the continued “old-fashioned” and new threats—especially cyber. One area in question is security of autonomous ships. Also, port security is expected to be addressed in more detail.
In fact, earlier in September 2021, the International Association of Ports and Harbors (IAPH) announced publication of cyber guidelines for ports and port facilities. These guidelines can be viewed at https://bit.ly/IAPHCyberGuide1.
Could these guidelines be incorporated into the MTSA? It will be interesting to watch developments in this area of security.
Ernie Hayden’s background includes management and technical roles focused on cyber and physical security since the tragedy of 9/11. He was previously U.S. Navy Nuclear and Surface Warfare Officer, and has published a book entitled Critical Infrastructure Risk Assessment – The Definitive Threat Identification and Threat Reduction Handbook which has been awarded the 2021 ASIS Security Book of the Year.