The United States creates a non-profit organization to facilitate cybersecurity information sharing in the maritime sector

In February 2020, the United States created the Maritime Transportation System Information Sharing and Analysis Center (MTS-ISAC), whose website has since been launched. The MTS-ISAC was established by a group of U.S. maritime stakeholders as a non-profit association (501(c)(6), broadly comparable to a French non-profit association) with the goal of promoting cybersecurity information sharing across the maritime community.

A growing awareness within the maritime sector

The creation of the MTS-ISAC reflects the maritime sector’s increasing awareness of cyber risks and the need for efficient and secure information sharing between stakeholders, including smart ports, shipping companies, and port operators. Within many maritime organizations, personnel combining both maritime and cybersecurity expertise remain scarce. As a result, sharing information among public and private actors has emerged as one of the most effective ways to strengthen collective resilience.

The ultimate objective is to improve the identification of threats, enhance detection capabilities, and better protect networks, systems, and personnel. These missions are broadly similar to those typically performed by a CERT (Computer Emergency Response Team).

An ISAC as a central coordination hub for maritime cybersecurity

The MTS-ISAC aims to serve as a central coordination point between public and private stakeholders, enabling trusted partners to rapidly exchange accurate and timely information about cyber threats. Information sharing and analysis efforts cover both Information Technology (IT) and Operational Technology (OT) environments.

The services provided by the MTS-ISAC are intended to help maritime operators better understand and manage cyber risks, particularly in light of evolving regulatory requirements. These include the IMO cybersecurity requirements entering into force on January 1, 2021, as well as U.S.-specific regulations such as the U.S. Coast Guard circular Navigation and Vessel Inspection Circular (NVIC) 01-20, Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act (MTSA) Regulated Facilities.

Positive feedback from the sector

Interviewed by Security Magazine, Scott Dickerson, Executive Director of the MTS-ISAC, explained:

“As the maritime sector increases its reliance on new technologies and integrates them into operational capabilities, stakeholders increasingly recognize the need to pool cybersecurity resources in order to manage associated risks effectively. As cyber threats continue to grow, effective information sharing among stakeholders significantly enhances their ability to manage these risks. While IMO and USCG circulars help provide guidance to the industry on cyber risk management, we believe effective maritime public-private partnerships will be the cornerstone of successful maritime cybersecurity risk management. The MTS-ISAC structure benefits any maritime stakeholder that owns or operates critical infrastructure and ensures that all participants operate on an equal footing in terms of cybersecurity information sharing and protection. MTS-ISAC contributes to building a maritime cybersecurity community, and we believe stakeholders will find our collaborative approach highly representative of the current operational environment of the maritime sector, while also providing essential mechanisms to protect shared information.”

David Cordell, CIO of the Port of New Orleans, added:

“By correlating cybersecurity information among key MTS stakeholders, the ISAC provides the early warning capabilities we all need to protect our organizations against incidents. Our participation in the MTS-ISAC brings us value that we could not obtain elsewhere.”

Christy Coffey, Vice President of Operations at MTS-ISAC, also expressed strong enthusiasm:

“The feedback from stakeholders regarding the creation of the MTS-ISAC has been phenomenal. The strong leadership of our board and executive team, the rapid sharing of suspicious and malicious activity targeting organizations, and the quality of our partnerships have all contributed to an extraordinarily successful launch.”

The governance structure

The first members of the ISAC board include:

• Alabama State Port Authority
• Greater Lafourche Port Commission (Port Fourchon)
• Jacksonville Port Authority (JAXPORT)
• the Port of New Orleans
• the Port of San Diego
• the Port of Vancouver
• six additional stakeholders from critical maritime infrastructure sectors

According to the MTS-ISAC website:

“Our board of directors is composed of stakeholders from across the maritime sector. This is their ISAC, and they have direct decision-making authority regarding how private and public sectors share information to improve the cyber resilience of the industry.”

The fifteen voting seats on the board include representatives from ports, terminal operators, shipping companies, the cruise industry, the energy sector, and government representatives.

Core missions

The services provided by the MTS-ISAC include:

• information sharing
• awareness and outreach
• training and exercises
• network monitoring
• threat intelligence
• penetration testing
• vulnerability assessments
• public-private collaboration
• risk management

In particular, the ISAC provides end-to-end support for the design and execution of tabletop and functional exercises, ensuring that stakeholders are properly coordinated and prepared to respond to cyber incidents. The ISAC is also responsible for producing post-exercise reports and sharing lessons learned with participating organizations.

Connections with other critical sectors

The ISAC also connects its members to a broader community of organizations operating critical infrastructures, including sectors such as aviation and commerce. It facilitates exchanges between maritime stakeholders and sector experts when specialized expertise is required.