[Letter to the Editor] Remotely Operated Locks: An Unnecessary Cyber Risk
In reference to the article "Remotely Operated Locks: Progress, But Still Under Study," from the May 2020 edition of Marine News magazine.
One can only wonder after the Colonial Pipeline cybersecurity disaster why the U.S. Army Corps of Engineers is still doggedly working to put every navigational lock and dam—our "critical infrastructure"—under a computer-operated, remote-controlled, open cybersecurity risk system.
Does the term “cybersecurity risk” have meaning to the Army Corps? The term cybersecurity risk means threats to, and vulnerabilities of, information or information systems and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification or destruction of such information or information systems, including such related consequences caused by an act of terrorism (see: 6 U.S.C. § 148).
Please review Homeland Security Presidential Directive 7, which establishes a national policy for Federal departments and agencies to identify and prioritize critical infrastructure and to protect them from terrorist attacks.
Is the Pittsburgh District working with the Homeland Secretary to carry out the functions assigned in the Homeland Security Act of 2002 and other Acts to secure all cybersecurity risks within the Army Corps?
All Federal department and agency heads are responsible for the identification, prioritization, assessment, remediation and protection of their respective internal critical infrastructure and key resources, consistent with the Federal Information Security Management Act of 2002.
Is the Army Corps capable of protecting this new cybersecurity navigational system? As of today, the Army Corps has approximately $2.7 billion waiting for deferred maintenance throughout the Army Corps Districts. So let us now add cybersecurity risk deferred maintenance costs. What a good idea!
The Army Corps should spend Congressionally allocated funds to engineer their time for an Infrastructure Plan that will clearly help rebuild the Corps and address the overlooked needs of the navigational critical infrastructures, not an open integrated cybersecurity risk debacle that could open river navigation to all on the "dark web" and put people and commerce at unneeded great risk.
So, will there be a cost to run and operate this new cybersecurity navigational automated lock and dam system? Maybe the Army Corps should ask the good cost- and safety-conscious Colonial Pipeline executives.
One can now envision a lockage fee to pay for the new ongoing remotely operated cybersecurity maintenance.
-Michael Arendt, Towboat Capt. (Ret.)