Correction: In paragraph 12, “Maritime Security Risk Analysis Model” was replaced with “Cyber will also be incorporated into the Coast Guard’s risk assessment models and the Coast Guard will work to provide better guidance to maritime security committees on how it wants them to address cyber and how to mitigate the incidents.” The correction was made to reflect that cyber security is not currently addressed in the removed reference. Correction made on October 8, 2014.
Wednesday, the American Association of Port Authorities hosted a port security seminar and expo in Baltimore, Md. Rear Adm. Paul Thomas, assistant commandant for prevention policy, was the keynote speaker.
His remarks were focused on cyber security, the evolution of energy and its impact on the Maritime Transportation System, and liquefied natural gas as fuel and its potential security implications.
“What worries me is that we not lose focus on what it takes to secure a port. To think that we can ever be done investing in the security of our ports is a concern of mine. We need to stay focused on port security and continue to adjust to evolving threats,” said Thomas.
Thomas pointed to advances in technology as part of the reason port security needs a renewed focus.
“The state of technology in 2001, with Windows XP, iPods, portable DVD players and a few camera phones is significantly different than where we are today where all of this is now on your smartphone with streaming video, every phone can record and take pictures, play music and function as a computer,” said Thomas.
Thomas stressed the need to focus more closely on cyber security in the port environment.
“Cyber security is not an easy topic but no doubt we have been seeing cyber security incidents in the maritime domain. We’ve seen container tracker systems hacked, access control systems manipulated and WiFi at facilities accessed,” said Thomas.
Thomas shared that whether cyber incidents are accidents or attacks is a distinction without a difference. He proposed that the question should be: how could we let this happen, and how do we prevent it from happening again?
The Government Accountability Office put out its Maritime Critical Infrastructure Protection report in June, which stated three conclusions. The first was that the Coast Guard has not conducted a risk assessment that addresses cyber threat, vulnerabilities and consequences. The second was that the security plans required by law and regulations do not address cyber security and, last, that the information sharing on cyber security is lacking.
Thomas called for feedback from maritime stakeholders on these three conclusions and shared the steps the Coast Guard has taken to address them.
“We have not been silent on the topic of cyber in the Coast Guard. We have issued alerts, advisories and best practices as well as engaged our Area Maritime Security Committees and the Area Maritime Security Plan. We have provided assessment tools for industry to use to put their plans into place and enforced requirements for the reporting of cyber incidents,” said Thomas.
Thomas also shared some of the Coast Guard’s ongoing efforts in relation to cyber security. The Coast Guard is creating a cyber strategy and is working to leverage cyber into operational risk decision-making and distribute risk assessment tools as well as to share cyber best practices. Cyber will also be incorporated into the Coast Guard’s risk assessment models and the Coast Guard will work to provide better guidance to maritime security committees on how it wants them to address cyber and how to mitigate incidents.
“We are working to provide tools that help industry to have a basic cyber hygiene that provides at least a minimum standard of cyber protection,” said Thomas.
Thomas spoke on the need for a phased approach that ends in a cyber security regime equal to the physical security regimes we have in place now with the Maritime Transportation Security Act.
“What does this mean? It means that we identify the equivalent of MTSA requirements, such as a fence, guard and camera, and figure out what those are in the world of cyber. We need to identify what the cyber fence, guard and cameras are and then put those safeguards in place. We need to understand and define cyber secure areas, and the cyber credentials needed to enter these areas,” said Thomas.
Thomas spoke about the need to set cyber security standards, ensure those standards are met, address incidents immediately and work to prevent future incidents from occurring.
“This is not something we can take lightly and we have an obligation to do at least the minimum for cyber security for our economy. I believe that our nation expects that we, as maritime professionals, are taking all necessary steps to secure the marine transportation systems against all threats, including cyber,” said Thomas. “As a group, we need to make sure basic cyber security standards are met. It is not my job to ensure compliance at your facility. There are basic processes that you can put in place such as ensuring that your people are putting security first evidenced by actions such as changing their passwords when needed. What processes will you put into place that will make sure people are following these standards? What will you do when something goes wrong?”
Thomas spoke on the need for regulation for cyber security to create a minimum standard throughout the nation’s ports.
“I believe that eventually we will regulate cyber security as we do physical security, but that we should create that regulation by figuring out what the best practices are in industry and incorporate those into regulations. The bad way to go about it is to wait for an incident that makes us move forward on reactive regulations,” said Thomas.
Thomas spoke on the need to protect against both cyber security and cyber safety incidents. He described cyber security as preventing outsiders from getting into systems and cyber safety as the protection from an accidental insider threat. Thomas identified examples of cyber safety incidents as systematic problems, and spoke on the risks associated with automated processes, such as an oil release due to a cyber safety incident.
Thomas brought up two upcoming events for the maritime community:
1) There will be an upcoming Federal Register notice soliciting comments on the need for a Maritime Transportation Sector Coordinating Council as a means to improve communication on cyber security. You can subscribe to Maritime Commons to receive notification of this when it has been finalized.
2) The Coast Guard will be sponsoring a public meeting to begin discussion on the right way to develop cyber security standards and compliance processes and achieve a basic level of cyber security. Subscribe to Maritime Commons for notification and details on the public meeting when it is scheduled.
The other two areas that Thomas touched on were the revolution of energy and its impact on the Maritime Transportation System and LNG.
“We are producing more oil in the US, particularly crude, in the past three years than ever before. We are producing about 2 million barrels more today than we were three years ago. In addition to that, we are producing natural gas as well. The crude oil piece is important because we are out of capacity in regards to pipelines. Many of you have crude oil coming into your ports by rail and barges. You will be seeing an increase in vessel traffic in your facilities because of the increase in this production. There are security implications associated with crude and LNG. Volume increase leads to security risk increases, and the nature of the product is different which also causes security implications,” said Thomas.
If you are in one of these ports, these are good discussion topics for your Area Maritime Security Committee. For further information, contact your local Coast Guard Sector.