- Cargo & Facilities

1/21/2015: Guidance on maritime cyber security standards – Part 1 from the Deputy Commandant for Operations

Last week, the Coast Guard’s Office of Port and Facility Compliance hosted an interagency public meeting called ‘Guidance on Maritime Cybersecurity Standards.’ The Coast Guard, along with the National Institute of Standards and Technology, Nuclear Regulatory Commission and the Industrial Control Systems Cyber Emergency Response Team, presented on cyber security as it relates to the maritime domain.

Maritime Commons is providing you with condensed remarks from the meeting as well as useful resource links in a five-part series. Coast Guard comments shared in this post were delivered by the Deputy Commandant for Operations. Read the other four posts for additional summarized comments and resources on maritime cyber security standards.

Subscribe and stay tuned!

Delivered by Vice Adm. Charles Michel

Industry and public participation is absolutely critical to our success. The Coast Guard needs your comments, questions and critical thought. The Coast Guard does not own everything in the cyber realm; interagency partners and maritime stakeholders are critical to finding solutions on this front.

I think the cyber arena is the most dynamic area that I work in. It is the most challenging area that I work on as the Deputy Commandant for Operations, and that says a lot because we are working on big issues such as transnational criminal organizations, immigration, major changes in U.S. energy infrastructure and Arctic operations. So to say that cyber is the most dynamic area that I see, from my global perspective in the Coast Guard, is a big deal.

Every day it seems like there is another cyber hack or cyber attack. Cyber security is an interesting area because it requires a high degree of technical expertise and evolution, but as a policy maker, I have to convert it to policy. One of the responsibilities the Coast Guard is to prevent transportation security incidents as defined by the Maritime Transportation Security Act. MTSA was enacted after September 11, 2001 and it was primarily focused on physical security. However, cyber security incidents fall within the bounds of the MTSA, especially if they can become transportation security incidents.

Take a look at the maritime industry. Look at how much it relies on information technology infrastructure and how much it relies on communication, navigation, machinery control systems and other automated systems. The maritime industry is built on an IT backbone. Without the employment of this sophisticated technology, much of shipping could not be competitive. But each time these control systems are put in place, it creates vulnerabilities.

We’ve seen incidents caused by cyber accidents or attacks, such as a dynamically-positioned drilling rig that had an emergency break-away. It’s not always an intentional attack. The ability to have resiliency and control systems in place, and assess risk, is what I want to hold a discussion with you about.

As a regulator, this is on the Coast Guard’s to-do list because of our responsibility through MTSA. What tools we use to deal with cyber security can range from voluntary practices to full-on regulation. On the MTSA side of the house, we have mandatory regulation for physical security such as access controls, badging and restricted areas. Do we need a complementary cyber security regime to complement our physical security regime to avoid transportation security incidents?

Regulations are difficult to achieve, but they do provide a level of certainty. I cannot create regulation without full transparency and cooperation with our interagency partners and maritime industry, because this is not going to be a one-size-fits-all solution. We are going to have to look at the diversity of industry and make sure our solution is tailored to industry, is not an undue economic burden and is helpful to industry. You are going to have to help us to figure out where along that spectrum we are going to find this solution.

Whatever we create needs to be flexible. We have to devise something that will build into a very dynamic sector and have the ability to move into a very dynamic future.

I look forward to your critiques, input and questions!

You can provide these on the docket which will be open until April 15, 2015.

The entire public meeting was recorded and is available for public viewing on YouTube. You can view it here! Follow @maritimecommons on Twitter for live updates at Coast Guard events.

In addition to this post, be sure to read the other four posts from the ‘Guidance on Maritime Cybersecurity Standards Public Meeting.’

Part 2: From the Office of Port and Facility Compliance Chief

This blog is not a replacement or substitute for the formal posting of regulations and updates or existing processes for receiving formal feedback of the same. Links provided on this blog will direct the reader to official source documents, such as the Federal Register, Homeport and the Code of Federal Regulations. These documents remain the official source for regulatory information published by the Coast Guard.

Leave a Reply