- Cargo & Facilities

1/22/2015: Guidance on maritime cyber security standards – Part 2 from the Office of Port and Facility Compliance Chief

Last week, the Coast Guard’s Office of Port and Facility Compliance hosted an interagency public meeting called ‘Guidance on Maritime Cybersecurity Standards.’ The Coast Guard, along with the National Institute of Standards and Technology, Nuclear Regulatory Commission and the Industrial Control Systems Cyber Emergency Response Team, presented on cyber security as it relates to the maritime domain.

Maritime Commons is providing you with condensed remarks from the meeting as well as useful resource links in a five-part series. Coast Guard comments shared in this post are from the Chief of the Coast Guard’s Office of Port and Facility Compliance. Read the other four posts for additional summarized comments and resources on maritime cyber security standards.

Subscribe and stay tuned!

Delivered by Capt. Andrew Tucci

The Coast Guard wanted to host this public meeting to help evaluate and address cyber security risks to the maritime industry and maritime critical infrastructure. The Coast Guard has a long history of protecting our nation from threats and cyber is now one of those threats and we need to figure out how to best address this threat.

We brought in interagency partners to demonstrate and add to our dialogue and because we are looking to learn from those who have been working at this and already had success. We need to leverage the tools and capabilities that already exist. Ultimately, what we want to do is achieve safety and security for our nation and ensure the public can be confident that our systems are secure.

We wanted to use this opportunity to proffer questions to you and get you thinking about cyber in terms of how it can impact your operations. The Coast Guard needs your feedback.

Looking at these questions should be a collective process that includes vessel and facility operators, IT professionals and security personnel. Gathering together a team to conduct an assessment will create the best outcome.

Here is a list of questions I would like you to consider. Please look at these and provide your own comments and questions to the docket ….

• What cyber dependent systems, commonly used in the maritime industry, could lead or contribute to a transportation security incident if they failed or were exploited by an adversary? What would the consequences be?

• What procedures do vessel and facility operators use to identify potential cyber vulnerabilities? Are you using existing processes from governmental agencies, insurance companies or your own? What is your risk assessment process? Are there existing programs that the Coast Guard could recognize? To what extent do they address transportation security incident risks?

• What factors should determine when manual backups or other non-technical approaches are sufficient to address cyber vulnerabilities? Once you’ve identified your risk, there needs to be a variety of ways to mitigate that risk. Sometimes these solutions can be very non-technical such as a float switch that can cut off a system if the technological system fails.

• To what extent do current training programs for vessel and facility personnel address cyber? In many cases, the largest risk is the end-user and training can mitigate a great deal of risk. How much risk could be mitigated by providing training? What should that training cover? Are there training programs out there right now that include the type of cyber training that could work for maritime industry?

• How can the Coast Guard leverage the Alternative Security Program? The Coast Guard has standards mostly addressing physical securities for vessels and facilities. We have programs where vessel and security operators submit plans to address physical security risks. We also have ASPs which allow certain segments of industry that essentially develop their own alternative way of meeting security requirements. With this, you get an ‘umbrella’ plan for all the members of that association or organization. The Coast Guard agrees that it achieves a necessary level of security that is acceptable. Perhaps this is appropriate with cyber. For all companies, under an umbrella, to adopt a cyber security plan, and apply to all facets of the company. I offer this as the ASP as a potential way to address cyber standards as a compliment to their already existing security plans.

• How can vessel and facility operators reliably demonstrate that critical systems meet appropriate cyber security standards? Both industry and the Coast Guard want to be able to say that we are confident we have a good security system in place in regard to cyber risks. How can we be confident that a system is secure? The Coast Guard is interested in finding a credible way that both parties can be sure there is a secure plan in place so that all concerned are confident we have good secure systems for our ports, vessels and facilities.

• Do classification societies, insurers and other third parties recognize cyber security practices that could help the maritime industry and Coast Guard address cyber risks? Are there existing practices in place we can look at? What is already being done ‘out there’ that the Coast Guard can recognize? We are not looking to reinvent the wheel. We would like to know what you are currently doing within your own organizations and companies?

The Coast Guard is seeking your critiques, input and questions! You can provide these on the docket which will be open until April 15, 2015.

The entire public meeting was recorded and is available for public viewing on YouTube. You can view it here! Follow @maritimecommons on Twitter for live updates at Coast Guard events.

In addition to this post, be sure to read the other posts from the ‘Guidance on Maritime Cybersecurity Standards Public Meeting.’

Part 1: From the Deputy Commandant for Operations

This blog is not a replacement or substitute for the formal posting of regulations and updates or existing processes for receiving formal feedback of the same. Links provided on this blog will direct the reader to official source documents, such as the Federal Register, Homeport and the Code of Federal Regulations. These documents remain the official source for regulatory information published by the Coast Guard.

Leave a Reply