Last week, the Coast Guard’s Office of Port and Facility Compliance hosted an interagency public meeting called ‘Guidance on Maritime Cybersecurity Standards.’ The Coast Guard, along with the National Institute of Standards and Technology, Nuclear Regulatory Commission and the Industrial Control Systems Cyber Emergency Response Team, presented on cyber security as it relates to the maritime domain.
Maritime Commons is providing you with condensed remarks from the meeting as well as useful resource links in a five-part series. Coast Guard comments shared in this post are from the Coast Guard Cyber Command. Read the other four posts for additional summarized comments and resources on maritime cyber security standards.
Subscribe and stay tuned!
The Assistant Commandant for Cyber Command, Rear Adm. Marshall Lytle provided some brief remarks before introducing a member of his staff to speak on evolving cyber threats in the maritime domain.
“Cyber is all about operations. It is critical to everything we do. Cyber has to be taken into account like everything else. Think about cyber and how it affects your operations,” said Lytle. “The Department of Defense has included cyber as one of the key domains to be protected along with land, sea, air and space. The Department of Homeland Security is working on how to set up standards for security in cyber so we can establish safe and secure borders and waterways.”
Evolving cyber threats
Delivered by Brett Rouzer
Cyber systems have revolutionized the way we conduct our lives. Whether it’s paying taxes online, ordering goods and services from our computers or smartphones or using social media… Our cyber systems have become critical enablers to how we live. Cyber security is a national priority; it is directly responsible for the success of our national economy as well as our national security.
As threats evolve, we need to evolve our thinking and approach to dealing with these threats. Physical security and cyber security are inextricably linked; you can’t do one well without the other. Today’s maritime fleets are technological marvels, driven by interconnected systems and functions.
Cyber threat actors can gain access to your systems from thousands of miles away or from another continent. The interconnectedness of today’s world provide cyber threat actors with a multitude of access points into vulnerable cyber systems and networks.
We face threats from hackers, phishing, social engineering and malicious coding. Threat actors include nation states, insiders, hacktivists, criminals and end-users.
You and your networks are only as secure as the individual at the keyboard. Train your users to know what to click on and what not to connect to your computer.
Specific instances that have impacted the maritime domain:
1) The smuggling of illicit cargo between two ports where the entrance to the system was a malicious email that an end-user clicked.
2) A facility where a disgruntled employee plugged malicious software into computers via thumb drives.
3) An oil rig where cyber technology caused the rig to tilt.
4) A GPS anomaly on an unmanned crane caused the crane to stop working and lose functionality impacting the movement of goods and services.
Here are some types and impacts of exploiting industrial control systems:
1) Direct physical damage to affected equipment and systems
2) Small-scale local disruptions
3) Injury or death to operators, passengers or the general public
4) Catastrophic disruptions to the transportation system
What would your organization do if all of your company’s computers stopped working? A simple question like this serves as the starting point for some key cyber risk analysis of your own operations.
The Coast Guard is seeking your critiques, input and questions! You can provide these on the docket which will be open until April 15, 2015.
The entire public meeting was recorded and is available for public viewing on YouTube. You can view it here! Follow @maritimecommons on Twitter for live updates at Coast Guard events.
In addition to this post, be sure to read the other four posts from the ‘Guidance on Maritime Cybersecurity Standards Public Meeting.’
This blog is not a replacement or substitute for the formal posting of regulations and updates or existing processes for receiving formal feedback of the same. Links provided on this blog will direct the reader to official source documents, such as the Federal Register, Homeport and the Code of Federal Regulations. These documents remain the official source for regulatory information published by the Coast Guard.