- Cargo & Facilities

1/27/2015: Guidance on maritime cyber security standards – Part 5 Concluding remarks

Last week, the Coast Guard’s Office of Port and Facility Compliance hosted an interagency public meeting called ‘Guidance on Maritime Cybersecurity Standards.’ The Coast Guard, along with the National Institute of Standards and Technology, Nuclear Regulatory Commission and the Industrial Control Systems Cyber Emergency Response Team, presented on cyber security as it relates to the maritime domain.

Maritime Commons is providing you with condensed remarks from the meeting as well as useful resource links in a five-part series. Coast Guard comments shared in this post are from the Chief of the Coast Guard’s Office of Port and Facility Compliance and the Assistant Commandant for Prevention Policy Read the other four posts for additional summarized comments and resources on maritime cyber security standards.

Subscribe and stay tuned!

Delivered by Capt. Andrew Tucci

Resilience is a topic that relates closely to cyber security and the framework. There are a lot of differences between physical and cyber securities. A part of any good program will answer how we respond effectively, and then how we recover from that. How do we get our systems back online? There are two sides to it. If you have a cyber incident, what is your resiliency plan to recover from it?

We take our responsibility to protect the nation very seriously. We are deeply appreciative of the hard work by those in maritime industry taking the time to help us protect our waterways and nation.

Cyber is not just a domestic issue; it is a global one. The Coast Guard has already begun conversations at the International Maritime Organization to start a dialogue about establishing a risk process and better addressing cyber security at the international front as well.

We are going to take all of the input received on the docket, which is open until April. I encourage you all to submit comments. We are going to start working on what a policy might look like. When we get to the point where we have a decent draft, we will be transparent and, of course, invite more comment.

Rear Adm. Paul Thomas, assistant commandant for prevention policy, concluded the meeting with remarks about timeline and incentives.

Delivered by Rear Adm. Paul Thomas

There were questions from the audience about timelines and incentives that I’d like to address. The Coast Guard just recently conducted a study about the cost burden to industry of all the regulations that we have published since 1973. We found that 88 percent of the entire cost burdens of all regulations, over all those years, were due to two regulations, OPA 90 and MTSA. Both of these regulations followed predictable disasters. The lesson learned should be that we should not wait for an incident to occur that will make us move forward on reactive, more expensive, regulations; we need to be proactive in approaching this.

We are here to have a discussion with industry so we can develop a standard together, one that works and is reasonable in terms of the cost benefit. If we wait until an incident occurs, that opportunity goes away. There is another thing I’d like to get people to think about. We’ve talked about cyber in terms of security but cyber is a safety issue as well and there is liability associated with safety and environmental standards to the extent that any of your vessel and facility safety systems are cyber-dependent, and accessed by people.

Most ships built today have software that manages its engines. Oftent, that software is updated while the vessel is underway and the master doesn’t even know when the software is being updated. If the safety management system for that vessel doesn’t address who can do updates, when they can do them or what conditions the engines need to be in when the update occurs, then you have a real liability and a real problem.

We need to think about this more holistically. I personally believe that the authorities to approach this from both safety and security aspects are there…we need to have the discussion and not necessarily limit it to transportation security incidents.

The Coast Guard is seeking your critiques, input and questions! You can provide these on the docket which will be open until April 15, 2015.

The entire public meeting was recorded and is available for public viewing on YouTube. You can view it here! Follow @maritimecommons on Twitter for live updates at Coast Guard events.

In addition to this post, be sure to read the other four posts from the ‘Guidance on Maritime Cybersecurity Standards Public Meeting.’

Part 1: From the Deputy Commandant for Operations

Part 2: From the Office of Port and Facility Compliance

Part 3: From Cyber Command

Part 4: Cyber resources

This blog is not a replacement or substitute for the formal posting of regulations and updates or existing processes for receiving formal feedback of the same. Links provided on this blog will direct the reader to official source documents, such as the Federal Register, Homeport and the Code of Federal Regulations. These documents remain the official source for regulatory information published by the Coast Guard.