This week, the Coast Guard participated in a maritime cybersecurity learning seminar and symposium with the American Military University and Command, Control and Interoperability Center for Advanced Data Analysis, or CCICADA, at Rutgers University. The organizers of the event plan to publish a comprehensive book on cybersecurity as an outcome of the symposium. The attendees included participants from government, private sector and academia. CCICADA is the Department of Homeland Security’s University Center of Excellence on cybersecurity.
Maritime Commons is providing you with condensed remarks from the symposium. Coast Guard comments shared in this post are from the Chief of the Coast Guard’s Office of Port and Facility Activities.
Subscribe and stay tuned for an additional posts on this event to include a preview from the Deputy Commandant for Operations on the Coast Guard Cybersecurity Strategy!
Subscribe and stay tuned for more on this event!
Delivered by Capt. Andrew Tucci
Cyber is a worldwide domain and I’d like to point out that the Coast Guard is a worldwide organization; we operate in a variety of missions to include the safety and security of the maritime transportation system and the global supply chain.
Ports are fascinating places to me because you have people and goods coming from all over the world into a port, with good traveling to and from those ports by ship, truck rail, air, and pipeline.
The goods we import and export are vital to our daily lives. They include the energy that warms our homes, the food that goes on our tables and the other cargos needed to live our lives and operate our businesses.
What are our risks in the port environment? Who can the risk potentially impact? Ports are where we really share risk and cyber is one of those risks. Port assessments must include cyber risks.
When conducting a port cyber assessment, I have two inclusions to suggest:
1) Include operators: Many of us may label cyber as an IT problem. However, if you only have IT personnel looking at your risk, you will only find IT-related vulnerabilities, risks and solutions. Perhaps you have operator solutions which maybe low tech, reliable and cheaper than whatever high-tech solution may exist. You want to bring those groups together collectively. Including your IT personnel, emergency managers, operational personnel, etc. within your organization will do a much better job of finding risk and finding solutions.
2) Include stakeholders: This includes, but is not limited to, operators, IT personnel, security personnel, customers, suppliers and a broad community of stakeholders. Think outside of a company or organization and expand input to include the community of stakeholders that are relevant to you as a business. You don’t need to share proprietary information to include them in your assessment. The fact that you’re doing business with them means that they matter to you and you matter to them. You have shared risks and vulnerabilities. You’re going to find improved solutions if you take this approach.
We’re not able to solve the issue of cyber risk all at once; what we’re trying to do is create a culture of cyber risk management. Bring in that all of the talent across your organization as well as stakeholders to collectively understand the risks. Ultimately what you’re trying to do is create that culture where people will recognize risk quickly and then have all of those people and knowledge to draw from to identify and mitigate risks and solutions.
If you’re able to bring these folks together to perform your risk assessment on a regular basis, we may be able to solve this problem.
Read the series:
Remarks from the Coast Guard 11th District Staff Judge Advocate
Sneak preview of the Coast Guard’s Cybersecurity Strategy
This blog is not a replacement or substitute for the formal posting of regulations and updates or existing processes for receiving formal feedback of the same. Links provided on this blog will direct the reader to official source documents, such as the Federal Register, Homeport and the Code of Federal Regulations. These documents remain the official source for regulatory information published by the Coast Guard.