From the desk of Rear Adm. Paul Thomas, assistant commandant for prevention policy
I was recently asked by a member of industry about Coast Guard personnel discussing cyber with terminal operators during Coast Guard inspections. I wanted to address this as I understand there is some amount of nervousness in giving unnecessary information or in not providing the right type of information.
As I’ve discussed in previous contributions to this blog, cyber-based technology is used widely in the marine industry, and frequently is associated with critical functions such as propulsion, navigation, cargo control and safety and security monitoring.
The Coast Guard is working to increase our understanding of these systems. This understanding is critical in enabling us to assess and compare both cyber and non-cyber related risks. This information, in turn, enables the service to meet our responsibilities to the public in assuring that those risks are properly managed.
As part of this process, Coast Guard marine inspectors and facility inspectors may ask operators about what cyber systems they employ and what functions they perform. They may also ask operators if they are aware of cyber best practices, such as the NIST Framework, and information provided by DHS CERT and ICS-CERT.
Please understand that our goal in these conversations is to raise awareness and promote a mutual understanding of potential cyber risks in the maritime domain. We are not seeking technical, detailed or proprietary information about any organization’s cyber practices. Indeed, few, if any, Coast Guard personnel possess the technical knowledge to evaluate such issues. Despite any shortfalls in cyber technicalities, like their industry counterparts, our facility and vessel inspectors are maritime professionals who understand the potential consequences should a cyber system be deliberately exploited, subjected to the inadvertent introduction of malware or misused. Operator-to-operator discussions between the Coast Guard and industry can help us work together to build a safer, more resilient, marine transportation system.
I encourage facility and vessel operators to consider how they can incorporate cyber risks into Safety Management Systems, security plans required by the Maritime Transportation Security Act, as well as other existing systems. Note that these are performance-based systems, in which industry conducts a risk assessment and proposes general mitigation measures without disclosing the details of identified vulnerabilities. I fully expect that the Coast Guard will apply these principles to cyber-related risks in the future.
Like the rest of society, the maritime industry is becoming increasingly dependent on cyber technology. While this technology has many benefits, it also introduces risk. I look forward to working with the industry to address these risks responsibly. I encourage you to work with your local Coast Guard inspectors as well as your Area Maritime Security Committees. Together we can keep our people, environment and economy safe, secure and thriving.
This blog is not a replacement or substitute for the formal posting of regulations and updates or existing processes for receiving formal feedback of the same. Links provided on this blog will direct the reader to official source documents, such as the Federal Register, Homeport and the Code of Federal Regulations. These documents remain the official source for regulatory information published by the Coast Guard.