Cyber risk management continues to be a focus area across maritime industry. The Coast Guard continues to seek input from and engage with thought leaders and experts to determine the right level of regulatory oversight necessary to mitigate these risks that are faced onboard ships and in port facilities.
Rear Adm. Paul Thomas, assistant commandant for prevention policy, recently met with the National Academies of Sciences, Engineering, and Medicine’s Forum on Cyber Resilience for an open discussion regarding cyber risk management in the marine transportation system (MTS).
According to the Forum’s statement of task, the Forum is “designed to facilitate and enhance the exchange of ideas among scientists, practitioners and policy makers concerned with urgent and important issues related to the resilience of the nation’s computing and communications systems.”
True to that statement of task, Thomas utilized the discussion to gain insights from representatives from academia, private sector and government. He began with an overview of the current state of cyber risk management across the MTS, including challenges faced by the Coast Guard, as a regulatory agency, in developing guidance or regulations to mitigate those risks.
“One of the areas of risk management in the marine transportation system now is managing the risks associated with cyber systems,” said Thomas. “The reason that our marine transportation system is efficient and productive is because it is highly automated and it’s becoming more and more so. Cyber is how we are operating today, and more and more we need to figure out how to manage that risk.”
Thomas specifically noted that cyber was not unique to the maritime environment and that cyber is more than just a security challenge – it’s an operational risk management challenge.
“We are pushing hard for safety culture across the MTS in terms of how we operate; safety culture extends into cyber space,” Thomas added. “It’s not a brave new world. We need to apply our existing preventative approach to cyber.”
Thomas’ goal was to spark discussion covering a few key areas that the Coast Guard is currently focused on.
“What’s the third-party standard I can point to in a regulation? I don’t know what that standard is, but I’m looking for it.”
In addition to preventative measures, Thomas also asked for input on what should happen post-incident.
“We don’t know how to go in there and say, ‘The cyber system that was hacked has now been cleaned and repaired well enough for you to put it back into action’,” he added. “We need a third party to come in and help us with that as well.”
As he wrapped up his presentation, Thomas posed the following questions to the forum:
– Is there a third-party standard? Is it emerging?
– Are there third-party certifiers?
– Is this a viable approach to regulation? Is it something we see elsewhere?
The participants, made up of more than 20 forum members from across academia, the private sector and government, offered their thoughts and what they were currently seeing in their respective fields of expertise.
Initial comments received by Thomas noted that the financial industry, in general, looked to the National Institute of Standards and Technology (NIST) for cyber security standards, and they focused primarily on the Cyber Security Framework.
In addition, it was noted that data sharing proves invaluable in finding solutions to these challenges. It was suggested that the Coast Guard continue to develop and build relationships with Information Sharing and Analysis Centers (ISACs), if possible.
A member also noted that the separation between security personnel and continuity of business personnel can be key to understanding how an organization manages risk – security personnel tend to focus on the preventative measures, while the continuity of business personnel focus on what happens once an attack has occurred and how to return the system to safe operation. Participants noted that the areas of cleaning up post-cyber incident were still developing – it isn’t a solved issue quite yet.
Another member discussed the importance of utilizing automatic patching for updates to key systems within the MTS. The member mentioned that there is a trade off between automatic patching causing a problem and lack of patching causing a problem, but so long as there is a rigorous testing and rollout procedure, automatic patching is becoming an industry best practice.
A final thought focused on developing architecture for what these networks should look like, structurally. One of the questions posed was, ‘what parts of a system should be allowed to talk to other parts, and under what circumstances?’
Thomas took in all the input with the realization that the Coast Guard’s regulatory authorities are limited by many factors, and there is no simple or easy solution to the challenges faced regarding cyber risk management.
“We have a mandate to prevent bad things from happening in ports,” Thomas said. “I hope that I can come back to the forum in six months in order to see where we’ve been…and leverage what [the forum members] have seen out there.”
Rear Adm. Paul Thomas continues to seek stakeholder input regarding cyber risk management in the MTS. If you have ideas, thoughts or questions, join the conversation with @maritimecommons on Twitter using #MaritimeCyber.
This blog is not a replacement or substitute for the formal posting of regulations and updates or existing processes for receiving formal feedback of the same. Links provided on this blog will direct the reader to official source documents, such as the Federal Register, Homeport and the Code of Federal Regulations. These documents remain the official source for regulatory information published by the Coast Guard.