The U.S. Coast Guard, the National Institute of Standards and Technology (NIST), and maritime industry stakeholders have developed a voluntary cybersecurity “Profile” for Maritime Bulk Liquid Transfer (MBLT) facilities. This Profile will be released Thursday at the American Petroleum Institute’s 11th Annual Cybersecurity Conference in Houston.
The Profile implements the NIST Cybersecurity Framework, which was developed in 2014 to address and manage cybersecurity risk in a cost-effective way based on business needs and without placing additional regulatory requirements on businesses. The Profile is how organizations align the Framework’s cybersecurity activities, outcomes, and informative references to organizational business requirements, risk tolerances, and resources. Through this industry-focused Profile, MBLT facilities are provided a pathway for integrating the Framework into organizational operations.
The Profile is the first of its kind for the maritime transportation sector, and it is the result of coordination between the Coast Guard Office of Port and Facility Compliance, NIST’s National Cybersecurity Center of Excellence (NCCoE), and industry stakeholders.
“Working with the Coast Guard to engage the oil and natural gas industry in creating this profile is a prime example of the collaboration that takes place at the NCCoE,” said Don Tobin, senior security engineer at the NCCoE. “Organizations working in this critical mission area can leverage the profile to determine and reach their desired state of cybersecurity.”
The Profile identifies and prioritizes the minimum subset of Framework Subcategories relevant to MBLT facility operations, providing the flexibility to address Subcategories in a systematic way that is relevant to their unique operations. The Profile pulls into one document the recommended cybersecurity safeguards and provides a starting point to review and adapt risk management processes. It outlines a desired minimum state of cybersecurity and provides the opportunity to plan for future business decisions.
“This first Cybersecurity Framework Profile for the maritime transportation sector is the culmination of hard work from industry stakeholders, the Coast Guard and NIST to provide guidance to the MBLT industry to adapt their risk management processes to include cyber risk management,” said Capt. Ryan Manning, chief of the Office of Port and Facility Compliance. “While these profiles are voluntary in nature, I highly encourage industry to consider using this to achieve optimal cybersecurity for their respective organization.”
Cyber risk management in the maritime industry has become increasingly important with the evolution of cyber-dependent technologies over the past decade. The Coast Guard and the maritime industry have recognized the growing potential for cyber-based systems to impact bulk liquid and other elements of the Marine Transportation System. Operational technology now, more than ever, operates valves, pumps, sensors, control gates, and cameras, and performs many other vital safety and security functions. Cyber attacks could lead to significant consequences. Cyber incidents, such as software problems, non-targeted malware, or operator error, could have an equally serious impact. The potential consequences of a cyber attack or incident not only impact operations, but can also pose a threat to the Marine Transportation System as a whole.
“These facilities face inherent cybersecurity vulnerabilities and the Coast Guard hopes this profile will assist organizations with mitigating them, and provide a long-term process for developing an internal cyber risk management program,” said Lt. Cmdr. Josephine Long, a marine safety expert in the Critical Infrastructure Branch within the Coast Guard’s Office of Port & Facility Compliance.
According to Long, the Coast Guard anticipates working with the NCCoE to build four additional profiles; the next two will address passenger vessel and terminal operations, as well as mobile offshore drilling operations.
For more information, please view the entire Maritime Bulk Liquids Transfer Cybersecurity Framework Profile.
This blog is not a replacement or substitute for the formal posting of regulations and updates or existing processes for receiving formal feedback of the same. Links provided on this blog will direct the reader to official source documents, such as the Federal Register, Homeport and the Code of Federal Regulations. These documents remain the official source for regulatory information published by the Coast Guard.