Editor’s Note: Earlier this month, senior Coast Guard leaders had the opportunity to make remarks on various topics during the Connecticut Maritime Association’s Shipping 2017 conference and expo in Stamford, Connecticut.
For those of you who were unable to attend, Maritime Commons is providing a condensed version of each set of remarks, in a four-part blog series. These remarks are not ‘as delivered’ but provide a condensed version of the panel highlights in the ‘panel-conversational’ style.
First up are remarks made by Rear Admiral Paul Thomas, assistant commandant for prevention policy, during a shared-stage panel on cyber security. In his remarks, Thomas focuses on the importance of incorporating cyber risk management at every stage of ship design, construction, and operation.
The panel was moderated by Kathy Metcalf, president and CEO of the Chamber of Shipping of America, an organization dedicated to representing the industry regarding US and international legislative, regulatory, and administrative interests.
Shipboard Cyber Risk Management – The Next Step
We’ve been working hard on cyber risk management together for more than three years now. It’s useful, I think, to take some time and reflect on where we’ve been, where we are, and where we are headed with regard to cyber risk management and cyber security in the MTS, and specifically in shipping in the view of the Coast Guard. I’ll focus on shipping because I believe this audience is largely focused there, but the Coast Guard has also been working hard on cyber risk management throughout the MTS and particularly at regulated port facilities and in the navigation systems and services we provide. With regard to port facilities, the authorities and the mechanisms of governance may be slightly different, but the key concepts are the same as I will discuss for international shipping.
So where have we been? Two years ago we were talking about the need to build awareness of cyber risks in shipping. At the time, I and many others told you that cyber is so much more than a security issue and so much more than an IT issue. Cyber represents a new operational risk that must be managed like other operational risks; and the good news – this industry, the international shipping industry, knows how to manage operational risk.
I’m not going to spend time today re-making the case that I and others have made in recent years that cyber is how we operate and presents operational risks that must be managed. It is clear, that case has been made, and congratulations to all of you for taking the message to heart.
Look at the progress that has been made in two short years. First, Cyber Risk Management (CRM) is now a household term in the shipping industry. This is not always the case in other critical infrastructure segments. It reflects a maturity of understanding of the entire cyber challenge beyond hackers and attackers. Shipping industry associations have published CRM guidelines, class societies have published RPs, the International Association of Class Societies has made cyber safety and CRM a focus area, and the International Maritime Organization also has developed guidelines for shipboard CRM that we expect will be finalized in June.
The Coast Guard, in addition to participating in all the efforts I have mentioned, has conducted vulnerability assessments at ports, port facilities and aboard ships of all types to better understand the depth, breadth and scope of this challenge. We have partnered domestically with NIST [National Institute of Standards and Technology], FERC [Federal Energy Regulatory Commission], NRC [Nuclear Regulatory Commission], FCC [Federal Communication Commission] and others to bring lessons and best practices from other sectors to shipping and the Marine Transportation System; and we have developed useful tools that help all of us build awareness.
So we can check the box on awareness of Cyber as a Risk Management challenge.
Our focus now is in installing governance over cyber risk in the same way we have installed governance for physical risks. It is our view that, to the extent a ship or shipping company relies on cyber systems to meet existing international or domestic requirements around safety, security and environmental protection there already exists an obligation to understand and manage the risks associated with those systems.
The U.S. has submitted a paper to IMO for consideration at MSC 98 that makes the case for installation of governance over cyber risks as part of the Safety Management System (SMS) required by the IMO’s ISM Code. ISM requires that SMS establish safeguards for all risks, and put in place procedures to ensure compliance with all requirements of the convention and domestic regulations. ISM specifically mentions computer systems, which we take to include control systems. Our paper suggests a timeline for port state control officers to verify that SMS do indeed address cyber risks.
We’re focused now on the basic components of governance that can get at the risk associated with the operations and maintenance of critical cyber systems, and that help to mitigate the risk of existing systems that have vulnerabilities inherent in their design and integration with shipboard systems. These basic components include the things you are all familiar with: a designated person responsible for CRM, a corporate structure to address CRM, training requirements based on access to cyber systems, corporate and shipboard procedures for operations and maintenance of critical cyber systems…all the things you expect to be in place to manage other types of operational risk.
The Coast Guard will issue policy in the coming weeks providing guidelines for CRM and installing governance at regulated port facilities. Our intention is to require that basic components of governance be identified, including identification of cyber systems employed to meet existing regulatory requirements, in the next Facility Security Plan for the highest risk facilities. This Navigation and Vessel Inspection Circular is not directly applicable to ships, but it will be a useful reference for ship operators looking to incorporate CRM into SMS.
The Coast Guard has also worked closely with NIST to develop tailored cyber risk profiles for bulk liquid terminals that provide a template for installation of governance at these high risk facilities. We will soon publish similar profiles for offshore drilling and production operations, and passenger vessel and terminal operations, as well as a CRM guide for small business operators.
Now is the time to move beyond awareness, and to get at the risk inherent in existing critical cyber systems by installing basic governance over the operation and maintenance of these systems. You know how to do that.
The next step is to mitigate inherent cyber risk through standards for the design, construction and integration of shipboard cyber systems in the same way we set standards for ship structure or propulsion systems. I know that IACS is working hard on this and individual Class Societies have their own cyber safety programs. The ship of the future will have cyber systems designed and integrated to class and other standards which are incorporated into IMO and domestic regulation, and those systems will be operated and maintained IAW approved SMS compliant with ISM or domestic requirements.
How we get there, how fast and who leads is still up for debate. But the need to incorporate cyber risk at every stage of ship design, construction and operation is known.
This blog is not a replacement or substitute for the formal posting of regulations and updates or existing processes for receiving formal feedback of the same. Links provided on this blog will direct the reader to official source documents, such as the Federal Register, Homeport and the Code of Federal Regulations. These documents remain the official source for regulatory information published by the Coast Guard.