American ports, terminals, ships, refineries, and support systems are vital components of our nation’s critical infrastructure, national security, and economy. Cyber attacks on industrial control systems could kill or injure workers, damage equipment, expose the public and the environment to harmful pollutants, and lead to extensive economic damage. The loss of ship and cargo scheduling systems could substantially slow cargo operations in ports, leading to backups across the transportation system. A less overt cyber attack could facilitate the smuggling of people, weapons of mass destruction, or other contraband into the country.
In short, there are as many potential avenues for cyber damage in the maritime sector as there are cyber systems. While only some cyber attack scenarios in the maritime sector could credibly lead to a Transportation Security Incident, we must identify and prioritize those risks, take this threat seriously, and work together to improve our defenses.
Fortunately, the men and women of the United States Coast Guard take our responsibility to protect the nation from threats seriously. As in other areas, we will work with the private sector, and with other federal, tribal, state, and local agencies to address this new threat. The President’s recently signed cyber security Executive Order sets requirements for executive branch agencies to address cyber risks. We have started that work already, and will keep the private sector informed of our progress. We will also be asking for advice and cooperation.
What can be done:
Fortunately, the process for doing so is parallel in structure to that of other security and safety efforts: assess risk, adopt measures to reduce that risk, assess progress, revise, and continue. These processes, taken together, can significantly improve an organization’s risk reduction efforts and increase resilience through continuity of business planning.
Looking specifically at cyber security, consider the following steps:
• Conduct a Risk Assessment – begin by assessing what parts of your enterprise are controlled or supported by computer systems. What are the consequences should those systems become inoperable, controlled by outside parties, or misused by internal parties?
• Identify and Adopt Best Practices – what information technology security standards are most applicable to your systems? Are your systems meeting those standards, and are your employees familiar with them? When were they last updated? What backup systems, redundancies, or replacements are available?
• Secure Your Supply Chain – As with just-in-time inventory and production systems, consider the cyber vulnerabilities and practices of your suppliers, customers, and other organizations critical to your company’s profitability. Discuss cyber security with those organizations and consider incorporating good cyber practices into marketing and contracting.
• Measure Your Progress – Test your cyber practices through drills and exercises. Identify any gaps or lessons learned, and set specific goals with timelines for making needed improvements.
• Revise and Improve Security – Review your latest risk assessment, evaluate any new cyber systems you may have added since that time, incorporate lessons learned and revise your cyber security policies and procedures accordingly.
One way to start this process is to take advantage of the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). ICS-CERT provides a wide range of information, tools, and services that can help companies assess their security, identify recommended practices, and improve their cyber security. http://ics-cert.us-cert.gov/
Coast Guard Releases New Maritime Cyber Security Assessment & Annex Guide
The Coast Guard is proud to release the Maritime Cybersecurity Assessment & Annex Guide (MCAAG), which will help Maritime Transportation Security Act (MTSA)-regulated facilities and other Marine Transportation System (MTS) stakeholders address cyber risks. This voluntary guide serves as a resource for baseline cybersecurity assessments and plan development, particularly the Facility Security Assessments (FSA) and Facility Security Plans (FSP) required by MTSA. The initial incorporation of cybersecurity into required FSAs and FSPs was due by October 1st, 2022. During the implementation phase, stakeholder feedback reflected a desire for continued development of guidance and support from the Coast Guard. MCAAG offers an additional resource for MTSA-regulated facilities to enhance and expand on their current efforts as they continually assess cyber risks and vulnerabilities.
Coast Guard Releases First Update to Facility Inspector Job Aid (PDF form is fillable when downloaded or opened in browser)
The Coast Guard announces the release of Facility Inspector – Cyber Job Aid version 2, in order to provide the service’s marine safety personnel, as well as regulated maritime facilities, with additional, updated guidance as they continue to address documented cyber vulnerabilities at Maritime Transportation System Act (MTSA) Regulated Facilities. This publication provides the Coast Guard workforce with a renewed perspective and tools needed to ensure compliance with regulatory requirements. It builds off the original Cyber Job Aid by incorporating feedback, questions and lessons learned from Coast Guard inspectors and maritime facility stakeholders during the implementation period of cybersecurity into Facility Security Assessments and Facility Security Plans. While the implementation period for incorporating cyber into FSAs and FSPs has since concluded upon the release of this job aid, the document represents our commitment to continually reviewing and evolving our guidance.
NVIC 01-20: Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act (MTSA) Regulated Facilities
This Navigation and Vessel Inspection Circular (NVIC) provides guidance to facility owners and operators in complying with the requirements to assess, document, and address computer system or network vulnerabilities. In accordance with 33 CFR parts 105 and 106, which implement the Maritime Transportation Security Act (MTSA) of 2002 as codified in 46 U.S.C. Chapter 701, regulated facilities (including Outer Continental Shelf facilities) are required to assess and document vulnerabilities associated with their computer systems and networks in a Facility Security Assessment (FSA). If vulnerabilities are identified, the applicable sections of the Facility Security Plan (FSP) must address the vulnerabilities in accordance with 33 CFR 105.400 and 106.400.
NVIC 01-20 FAQs (Updated 2022)
Promulgation of Navigation and Vessel Inspection Circular (NVIC) 01-20
Federal Register Notification
Maritime Specific Cybersecurity Framework Profiles
The Office of Port and Facility Compliance continues to collaborate with the National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE) to develop customized maritime-specific cybersecurity framework Profiles. A Profile implements the NIST Cybersecurity Framework, which was developed in 2014 to address and manage cybersecurity risk in a cost-effective way based on business needs and without placing additional regulatory requirements on businesses. The Profile is how organizations align the Framework’s cybersecurity activities, outcomes, and informative references to organizational business requirements, risk tolerances, and resources.
- Cybersecurity Framework Profiles Overview
- Appendix A. Maritime Bulk Liquid Transfer Profile
- Appendix B. Offshore Operations Profile
- Appendix C. Passenger Vessel Profile
- Appendix D. Industry Cybersecurity Processes & Profile Mappings
Please check Homeport for the most up-to-date information on cyber risk management: https://homeport.uscg.mil.
Federal Register Notice: https://www.federalregister.gov/articles/2014/12/12/2014-29205/guidance-on-maritime-cybersecurity-standards
- Maritime Cybersecurity Awareness Webinar
- Dial C for Cyber Attack
- Cyber Risks in the Marine Transportation System
- ICS-CERT 2012 Year in Review
- Enhanced Cyber Security Services
- Presidential Policy Directive / PPD-21
- Administration Strategy on Mitigating the Theft of U.S. Trade Secrets
- Presidential Policy Directive - Critical Infrastructure Security and Resilience
- Content Preview Comment Matrix
Facility security - (202) 372-1132 or 1131
Facility safety and environmental protection - (202) 372-1130