Background:

American ports, terminals, ships, refineries, and support systems are vital components of our nation’s critical infrastructure, national security, and economy. Cyber attacks on industrial control systems could kill or injure workers, damage equipment, expose the public and the environment to harmful pollutants, and lead to extensive economic damage. The loss of ship and cargo scheduling systems could substantially slow cargo operations in ports, leading to backups across the transportation system. A less overt cyber attack could facilitate the smuggling of people, weapons of mass destruction, or other contraband into the country.

In short, there are as many potential avenues for cyber damage in the maritime sector as there are cyber systems. While only some cyber attack scenarios in the maritime sector could credibly lead to a Transportation Security Incident, we must identify and prioritize those risks, take this threat seriously, and work together to improve our defenses.

Fortunately, the men and women of the United States Coast Guard take our responsibility to protect the nation from threats seriously. As in other areas, we will work with the private sector, and with other federal, tribal, state, and local agencies to address this new threat. The President’s recently signed cyber security Executive Order sets requirements for executive branch agencies to address cyber risks. We have started that work already, and will keep the private sector informed of our progress. We will also be asking for advice and cooperation.

What can be done:

Fortunately, the process for addressing cyber risk is parallel in structure to that of other security and safety efforts: assess risk, adopt measures to reduce that risk, assess progress, revise, and continue. These processes, taken together, can significantly improve an organization’s risk reduction efforts and increase resilience through business continuity planning.

Looking specifically at cyber security, consider the following steps:
• Conduct a Risk Assessment – Begin by assessing which parts of your enterprise are controlled or supported by computer systems. What are the consequences should those systems become inoperable, controlled by outside parties, or misused by internal parties?

• Identify and Adopt Best Practices – Which information technology security standards are most applicable to your systems? Are your systems meeting those standards, and are your employees familiar with them? When were they last updated? What backup systems, redundancies, or replacements are available?

• Secure Your Supply Chain – As with just-in-time inventory and production systems, consider the cyber vulnerabilities and practices of your suppliers, customers, and other organizations critical to your company’s profitability. Discuss cyber security with those organizations and consider incorporating good cyber practices into marketing and contracting.

• Measure Your Progress – Test your cyber practices through drills and exercises. Identify any gaps or lessons learned, and set specific goals with timelines for making needed improvements.

• Revise and Improve Security – Review your latest risk assessment, evaluate any new cyber systems you may have added since that time, incorporate lessons learned, and revise your cyber security policies and procedures accordingly.

One way to start this process is to take advantage of the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). ICS-CERT provides a wide range of information, tools, and services that can help companies assess their security, identify recommended practices, and improve their cyber security: http://ics-cert.us-cert.gov/

NEW - 
The U.S. Coast Guard is pleased to announce the availability of the draft Navigation and Vessel Inspection Circular (NVIC) 05-17. The NVIC is titled "Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act (MTSA) Regulated Facilities". As noted in the Federal Register notice, there will be a 60-day public comment period. We encourage the public to read the draft NVIC and provide comments.

UPDATE: The Coast Guard has extended the comment period by 30 days, until October 11, 2017. Details can be found here.

Maritime Specific Cybersecurity Framework Profiles

The Office of Port and Facility Compliance continues to collaborate with the National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE) to develop customized, maritime-specific Cybersecurity Framework Profiles. A Profile implements the NIST Cybersecurity Framework, which was developed in 2014 to address and manage cybersecurity risk in a cost-effective way based on business needs and without placing additional regulatory requirements on businesses. The Profile is how an organization aligns the Framework’s cybersecurity activities, outcomes, and informative references with its business requirements, risk tolerances, and resources.

  1. Cybersecurity Framework Profiles Overview
  2. Appendix A. Maritime Bulk Liquid Transfer Profile
  3. Appendix B. Offshore Operations Profile
  4. Appendix C. Passenger Vessel Profile
  5. Appendix D. Industry Cybersecurity Processes & Profile Mappings

Please check Homeport for the most up-to-date information on cyber risk management: https://homeport.uscg.mil.

Federal Register Notice: https://www.federalregister.gov/articles/2014/12/12/2014-29205/guidance-on-maritime-cybersecurity-standards


References:

  1. Maritime Cybersecurity Awareness Webinar
  2. Dial C for Cyber Attack
  3. Cyber Risks in the Marine Transportation System
  4. ICS-CERT 2012 Year in Review
  5. Enhanced Cyber Security Services
  6. Presidential Policy Directive / PPD-21
  7. Administration Strategy on Mitigating the Theft of U.S. Trade Secrets
  8. Presidential Policy Directive - Critical Infrastructure Security and Resilience
  9. Content Preview Comment Matrix

Contacts:

Facility security - (202) 372-1132 or 1131
Facility safety and environmental protection - (202) 372-1130