The Coast Guard recently published NVIC 01-20, which addresses cyber security requirements for facilities subject to the MTSA. Although the Coast Guard has been addressing cyber security in the marine transportation system since about 2013, this NVIC represents a significant policy change in that it requires facility operators to incorporate cyber security into their Facility Security Plans.
A key purpose of the NVIC is “to assist owners and operators in identifying computer systems and networks whose failure or exploitation could cause or contribute to a Transportation Security Incident (TSI).”
As FSOs and facility operators know, an informed, thoughtful Facility Security Assessment (FSA) is the foundation of any Facility Security Plan (FSP). The FSA starts with identifying and validating possible vulnerabilities, and then applying mitigation measures.
To meet the intent of the NVIC, we simply have to incorporate our cyber-dependent systems into that process. That will include systems that contribute directly to security, like cameras and PACS, and systems with security implications, like communications or cargo control.
There are, of course, challenges. How can one determine if a given cyber system is “vulnerable?” When selecting mitigation measures, what cyber security standards is the Coast Guard likely to accept? How can facility operators identify what systems fall within the scope and intent of the MTSA? How should those measures be described in an FSP in a way that provides reasonable clarity without constraining business flexibility or revealing proprietary information?
Fear not. At Seebald & Associates, we are in frequent contact with the Coast Guard personnel responsible for these policies, and our team includes personnel with a deep understanding of cyber security at both the policy and technical level.
One useful approach is to make use of the Cyber Security Framework, developed by the National Institute of Standards and Technology (NIST) and referenced in section 3.b. of the NVIC. The Framework is arranged around five basic functions – Identify, Protect, Detect, Respond, and Recover – that align well with MTSA regulations. The Framework is flexible, suitable for organizations of any size and complexity, and performance oriented. If you use Industrial Control Systems, then we also recommend incorporating NIST SP 800-82, which is the other framework referenced in the NVIC.
Seebald & Associates will be hosting one or more webinars on this topic in the near future. In the meantime, take a look at the table below to see a simplified example of how a facility might start the process of addressing cyber in a way that meets the intent of the NVIC:
| Coast Guard Requirement | NIST Framework | Example in FSP or Cyber Annex |
|---|---|---|
| Facility Security Assessment | Identify | Include cyber/IT/OT experts in the FSA. Identify and evaluate ways that cyber vulnerabilities could contribute to a TSI. Technical procedures such as security scans and penetration testing may be employed to validate and quantify cyber vulnerabilities. |
| Security Organization | Identify | The FSP should identify who in the organization has responsibility for cyber security, and how that person will communicate and coordinate with the FSO. |
| Access Control and Restricted Areas | Protect | The FSP may reflect topics such as authentication, least privilege, encryption, and mobile device management (BYOD). |
| Monitoring | Detect | The FSP may reflect topics such as routine scanning of inbound/outbound data, data logging, and use of virus detection software. |
| Cargo Handling and DoS (Declaration of Security) | Protect, Detect | The FSP may address security concerns with electronic transmission of cargo information between the facility and visiting vessels, including use of portable media (data in motion). Other topics include security of databases used for tracking cargo status/location on the facility (data at rest). DoS procedures may address data transmission procedures and notifications of suspicious cyber activity for the facility and visiting vessels. |
| Security Incidents, Drills, Exercises, and Training | Respond, Recover | The FSP may address topics such as incident monitoring, reporting, and logging; the use of backups; restoration procedures and testing; and procedures to ensure that a compromised system has been properly addressed and is now considered safe to operate. |