FSO Cyber Security Training: The Time is Now

CAPT David Nichols
USCG (Ret),
ABS Group, dnichols@eagle.org 


When the U.S. Coast Guard published Draft Navigation and Inspection Circular (NVIC) 05-17 in July of 2017, it caught a lot of people’s attention. For the first time since the publication of the Maritime Transportation Security Act (MTSA) regulations in 2003, the word “cyber” appeared in the NVIC alongside existing facility security regulations that had previously been viewed as applying to physical security only. The addition of addressing cyber vulnerabilities at MTSA regulated facilities adds a new dimension to overall facility security that Facility Security Officers (FSOs) must know and understand.

FSOs have become exceptionally good at physical security, but the invisible threat of cyber risk requires knowledge of how cyber works and how it can pose a threat to a maritime facility. The good news is that an FSO need not be a cyber security expert to understand the nature of cyber security threats and how they threaten facility safety, security, and operations. The Houston Ship Channel Security District recently engaged ABS Group, a subsidiary of American Bureau of Shipping (ABS), to perform cyber security training for FSOs and other personnel responsible for facility security along the HSC to give them the knowledge and skills necessary to address cyber risk at their facilities.

At the heart of the training is an understanding of how cyber systems can result in a physical event that results in injuries, pollution, or a service disruption to facility operations. In an effort to remain competitive in an ever increasingly technical world, facility operators are installing more and more operational technology to improve efficiency and effectiveness.

Operational technology (OT) involves computer connected devices that perform critical functions at facilities such as turning valves, mixing chemicals, adjusting temperatures, etc. This OT “speaks” to other devices and interacts with humans through the internet and other similar connections. It is through these connections that hackers can access OT devices and manipulate what they do, intentionally causing them to perform operations that cause harm or disrupt service. Either way, the facility operator experiences a costly event enabled by cyber connections.

An important aspect of the training is understanding how cyber devices are connected. When considering physical threats to their facilities, FSOs could focus on threats “inside the fence line.” But cyber threats can originate anywhere in the world through internet connections. Therefore, understanding what your facility network systems are connected to is critical and will almost certainly reveal connected threats that are well outside of the fence. Therefore, it is no longer suitable for an FSO to focus inside the fence. They must involve OT personnel and information technology (IT) personnel who form the connections for the OT devices.

Students at the ABS training are taught to recognize IT and OT systems and ways in which they can be connected. By understanding these connections, the students begin to understand the vulnerabilities that cyber systems can create at their facility and take steps to address those vulnerabilities. Addressing security vulnerabilities is nothing new to FSOs, and they quickly realize that, while cyber is a different type of risk, it is a risk that can be addressed like any physical risk.

Once students are familiar with the types of vulnerabilities that can be created by cyber systems, they are trained in the tools that cyber professionals use to determine and rank cyber vulnerabilities at their facility. Fortunately, the U. S. Coast Guard (USCG) highlighted the National Institute of Standards and Technology Cybersecurity Framework (NIST) as a best practice in assessing cyber security at a facility. The NIST Framework does not tell facilities how to perform cyber security, but rather focuses them on outcomes that they should be achieving if they want to have good quality cyber security. If a facility is not achieving some of the outcomes, then they are likely opening themselves to cyber risk that they should address.

Finally, students are taught a method of scoring cyber risk quantitatively. A risk score can be assigned to each of the different cyber systems at the facility using a combined score of how critical the function is the system provides, how many different things it is connected to, and the nature of the connections (from open, to the worldwide web, to completely separated from the outside world). By assigning numeric values to cyber risks, students learn how cyber vulnerabilities can be ranked and prioritized.

The training is designed to be hands on, so students are placed in small groups to conduct a group exercises throughout the six to eight hours of training. In the last exercise of the day, the groups identify a vulnerability from a mock cyber assessment report that they think an FSO would likely address, use NIST documents to identify a mitigation for the vulnerability, and draft a provision for the Facility Security Plan that explains the vulnerability and how it is being controlled. Experience has shown that students perform all of these functions well at the end of the training session.

One of the most important aspects of the training is the confidence that FSOs have in discussing cyber security following the training. While the training is not intended to make an FSO a cyber expert, it teaches security personnel to understand the components of cyber security, how a cyber security assessment is performed, and the security risks associated with cyber. While the cyber security training is designed for FSOs, it can also be a valuable training tool for other facility personnel such as non-security personnel, IT and OT personnel, and corporate executives.

  • Date October 8, 2019
  • Tags 2019 September