With the signing of Navigation and Vessel Inspection Circular (NVIC) 01-20, Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act (MTSA) Regulated Facilities, on February 26, 2020, the Commandant of the U.S. Coast Guard (USCG) made it clear that MTSA-regulated facilities must assess and plan for cyber security vulnerabilities. As many may recall, the MTSA regulations did not mention the word "cyber" when they were issued in 2003. In fact, they still don't to this day. So what changed? The short answer is time and technology.
The MTSA regulations have always required measures to protect "telecommunication equipment, including computer systems and networks." Historically this requirement has been read as a physical security mandate, i.e., lock your servers in a room to prevent unauthorized access. But times change, and in the summer of 2017 USCG stated in draft NVIC 05-17 that MTSA-regulated facilities were "instructed to analyze vulnerabilities with computer systems and networks in their Facility Security Assessment (FSA)." While acknowledging the added value and efficiency that technology brings, USCG also recognized that such technologies are "inherently vulnerable and could introduce new vulnerabilities, that increase the potential for risk."
Simply put, the Coast Guard is taking the legal position that, while it has not previously looked for an analysis of cyber security vulnerabilities in FSAs, it has always had the legal authority to do so under the existing regulations as written. In other words, the phrase "computer systems and networks" has always encompassed cyber security, and with the increasing use of networked technology at facilities, USCG is using its existing authority to address an emerging threat.
This position is made clear in the release of the new NVIC 01-20, which finalizes draft NVIC 05-17. Specifically, the NVIC states that “under the MTSA regulations, an FSP (Facility Security Plan) must address any cyber security vulnerabilities identified in the FSA.” The NVIC further states that “when cyber security vulnerabilities are identified in the FSA, an owner or operator may demonstrate compliance with the regulations by providing its cyber security mitigation strategies in a variety of formats.”
So where does this leave us? It is clear that USCG expects MTSA-regulated facilities to assess and plan for cyber security. But when? Immediately? Fortunately, USCG answered that question by releasing an ALCOAST message on the same day as the NVIC, informing all Coast Guard units that there will be an 18-month implementation period ending on September 30, 2021. That being said, 18 months will go quickly. It would seem prudent to begin making cyber improvements sooner rather than later, knowing that there is a looming requirement on the horizon.
There is a lot of support (beyond a legal requirement) for acting in the near term. Consider some of these statistics from a 2019 SANS Institute report regarding Industrial Control Systems (ICS) and Operational Technology (OT) commonly used in port and terminal settings:
64% of operators do not fully understand cyber control systems.
There has been a 12.3% increase in high occurrence attacks since 2017.
61% of all cyber incidents had a disruptive effect to OT activities in 2019.
62% of cyber security managers rank people as the greatest risk.
As these numbers suggest, there is an immediate need for most companies to do a better job of controlling risk in their cyber systems. Part of the solution can, and should, include low-cost measures such as training. Most companies provide IT-centric cyber training, and that's a good thing, but how many are conducting cyber security training for the many users of ICS and OT systems, who face potentially serious safety consequences if operational systems are compromised?
In light of NVIC 01-20, cyber security training is now effectively a mandate for Facility Security Officers (FSOs). As the NVIC makes clear on its face, it changes nothing in the underlying MTSA regulations. Those regulations already require an FSO to know the FSP inside and out and to ensure that it is properly implemented; now that the FSP must address cyber security vulnerabilities identified in the FSA, that duty cannot be met without training the FSO in cyber security. This does not mean that the FSO has to become a cyber security expert, but they must understand the types and severity of cyber threats their facility faces and have a general understanding of the methods available to control those threats.
Finally, NVIC 01-20 encourages the use of the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) as a basis for assessing and improving a facility's cyber posture. By all accounts this is good advice. So if you are assessing your facility's cyber vulnerabilities with in-house talent or through a third-party assessor, it would be wise to make sure that they are trained and experienced in applying the NIST CSF.