By Brian A. Shajari, Maritime Physical/Cyber Security Instructor, American Bureau of Shipping (ABS)
Commercial maritime sector cyber security has increasingly become a major concern due to the potential damage that could be inflicted to any given port facility on America’s waterways. After the terrorist attacks of September 11, 2001, the United States
recognized the vulnerability of so many facilities on our waterways and their potential to trigger a major disruption to our economy and way of life.
The many issues faced concerning cyber security are issues that could affect ports, petrochemical facilities, and vessels at sea that rely on networks for communications and navigation. Protecting these systems and networks are vital to protecting America’s
waterways, ports, and other facets of this network that feed so much of the nation’s economy and the daily needs of shipping throughout the world.
In recent years, the maritime industry has been subject to increasing levels of cyber attacks. The lack of a standardized response system has led Photo courtesy of ABS. to an under reporting of cyber incidents and no clear guidance as to who should be notified
in the event of a cyber incident. Additionally, the absence of integrated cyber security plans into existing security programs in MTSA-regulated facility security plans has led to an overall confusion of cyber security amongst port management, leading
to a culture of confusion and fear of cyber security.
Cyber attack prevention strategy in the private maritime sector lies in understanding the consequences of a cyber attack and the mitigation strategies behind avoiding an attack altogether. Basic strategies include having a standardized cyber incident
plan, conducting an assessment, keeping the physical infrastructure of a network safe, and understanding what motivations lie behind cyber attacks.
Regulatory bodies have recognized the threats that face these facilities. The U. S. Coast Guard (Coast Guard) recently released Navigation and Vessel Inspection Circular (NVIC) 01-20, titled Guidelines for Addressing Cyber Risks at Maritime Transportation
Act (MTSA) Regulated Facilities. Much like all NVIC’s, this one gives good recommendations for a Facility Security Officer (FSO) to implement and maintain a good, solid cyber security program at their respective facility. The FSO is the heart of a
security program at a facility; therefore, they will be looked to for the answers to questions pertaining to cyber security as it relates to physical security and securing industrial control systems.
This NVIC guidance sounds ideal and practical; for many FSOs at smaller facilities, this guidance appears as if the content finally gives them direction with regards to cyber security. However, when one typically discusses cyber security within port facilities,
the topic is sometimes met with confusion and with the ever-growing question of “What does the FSO have to do with this? This is for the ITs.”
Luckily for the FSOs and their respective staff, the NVIC has outlined fifteen major points that directly correlate to their existing duties as outlined in 33 Code of Federal Regulations (CFR) 105. Breaking down cyber security requirements and mapping
them over to existing regulations not only demystifies cyber security but helps the FSO and their support staff understand their role in cyber security - and most importantly, how to tackle the issue at their facility.
An important factor to consider regarding the new NVIC is the informed references (or backing) that the content relies on. For years, the National Institute of Standards and Technology (NIST) has been recognized as a reliable source for the development
and maintenance of a thorough cyber security program. As such, the Coast Guard uses NIST Special Publication (SP) 800-82, Revision 2 as a reference to backup the NVIC. This publication addresses the many responsibilities that FSOs are already familiar
with: assessments, security protocols, access control, personnel vetting, monitoring, and other aspects of the daily functions and duties of security personnel within a MTSA-regulated facility. It is important that the same verbiage is used and the
same security practices are maintained, as this helps the FSO understand what cyber security means to them and their facility. Most importantly, uniform verbiage and processes prevent confusion and help them assess their vulnerabilities.
Risk management is another major factor behind cyber security in the maritime sector, most especially at MTSA-regulated facilities. Reducing the risk of a major accident or preventing the loss of an essential service often requires the application of
process control and safety systems. Therefore, major risk reduction or continuity of essential services may depend upon the correct functioning of these systems. In the context of cyber security these systems are often termed Industrial Control Systems
(ICS) or Operational Technology (OT), terms FSOs are now finding familiar.
To reduce risk and the overall threat of a cyber attack, the facility should first carry out an assessment. Conducting a cyber security assessment, aimed at finding the major gaps within a facilities’ cyber-enabled systems and networks is a vital first
step at establishing a cyber security program. Most importantly, an assessment should meet an essential requirement of NVIC 01-20: to carry out an assessment and include cyber security into the facility security program. Including this as either an
annex to the Facility Security Plan (FSP) or as a separate plan will be a requirement for MTSA-regulated facilities by September 2021. However, some internal barriers may exist for the FSO in setting up an integrated cyber security program. Pushback
from higher, corporate IT staff or management could be an issue. It is, therefore, important for the FSO to incorporate these individuals into the existing security program and educate them on the guidance and requirements set forth in NVIC 01-20.
During the assessment process, the FSO (and supporting staff) will begin to see the correlation to their existing duties and the level of effort that is required to establish this cyber security program, which will not be much if the NVIC guidance is
followed. Additionally, they will begin to understand a key factor: cyber security is not complicated. It is just tedious, much like enforcing the existing regulations in 33 CFR 105.
The assessment should concentrate on the obvious industrial control systems and the cyber-enabled equipment that supports daily facility operations. Additionally, the assessment should gauge the level of knowledge that facility security (and operations
personnel) have with regards to cyber security as it pertains to the Facility Security Plan (FSP). Sounds familiar? This same type of knowledge is tested during a physical security assessment by a third-party assessor. Cyber security knowledge should
be tested using the same process.
Finally, drills and exercises (that are already required for facilities) should include cyber security injects on a regular basis. This accomplishes two major steps in an establishing a cyber security program: it gets the facility security personnel familiar
with cyber security and begins to condition them to the terms and threats requiring their response. How about establishing and testing incident response plans to cyber incidents? Yes, the IT staff may have that covered, but have they practiced it
in a drill or exercise at the facility? Additionally, have they used the Incident Command System for testing incident response to a cyber incident? If not, this should be considered, because it combines knowledge of both the FSO and IT staff and bridges
any gaps between them. Furthermore, using this recognized emergency response system can get management buy-in and potential budget increases for cyber security, once they see and recognize the cyber threat to their facility.
What lies ahead for MTSA-regulated facilities beyond 2020? The obvious answer is to match facilities up with the recommendations set forth in NVIC 01-20 and conduct a cyber security assessment, integrating the plan into an existing physical security program.
The Coast Guard has set forth guidance in the recently released Marine Safety Information Bulletin (MSIB) 18-20 to
address setting up a cyber security program. This MSIB contains a cyber security job aid, which Coast Guard facility inspectors will use, and the NVIC itself. If FSOs and facility management want to have direct involvement in their cyber security
program, they should start with this bulletin and team with their IT personnel.
However, to answer the question, FSOs must be willing to understand that cyber security is not complicated; it is tedious. By correlating their existing duties over to cyber security, through use of the NVIC and recognized industry references (NIST SP 800-53, Rev 4 and NIST SP 800-82, Rev 2), a cyber security program can be easily established and maintained, beyond 2020.