Spotlight: Cyber Risk Management

An increasing number of systems on ships and at marine facilities depend on cyber technologies for routine operations.

While cyber technology has improved efficiencies in the marine industry and around the world, it has also created potential vulnerabilities.
For example, the towboats that move goods through the Western Rivers and along our coasts rely heavily on electronic navigation systems, including Automatic Identification System (AIS) and Global Positioning System (GPS), to safely transit around riverbends, capes, and shoals. In addition to signal interference, such as jamming, the software systems that integrate and display the signals are vulnerable to various types of malware. Propulsion, cargo, ballast, communications, and other systems on vessels and shore facilities have similar vulnerabilities. Even systems “not connected to the internet” are vulnerable if a careless employee plugs in an infected phone or thumb drive to an USB port. 
Mariners and facility operators are learning to include ‘cyber’ in the risk assessment activities they perform on every watch and shift.  Understanding the interconnectedness of cyber with vessel operations illustrates the relationship of dependence and vulnerability we all face with regards to a cyber failure or attack. To help picture this relationship, think of your vessel’s cyber risk management plan as the preventive measures and incentives you take to ensure your personal health and well-being. In general, a healthy lifestyle includes preventative measures, assessing risks, and coverage for life threatening events. These activities correlate to cyber risk measures you can enact to safeguard your vessel.

Protection of Vital Systems
Parents stress to their children the importance of washing their hands, not talking to strangers, and eating fruits and vegetables. Like washing your hands, practicing cyber hygiene reduces risk of infection to your IT infrastructure. Not talking to strangers is the equivalent of not opening emails or attachments from unknown sources. In addition to your own security practices, scrutinize any outside organization’s security practices that might be tied to your own system. Just as it is important to put healthy foods in your body, it is equally important for operating systems to have updated software and security programs. Educating employees on proper cyber practices is a proactive approach to increase your vessel’s cyber resilience. The U.S. Department of homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) (https://ics-cert.us-cert.gov/) offers information and recommended practices on many of these topics.

Risk & Vulnerability Assessment
Assessing your vessel’s cyber vulnerabilities is like getting regular check-ups to identify your risk factors towards certain health conditions. For example, early detection of high cholesterol will help you to modify your diet or habits to help lower your risk of further health issues. Fortunately, there are measures that companies can and should consider to reduce their cyber risk. For example, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) has developed the NIST Framework (http://www.nist.gov/cyberframework/), a voluntary collection of industry standards and best practices to address cyber risk. The U.S. Coast Guard encourages maritime companies to review the Framework and use it to identify, evaluate and address cyber risks within their organization. 
Assessing cyber risks should not be left only to IT professionals. Vessel and facility operators and security personnel must be part of the process. They understand the mechanical systems the cyber systems control and will have to deal with the consequences should they fail. Each individual offers a unique perspective on consequences of any incidents and how cyber incidents can be prevented. This can make a substantial difference in reducing the risk of a transportation security incident, safety, or pollution incident that could harm people, the environment, property, or otherwise disrupt business activity.

Planning for the Future
Anticipating your vessel’s future cyber needs can have a positive influence to its future infrastructure health. Vessel and facility owners should carefully plan the installation of any new cyber systems, identify connections, ensure they are compatible with other systems, and establish appropriate technical and operating/training procedures to ensure they are secure. Planning and investing in your future can provide peace of mind for both your health and well-being, and your cyber infrastructure.  As the future unfolds, so will cyber risks. Vessels should exercise their cyber risk management plan as they would any other operational plan they use.

When to call the Doctor?
In general, we understand when it’s time to see our doctor if injured or ill. Coast Guard regulations require vessel and facility operators to notify the Coast Guard of a breach in security and of suspicious activity. These requirements apply equally for cyber and non-cyber related incidents, provided the cyber activity could plausibly lead to a TSI, pollution incident or marine casualty. Attacks or unexplained failures of industrial control and SCADA systems with connections to the MTS fall within this category. Reporting informs the Captain of the Port of the potential for more widespread cyber and physical attacks and to take appropriate action.   
As cyber risks are real and growing, so too is our commitment to address them. The U.S. Coast Guard is working to develop voluntary risked-based vulnerability assessment tools and standards for ports, vessels and facilities to help industry address cyber risk management in a systematic way. We are also taking measures to protect our own systems, and to address cyber at the Port level through Area Maritime Security Committees (AMSCs). Participation in your local AMSC is an excellent way to learn more about cyber risks and to promote cyber security and resilience in the maritime domain. For more information, go to the cyber security section of Homeport on www.uscg.mil.
While cyber is a new type of risk, it is also just the latest in a long line of challenges that the marine industry and the Coast Guard have addressed and solved together. In order to produce the best policies, we need the help of professional mariners and the public. Please reach out to your local U.S. Coast Guard units and begin the discussion about cyber as it relates to your operations. Let us know about best practices that can be shared with other partners, and recommendations you have to increase cyber awareness within the port. Also, visit https://homeport.uscg.mil/ for up-to-date cybersecurity information from the U.S. Coast Guard. Just as your healthcare is a team effort, so, too, is cyber risk management. By working together, we can reduce the risk to our country’s cyber health.

The Authors

LCDR  Josh Rose is the Critical Infrastructure Branch Chief within the Office of Port & Facility Compliance. Rose graduated from the U.S. Coast Guard Academy in 2002 with a BS in Management and has earned an MA from University of North Florida in Public Administration.

Lieutenant Commander Jennifer Osburn is assigned to Coast Guard Headquarters in the Cargo and Facility Security Branch where she is responsible for, among other things, enforcement of the Maritime Transportation Security Act. Osburn joined the Coast Guard in 1992 and completed Officer Candidate School in 2003. She has earned a BS in Business Management and a Masters in Management.

(As published in the August 2015 edition of Marine News - http://magazines.marinelink.com/Magazines/MaritimeNews)