Page 28: of Maritime Reporter Magazine (September 2017)

Maritime Security

USCG Releases Draft Cyber

Guide for Maritime Facilities

Cyber risk has hit a critical peak within risk management regulations are put into foundational pillars:

About the Author the maritime industry, and the signi? cant place. Industry stakeholders have until I. Cybersecurity is an organizational

James Espino is president of Gnostech impact of the Petya ransomware attack September 11 to provide comments on culture that allows technologies to suc-

Inc. A career Coast Guard Of? cer, he on scores of maritime entities only am- the draft NVIC. ceed; not a technological solution that worked in maritime law enforcement, pli? es it. The attack effectively shut Enclosure I, “Cybersecurity and results in organizational success.

defense operations, and C4ISR devel- down major ocean carriers, including MTSA,” states that the “existing MTSA II. A holistic and risk management opment and procurement. shipping conglomerate Maersk, and im- requirements are applicable to cyberse- based systems solution is needed - no pacted marine terminal operations across curity related threats.” The NVIC makes single application, tool, or methodology the globe. Every maritime company, no clear that cybersecurity is part of the vul- will adequately secure your system.

matter the size or business function, is a nerabilities assessment and mitigation III. Implement state-of-the-market in many industries but particularly for potential target. measures that must be part of existing solutions, but remain current. the maritime industry. There are known

The industry has seen a recent wave Facility Security Assessments (FSAs) IV. A comprehensive maintenance exploitations within Windows XP and of guidelines and resolutions from mari- and Facility Security Plans (FSPs). As and sustainment program is a critical since Microsoft no longer supports this time regulatory bodies related to mari- with existing MTSA requirements, regu- component of keeping a high cybersecu- operating system, maritime industry time security and cyber risk mitigation. lated entities will need to demonstrate rity posture which minimizes cyber risk. companies still using this operating sys-

The International Maritime Organization how they are addressing cyber risks. The V. Automate as many processes as you tem are vulnerable to attack. Addition- (IMO)’s Maritime Safety Committee ap- guidance cites existing requirements for can to minimize human error. ally, state-of-the-market solutions pro- proved a resolution in June that would FSAs under MTSA to provide structure This philosophy is based on our 35 vide all facets of the industry a means to require ship owners and managers to for the review of the NVIC. Enclosure plus years of experience as a technology seamlessly and more easily implement incorporate cyber risk management II, “Cyber Governance and Cyber Risk services provider for the defense indus- NIST CSF into their FSP. Likewise, rec- into their safety management systems Management Implementation Guide- try, in particular improving the security ommending the use of automated pro- by 2021. BIMCO released the second lines”, describes best practices and ex- posture of our Navy and Coast Guard cesses for cybersecurity related activities edition of “The Guidelines on Cyber pectations for all MTSA regulated en- customers. can contribute to reducing a company’s

Security Onboard Ships” the following tities. The guidelines cite the National NVIC 05-17 addresses Pillars I and long-term need to maintain a robust cy- month. In proper suit, the U.S. Coast Institute of Standards and Technology’s II extensively since cybersecurity is as bersecurity workforce; thereby, reducing

Guard (USCG) announced a draft Navi- Cybersecurity Framework (NIST CSF) much cultural as it is technical. labor costs. Including both state-of-the- gation and Inspection Circular (NVIC) to promote effective self-governance. For instance, the guidelines recom- market solutions and automated pro- 05-17 entitled “Guidelines for Address- Cybersecurity challenges are a sys- mend the creation of a multi-discipline cesses within NVIC 05-17 provide the ing Cyber Risks at Maritime Transpor- temic risk to the maritime industry with cyber risk management team. maritime industry the needed guidance tation Security Act (MTSA) Regulated the use of cyber technologies for com- Likewise, Pillar IV is somewhat ad- to build a robust cybersecurity program

Facilities” on July 12. munications, access control and other dressed through the need to protect within their FSP. This also facilitates im-

In accordance with existing MTSA re- integrated control systems. Vulnerabili- equipment and implement hardware and plementation of commercially available quirements, regulated facilities, includ- ties within these technologies increase software updates and obsolesce manage- cybersecurity measures into day-to-day ing port terminals and offshore oil plat- their risk for cyberattacks. Attacks tar- ment programs. However, not enough operations, determines a more accurate forms, must identify and assess security geting industrial control systems (ICS) emphasis is placed on (III) implement- cyber risk posture, and ensures continu- threats and develop a Facility Security increased more than 110% in 2016, per ing state-of-the-market cybersecurity ous monitoring of their cybersecurity

Plan (FSP) that addresses and mitigates IBM. NVIC 05-17 is consistent with solutions and (V) automated processes program vice a periodic snapshot of their those threats. The USCG has interpreted the U.S. government’s effort to increase to protect maritime systems. With the cyber risk posture at a given moment in these provisions to include cyber threats. private sector preparedness for cyberat- understanding that this is a regulatory time.

The NVIC aims to provide guidance on tacks and re? ects a trend towards using a document versus a technical implemen- Regulatory bodies across the global incorporating cybersecurity risks into an risk management based approach to cy- tation guide, we believe that incorporat- maritime ecosystem are increasing their effective Facility Security Assessment bersecurity. It references existing MTSA ing these two items within the regulation commitment to implement cybersecurity (FSA), in addition to recommendations implementation and its corresponding can be a catalyst toward reducing long- organizations, processes, and systems, for policies and procedures that may re- processes as well as using the NIST term cybersecurity costs while at the and the trend will only continue. NVIC duce cyber risk to operators of maritime framework as guidance for the industry, same time methodically increasing the 05-17 is an excellent ? rst step towards- facilities. It explains (I) the USCG’s in- which is consistent with recently pub- maritime industry’s security posture. de? ning cybersecurity requirements terpretation of the existing regulatory lished guidelines. Requiring or recommending the need similar to industries such as ? nance and requirements under MTSA with respect NVIC 05-17 should take the additional to implement state-of-the-market solu- healthcare. More precise technical cy- to cybersecurity measures; and (II) the step of detailing speci? c aspects of an tions to the maritime industry is a step to- ber recommendations and requirements implementation of a “cyber risk manage- organization’s technical implementation wards eliminating obsolete software and should be outlined in the same fashion as ment governance program.” While not of cybersecurity safeguards. This belief equipment that have contributed to many the organizational and physical security legally binding, facility operators can is rooted in our company’s cybersecurity cyberattacks in recent years. For exam- requirements are addressed in this and utilize this guidance until speci? c cyber philosophy consisting of the following ple, Windows XP is still very prevalent other regulations.

28 Maritime Reporter & Engineering News • SEPTEMBER 2017

MR #9 (26-33).indd 28 MR #9 (26-33).indd 28 9/6/2017 10:38:04 AM9/6/2017 10:38:04 AM