4/15/2014: NIST Cybersecurity Framework Shop

Recently, Capt. Verne Gifford, director of inspections and compliance for the Coast Guard, participated in a panel called ‘U.S. Coast Guard Maritime Profile Strategy’ at the NIST Cybersecurity Framework Workshop in Gaithersburg, Maryland.

The purpose of the workshop was to provide a sampling of the Cybersecurity Framework use and work products as well as gather input to help NIST understand stakeholder awareness and current use of the Framework. The workshop also served to identify the need for an update to the Framework, cybersecurity best practices sharing as well as the future governance of the Framework.

Gifford is providing a summary of the panel, as well as the questions asked of him, for your informational purposes. His comments focused on the work done by the Coast Guard and partner organizations on building security profiles, based on the Framework, to secure the bulk liquid transport sector.

From the desk of Capt. Verne Gifford, director of Coast Guard inspections and compliance

I’ve spent a good part of my career worrying about the contents of large tanks, specifically when those tanks carry or store oil or hazardous materials. Safety or security incidents involving bulk liquids, such as these, could have significant impacts on human life and safety, the environment and the marine transportation system as a whole.

Historically, the Coast Guard and industry have focused on physical threats to these materials when considering safety and security risks. For example, a vessel running aground, a fire at a waterfront terminal, operators misaligning valves or using inferior equipment, a natural disaster or even a terrorist attack on a waterfront terminal. The Coast Guard and industry have well established safety and security procedures to mitigate these risks.

More recently, the Coast Guard and the industry have recognized the growing potential for cyber-based systems to impact bulk liquid and other elements of the marine transportation system. Computers operate valves and pumps, monitor sensors, control gates and cameras, perform many other vital safety and security functions. Cyber attacks could lead to significant consequences. Cyber accidents, such as software problems, non-targeted malware, or technical errors could be equally serious.

The Coast Guard is working with the industry and the National Institute of Standards and Technology to address these risks. There’s been great work on this through terminal operators, the American Petroleum Institute and others. We are well on our way to developing a profile, using this Cyber Framework, and I think it’s going to be a great first step to trying to achieve voluntary compliance and ensure that they are taking appropriate measures.

Editor’s note: A Framework “Profile” represents the cybersecurity outcomes based on business needs that an organization has selected from the Framework Categories and Subcategories. Profiles can be used to identify opportunities for improving cybersecurity posture and support prioritization and measurement of progress while factoring in other business needs including cost-effectiveness and innovation. (www.nist.gov)

Using the Cybersecurity Framework is a very effective way of trying to ensure that the business requirements, cyber risks and resources of a company are aligned with what they are doing.

Some specific initiatives that the Coast Guard has underway…

Reporting: The Coast Guard has a detailed instruction that describes a physical breach of security or suspicious activity event and what is required to be reported to the Coast Guard through the National Response Center. In the cyber-world, there are additional nuances surrounding what might define a reportable incident. The Coast Guard is developing an instruction to identify a cyber security breach and cyber suspicious activity. Our responsibilities are to address cyber incidents that impact, or may threaten, the marine transportation system or that might otherwise have the potential to impact human life, safety or the marine environment. The industry now reports incidents of this nature to the National Response Center. The Coast Guard also encourages industry to report other significant cyber events, even if unrelated to marine transportation concerns, to the National Cybersecurity Communications and Integration Center, or NCCIC. We are working with the NCCIC to identify ways of streamlining reporting and information sharing.

Risk Assessments and Security Plans: Waterfront facilities, and most commercial vessel operators, already conduct rigorous physical security assessments and develop security plans to address those risks. The Coast Guard reviews and approves those plans, and works with industry to ensure the plans are maintained, exercised and updated as needed. We are also working on guidelines to help industry incorporate cyber risks into that process. To address risks associated with the many foreign flag ships that visit our ports, we are working with the International Maritime Organization to establish cyber risk management guidelines for the international shipping community.

Questions from the workshop

Attendees of the panel were given time to ask questions. I wanted to share the questions asked of the Coast Guard here, for larger sharing of information.

Question: How does the profile help inform policy making and does it influences the companies that you oversee?

I look first at how we do physical security and I think everyone has a pretty good understanding of what risks are associated with this. Industry has done a very good job of mitigating these risks. There’s an awareness of what must be done and an existing enforcement mechanism for the Coast Guard in terms of visiting facilities and making sure that they’re meeting the expectations placed on them. This is not the case, yet, with cybersecurity. When you look at what’s out there, you get a very wide range of how different facilities and platforms are implementing cybersecurity risk measures. Some, especially larger companies, have the resources to ensure that any significant vulnerabilities have been addressed and are being mitigated. Others, perhaps, don’t. You also see a difference between informational technology and operational technology (OT- the industrial control systems). A lot of times OT isn’t necessarily handled at a corporate level; they are handled at a much lower, or local, level. And often times, you wonder if we are adequately handling the vulnerabilities that may be involved with those systems. So, for us, it’s really a desire to make sure, just as our Cyber Strategy indicates, that we are addressing risk and having people assess what sort of vulnerability is out there and then taking those vulnerabilities and developing a plan for how they’re going to do it.

Question: How has this helped to align your understanding of where the risk is and where to focus for cybersecurity vulnerabilities in the maritime environment?

One of the things we have looked at is to both qualify and quantify cyber risk as well as we currently do on the physical side. On the physical side, we have a tool, the Maritime Security Risk Analysis Model (MSRAM), which is a risk analysis tool that plugs in potential risk, in terms of vulnerabilities and consequence to likelihood, and then gives you a number. Not to say that life is that simple, but at least it gives us an idea of the corresponding risks associated with different possible scenarios. This allows us to focus resources to try and mitigate those that we determine to have the highest risk. On the cyber side, we just don’t have this yet, but things like the profile allow us to better quantify and qualify that risk. Much of this is compliance with business relationships. We regulate facilities but we don’t regulate third party contractors that deal with those facilities; so corporations requiring their contractors to meet these sorts of standards, I think it improves the entire process.

Question: Is the Coast Guard’s use of the profile externally facing or is it used internally within the Coast Guard? If it is internally used in the Coast Guard, for any of its own operations, how does the Coast Guard marry up the other guidance that comes out of NIST and the NIST Framework and the need to receive the authority to operate (ATO) with the work that the profile might provide from the Framework side?

The profile is unique to whatever organization or segment you are working for. And so, in this case, we are looking at bulk liquid transfer facilities and perhaps the supply chains that deal with those facilities. We are trying to establish a minimum standard for that industry segment. We are trying to give them what we expect, in terms of cybersecurity risk measures. It’s a first step; the desire is to eventually get to where it is more than just the bulk liquid transfer facilities to a larger segment of industry but still, I think it’s a good first step to try to effectively use the Framework and develop a profile.

NIST’s original plan was to develop five profiles for the Coast Guard; one for bulk liquid transfers and then, eventually, freight, passenger vessels, mobile offshore drilling units and navigation. This profile was the first one and it was specific to the bulk liquid sector.

Question: Did the Coast Guard dictate to the industry that this Cybersecurity Framework will be used? Is the profile is only addressing the commercial entity component? Not necessarily the Coast Guard’s integration with the commercial industry?

We don’t have any regulation pertaining specifically to cyber at the moment. That said, under the Maritime Transportation Security Act, a regulated entity, such as a vessel or individual waterfront facility, is required to do a risk assessment, and the intention of that requirement is to address all security related risks, not just those associated with a physical attack. Then they are required to develop plans specific to their operations that mitigate the risk identified by their assessment. At the port level, Coast Guard chaired Area Maritime Security Committees assess port wide risks and develop an Area Maritime Security Plan which guides federal, state and local agencies, as well as the local industry, in port security procedures. That’s the process for the physical security side. The NIST Framework, including this profile for the bulk liquid terminal industry, can help incorporate cyber into that process.

Question: What is the Coast Guard doing right now to integrate and keep safe in a cyber realm – to include informational technology and operational technology?

A lot of our efforts right now are focused on raising awareness of potential cyber risks, and to educate the industry on the great resources available from NIST and other organizations. We are also working at the Area Maritime Security Committee level to gain a better understanding of how cyber technology changes the risk profile of a port community, and how we might respond to a cyber incident, including an attack involving both cyber and physical vectors.

Question: What interaction has the Coast Guard had with international partners regarding the Framework? The Coast Guard deployed its Cyber Strategy about a year ago. How does that play into the policy level in terms of the Framework and profiles?

The Coast Guard submitted a paper to the International Maritime Organization on this topic. We’ve also been working with different organizations to come up with, on the vessel side, the very thing that we’re working toward on the facility side which is a minimum standard; the Framework has played part through all of the documents that have been proposed. The Coast Guard also authored a document, working with Canada with the functions of the Framework embedded. I think it establishes a common ground for how everyone looks at cybersecurity.

We published the Cyber Strategy in June of 2015 and it outlined our priorities; one of those was to protect critical infrastructure. The other two look mostly at the Coast Guard itself and enabling/defending our operations; they’re more internally focused. Protecting critical infrastructure looks externally and how we regulate industry or how we look to voluntary measures to set a minimum standard.

I highly encourage you to review the NIST Framework, the resources available at CERT and on Homeport (under the Cybersecurity tab) to focus on and improve cyber risk management practices.

We are having issues with the comment section on all Coast Guard blogs; the comments are currently closed. Please be assured we are working through the issue and will work to resolve this as soon as possible. In the meantime, please use the “Contact Us” page on the right-hand navigation column if you need to contact the Maritime Commons editor with a question or comment.

This blog is not a replacement or substitute for the formal posting of regulations and updates or existing processes for receiving formal feedback of the same. Links provided on this blog will direct the reader to official source documents, such as the Federal Register, Homeport and the Code of Federal Regulations. These documents remain the official source for regulatory information published by the Coast Guard.

Tags: , , , ,