On July 12, 2017, the United States Coast Guard (USCG) announced a draft Navigation and Inspection Circular (NVIC) 05-17 entitled “Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act (MTSA) Regulated Facilities.” In accordance with 33 CFR parts 105 and 106, regulated facilities must identify and assess security threats and develop a Facility Security Plan (FSP) that addresses and mitigates those threats. The USCG has interpreted these provisions to include cyber threats. The NVIC aims to provide guidance on incorporating cybersecurity risks into an effective Facility Security Assessment (FSA), in addition to recommendations for policies and procedures that may reduce cyber risk to operators of maritime facilities. The draft NVIC consists of two enclosures providing guidance regarding (I) the USCG’s interpretation of the existing regulatory requirements under MTSA with respect to cybersecurity measures; and (II) the implementation of a “cyber risk management governance program.” While the NVIC is not legally binding, facility operators can utilize this guidance until specific cyber risk management regulations are put into place. USCG is currently seeking public comment on the proposed guidelines.
USCG’s guidelines come at an opportune time, as the issue of cyber risk has hit a critical peak within the maritime industry. Every maritime organization, no matter the size, is a potential target. Cybersecurity challenges are a systemic risk to the maritime industry because of its reliance on cyber technologies for communications, access control, and other integrated control systems. Vulnerabilities within these technologies increase their exposure to cyberattacks. Large-scale attacks, such as the Maersk Petya ransomware attack, have proven to carry economic, financial, and safety impacts across all corners of the industry, from port facilities to shipping to offshore activities.
Enclosure I, “Cybersecurity and MTSA,” states that the “existing MTSA requirements are applicable to cybersecurity related threats.” The NVIC makes clear that cybersecurity is part of the vulnerabilities assessment and mitigation measures that must be part of existing Facility Security Assessments (FSAs) and Facility Security Plans (FSPs). As with existing MTSA requirements, regulated entities will need to demonstrate how they are addressing cyber risks. The guidance cites existing requirements for FSAs under MTSA to provide structure to the review of the NVIC. Enclosure II, “Cyber Governance and Cyber Risk Management Implementation Guidelines,” describes best practices and expectations for all MTSA regulated entities. The guidelines cite the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF) to promote effective self-governance.
NVIC 05-17 is consistent with the U.S. government’s concerted effort to increase private sector preparedness for cyberattacks and reflects a trend towards using a risk-management-based approach to cybersecurity. NVIC 05-17 references existing MTSA implementation and its corresponding processes, as well as the NIST framework, as guidance for the industry. In our view, NVIC 05-17 should take the additional step of detailing specific aspects of an organization’s technical implementation of cybersecurity safeguards. This belief is rooted in our company’s cybersecurity philosophy, which consists of the following foundational pillars:
I. Cybersecurity is an organizational culture that allows technologies to succeed; not a technological solution that results in organizational success.
II. A holistic and risk-management-based systems solution is needed – no single application, tool, or methodology will adequately secure your system.
III. Implement state-of-the-market solutions, but remain current.
IV. A comprehensive maintenance and sustainment program is a critical component of keeping a high cybersecurity posture which minimizes cyber risk.
V. Automate as many processes as you can to minimize human error.
NVIC 05-17 addresses Pillars I and III to a great extent, since cybersecurity is as much cultural as it is technical. Likewise, Pillar IV is somewhat addressed through the need to protect equipment and implement hardware and software update and obsolescence management programs. However, we do not believe enough emphasis is placed on (III) implementing state-of-the-market cybersecurity solutions and (V) automated processes to protect maritime systems. With the understanding that this is a regulatory document rather than a technical implementation guide, we believe that incorporating these two items within the regulation can be a catalyst towards reducing long-term cybersecurity costs while at the same time methodically increasing the maritime industry’s security posture.
Requiring or recommending that the maritime industry implement state-of-the-market solutions is a step towards eliminating the obsolete software and equipment that have contributed to many cyberattacks in recent years. For example, Windows XP is still very prevalent in many industries, but particularly in the maritime industry. There are known exploits against Windows XP, and since Microsoft no longer supports this operating system, maritime companies still running it are vulnerable to attack. Additionally, state-of-the-market solutions give all facets of the industry a means to seamlessly and more easily implement the NIST CSF within their FSP. Likewise, recommending the use of automated processes for cybersecurity-related activities can reduce a company’s long-term need to maintain a large cybersecurity workforce, thereby reducing labor costs. Including both state-of-the-market solutions and automated processes within NVIC 05-17 provides the maritime industry the guidance it needs to build a robust cybersecurity program within its FSP. This also facilitates implementation of commercially available cybersecurity measures into day-to-day operations, yields a more accurate cyber risk posture, and ensures continuous monitoring of the cybersecurity program rather than a periodic snapshot of the cyber risk posture at a given moment in time.
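As an added illustration of the automated, continuous-monitoring check this paragraph argues for (example code written here, not Gnostech’s or the USCG’s), the Python below assesses a constructed facility asset inventory against an end-of-support table and a patch-age threshold, and shows how the same inventory yields a different posture on a different date. The asset names, zones, inventory entries and the 30-day threshold are assumptions; the Windows XP and Windows 7 end-of-support dates are Microsoft’s published dates.

```python
from dataclasses import dataclass
from datetime import date

# End-of-extended-support dates published by Microsoft.
END_OF_SUPPORT = {
    "windows xp": date(2014, 4, 8),
    "windows 7": date(2020, 1, 14),
}
PATCH_AGE_LIMIT_DAYS = 30  # assumed facility policy threshold


@dataclass
class Asset:
    name: str
    zone: str           # facility security zone (assumed labels)
    os: str
    last_patched: date


def assess_asset(asset: Asset, today: date) -> list[str]:
    """Return human-readable findings for one asset as of `today`."""
    findings = []
    eol = END_OF_SUPPORT.get(asset.os.lower())
    if eol is not None and eol <= today:
        findings.append(f"unsupported OS: {asset.os} (support ended {eol.isoformat()})")
    age = (today - asset.last_patched).days
    if age > PATCH_AGE_LIMIT_DAYS:
        findings.append(f"stale patching: {age} days since last patch (limit {PATCH_AGE_LIMIT_DAYS})")
    return findings


def assess_inventory(assets: list[Asset], today: date) -> dict[str, list[str]]:
    """Map each non-compliant asset name to its findings; compliant assets are omitted."""
    return {a.name: f for a in assets if (f := assess_asset(a, today))}


# Constructed sample inventory for a hypothetical MTSA-regulated facility.
SAMPLE_INVENTORY = [
    Asset("gate-access-ctl", "access-control", "Windows XP", date(2014, 3, 1)),
    Asset("terminal-ops-ws1", "terminal-ops", "Windows 7", date(2017, 7, 5)),
    Asset("cctv-server", "surveillance", "Windows 10", date(2017, 5, 1)),
    Asset("fsp-workstation", "admin", "Windows 10", date(2017, 7, 1)),
]

if __name__ == "__main__":
    # Run the same check on two dates: the posture changes without any inventory change.
    for when in (date(2017, 7, 12), date(2020, 2, 1)):
        print(when, assess_inventory(SAMPLE_INVENTORY, when))
```

Scheduling this against a live inventory feed is what turns the FSA from a periodic snapshot into the continuous monitoring the paragraph describes.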
Regulatory bodies across the global maritime ecosystem are becoming aware of cyber risk and increasing their commitment to implementing cybersecurity organizations, processes, and systems, and the trend will only continue. Gnostech is in full support of NVIC 05-17; it is an excellent first step towards defining cybersecurity requirements similar to those in industries like finance and healthcare. We feel more precise technical cyber recommendations and requirements should be outlined in the same fashion as the organizational and physical security requirements are addressed in this and other regulations.
About Gnostech Inc.:
Gnostech Inc. is an applied engineering and consulting company that has provided technology services for the Department of Defense (DoD) and Department of Homeland Security (DHS) for over 35 years. Our tailored services and solutions first and foremost secure the systems and data of our customers. We have improved the security posture of our Navy and Coast Guard customers with capabilities that span the cybersecurity and information assurance spectrum. Founded in 1981, Gnostech serves clients in San Diego, the National Capital Region, Colorado Springs, and the greater Philadelphia area.