US Coast Guard Issues Further Guidance on Cyber Security

This overview continues the Eazi Security series on practical considerations for Designated Persons Ashore (DPAs) to ensure full compliance with Resolution MSC 428(98) on maritime cyber security.

The United States Coast Guard recently issued Navigation and Vessel Inspection Circular No. 01-20 (NVIC 01-20), which outlines guidelines for assessing cyber risks to all facilities regulated by the Maritime Transportation Security Act (MTSA). To give some sense of who that affects: when the MTSA came into force in 2004 it impacted 587 ports, 469,686 facilities (oil rigs etc.) and 778,633 vessels.

NVIC 01-20 provides guidance to facility owners and operators on complying with the requirements to assess, document, and address computer system or network vulnerabilities. Each entity to which the requirements apply is required to:

• Identify and assess its radio and telecommunication equipment, including computer systems and networks (see 33 CFR 105.305(c)(1)(v) and 33 CFR 105.405(a)(17) for facilities, and 33 CFR 106.305(c)(1)(v) and 33 CFR 106.405(a)(16) for OCS facilities).
• Update or produce a Facility Security Assessment (FSA) and Facility Security Plan (FSP).
• Mitigate any identified cyber vulnerabilities.

Specifically, the guidance highlights the requirements contained in 33 CFR parts 105 and 106. These are:

Security administration and organization – Describe the roles and responsibilities of cyber security personnel for the facility, including how and when physical security and cyber security personnel will coordinate activities and conduct notifications for suspicious activity, breaches of security, or heightened security levels.

Personnel training – Describe how cyber security is included as part of personnel training, policies, and procedures, and how this material will be kept current and monitored for effectiveness.

Drills and exercises – Describe how drills and exercises will test the cyber security vulnerabilities of the FSP. Facility owners and operators may wish to meet this requirement by employing combined cyber-physical scenarios. In general, drills and exercises must test the proficiency of personnel assigned to security duties and enable the Facility Security Officer (FSO) to identify any related security deficiencies that need to be addressed.

Records and documentation – Maintain records of training, drills, exercises, security incidents (including cyber security incidents), and other events. Electronic records should be protected against unauthorized deletion, destruction, or amendment.

Communications – Describe how security conditions are communicated to and between vessels and facilities, to the Captain of the Port, and to national and local authorities. To the extent that cyber-dependent systems are used to perform this function, describe how those systems are protected, an alternative means of communication, and the personnel communication responsibilities should the system be compromised or degraded. Describe how physical security and cyber security personnel will communicate cyber security conditions and threats to one another, and how cyber-related suspicious activity and breaches of security will be communicated to the Coast Guard. During crew or shift changes, handover notes should include cyber security related information and updates.

Procedures for interfacing with vessels – Describe cyber-related procedures for interfacing with vessels, to include any network interaction, portable media exchange, remote access, or other wireless access sharing.

Security systems and equipment maintenance – Describe cyber-related procedures for managing software updates and patch installations on systems used to perform or support functions identified in the FSP (e.g. identification of needed security updates, planning and testing of patch installations).

Security measures for access control – Establish security measures to control access to the facility. This includes cyber systems that control physical access devices such as gates and cameras, as well as cyber systems within secure or restricted areas, such as cargo or industrial control systems. Describe the security measures for access control.

Security measures for restricted areas – Describe measures to limit unauthorized access to all of the restricted areas and systems, to include those controlled by cyber networks. Unauthorized access might be possible either by manipulating a cyber-controlled gate, allowing physical access, or by accessing the protected system via cyber means, such as by hacking into files that contain sensitive security information. If the area or function has no cyber nexus, indicate “N/A” in the FSA and FSP.

Security measures for handling cargo – Describe measures to protect cargo handling, to include measures that protect cargo manifests and other cargo documentation to deter tampering, prevent unauthorized loading/unloading of cargo, and prevent acceptance of cargo that is not meant for carriage.

Security measures for delivery of stores – Describe measures to protect delivery of vessel stores and bunkers, to include procedures that protect electronic files to deter tampering and ensure the integrity of stores.

Security measures for monitoring – Describe security measures to continuously monitor the facility and its approaches on land and water; restricted areas within the facility; vessels at the facility; and areas surrounding the vessels.

Facility Security Plan – Ensure the FSO develops and implements an FSP that addresses each cyber security vulnerability identified in the FSA.

Audits and security plan amendments – Conduct an annual audit of FSPs. Facility owners and operators may choose to conduct the cyber security portion of their audits either with the aid of cyber security specialists from a third party or within the organization. The audit report should clearly indicate that the cyber security provisions detailed in the FSP are in place and are considered to be appropriate and effective. The audit should include the name, position, and qualifications of the person conducting the audit.

Eazi Security are well placed to facilitate all of the above requirements with proven, world-leading cyber security products. If you wish to know more about Eazi Security and their world-leading cyber security software solutions, please contact David Clayden.
Email: David.clayden@eazisecurity.com
Tel: +44 (0)7711 351463