During the April 25-26 2017 meeting of the National Maritime
Security Advisory Committee (NMSAC), the Committee was given a regulatory
update by U.S. Coast Guard personnel. During this update, the Committee was
advised that the draft Navigation and Vessel Inspection Circular (NVIC) on
cybersecurity would soon be published. Below are some thoughts on this NVIC and
what the Coast Guard has said about the need for a proactive approach to
cybersecurity.
During the Maritime Cyber Security Standards Public Meeting
on January 15, 2015, discussing the need for voluntary cyber standards, Rear
Admiral Paul Thomas, Assistant Commandant for Prevention Policy, stated, “The
Coast Guard just recently conducted a study about the cost burden to industry
of all the regulations that we have published since 1973. We found that 88% of
the entire cost burdens of all regulations, over all those years, were due to
two regulations, OPA 90 and MTSA. Both of these regulations followed
predictable disasters. The lesson
learned should be that we should not wait for an incident to occur that will
make us move forward on reactive, more expensive, regulations; we need to be
proactive in approaching this. We are here to have a discussion with industry
so we can develop a standard together, one that works and is reasonable in
terms of the cost benefit. If we wait
until an incident occurs, that opportunity goes away.” (as quoted in Cyber Risk
Management, by LCDR Josh Rose & LT Josie Long, http://aapa.files.cms-plus.com/SeminarPresentations/2015Seminars/2015Cybersecurity/Rose%20USCG%20CYBER.pdf)
In the Rose/Long AAPA presentation, there was a slide concerning the
cybersecurity NVIC. Bullet points about this NVIC content include:
• How do we incorporate cyber into risk assessments?
• What tools are available for industry to use for risk assessments?
• MTS standard terms (definitions)
• What are examples of industrial control systems in the maritime environment (what is the scope of the NVIC)?
I think one issue that may be addressed in the NVIC is the link between the NIST Cybersecurity Framework and the Facility Security Plan (FSP): incorporation of cyber into facility security assessments; guidance for constructing a possible voluntary cyber annex or new FSP section that directly addresses the Framework functions of identify, protect, detect, respond, and recover; and guidance for inspectors who encounter these new sections or annexes during annual compliance inspections or during post-incident review. (We'll see how well my crystal ball is functioning.)
This will be a draft NVIC, probably titled “For review and comment only. Not to be used as final guidance.” As a draft NVIC, it will probably be numbered 17-XX, rather than receiving two numbers as the terminal designation. In the Federal Register notice of its publication, there will probably be a section titled “Public Participation and Request for Comments.” In this section, there will probably be sub-sections explaining how to submit comments and how to view comments and documents. (Lots of probably’s!)