In the July 12, 2017 Federal
Register, the Coast Guard posted the notice of the publication of Draft
Navigation and Vessel Inspection Circular (NVIC) No. 05-17, Guidelines for Addressing
Cyber Risks at Maritime Transportation Security Act (MTSA) Facilities. The NVIC is available at https://www.regulations.gov/document?D=USCG-2016-1084-0002.
Comments must be submitted to the online docket via http://www.regulations.gov, or reach the Docket
Management Facility, on or before September 11, 2017.
Facility Security Officers (FSOs) are advised that this is a draft NVIC, posted for
review, to allow industry an opportunity to give feedback and commentary which
the Coast Guard will evaluate and incorporate in the final version of the NVIC.
This is a richly detailed performance standard for implementing security
measures against cyber threats to MTSA-regulated facilities.
It is possible that Facility Security Plan sections 2, 3, 4, 5, 6, 8, 9,
10, 11, 12, 13, and 16 as well as the Facility Security Assessment may be
affected by this NVIC. This is not a lengthy document (37 pages) so FSOs are
encouraged to read it in its entirety. The amount of detail was difficult to
summarize, especially Enclosure 2, and only the organization and main points
are described below.
__________________________________________________________
SUMMARY OF THE NVIC (largely taken from the text. My words are in italics)
The NVIC has two enclosures:
(1) Cyber Security and MTSA
(2) Cyber Governance and Cyber Risk Management Program Implementation
Guidance
Purpose: MTSA-regulated
facilities are instructed to analyze vulnerabilities with computer systems and
networks in their Facility Security Assessments. This NVIC will assist FSOs in
completing this requirement. Additionally, this NVIC provides guidance and
recommended practices for MTSA-regulated facilities to address cyber-related
vulnerabilities. Until specific cyber risk management regulations are
promulgated, facility operators may use this document as guidance to develop
and implement measures and activities for effective self-governance of cyber vulnerabilities.
Background: The Coast Guard currently has the regulatory authority to
instruct facilities and Outer Continental Shelf (OCS) facilities regulated
under MTSA to analyze computer systems and networks for potential vulnerabilities
within their required FSA and, if necessary, their FSP.
DISCLAIMER. This guidance is not a substitute for applicable legal
requirements, nor is it itself a rule. It is not intended to nor does it impose legally binding
requirements on any party. It represents the Coast Guard’s current thinking on this topic and may
assist industry, mariners, the general public, and the Coast Guard, as well as other federal and state
regulators, in applying statutory and regulatory requirements.
Enc. 1 Cyber Security and
MTSA: 33 CFR Parts 105 and 106.
The Coast Guard interprets the regulatory term "threats" to specifically include threats to
computer systems and attacks in the electronic (cyber) domain.
In this draft document, the Coast Guard is laying out its
interpretation of regulatory provisions in parts 105 and 106 as applicable to
electronic and cybersecurity systems. This enclosure discusses the specific
regulatory provisions that instruct owners/operators of a Maritime
Transportation Security Act (MTSA) regulated facility to address cyber/computer
system security in the Facility Security Assessment (FSA) and, if applicable,
to address within their FSPs any vulnerabilities identified in the FSA. This document intends to assist
the owner/operator in identifying cyber systems that are related to MTSA
regulatory functions, or whose failure or exploitation could cause or
contribute to a Transportation Security Incident. If electronic or
cybersecurity-related vulnerabilities are identified in an FSA, an owner/operator
may choose to document them in a variety of formats, such as a stand-alone cyber annex to their FSP, or
by incorporating cybersecurity procedures alongside the physical security measures of
their FSP.
For facilities with strong cyber
programs - In many cases, companies have established cybersecurity and risk
management programs that provide for strong cyber defense. For those
situations, the owner/operator may demonstrate that those policies meet or
exceed the requirements of 33 CFR parts 105 and 106. Owners/operators that
already employ a comprehensive cybersecurity plan for their organization, or who wish to apply a standard security program that
incorporates cybersecurity to multiple facilities, may wish to submit a security
plan under the Alternative Security Program, 33 CFR 101.120.
How detailed does the FSA or FSP
need to be? Owners/operators do not need to indicate specific or technical
controls, but should provide general documentation on how they are addressing
their cyber risks.
Cyber components for 33 CFR:
Recommended Cyber Analysis as part of the FSA: The
NVIC gives information on how to provide the cyber component for 33 CFR
105.305(d)(2)(v).
Under “Recommendation to Address Identified Cyber Vulnerabilities (as
applicable)” the NVIC gives general, recommended guidance on how to
mitigate cyber vulnerabilities determined during the FSA by regulation/FSP
section. I can see most facilities describing cyber measures for most of the
sections, which will require FSP amendments. There is guidance here on what the
Coast Guard wants to see in the FSP sections as relating to cyber.
Enc. 2 Cyber Governance and
Cyber Risk Management Program Implementation Guidance. The Coast Guard details how the NIST Cybersecurity Framework (CSF) can
be implemented in the maritime environment. Sections 1 – 4 of this
enclosure utilize the NIST CSF as the recommended foundation for development of
a cyber risk management program. Facility owner/operators should consider these
guidelines in conjunction with their own risk management policies to help
ensure they account for cyber risks. The
four sections of this enclosure are:
1. Establishing Cyber Risk Management: Forming a Cyber Risk Management Team
(CRMT), Defining Cyber Risk Management Policy, and Establishing a Cyber Risk
Management Program
2. Enterprise-Wide Inventory and Analysis
3. Consequence Analysis, Vulnerability Analysis, and Prioritization
4. Protect, Detect, Respond, and Recover
These are the nuts and bolts of
the cyber security measures, so to speak: how the USCG suggests that the NIST Framework
can be translated over into the MTS. Each section is detailed and written in
plain understandable English, unlike many cyber publications. Throughout these
sections, where appropriate, the NVIC gives examples of suggested procedures to
follow. There’s a lot of what-to-do and why-we-do-it. The 4.1 Protect Section
is particularly rich with bulleted lists.
Appendix A contains tables and metrics
- methods for measuring and scoring cyber vulnerability. Table 1 is a Consequence
Evaluation Guide for vulnerability assessments, linking how bad an outcome is to a
number. Table 2 is a Consequence Score Action matrix (document/consider/mitigate as
relates to cyber, using the score from Table 1) for scoring scenarios
in Facility Security Assessments. Table 3 is a Connective Vector Assessment,
which will assist operators in determining which systems perform or are related
to critical security and safety functions by examining the purposes and
connections of each system. "Yes" responses from Table 3 are then evaluated
using Table 4, the Cyber Infrastructure Vulnerability Assessment. Each system
that receives a "no" in Table 4 should be evaluated through Table 5, the Vulnerability
Severity Assessment, where it will receive a vulnerability score. Systems with
the highest TOTAL score (at the bottom of Table 5) should be considered the
most vulnerable.