Wednesday, July 12, 2017

Draft Navigation and Vessel Inspection Circular No. 05-17, Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act (MTSA) Facilities

In the July 12, 2017 Federal Register, the Coast Guard posted the notice of the publication of Draft Navigation and Vessel Inspection Circular (NVIC) No. 05-17, Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act (MTSA) Facilities.  The NVIC is available at Comments must be submitted to the online docket via, or reach the Docket Management Facility, on or before September 11, 2017.

Facility Security Officers (FSOs) are advised that this is a draft NVIC, posted for review, to allow industry an opportunity to give feedback and commentary which the Coast Guard will evaluate and incorporate in the final version of the NVIC. This is a richly detailed performance standard on implementation of security measures to ward off the worst threat looming over us.

It is possible that Facility Security Plan sections 2, 3, 4, 5, 6, 8, 9, 10, 11, 12, 13, and 16 as well as the Facility Security Assessment may be affected by this NVIC. This is not a lengthy document (37 pages) so FSOs are encouraged to read it in its entirety. The amount of detail was difficult to summarize, especially Enclosure 2, and only the organization and main points are described below.

SUMMARY OF THE NVIC (largely taken from the text. My words are in italics) The NVIC has two enclosures.
(1) Cyber Security and MTSA
(2) Cyber Governance and Cyber Risk Management Program Implementation Guidance

Purpose:  MTSA-regulated facilities are instructed to analyze vulnerabilities with computer systems and networks in their Facility Security Assessments. This NVIC will assist FSOs in completing this requirement. Additionally, this NVIC provides guidance and recommended practices for MTSA regulated facilities to address cyber related vulnerabilities. Until specific cyber risk management regulations are promulgated, facility operators may use this document as guidance to develop and implement measures and activities for effective self governance of cyber vulnerabilities.

Background: The Coast Guard currently has the regulatory authority to instruct facilities and Outer Continental Shelf (OCS) facilities regulated under MTSA to analyze computer systems and networks for potential vulnerabilities within their required FSA and, if necessary, FSP.

DISCLAIMER. This guidance is not a substitute for applicable legal requirements, nor is it itself a rule. It is not intended to nor does it impose legally binding requirements on any party. It represents the Coast Guard’s current thinking on this topic and may assist industry, mariners, the general public, and the Coast Guard, as well as other federal and state regulators, in applying statutory and regulatory requirements.

Enc. 1 Cyber Security and MTSA:  33 CFR Parts 105 and 106.

The Coast Guard interprets (threats) to specifically include threats to computer systems and attacks in the electronic (cyber) domain.

In this draft document, the Coast Guard is laying out its interpretation of regulatory provisions in parts 105 and 106 as applicable to electronic and cybersecurity systems. This enclosure discusses the specific regulatory provisions that instruct owners/operators of a Maritime Transportation Security Act (MTSA) regulated facility to address cyber/computer system security in the Facility Security Assessment (FSA) and, if applicable, provide guidance within their FSPs to address any vulnerabilities identified in the Facility Security Assessment (FSA). This document intends to assist the owner/operator in identifying cyber systems that are related to MTSA regulatory functions, or whose failure or exploitation could cause or contribute to a Transportation Security Incident. If there are electronic or cybersecurity-related vulnerabilities identified in an FSA, an owner/operator may choose to provide this information in a variety of formats, such as a stand-alone cyber annex to their FSP, or by incorporating cybersecurity procedures alongside the physical security measures of their FSP.

For facilities with strong cyber programs - In many cases, companies have established cybersecurity and risk management programs that provide for strong cyber defense. For those situations, the owner/operator may demonstrate that those policies meet or exceed the requirements of 33 CFR parts 105 and 106. Owners/operators that already employ a comprehensive cybersecurity plan for their organization, or who wish to apply a standard security program that incorporates cybersecurity to multiple facilities, may wish to submit a security plan under the Alternative Security Program, 33 CFR 101.120.

How detailed does the FSA or FSP need to be? Owners/operators do not need to indicate specific or technical controls, but should provide general documentation on how they are addressing their cyber risks.

Cyber components for 33 CFR:
Recommended Cyber Analysis as part of the FSA:  The NVIC gives information on how to provide the cyber component for 105.305 (d)(2)(v).

UnderRecommendation to Address Identified Cyber Vulnerabilities (as applicable)” the NVIC gives  general, recommended guidance on how to mitigate cyber vulnerabilities determined during the FSA by regulation/FSP section. I can see most facilities describing cyber measures for most of the sections, which will require FSP amendments. There is guidance here on what the Coast Guard wants to see in the FSP sections as relating to cyber. 

Enc. 2 Cyber Governance and Cyber Risk Management Program Implementation Guidance. The Coast Guard details how the NIST Cybersecurity Framework (CSF) can be implemented in the maritime environment. Sections 1 – 4 of this enclosure utilize the NIST CSF as the recommended foundation for development of a cyber risk management program. Facility owner/operators should consider these guidelines in conjunction with their own risk management policies to help ensure they account for cyber risks. The four sections of this enclosure are:
1.       Establishing Cyber Risk Management: Forming a Cyber Risk Management
       Team (CRMT), Defining Cyber Risk Management Policy, and Establishing a
       Cyber Risk Management Program
2.       Enterprise-Wide Inventory and Analysis
3.       Consequence Analysis, Vulnerability Analysis, and Prioritization
4.       Protect, Detect, Respond, and Recover.

These are the nuts and bolts of the cyber security measures, so to speak: how the USCG suggests that the NIST Framework can be translated over into the MTS. Each section is detailed and written in plain understandable English, unlike many cyber publications. Throughout these sections, where appropriate, the NVIC gives examples of suggested procedures to follow. There’s a lot of what-to-do and why-we-do-it. The 4.1 Protect Section is particularly rich with bulleted lists.

Appendix A contains tables and metrics - methods for measuring and scoring cyber vulnerability. Table 1 is a Consequence Evaluation Guide for vulnerability assessments, linking how bad it is to a number. Table 2 is a Consequence Score Action (document/consider/mitigate as relates to cyber, using the score from Table 1) matrix, for scoring scenarios for Facility Security Assessments. Table 3 is a Connective Vector Assessment and will assist operators in determining which systems perform or are related to these critical security and safety functions by examining the purposes and connections of each system. “Yes” responses from Table 3 are then evaluated using Table 4, the Cyber Infrastructure Vulnerability Assessment. Each system that receives a “no” in Table 4 should be evaluated through Table 5, the Vulnerability Severity Assessment, where it will receive a vulnerability score. Systems with the highest TOTAL score (at the bottom of Table 5) should be considered the most vulnerable.