April 15, Re: Docket Number USCG Dear Captain Tucci,

Transcription

1 April 15, 2015 Captain Andrew Tucci Chief, Office of Port & Facility Compliance, U.S. Coast Guard U.S. Department of Transportation, West Building Ground Floor, Room W12-140, 1200 New Jersey Avenue SE Washington, DC Re: Docket Number USCG Dear Captain Tucci, Thank you for the opportunity to submit comments pertaining to cybersecurity as the U.S. Coast Guard develops relevant guidance, which may include standards, guidelines, and best practices to protect maritime critical infrastructure. The American Association of Port Authorities (AAPA), is the unified and collective voice of the seaport industry in the Americas. AAPA empowers port authorities, maritime industry partners and service providers to serve their global customers and create economic and social value for their communities. Our activities, resources and partnerships connect, inform and unify seaport leaders and maritime professionals in all segments of the industry who deliver prosperity around the western hemisphere. Safety and security is a key priority of our member ports. These comments are on behalf of our U.S. Members. As an industry, we have concerns on how a cybersecurity policy would be implemented by the U.S. Coast Guard. Ports are unique entities that have differing governing structures as well as different business models, which change often. It has been said about ports that if you have been to one portyou have been to one port. We also have concerns on whether the Coast Guard has the needed resources, both technical expertise and funding, to oversee a cybersecurity policy. Many of our ports are landlords, meaning they lease space to terminal operators who in turn conduct the business that moves through the ports. We have ports that are operated by state authorities, operating ports that are a part of larger state and regional government infrastructure; we have small, large and medium ports as well as ports that specialize in container, energy, break bulk and Roll on/roll off cargo. At our core, ports are facilitators of partnerships that further the global, regional and national economies. At any one time our ports will be accessed by vessel, truck and rail lines, creating a complex, yet efficient center of economic activity. Ports are living and evolving entities that directly reflect the economic health of our nation. It is vital that our ports continue to have the flexibility and fluidity to meet the changing global trading trends and dynamics, while ensuring that our communities and commerce remain safe and secure. The port industry has followed Executive Order Improving Critical Infrastructure Cybersecurity, since it was released in February 2013, which calls for the voluntary cybersecurity framework. We have also tracked and commented on the February 2014 release of the Framework for Improving Critical Infrastructure Cybersecurity by the National Institute of Standards and Technology (NIST).

2 2 AAPA Comments on Coast Guard Docket No. USCG As the Coast Guard seeks to develop best practices and guidance for a maritime cyber security policy, we believe it is important to keep in mind the following description from the Framework for Improving Critical Infrastructure Cybersecurity by the National Institute of Standards and Technology: The Framework is not a one-size-fits-all approach to managing cybersecurity risk for critical infrastructure. Organizations will continue to have unique risks different threats, different vulnerabilities, different risk tolerances and how they implement the practices in the Framework will vary. Organizations can determine activities that are important to critical service delivery and can prioritize investments to maximize the impact of each dollar spent. Ultimately, the Framework is aimed at reducing and better managing cybersecurity risks. If the Coast Guard decides to require protection of cyber assets in a facility security plan, it should adopt a flexible performance-based system like the Maritime Transportation Security Act (MTSA) and Safe Port Act regulations. It should also be risk based. A cyber threat that interferes with the delivery of bulk commodities should be addressed differently than an incident that relates to the movement of a container. Coast Guard should determine what risks warrant reporting and what to not when they clarify what a transportation security incident is. Additionally, if the Coast Guard requires maritime security plans to have a cybersecurity assessment and a plan, then the federal Port Security Grant program should help pay for these mandates and time must be awarded to carry out this plan. The current Port Security Grant program requires a cyber assessment first before grants will pay for improvements and implementation of a cyber plan. This might be a model that works, if it is flexible on how the cyber assessment is done, similar to how MTSA security assessments are completed. AAPA also encourages additional port security grant funding to help ports conduct cyber security assessments and make improvements. It is not clear that all facilities will need a comprehensive cyber plan, just as the U.S. Coast Guard has proposed that not all ports need a TWIC reader. AAPA also believes that there needs to be more clarity and communication regarding what a Transportation Security Incident (TSI) entails. There appears to be a lack of understanding within the industry regarding what constitutes a TSI in terms of cybersecurity. The following are some initial responses to questions put forth by the Coast Guard: What cyber dependent systems, commonly used in the maritime industry, could lead or contribute to a Transportation Security Incident (TSI) if they failed, or were exploited by an adversary? SECURITY 1. Digital Video Surveillance Management Systems 2. Access Control Systems (Card Reader Systems (TWIC) 3. Vehicle Registration Systems 4. Radar/Sonar Systems

3 AAPA Comments on Coast Guard Docket No. USCG Emergency Communication Systems (radios) 6. Port wide Emergency Notification Systems 7. Maritime Domain Awareness Systems 8. Command and Control Systems 9. Physical Security Information Systems CARGO 1. Crane Control Systems 2. Manifest Control Systems 3. Miscellaneous Data Bases (Private Industry and Government) to include intelligence data bases (U.S. Intelligence Community/U.S Coast Guard-Customs and Border Protection and State fusion centers VESSEL MOVEMENTS 1. Vessel Traffic Systems or Vessel Traffic Information Systems 2. Automated Information Systems (AIS- Vessel Tracking) ENGINEERING SYSTEMS 1. GIS Management ADMINISTRATIVE 1. Accounting Systems 2. Property Management Systems What procedures or standards do vessel and facility operators employ to identify potential cyber security vulnerabilities to their operations? Private industry remains reluctant to share their cyber defense mechanisms. Private industry primarily contracts with a computer management entity to manage and/or oversee their computer systems. Over the past 20 years private industry has been extremely reluctant to report cyber breaches. Cyber risks are not inherently maritime related, however, we do know that many owners/ operators have conducted vulnerability assessments and many have employed anti-virus, antispam, anti-malware programs, and firewalls. Some owner/operators have invested in software, such as intrusion detection programs and have developed policies and procedures for requiring: the use of strong passwords, that these be changed regularly, that employees use different passwords for different systems, and that passwords are not shared. Additionally, industry regularly implements procedures to prevent users from downloading software onto company-owned devices, and some have implemented multi-factor authentication for system access to their networks. While these are all necessary initial first steps, what we hear repeatedly from members and industry partners is that the strongest cybersecurity program is creating an awareness among employees and management on what a cyberattack might look like and how to report cyber

4 4 AAPA Comments on Coast Guard Docket No. USCG breaches. Rather than mandating particular standards, we recommend DHS should strengthen existing grant programs to provide financial assistance for cybersecurity programs. Are there existing cyber security assurance programs in use by industry that the Coast Guard could recognize? If so, to what extent do these programs address vessel or facility systems that could lead to a TSI? To our knowledge there is not a single recognized program consistently implemented and/or utilized by private industry, but rather many variations of programs crafted specifically for individual needs and concerns. Industry programs typically utilize resources from many sources when crafting policy, including governmental agencies (NIST Cybersecurity Framework), and public sector recommendations given by non-profit organizations such as Information Systems Audit and Control Association (ISACA), International Information Systems Security Certification Consortium (ISC2), and National Cyber Security Alliance (NCSA) to name a few. To our knowledge these programs do not specifically address vessel or facility systems directly, but best practices can be tailored for the port industry. To what extent do current security training programs for vessel and facility personnel address cyber security risks and best practices? To our knowledge there is not a recognized facility and vessel training program that addresses cyber security risks and best practices to the port industry specifically. What factors should determine when manual backups or other non-technical approaches are sufficient to address cyber security vulnerabilities? An initial approach could be a table top exercise that could possibly highlight the pros and cons in determining the sufficiency of determining when manual or non-technical cyber vulnerability backstops. How can the Coast Guard leverage the Alternative Security Plan program to help vessel and facility operators address cyber security risks? Develop a best practices approach addressing the requirements for Cyber Security Assessments using both Penetration testing (PEN Testing) and Risk Based Assessment Approach which could be added to 33 Code Part (8) mandating procedures based on the network, communications and computer systems at each port or facility. Mandating prescriptive measures in a one size fits all approach would not be beneficial.

5 AAPA Comments on Coast Guard Docket No. USCG How can vessel and facility operators reliably demonstrate to the Coast Guard that critical cyber systems meet appropriate technical or procedural standards? Add an addendum to 33 CFR Part (c) clarifying that a cybersecurity assessment is a component of the Facility Security Assessment (FSA) which should be conducted every five years for regulated facilities. Protection of systems documentation and internal testing and oversight of social media polices would be verified during the annual audit process and 5 year Facility Security Assessment. The addition of the cyber assessment to the FSA should include both PEN testing and a risk based assessment once a standard is established under 33 CFR Part 305 (c). Additionally, annual audits are currently required, in part for, record keeping, maintenance and testing of systems in 33 CFR Part which could then include the cyber component by reference in Security systems and equipment maintenance [ (c)]. Do classification societies, protection & indemnity clubs, or insurers recognize cyber security best practices that could help the maritime industry? We are unaware of any best practices recognized by port specific classification societies, protection and indemnity clubs or insurers, however, there are many organizations that give guidance and provide standards in the information systems cyber field. Below includes a sampling, but is not limited to: The American Society for Industrial Security (ASIS), Information Systems Audit and Control Association (ISACA) International Information Systems Security Certification Consortium (ISC2) National Cyber Security Alliance (NCSA). Center for Internet Security (CIS) If you have additional questions or would like further input on AAPA members concerns, please do not hesitate to contact me directly. Sincerely yours, Kurt J. Nagle President