January 22, With this in mind, following are our responses to the questions posed in the December 18 Federal Register.

Transcription

1 Docket Management Facility (M 30) U.S. Department of Transportation West Building Ground Floor Room W New Jersey Avenue SE Washington, DC Re: Guidance on Maritime Cybersecurity Standards Dear Sir or Madam: Thank you for the opportunity to provide comment on proposed maritime cybersecurity standards. As a non-profit trade association representing regulated vessels and facilities as well as the hundreds of businesses which interact with them electronically, the Maritime Exchange for the Delaware River and Bay shares your concern over the rapidly increasing rate of cyber incursions and threats. In addition to our advocacy role, the Exchange also operates a community-based regional information system which collects, houses and transmits conveyance, cargo and crew data among port stakeholders throughout the Delaware River port region and beyond. As a result, we are keenly aware of the potential detrimental impacts a major cybersecurity breach could engender. With this in mind, following are our responses to the questions posed in the December 18 Federal Register. (1) What cyber-dependent systems, commonly used in the maritime industry, could lead or contribute to a TSI if they failed, or were exploited by an adversary? Note: It is our belief that an answer to this question would warrant a designation on this document, which would thus preclude it from public viewing on the docket. (2) What procedures or standards do vessel and facility operators now employ to identify potential cybersecurity vulnerabilities to their operations? Needless to say, the depth and breadth of procedures related to cybersecurity risk mitigation are as diverse as are the vessels and facilities themselves. Many owners/operators have conducted vulnerability assessments. And most, if not all, have employed anti-virus, anti-spam, anti-malware programs, and firewalls. Some have invested in other software, such as intrusion detection programs. They have developed policies and procedures for requiring: the use of strong passwords, that these be changed regularly, that employees use different passwords for different systems, and that passwords are not shared. Industry regularly implements procedures to prevent users from downloading software onto company-

2 Page 2 owned devices, and some have implemented multi-factor authentication for system access to their networks. As required under Coast Guard regulations, regulated vessels and facilities have implemented physical access control measures to ensure their computer and telecommunications systems are protected. At this time, no single standard is in use within the maritime industry. In a very informal survey conducted last summer among 20 facility IT and security personnel throughout the U.S., for example, the Exchange found that only one had implemented the National Institute of Science & Technology (NIST) framework, several had reviewed it and were planning to implement some or all of its components, and a few were not aware of it. We do not believe the Department of Homeland Security (DHS) should mandate a particular protocol or list of acceptable standards to which regulated entities must comply. First, as we all know, cyber risks are not inherently maritime related, thus agencies such as Coast Guard do not bring any unique expertise to bear in mitigation efforts. More importantly, however, cybersecurity is an overall threat to business operations; for owners and operators, there are strong economic considerations which drive preparedness. They are already taking steps necessary to protect their own businesses based on their scope of operations, desired level of customer service, level of risk tolerance, and financial constraints. Rather than mandating particular standards, we believe DHS should strengthen existing grant programs to provide financial assistance for cybersecurity programs. These should be expanded to make eligible the diverse array of businesses, such as ship agents, brokers and importers, and the host of others who communicate electronically with regulated vessels and facilities. In addition, to the extent there are maritime-specific cybersecurity best practices, Coast Guard would provide a valuable service by facilitating the sharing of this type of information among port stakeholders. (3) Are there existing cybersecurity assurance programs in use by industry that the Coast Guard could recognize? If so, to what extent do these programs address vessel or facility systems that could lead to a TSI? We are not aware of any such programs in the U.S. and would recommend that the Department of Homeland Security work closely with surety firms to develop such programs not only for regulated entities but also for all businesses operating in critical infrastructure sectors. (4) To what extent do current security training programs for vessel and facility personnel address cybersecurity risks and best practices? Typical maritime security training programs do not, as a rule, focus intently on cyber issues. In most instances, the information technology (IT) staff, not the vessel/facility security officers, are responsible for the security of information systems within their organizations. This, in our view, is as it should be, and we would not recommend additional cybersecurity training requirements for security personnel

3 Page 3 beyond general awareness. Further, cybersecurity is not a single program or set of procedures which can be learned in a one- or multi-day training session. Cyber preparedness requires a constant vigilance, and IT professionals must daily keep themselves abreast of current trends, new mitigation technologies, possible threats and emerging risks. The latter concern is an area where DHS can, in fact, be extremely helpful. Industry would benefit greatly if DHS were to ensure information concerning cybersecurity threats were shared on a timely and comprehensive basis. To be effective, this type of information sharing cannot be made through a Sector Coordinating Council (SCC) or Information Sharing and Analysis Center (ISAC). Clearly, it is implausible that every entity with a need for this type of information could participate in these groups; there is simply no way for DHS to communicate with every cybersecurity stakeholder via committee. Further, those who are group members would of necessity be restricted with regard to information they could further share with their trading partners, vendors and customers, thus limiting the effectiveness of the effort. Finally, it is our understanding that participation in the maritime ISAC requires that members pay dues to join; information from DHS should not be restricted to paying customers. Rather, DHS should endeavor to create a mechanism for sharing cybersecurity risk/threat information directly with all affected owners/operators and others who communicate electronically with them. We realize the magnitude and challenges associated with such an initiative are daunting; however we strongly believe that this is among the most important roles DHS should play in helping arm the public- and private-sector businesses against the growing threats. In the short term, access to a secure single-portal Web site where information is posted would be of value, however ideally such information would be proactively pushed to stakeholders in real-time. (5) What factors should determine when manual backups or other nontechnical approaches are sufficient to address cybersecurity vulnerabilities? Backup systems and recovery are undoubtedly important parts of any cybersecurity plan. However, as previously discussed, the diversity of systems varies immensely; thus while reverting to a manual backup, paper environment, or other non-technical solution might suffice for one company, another might not be able to conduct any operations without full technical capabilities. As a result, it is very difficult to define a specific set of factors that could apply equally to the industry as a whole. That said, DHS must be cognizant of the fact that in an increasingly hostile electronic environment, no system, private or public, is invulnerable. Those federal agencies requiring advance transmission of electronic information (e.g., Notice of Arrival/Departure) should develop alternate reporting and communication methods to be used in the event of a major cyber incident in order to facilitate the safe and timely movement of cargo through our ports. (6) How can the Coast Guard leverage Alternative Security Programs to help vessel and facility operators address cybersecurity risks?

4 Page 4 Based on the comments above, we do not believe there is a need to leverage Alternative Security Programs in this regard. (7) How can vessel and facility operators reliably demonstrate to the Coast Guard that critical cyber-systems meet appropriate technical or procedural standards? Before answering that question, it is important to ascertain whether Coast Guard inspection personnel possess the knowledge and expertise to understand whether the regulated organizations are meeting such requirements. It is our belief, and the Government Accountability Office confirmed in recent studies, that neither DHS nor the Coast Guard does currently possesses the capability to effectively monitor or enforce such programs. That is not to say that the Coast Guard could not obtain such expertise. However, given the existing missions and already far too thinly-stretched resources, coupled with the sentiment expressed above that cybersecurity is in no way unique to the maritime domain, we believe it would be extremely ill-advised for the Coast Guard to allocate resources in this fashion. Rather, Coast Guard should focus on what it does best, and telecommunications and information systems security does not and should not fall within that realm. The question is made moot by the fact that there is no standard with which owners and operators must demonstrate compliance, as stated above. Just as with other security measures, such as physical access control or increased lighting and fencing, the needs of each vessel/facility will vary dramatically. Finally, it is generally expected that a successful cyber incursion is not a question of if but when. To the extent DHS is interested in ascertaining maritime infrastructure cybersecurity preparedness among regulated entities, the best it could consider would be to ensure that procedures and recovery plans have been developed and review documents showing steps that have been taken to implement those procedures. In no way, however, does it seem reasonable or practical at this time to mandate and enforce against a particular standard. In addition to the above, there is one additional issue to be addressed which was not encompassed within the questions presented. Cyber Activity Reporting We very much appreciate recent Coast Guard efforts to raise awareness about the importance of ensuring implementation of appropriate cybersecurity measures. And as stated above, making industry aware of some of the threats they are facing, many of which may currently be unknown, can go a long way toward providing port businesses with information they need to make informed decisions on how best to spend their security dollars. With that increased awareness has come a reminder to industry of the importance of reporting cyberrelated suspicious activity. Unlike suspicious activity in the physical world, attempted cyber incursions

5 Page 5 are multitudinous and constant. Coast Guard should provide industry with very specific guidance not only about how and when to report such suspicious activity but also specifically what information is desired. It is not sufficient, for example, to indicate that a suspicious cyber event should be reported if it will affect a large number of people or result in a significant loss of data. These terms are subjective, and given the potential of suspicious cyber incursion attempts, the reporting and analyzing activities could overwhelm both the owners/operators and receiving agencies. The Coast Guard should work with industry to very specifically define what actual and suspected activities ought to be reported. In addition, we request that Coast Guard clarify and document specifically what will transpire after events are reported. In addition to ensuring a mechanism to close the report with the filer, we are particularly interested in knowing which agencies will receive the information, at both the national and local levels, and what they will do with it. Compiling the information and returning it back to stakeholders in a way that is useful for future preparedness activities would be of substantial value. Further, we strongly urge DHS to adopt the Suspicious Activity Reporting recommendations adopted by the National Maritime Security Advisory Committee in 2014, which include a cybersecurity reporting component. One final comment. We are certainly aware that Coast Guard has a statutorily-mandated maritime security mission, and this includes cybersecurity. However, we caution the agency against overextending its attention to this issue. For example, during the January 15 public meeting, an example was noted wherein a software glitch created a safety problem on an oil rig. While clearly the Coast Guard would engage itself from a safety perspective, this should not be viewed as a cybersecurity incident. Similarly, if a bad actor gains access to a facility computer network but no harm is done, or if the effect is felt solely at the targeted facility, this ought not to require Coast Guard involvement. On the other hand, a cyber breach at a facility which causes outages on a more widespread basis or leads to environmental damage would certainly represent an appropriate circumstance for Coast Guard intervention. In our view, it would be an unwise utilization of limited resources to try to mirror physical security protocols in the cyber environment. Once again, please accept our thanks for this opportunity to express comment. The Maritime Exchange and its members appreciate the work of the Coast Guard on this and so many other issues of concern. Sincerely, Dennis Rochford President cc: Lisa B. Himber Vice President