American ports, terminals, ships, refineries, and support systems are vital components of our nation’s critical infrastructure, national security, and economy. Cyber attacks on industrial control systems could kill or injure workers, damage equipment, expose the public and the environment to harmful pollutants, and lead to extensive economic damage. The loss of ship and cargo scheduling systems could substantially slow cargo operations in ports, leading to backups across the transportation system. A less overt cyber attack could facilitate the smuggling of people, weapons of mass destruction, or other contraband into the country.
In short, there are as many potential avenues for cyber damage in the maritime sector as there are cyber systems. While only some cyber attack scenarios in the maritime sector could credibly lead to a Transportation Security Incident, we must identify and prioritize those risks, take this threat seriously, and work together to improve our defenses.
Fortunately, the men and women of the United States Coast Guard take our responsibility to protect the nation from threats seriously. As in other areas, we will work with the private sector, and with other federal, tribal, state, and local agencies to address this new threat. The President’s recently signed cyber security Executive Order sets requirements for executive branch agencies to address cyber risks. We have started that work already, and will keep the private sector informed of our progress. We will also be asking for advice and cooperation.
Fortunately, the process for doing so is parallel in structure to that of other security and safety efforts: assess risk, adopt measures to reduce that risk, assess progress, revise, and continue. These processes, taken together, can significantly improve an organization’s risk reduction efforts and increase resilience through continuity of business planning.
Looking specifically at cyber security, consider the following steps:
• Conduct a Risk Assessment – begin by assessing what parts of your enterprise are controlled or supported by computer systems. What are the consequences should those systems become inoperable, controlled by outside parties, or misused by internal parties?
• Identify and Adopt Best Practices – what information technology security standards are most applicable to your systems? Are your systems meeting those standards, and are your employees familiar with them? When were they last updated? What backup systems, redundancies, or replacements are available?
• Secure Your Supply Chain – As with just-in-time inventory and production systems, consider the cyber vulnerabilities and practices of your suppliers, customers, and other organizations critical to your company’s profitability. Discuss cyber security with those organizations and consider incorporating good cyber practices into marketing and contracting.
• Measure Your Progress – Test your cyber practices through drills and exercises. Identify any gaps or lessons learned, and set specific goals with timelines for making needed improvements.
• Revise and Improve Security – Review your latest risk assessment, evaluate any new cyber systems you may have added since that time, incorporate lessons learned, and revise your cyber security policies and procedures accordingly.
One way to start this process is to take advantage of the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). ICS-CERT provides a wide range of information, tools, and services that can help companies assess their security, identify recommended practices, and improve their cyber security. http://ics-cert.us-cert.gov/
Summary: On December 12th, the Coast Guard published a notice in the Federal Register inviting the public to comment on cyber security risks to the Marine Transportation System at a public meeting. The meeting was held on January 15, 2015. Below is the video of this meeting:
Facility security - (202) 372-1132 or 1131
Facility safety and environmental protection - (202) 372-1130