American ports, terminals, ships, refineries, and support systems are vital components of our nation’s critical infrastructure, national security, and economy. Cyber attacks on industrial control systems could kill or injure workers, damage equipment, expose the public and the environment to harmful pollutants, and lead to extensive economic damage. The loss of ship and cargo scheduling systems could substantially slow cargo operations in ports, leading to backups across the transportation system. A less overt cyber attack could facilitate the smuggling of people, weapons of mass destruction, or other contraband into the country.
In short, there are as many potential avenues for cyber damage in the maritime sector as there are cyber systems. While only some cyber attack scenarios in the maritime sector could credibly lead to a Transportation Security Incident, we must identify and prioritize those risks, take this threat seriously, and work together to improve our defenses.
Fortunately, the men and women of the United States Coast Guard take our responsibility to protect the nation from threats seriously. As in other areas, we will work with the private sector, and with other federal, tribal, state, and local agencies to address this new threat. The President’s recently signed cyber security Executive Order sets requirements for executive branch agencies to address cyber risks. We have started that work already, and will keep the private sector informed of our progress. We will also be asking for advice and cooperation.
Fortunately, the process for doing so is parallel in structure to that of other security and safety efforts: assess risk, adopt measures to reduce that risk, assess progress, revise, and continue. These processes, taken together, can significantly improve an organization’s risk reduction efforts and increase resilience through continuity of business planning.
Looking specifically at cyber security, consider the following steps:
• Conduct a Risk Assessment – begin by assessing what parts of your enterprise are controlled or supported by computer systems. What are the consequences should those systems become inoperable, controlled by outside parties, or misused by internal parties?
• Identify and Adopt Best Practices – what information technology security standards are most applicable to your systems? Are your systems meeting those standards, and are your employees familiar with them? When were they last updated? What backup systems, redundancies, or replacements are available?
• Secure Your Supply Chain – As with just-in-time inventory and production systems, consider the cyber vulnerabilities and practices of your suppliers, customers, and other organizations critical to your company’s profitability. Discuss cyber security with those organizations and consider incorporating good cyber practices into marketing and contracting.
• Measure Your Progress – Test your cyber practices through drills and exercises. Identify any gaps or lessons learned, and set specific goals with timelines for making needed improvements.
• Revise and improve security – Review your latest risk assessment, evaluate any new cyber systems you may have added since that time, incorporate lessons learned and revise your cyber security policies and procedures accordingly.
One way to start this process is to take advantage of the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). ICS-CERT provides a wide range of information, tools, and services that can help companies assess their security, identify recommended practices, and improve their cyber security. http://ics-cert.us-cert.gov/
On February 19, 2012, NYTimes.com posted the following article (a version of this article also appeared in print on February 19, 2013, on page A1 of the New York edition with the headline: China's Army Seen as Tied To Hacking Against U.S.).
The article, written by David E. Sanger, David Barboza, and Nicole Perlroth, begins, "On the outskirts of Shanghai, in a run-down neighborhood dominated by a 12-story white office tower, sits a People’s Liberation Army base for China's growing corps of cyberwarriors... "
The National Institute of Standards and Technology (NIST) will be hosting a 2nd Public Workshop in support of the Cybersecurity Framework development in response to Executive Order 13636 and Presidential Policy Directive 21. The public meeting will be sponsored by Carnegie Mellon and hosted at Carnegie Mellon University in Pittsburgh, PA on May 29-31, 2013.
Start Date: Wednesday, May 29, 2013
End Date: Friday, May 31, 2013
Location: Pittsburgh, PA
Time: 9:00am - 4:00pm
Audience: Industry, Government, Academia, Healthcare Providers
On February 12, 2013, the President signed Executive Order (E.O.) 13636 to Improve Critical Infrastructure (CI) Cybersecurity and Presidential Policy Directive 21 - Critical Infrastructure Security and Resilience (PPD-21). PPD-21 cancels PPD-7 and establishes an All Hazards approach to critical infrastructure security and resilience. The Cybersecurity E.O. establishes a requirement for federal agencies to collaborate with their respective industry sectors to identify Critical Infrastructure that can be impacted by cyber activity.
The Executive Order directs the National Institute of Standards and Technology (NIST) to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure. NIST is conducting a comprehensive review to support development of the voluntary framework. During development of the framework, NIST will consult with the Secretary of Homeland Security, the National Security Agency, Sector-Specific Agencies and other interested agencies including the Office of Management and Budget, owners and operators of critical infrastructure, and other stakeholders including other relevant agencies, independent regulatory agencies, State, local, territorial and tribal governments.
The framework will consist of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks. The Framework will be developed through an open public review and comment process that will include workshops and other opportunities to provide input. When the Framework is completed, NIST will have developed a prioritized, flexible, repeatable, and cost-effective approach that will help owners and operators of critical infrastructure to manage cybersecurity-related risk while protecting business confidentiality, individual privacy and civil liberties.
In addition, please see the HOMEPORT Cyber Security Page.
Facility security - (202) 372-1132 or 1131
Facility safety and environmental protection - (202) 372-1130