CYBERSECURITY Maritime cybersecurity information sharing
Work locally with global connectedness By Christy Coffey, Vice President of Operations Maritime Transportation System ISAC
F
irst, we would like to thank the Association of Pacific Ports for requesting a blog. We are looking forward to speaking at their 107th annual event in 2021. The concept of collaborating as a maritime community to identify, detect and protect against threats to the maritime transportation system (MTS) has a long tradition in the Pacific. This has been true whether facing a wide variety of threats and hazards and continues today. Look at the COVID-19 virus and how communities are using crowdsourcing, with public and private sector organizations working together locally and globally, to identify and move muchneeded supplies and perform research. Another example we regularly see relates to weather-related emergency response scenarios. These events are an excellent example of how public and private sector organizations work together to address and recover from the threat. While storms are not entirely predictable, we are aware that they occur, we understand the range of their potential impacts, and understand that there are actions that both sets of stakeholders are responsible for taking. So, the MTS develops and exercises plans to ensure preparedness.
Cyber risk management and the MTS
When cybersecurity professionals in the Pacific apply the maritime community traditions with their own best practices from the NIST Cybersecurity Framework (www.nist.gov/cyberframework/online-learning/five-functions) — Identify, Protect, Detect, Respond, and Recover — the community can become more resilient to cyber risks in the face of motivated cyber adversaries. While information security professionals, or their organizational team, often focus on internal, individual activities to manage 14 — PACIFIC PORTS — August 2020
Rather than each individual stakeholder trying to counter cyber-attacks on their own, we can more efficiently tackle challenges at the community level for multiple reasons. cyber risk, the sharing of threat information can serve as a force multiplier. Sharing information allows multiple organizations to more quickly identify vulnerabilities, threat activity and effective countermeasures. Rather than each individual stakeholder trying to counter cyber-attacks on their own, we can more efficiently tackle challenges at the community level for multiple reasons. First, given the resources that cyber threat actors are pouring into their capabilities, the resources required to defend against threats is currently insufficient, especially when efficient use of those resources is not maximized. We believe the maritime community well understands the resource challenges that are present. Second, the MTS continues to rapidly apply new technologies to port environments to increase operational efficiencies. Information technology (IT), operational technology (OT), and Internet of Things (IoT) technologies are being quickly integrated in port operations. These technologies are being integrated less often by single organizations, but frequently across the MTS ecosystem by multiple stakeholders including suppliers, vendors, and operators of other modes of transportation. As a result, IT, OT, and IoT cybersecurity challenges have become community challenges. However, we often try to address them as individual organizational challenges. Third, we know that there is a shortage of cybersecurity expertise around the globe, and even fewer professionals that are focused on the specific challenges of maritime environments. This shortage
places additional pressure on organizations. While the initial reaction to this pressure might be to focus those resources internally, we understand the efficiencies generated by pooling resources into a larger community effort. A team of resources can accomplish more than the sum of its parts.
U.S. Government is adjusting its focus
Well, we’re starting to see government actions to focus resources on these maritime community cybersecurity challenges. In February, the Department of Homeland Security’s (DHS) Federal Emergency Management Agency (FEMA) released the Port Security Grant Program (PSGP) Notice of Funding Opportunity which prioritized cybersecurity as the one area that “attracts the most concern” and subsequently included it as a funding priority for this year’s grants. This is certainly a welcome reprioritization. A month later, the U.S. Coast Guard published the Navigation and Vessel Inspection Circular (NVIC) No. 01-20: Guidelines for Addressing Cyber Risks at MTSA Regulated Facilities which requires regulated facilities to address cyber risk in their Facility Security Assessments (FSAs) and Facility Security Plans (FSPs). Industry had been eagerly awaiting this NVIC. While it provides some clarification regarding MTSA requirements, the Coast Guard also released a “Cyber Job Aid” to “provide the service’s marine safety personnel with additional guidance as they address facilities’ documented cyber vulnerabilities.”
