The Coast Guard released a new guide to help maritime transportation system stakeholders establish baseline cybersecurity assessments and develop cybersecurity planning and response to meet the challenges posed by evolving threats.
The Maritime Cybersecurity Assessment & Annex Guide will assist Maritime Transportation Security Act (MTSA)-regulated facilities in meeting the Facility Security Assessments (FSA) and Facility Security Plans (FSP) required by MTSA, USCG said.
As requirements for FSAs and FSPs were implemented last year, “stakeholder feedback reflected a desire for continued development of guidance and support from the Coast Guard,” USCG said. “MCAAG offers an additional resource for MTSA-regulated facilities to enhance and expand on their current efforts as they continually assess cyber risks and vulnerabilities.”
The guide, which was developed in collaboration with the maritime industry, “may be also a resource for Area Maritime Security Committees in assessing overall port area cybersecurity risk and development of cyber annexes of Area Maritime Security Plans, and is useful for any other MTS stakeholders interested in conducting a baseline cybersecurity risk assessment, developing plans, as well as continued improvement of existing plans.”
A cyber attack on the port environment can compromise physical facility access control systems, manipulate terminal and gate operating systems for the purpose of leaking sensitive supply chain data or facilitating smuggling or cargo theft, stop port operations by compromising the terminal headquarters, compromise operational technology systems such as cranes in a way that leads to loss of life or property, tamper with positioning, navigation, and timing (PNT) so that vessels cannot safely navigate a port, and compromise shipboard systems with impacts to safety or cargo.
A U.S. Coast Guard Cyber Command report released in August on cybersecurity trends in the maritime environment said the significance of cyber hygiene, detection, and response “grew exponentially” in 2021 due to a 68 percent increase in reported maritime cyber incidents and USCG efforts to ensure maritime facilities are complying with cyber regulations.
Maritime environment incidents reported to the Coast Guard in 2021 included phishing at sectors Guam, Columbia River, Los Angeles/Long Beach, Corpus Christi, Houston/Galveston, Mobile, Charleston, Maryland/NCR, New York, and New England, as well as MSU Port Arthur. Ransomware was reported at sectors Columbia River, Los Angeles/Long Beach, New Orleans, Virginia, Delaware Bay, Maryland/NCR, Long Island Sound, and New England. Sector Puget Sound reported an incident related to authorized access, while Columbia River reported a suspected snitch device. Sector Delaware Bay reported an AIS spoof.
The three most popular ransomware-as-a-service variants targeting the maritime transportation system in 2021 were Maze, Sodinokibi, and Ryuk.
The stated goal of the new guidance is to provide a voluntary framework for producing a cyber annex “achievable for the smallest of facilities” and “scalable to the largest and most complex of facilities” that will provide Facility Security Officers (FSOs) “with assurance the facility’s cybersecurity protections and mitigation efforts are relevant and sufficient regarding the facility’s physical security and safety.”
“Achieving this goal requires addressing three challenges,” the guide states. “What can be done to facilitate effective collaboration between the FSO (who may not have deep cybersecurity experience), and the information technology (IT) and cybersecurity subject matter experts supporting them? How should cybersecurity vulnerabilities and protections be defined? What is the relationship between physical vulnerabilities identified in the Facility Security Assessment (FSA) and the cybersecurity vulnerabilities and protections described in the Cyber Annex?”
The guide centers on three primary recommendations to address these challenges: first, identifying a Cybersecurity Officer (CySO) in the organization “who can speak authoritatively about the cyber-enabled systems, networks and cybersecurity protections in the facility, and who can partner with the FSO to create the Cyber Annex.”
“The CySO may be a single person from the information technology or cybersecurity organization of the facility, or it may be a group of people,” the guide adds. “There is nothing precluding the FSO and the CySO from being the same person, provided they have adequate cybersecurity training and knowledge.”
Second, “define cybersecurity vulnerabilities and protections based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).”
“The concepts of ‘cybersecurity vulnerability’ and ‘cybersecurity protection’ are flexible and can be understood at the level of the cybersecurity program and policy level, the system design and configuration level and all the way down to the level of individual exploitable software flaws and patches in an operating system or application,” the guide says. “It is recommended the Cyber Annex addresses vulnerabilities and protections primarily at the programmatic and policy level. While certain vulnerabilities and protections will require more specific language to be used in the Cyber Annex, NIST CSF subcategories provide a standardized vocabulary that is easily aligned with a facility’s cybersecurity programs and policies.”
The final recommendation is that maritime entities “map physical security vulnerabilities to related cybersecurity vulnerabilities, then map the identified cybersecurity vulnerabilities to cybersecurity protections.”
“Two things are true at the same time. On the one hand, the Cyber Annex is not intended to address all possible cybersecurity vulnerabilities in a facility. Instead, it should at least address those cybersecurity vulnerabilities related to physical vulnerabilities identified in the FSA in accordance with 33 CFR 105 and 106,” the guide states. “On the other hand, the typical way cyber attackers subvert systems directly affecting physical security and safety is by first gaining access to the facility’s IT systems and then moving through the network until they gain access to their intended target. Thus, credible protection for relevant cybersecurity vulnerabilities can only be achieved if the facility’s network meets or exceeds a minimum level of cyber hygiene.”
“To achieve the correct scope of cybersecurity vulnerabilities addressed in the Cyber Annex, the CySO should determine or establish whether all cyber security vulnerabilities necessary to address the physical vulnerabilities have been identified and addressed, and the FSO should determine or establish whether each cybersecurity vulnerability in the Cyber Annex is relevant to the physical vulnerabilities in the FSA.”
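The mapping the guide recommends (FSA physical vulnerability to cybersecurity vulnerability to protection) and the two scope checks described in the preceding paragraphs can be expressed as a small data model with a validation pass in each direction. The following is an added example written for this article; it is not code from the MCAAG or the Coast Guard. The PV-x and CV-x identifiers, the vulnerability descriptions and the protections are constructed sample data; the NIST CSF subcategory identifiers (PR.AC-1, PR.AC-5, DE.CM-1, PR.IP-12) are real CSF 1.1 subcategories used here as the standardized vocabulary the guide suggests.

```python
"""Added example (not from the MCAAG): a Cyber Annex model that maps FSA physical
vulnerabilities to cybersecurity vulnerabilities (in NIST CSF subcategory
vocabulary) and on to protections, plus the CySO and FSO scope checks.
All identifiers and descriptions below are constructed sample data."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class CyberVulnerability:
    ident: str                 # constructed annex id, e.g. "CV-1"
    csf_subcategory: str       # real NIST CSF 1.1 subcategory id used as vocabulary
    description: str
    protections: list[str] = field(default_factory=list)


@dataclass
class PhysicalVulnerability:
    ident: str                 # constructed FSA id, e.g. "PV-1"
    description: str
    cyber_vulns: list[str] = field(default_factory=list)   # CyberVulnerability ids


@dataclass
class CyberAnnex:
    physical: dict[str, PhysicalVulnerability]
    cyber: dict[str, CyberVulnerability]

    def cyso_findings(self) -> list[str]:
        """CySO check: every FSA physical vulnerability has at least one
        cybersecurity vulnerability identified, every referenced id exists,
        and every cybersecurity vulnerability has at least one protection."""
        findings: list[str] = []
        for pv in self.physical.values():
            if not pv.cyber_vulns:
                findings.append(f"{pv.ident}: no cybersecurity vulnerability identified")
            for cv_id in pv.cyber_vulns:
                if cv_id not in self.cyber:
                    findings.append(f"{pv.ident}: references unknown {cv_id}")
        for cv in self.cyber.values():
            if not cv.protections:
                findings.append(f"{cv.ident}: no protection assigned")
        return findings

    def fso_findings(self) -> list[str]:
        """FSO check: every cybersecurity vulnerability in the annex is
        relevant to (mapped from) some physical vulnerability in the FSA."""
        referenced = {cv_id for pv in self.physical.values() for cv_id in pv.cyber_vulns}
        return [f"{cv_id}: not linked to any FSA physical vulnerability"
                for cv_id in self.cyber if cv_id not in referenced]


def build_sample_annex() -> CyberAnnex:
    """Constructed sample annex, deliberately left incomplete so each check fires."""
    cyber = {
        "CV-1": CyberVulnerability("CV-1", "PR.AC-1",
            "Shared or default credentials on the access-control server",
            ["Unique accounts and MFA for access-control administrators"]),
        "CV-2": CyberVulnerability("CV-2", "PR.AC-5",
            "Gate OS and crane controllers reachable from the office LAN",
            ["Segment OT and gate networks from IT; permit only approved management hosts"]),
        "CV-3": CyberVulnerability("CV-3", "DE.CM-1",
            "No monitoring of traffic entering the OT segment",
            []),                      # no protection yet -> CySO finding
        "CV-4": CyberVulnerability("CV-4", "PR.IP-12",
            "No patch schedule for terminal operating system hosts",
            ["Monthly patch cycle using vendor-approved OT patches"]),
    }
    physical = {
        "PV-1": PhysicalVulnerability("PV-1", "Gate access control can be overridden",
                                      ["CV-1", "CV-2"]),
        "PV-2": PhysicalVulnerability("PV-2", "Crane operations could be manipulated",
                                      ["CV-2", "CV-3"]),
        "PV-3": PhysicalVulnerability("PV-3", "Terminal headquarters systems could be stopped",
                                      []),   # not yet mapped -> CySO finding
    }
    return CyberAnnex(physical, cyber)     # CV-4 is unreferenced -> FSO finding


if __name__ == "__main__":
    annex = build_sample_annex()
    for line in annex.cyso_findings():
        print("CySO:", line)
    for line in annex.fso_findings():
        print("FSO: ", line)
```

Running the module prints one CySO finding for the unmapped physical vulnerability, one for the cybersecurity vulnerability with no protection, and one FSO finding for the cybersecurity vulnerability that no FSA item references; together the two passes enforce the scope the guide describes, with nothing in the annex unanchored to the FSA and nothing in the FSA left without a cyber protection.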