On February 12, 2014, the National Institute of Standards and Technology (NIST) released the first version of the Framework for Improving Critical Infrastructure Cybersecurity, also known as the Cybersecurity Framework (CSF) [1].

The CSF is intended to enable organizations, regardless of sector, size, degree of cybersecurity risk, or cybersecurity sophistication, to apply the principles and best practices of risk management to improve the security and resilience of critical infrastructure.

The CSF relies on a variety of existing cybersecurity standards, guidelines, and best practices to enable critical infrastructure providers to achieve resilience against cybersecurity incidents.

Building from those standards, guidelines, and best practices, the CSF provides a common taxonomy and mechanism for organizations to:

  • Describe their current cybersecurity posture.
  • Describe their target state for cybersecurity.
  • Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process.
  • Assess progress toward the target state.
  • Communicate among internal and external stakeholders about cybersecurity risk.

The CSF is intended to complement, not replace, an organization’s risk management process and cybersecurity program.

An organization with an existing cybersecurity program is expected to use its current processes and leverage the Framework to identify opportunities to strengthen and communicate its management of cybersecurity risk while aligning with industry best practices.

Alternatively, an organization without an existing cybersecurity program can use the Framework as a reference to establish one.

In March 2014, the US Coast Guard (USCG) released a message on Cybersecurity and the Marine Transportation System.

In this message several key ideas were highlighted [2]:

  • Cyber-related vulnerabilities are a growing portion of the total risk exposure facing the Marine Transportation System (MTS).
  • Cyber threats to critical infrastructure continue to grow and represent one of the most serious national security challenges we must confront.
  • Industry partners and government are encouraged to work together to identify, evaluate, and address cybersecurity risks.
  • The National Institute of Standards and Technology (NIST) recently released the Cybersecurity Framework (CSF).
  • The Coast Guard strongly encourages vessel and facility security operators to voluntarily review the CSF to determine how it might help them improve their cybersecurity posture.
  • Vessel and facility operators are not required to incorporate cyber risks into their security assessments or security plans at this time, but may do so on a voluntary basis.
  • Captains of the Port (COTPs) should encourage vessel and facility operators to inventory their cyber systems and identify those that could potentially contribute to a Transportation Security Incident (TSI).

The Transportation Systems Sector-Specific Plan defines cybersecurity as the prevention of damage to, unauthorized use of, or exploitation of, and, if needed, the restoration of electronic information and communications systems and the information contained therein to ensure confidentiality, integrity, and availability [3].

In July 2015 the USCG published its Cyber Strategy, identifying three priorities critical to defending the maritime domain [4]:

  • Defend cyberspace – Ensure the full scope of the Coast Guard’s capabilities are effective and efficient by building and maintaining secure and resilient Coast Guard information networks.
  • Enable operations – Detect, deter, disable and defeat adversaries by developing and leveraging a diverse set of cyber capabilities and authorities.
  • Protect critical infrastructure – Achieve unity of effort to protect maritime infrastructure from attacks, disasters, and accidents.

Although the first two priorities refer mainly to USCG resources, the third one includes the critical commercial maritime infrastructure and transportation systems.

Maritime critical infrastructure and the MTS are considered vital to the economy of the nation. The MTS includes ocean carriers, coastwise shipping along the shores and inland waterways, and the Nation’s ports and terminals.

Cyber systems enable the MTS to operate with unprecedented speed and efficiency. Those same cyber systems also create potential vulnerabilities.

Although vessel and facility operators are not required to incorporate cyber risks into their security assessments or security plans at this time, in my opinion, given the potential high impacts to human life, operations, and the environment, all security plans and Safety Management Systems (SMS) should consider cyber risks and how to respond to cyber incidents.

For ideas on how to incorporate cyber risk in maritime operations, see the blog articles “Maritime cybersecurity using ISPS and ISM codes” and “Vessel cybersecurity risk analysis”.