Today the Coast Guard published a notice in the Federal Register (79 FR 75574-75575) requesting comments on the development of guidance for maritime cybersecurity standards. This RFI is closely associated with last Friday’s meeting notice (79 FR 73896-73897) about a January 15th public meeting in Washington, DC on the same topic.
The summary for the RFI notes that:
The Coast Guard is developing policy to help vessel and facility operators identify and address cyber-related vulnerabilities that could contribute to a Transportation Security Incident. Coast Guard regulations require certain vessel and facility operators to conduct security assessments, and to develop security plans that address vulnerabilities identified by the security assessment. The Coast Guard is seeking public input from the maritime industry and other interested parties on how to identify and mitigate potential vulnerabilities to cyber-dependent systems. The Coast Guard will consider these public comments in developing relevant guidance, which may include standards, guidelines, and best practices to protect maritime critical infrastructure.
The Coast Guard is focusing their cybersecurity concerns on the prevention of Transportation Security Incidents (TSI). A TSI is defined in 33 CFR 101.105 to be “a security incident resulting in a significant loss of life, environmental damage, transportation system disruption, or economic disruption in a particular area”. This would probably indicate a more specific focus on cyber-physical systems rather than the mainly informational system focus of the NIST Cybersecurity Framework.
In requesting this information the Coast Guard is looking for answers to some specific questions. They include:
• What cyber-dependent systems, commonly used in the maritime industry, could lead or contribute to a TSI if they failed, or were exploited by an adversary?
• What procedures or standards do vessel and facility operators now employ to identify potential cybersecurity vulnerabilities to their operations?
• Are there existing cybersecurity assurance programs in use by industry that the Coast Guard could recognize? If so, to what extent do these programs address vessel or facility systems that could lead to a TSI?
• To what extent do current security training programs for vessel and facility personnel address cybersecurity risks and best practices?
• What factors should determine when manual backups or other non-technical approaches are sufficient to address cybersecurity vulnerabilities?
• How can the Coast Guard leverage Alternative Security Programs to help vessel and facility operators address cybersecurity risks?
• How can vessel and facility operators reliably demonstrate to the Coast Guard that critical cyber-systems meet appropriate technical or procedural standards?
• Do classification societies, protection and indemnity clubs, or insurers recognize cybersecurity best practices that could help the maritime industry and the Coast Guard address cybersecurity risks?
Public comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # USCG-2014-1020). Comments should be submitted by February 17th, 2015. Reservations will be required for the January 15th public meeting. Reservations can be made via email (Josephine.A.Long@uscg.mil) and should be submitted by January 5th. There will be a live video feed available; access may be requested via the same email address.