Saturday, June 17, 2017

HR 2831 Introduced – Port Security Corrections

Last week Rep. Rutherford (R,FL) introduced HR 2831, the Maritime Security Coordination Improvement Act. The bill makes a number of changes to laws pertaining to port security operations conducted by the Coast Guard. Changes of specific interest to readers of this blog would be increased emphasis on cybersecurity and changes to Maritime Transportation Security Act (MTSA) inspection requirements.

Cybersecurity


Section 4 of the bill address three separate issues related to port cybersecurity related to different levels of cybersecurity interest; DHS/CG, Captain of the Port (COTP), and MTSA covered facility owner.

Section 4(b) of the bill specifically adds cybersecurity to the areas of potential weakness that DHS/CG is required to look at when they are assessing the “detailed vulnerability assessment of the facilities and vessels that may be involved in a transportation security incident” 46 USC 70102(b)(1)(C).

Section 4(a) addresses cybersecurity at the COTP level by adding a new requirement for Area Maritime Security Advisory Committees (AMSAC) under 46 USC 70112(a)(2)(A). The AMSACs would be specifically required to “shall facilitate the sharing of information relating to cybersecurity risks and incidents (as such terms are defined in section 227 of the Homeland Security Act of 2002 (6 U.S.C. 148)) to address port-specific cybersecurity risks and incidents, which may include the establishment of a working group of members of such committees to address such port-specific cybersecurity risks and incidents” {§70112(a)(2)(A)(i)}.

At the facility owner level the bill would require vessel and facility security plans under 46 USC 70103(c) to specifically address “prevention, management, and response to cybersecurity risks and incidents (as such terms are defined in section 227 of the Homeland Security Act of 2002 (6 U.S.C. 148) [link added])” {new §70103(c)(3)(C)(v)}.

Facility Inspections

Section 5 of the bills makes a change to the requirements for the Coast Guard to inspect MTSA covered facilities under 46 USC 70103(c)(4)(D). Instead of inspecting at least twice a year (one conducted without advanced notice), the new requirement would reduce that to at least once a year without notice.

Moving Forward


Rutherford and all three of his cosponsors {including Chairman McCaul (R,TX)} are members of the House Homeland Security Committee, one of the two committees to which the bill was assigned for consideration. This bill will almost certainly be considered (and approved) in the Homeland Security Committee; consideration by the Transportation and Infrastructure Committee is much less assured.

There does not appear to be anything in the bill that would raise any significant opposition in the House. If McCaul can get the bill to the floor of the House, it is likely to eventually reach the President’s desk.

Discussion


There are no cybersecurity definitions in the bill beyond reference to the terms ‘cybersecurity risks’ and ‘incident’ from §148(a). Those definitions both rely on the definition of ‘information system’ which §148 takes from 44 USC 3502(8). That definition is very IT-centric; “the term ‘information system’ means a discrete set of information resources [emphasis added] organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information”. Thus, it could be argued that these cybersecurity requirements do not address control system, security system, or building maintenance system security issues.

In many industries (finance, commercial sales, and healthcare for example) protecting information is the paramount concern when we talk about cybersecurity. In port operations, however, the operational side of the house is probably more significant than is the need to protect just information. Thus, it would behoove Congress to ensure that the language in this bill reflects the importance of operational cybersecurity.

The only place that currently expands the IT-centric definitions of cybersecurity to include operations technology is 6 USC 1501(9). There the definition of ‘information system’ is still based on a reference to §3502, but it was specifically expanded by adding subparagraph (B) “includes industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers”.

The problem is, however, that §1501 does not also include the terms ‘cybersecurity risks’ or ‘incident’. One could use the current reference to §148 for those terms but specify that the term ‘information system’ is based upon §1501. Doing that in both instances where the first two terms are currently used would be very wordy and potentially confusing.

It would probably be better to add a new paragraph to §4 of the bill that provides definitions that would be used in the Port Security chapter of the US Code (46 USC 70101). If I were doing this, I would add the following definitions:

(1) The term ‘information system’ has the meaning given the term in section 3502 of title 44;

(2) The term ‘control system’ means a discrete set of information resources, sensors, communications interfaces and physical devices organized to monitor, control and/or report on physical processes, including manufacturing, transportation, access control, and facility environmental controls;

(3) The term ‘cybersecurity risk’ means:

(A) threats to and vulnerabilities of information, information systems, or control systems and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification, or destruction of such information, information systems, or control systems, including such related consequences caused by an act of terrorism; and

(B) does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement;

(4) The term ‘incident’ means an occurrence that actually, or imminently jeopardizes, without lawful authority:

(A) the integrity, confidentiality, or availability of information on an information system,

(B) the timely availability of accurate process information, the predictable control of the designed process or the confidentiality of process information, or

(C) an information system or a control system;


With these definitions in place the references to §148 are superfluous and should be removed. Then the intent would be clear that the bill would be addressing both the information and control system cybersecurity of port operations. And that is almost certainly the intent of the crafters of this bill.

1 comment:

Laurie Thomas said...

PJ, as always, thanks for watching the Hill for us! Re inspections, as far as I can see this bill doesn't really change anything. The SAFEPort Act mandated that at least one of the inspections be conducted without notice. That's also what this bill says. Practically there will still have to be two inspections because it would be really hard to conduct the annual compliance inspection unannounced. The USCG might not find the appropriate people on hand if they don't arrange for the inspection ahead of time which would be a real time waster for them. Or if the appropriate people are on hand they may be unable to perform the inspection due to participating in other agencies' inspections, performing critical facility operations,conducting employee disciplinary hearings, etc.

This bill is saying that not less than one inspection must be without notice. The USCG is using spotchecks as equivalent to the "inspection without notice" and every facility is getting at least one annually if not a lot more frequently than that. For the difference between spotcheck and annual compliance inspection, see NVIC 03-03 ch. 2 enclosures 7 and 11.

 
/* Use this with templates/template-twocol.html */