Last week Rep. Rutherford (R,FL) introduced HR 2831,
the Maritime Security Coordination Improvement Act. The bill makes a number
of changes to laws pertaining to port security operations conducted by the
Coast Guard. Changes of specific interest to readers of this blog would be
increased emphasis on cybersecurity and changes to Maritime Transportation
Security Act (MTSA) inspection requirements.
Cybersecurity
Section 4 of the bill addresses three separate port cybersecurity issues, each at a different level of cybersecurity interest: DHS/CG, the Captain of the Port (COTP), and the MTSA covered facility owner.
Section 4(b) of the bill specifically adds cybersecurity to
the areas of potential weakness that DHS/CG is required to look at when they
are assessing the “detailed vulnerability assessment of the facilities and
vessels that may be involved in a transportation security incident” 46
USC 70102(b)(1)(C).
Section 4(a) addresses cybersecurity at the COTP level by adding a new requirement for Area Maritime Security Advisory Committees (AMSAC) under 46 USC 70112(a)(2)(A). The AMSACs “shall facilitate the sharing of information relating to cybersecurity risks and incidents (as such terms are defined in section 227 of the Homeland Security Act of 2002 (6 U.S.C. 148)) to address port-specific cybersecurity risks and incidents, which may include the establishment of a working group of members of such committees to address such port-specific cybersecurity risks and incidents” {§70112(a)(2)(A)(i)}.
At the facility owner level the bill would require vessel and facility security plans under 46 USC 70103(c) to specifically address “prevention, management, and response to cybersecurity risks and incidents (as such terms are defined in section 227 of the Homeland Security Act of 2002 (6 U.S.C. 148))” {new §70103(c)(3)(C)(v)}.
Facility Inspections
Section 5 of the bill makes a change to the requirements for the Coast Guard to inspect MTSA covered facilities under 46 USC 70103(c)(4)(D). Instead of inspecting at least twice a year (one conducted without advance notice), the new requirement would reduce that to at least once a year without notice.
Moving Forward
Rutherford and all three of his cosponsors {including
Chairman McCaul (R,TX)} are members of the House Homeland Security Committee,
one of the two committees to which the bill was assigned for consideration.
This bill will almost certainly be considered (and approved) in the Homeland
Security Committee; consideration by the Transportation and Infrastructure
Committee is much less assured.
There does not appear to be anything in the bill that would
raise any significant opposition in the House. If McCaul can get the bill to
the floor of the House, it is likely to eventually reach the President’s desk.
Discussion
There are no cybersecurity definitions in the bill beyond
reference to the terms ‘cybersecurity risks’ and ‘incident’ from §148(a). Those
definitions both rely on the definition of ‘information system’ which §148 takes from 44
USC 3502(8). That definition is very IT-centric; “the term ‘information
system’ means a discrete set of information resources [emphasis
added] organized for the collection, processing, maintenance, use, sharing,
dissemination, or disposition of information”. Thus, it could be argued that
these cybersecurity requirements do not address control system, security
system, or building maintenance system security issues.
In many industries (finance, commercial sales, and
healthcare for example) protecting information is the paramount concern when we
talk about cybersecurity. In port operations, however, the operational side of
the house is probably more significant than is the need to protect just information.
Thus, it would behoove Congress to ensure that the language in this bill
reflects the importance of operational cybersecurity.
The only place that currently expands the IT-centric
definitions of cybersecurity to include operations technology is 6
USC 1501(9). There the definition of ‘information system’ is still based on
a reference to §3502,
but it was specifically expanded by adding subparagraph (B) “includes
industrial control systems, such as supervisory control and data acquisition systems,
distributed control systems, and programmable logic controllers”.
The problem is, however, that §1501 does not also include the terms ‘cybersecurity
risks’ or ‘incident’. One could use the current reference to §148 for those terms but
specify that the term ‘information system’ is based upon §1501. Doing that in both
instances where the first two terms are currently used would be very wordy and
potentially confusing.
It would probably be better to add a new paragraph to §4 of the bill that
provides definitions that would be used in the Port Security chapter of the US
Code (46
USC 70101). If I were doing this, I would add the following definitions:
(1) The term ‘information system’ has the meaning given the term in section 3502 of title 44;
(2) The term ‘control system’ means a discrete set of information resources, sensors, communications interfaces and physical devices organized to monitor, control and/or report on physical processes, including manufacturing, transportation, access control, and facility environmental controls;
(3) The term ‘cybersecurity risk’ means:
(A) threats to and vulnerabilities of information, information systems, or control systems and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification, or destruction of such information, information systems, or control systems, including such related consequences caused by an act of terrorism; and
(B) does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement;
(4) The term ‘incident’ means an occurrence that actually or imminently jeopardizes, without lawful authority:
(A) the integrity, confidentiality, or availability of information on an information system,
(B) the timely availability of accurate process information, the predictable control of the designed process or the confidentiality of process information, or
(C) an information system or a control system;
With these definitions in place the references to §148 are superfluous and
should be removed. Then the intent would be clear that the bill would be
addressing both the information and control system cybersecurity of port
operations. And that is almost certainly the intent of the crafters of this
bill.
1 comment:
PJ, as always, thanks for watching the Hill for us! Re inspections, as far as I can see this bill doesn't really change anything. The SAFE Port Act mandated that at least one of the inspections be conducted without notice. That's also what this bill says. Practically there will still have to be two inspections because it would be really hard to conduct the annual compliance inspection unannounced. The USCG might not find the appropriate people on hand if they don't arrange for the inspection ahead of time, which would be a real time waster for them. Or if the appropriate people are on hand they may be unable to perform the inspection due to participating in other agencies' inspections, performing critical facility operations, conducting employee disciplinary hearings, etc.
This bill is saying that not less than one inspection must be without notice. The USCG is using spotchecks as equivalent to the "inspection without notice" and every facility is getting at least one annually if not a lot more frequently than that. For the difference between spotcheck and annual compliance inspection, see NVIC 03-03 ch. 2 enclosures 7 and 11.