Last month Rep. Torres (D,CA) introduced HR 3101,
the Strengthening Cybersecurity Information Sharing and Coordination in Our
Ports Act of 2017. The bill establishes a number of modest cybersecurity
requirements for (and in support of) port operations.
Federal Requirements
Section 2 of the bill establishes federal requirements for
cybersecurity risk assessments, information sharing and coordination. First it
requires DHS to conduct (and subsequently evaluate) a risk assessment for
maritime cybersecurity based upon the NIST Cybersecurity Framework. Next, it
requires DHS to ensure that at least one maritime Information Sharing and
Analysis Center (ISAC) participates in the National Cybersecurity and
Communications Integration Center (NCCIC).
Paragraph (4) requires DHS to establish “guidelines for
voluntary reporting of maritime-related cybersecurity risks and incidents (as
such terms are defined in section 227 of the Homeland Security Act of 2002 (6
U.S.C. 148)) to the Center [NCCIC]”. The next paragraph then requires DHS to
“report [on] and make recommendations to the Secretary on enhancing the sharing
of information related to cybersecurity risks and incidents between relevant
Federal agencies and State, local, and tribal governments”.
Local Requirements
Section 3 of the bill establishes local cybersecurity
requirements. First it requires each Maritime Security Advisory Committee “to
facilitate the sharing of cybersecurity risks and incidents to address port-specific
cybersecurity risks, which may include the establishment of a working group of
members of Area Maritime Security Advisory Committees to address port-specific
cybersecurity vulnerabilities” {§2(1)}.
Next it requires all new vessel and facility security plans (under 46
USC 70103) to “include a mitigation plan to prevent, manage, and respond to
cybersecurity risks” {§2(2)}.
Specifically §4 amends two separate provisions of 46 USC {§70102(b)(1)(C) –
facility and vessel assessments – and §70103(c)(3)(C) – vessel and facility
security plans} by adding the word “cybersecurity” after “physical security”.
It would also add a requirement for vessel and facility security plans to
address the “prevention, management, and response to cybersecurity risks”
{new §70103(c)(3)(C)(v)}.
Moving Forward
While Torres is not a member of either committee to which
the bill has been assigned for consideration, two of her cosponsors are {Rep.
Correa (D,CA) – Homeland Security; and Rep. Wilson (D,FL) – Transportation and
Infrastructure}. This means that there is at least a chance that either or both
of these committees could consider HR 3101.
I do not see anything in the bill that would engender any significant
opposition. If the bill were to be considered on the floor of the House it is
likely that it would pass, probably under the suspension of the rules
provision.
Commentary
Once again, the provisions of this bill rely on the 6 USC
148(a)(1) definition of ‘cybersecurity risk’, a definition that is limited to
information systems and does not include control systems. This would mean that
the requirements of this bill would not apply to the operation of any of the
many critical control systems found on vessels or in maritime facilities.
I would again like to point to a solution to this
definitional problem in port cybersecurity legislation that I proposed in an earlier
blog post. It would still use the existing, IT-centric, definition of ‘information
system’, but would add a new definition for ‘control system’ and then combine
both terms in the definition of ‘cybersecurity risk’.