Earlier this week the Coast Guard published a new cybersecurity guidance document on its Homeport web page (https://homeport.uscg.mil > Cybersecurity > Cyber News > Passenger Operations Cybersecurity Framework Profile Review; unfortunately the CG does not provide direct links on Homeport) and requested public comments on it. The new document is the “Content Preview of the Passenger Operations Cybersecurity Framework Profile”. The Coast Guard’s blog did provide a real link to the document.
The Profile
This document is an attempt by the CG to help affected organizations (US passenger vessel operations) implement the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF). According to the CG’s blog:
“A profile implements the NIST Cybersecurity Framework, which was developed in 2014 to address and manage cybersecurity risk in a cost-effective way based on business needs and without placing additional regulatory requirements on businesses. The profile is how organizations align the Framework’s cybersecurity activities, outcomes, and informative references to organizational business requirements, risk tolerances, and resource allocations.”
The Profile is a .PDF document that first provides a list of 13 passenger vessel mission objectives with a brief description of each. The 13 objectives are:
• Maintain human safety;
• Maintain marine safety and resilience;
• Maintain environmental safety;
• Maintain guest support and basic hotel services;
• Maintain regulatory compliance;
• Assure secure communications by function and mode;
• Optimize guest experience and value;
• Maintain supply chain and turnaround;
• Disembarking, embarking, and turnaround;
• Coordinate port operations;
• Assure (optimize) lifecycle asset management;
• Maintain passenger information and accounting systems; and
• Manage, monitor and maintain non-guest-facing office technology.
The Profile then provides a CSF matrix listing each of the functions, categories and subcategories in the CSF, with a column for each of the 13 mission objectives above; each subcategory is rated for each objective as ‘High Priority’, ‘Moderate Priority’ or ‘Other Implemented Categories’. It is interesting that they avoid the pejorative term ‘Low Priority’ in the categorization.
Public Comments
The Coast Guard is asking for public comments on the Profile. They have provided a comment submission form (download .XLS) very similar to the format NIST used to request comments during the development of the CSF. Completed forms can be emailed to HQS-SMB-CG-FAC-CYBER@uscg.mil. Comments should be submitted by September 7th, 2017.
Commentary
I really do like the general format of this Profile document. The mission objectives section provides a general overview of what the affected organizations are supposed to be accomplishing in their operations. Tying that back into the CSF matrix with a prioritization scheme provides a workable management tool for implementing the CSF.
There are two specific areas where ‘process control systems’ (an interesting substitute for the term ‘industrial control systems’ that I would typically use) are prominently discussed in the Mission Objectives portion of the Profile. First, the description of ‘Maintain human safety’ begins: “Recognizing cybersecurity-effects on process control systems that impact personnel safety.” Similarly, ‘Maintain environmental safety’ addresses cybersecurity effects “on process control systems that impact environmental safety”. Additionally, at least two other mission objectives include mention of “manage support systems security”, a clear reference to various process control systems.
I am more than a little surprised at the prioritization given to these ‘process control systems’ in many areas of the CSF implementation matrix, but that may be more a reflection of my lack of familiarity with passenger vessel operations than anything else. I was pleased, however, to see both the human safety and environmental safety objectives receive ‘High Priority’ rankings under two of the Risk Assessment subcategories:
ID.RA-3: Threats, both internal and external, are identified and documented; and
ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk.
Unfortunately, that pleasure was more than offset by the ‘Other Implemented Categories’ ranking across the board for “ID.RA-2: Threat and vulnerability information is received from information sharing forums and sources” in the same Risk Assessment category. An organization cannot identify its threats (ID.RA-3) or use them to determine risk (ID.RA-5) without a steady inflow of threat and vulnerability information, so treating ID.RA-2 as an afterthought hardly supports the ‘High Priority’ rankings noted above.
I really do recommend that everyone with an interest in maritime safety (not just passenger vessels) take a good look at this 16-page document. It provides an interesting perspective on CSF implementation in an often-overlooked area of operations. Likewise, the control system security community (particularly those with maritime experience) should give the document a good review. The Coast Guard deserves a wide variety of thoughtful comments on this Profile.