The U.S. Coast Guard has released the Maritime Cybersecurity Assessment & Annex Guide (MCAAG) to help Maritime Transportation Security Act (MTSA)-regulated facilities and other Maritime Transportation System (MTS) stakeholders address cyber risks.

This voluntary guide serves as a resource for basic cybersecurity assessments and plan development, specifically the Facility Security Assessments (FSA) and Facility Security Plans (FSP) required by the MTSA.

The MCAAG can also be a resource for Area Maritime Security Committees in assessing the overall port area cybersecurity risk and developing cyber annexes to Area Maritime Security Plans, and it is useful for any other MTS stakeholder interested in performing a baseline cybersecurity risk assessment, developing plans, and continuously improving existing plans.

#1 Identify a cybersecurity manager

Creating a cyber annex requires a thorough understanding of the cyber systems that affect facility security, the networks to which those systems are connected, the cyber threats that affect those systems and networks, and the cyber protections available to the facility.

It is recommended that a Cyber Security Officer (CySO) be identified to provide support to the FSO during the entire Cyber Annex development process. The CySO can be a single person, a group of people or the FSO. The guidance provided in the MCAAG is intended to assist FSOs in working with a CySO to produce the Cyber Annex.

Parts of this guide, especially the technical aspects, assume that a CySO with the appropriate cybersecurity experience has been identified and is part of the Cyber Annex development process.

#2 Determine the scope

Facility security processes and functions are increasingly dependent on computers or computerized systems, such as network video monitors and electronic badge systems.

Generally, these systems are attached to networks. If these networks are connected to the Internet, even indirectly, cyberattackers can penetrate facility networks and subvert facility processes and security features by disabling or modifying the systems they rely on.

When a physical vulnerability involves one or more cyber-enabled systems, it is difficult to determine the scope of the cybersecurity plan needed to protect those specific systems.

Most cyberattacks on facilities involve a cyberattacker making initial entry into a facility network through a system that connects to the Internet, then moving internally from system to system until it can compromise the targeted system.

Thus, there is a strong argument that any protection plan for a particular system is based on the protection plan for all networks in the facility.

The recommended approach for determining the extent of the cybersecurity protections contained in the Cyber Annex is as follows:

  • Identify any cyber-enabled systems associated with physical security controls or physical vulnerabilities
  • Identify the networks to which these systems connect. If two networks have a physical network connection between them, consider them as one network (even if there are strong boundary protections such as firewalls between them). Note that for many installations there will only be one network
  • When describing cybersecurity protections to address vulnerabilities, describe the protection plan for the network on which the associated systems operate
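The scoping rule above (networks joined by any physical link count as one network, firewalls notwithstanding, and Internet exposure may be indirect) can be applied mechanically to a system inventory. The following is an added example, not code from the MCAAG or the Coast Guard; the facility systems, networks and links are constructed sample data.

```python
from collections import defaultdict

# Constructed sample inventory (hypothetical facility): cyber-enabled system ->
# (network it connects to, physical security control it supports or None).
SYSTEMS = {
    "nvr-01":    ("cctv-vlan",  "Perimeter CCTV monitoring"),
    "badge-ctl": ("access-net", "Electronic badge access at Gate 2"),
    "gate-plc":  ("ot-net",     "Vehicle gate controller"),
    "erp-srv":   ("corp-lan",   None),   # business system, no physical security role
}

# Constructed physical links between networks. The third field records the boundary
# device; per the MCAAG rule a firewall does NOT split a scope, so it is ignored below.
# "internet" is modelled as a network so that indirect exposure is detected.
LINKS = [
    ("cctv-vlan",  "corp-lan", "firewall"),
    ("access-net", "corp-lan", "router"),
    ("corp-lan",   "internet", "firewall"),
]

def merge_connected(networks, links):
    """Union-find: every network reachable over any physical link joins one scope."""
    parent = {n: n for n in networks}

    def find(n):
        while parent[n] != n:
            parent[n] = parent[parent[n]]   # path halving
            n = parent[n]
        return n

    for a, b, _boundary in links:
        parent.setdefault(a, a)
        parent.setdefault(b, b)
        parent[find(a)] = find(b)
    return {n: find(n) for n in parent}

def annex_scope(systems, links):
    """Map each merged network scope -> systems tied to a physical security control."""
    root = merge_connected({net for net, _ in systems.values()}, links)
    members = defaultdict(set)
    for net, r in root.items():
        members[r].add(net)
    scope = defaultdict(list)
    for name, (net, control) in systems.items():
        if control is None:
            continue   # not associated with a physical security control (step 1)
        scope[frozenset(members[root[net]])].append(name)
    return dict(scope)

def internet_exposed(systems, links):
    """Security-relevant systems whose merged scope reaches the Internet, even indirectly."""
    return sorted(s for nets, names in annex_scope(systems, links).items()
                  if "internet" in nets for s in names)
```

Here the CCTV recorder and badge controller end up in a single scope with the corporate LAN and the Internet despite the firewalls, while the gate PLC on the unlinked OT network forms its own scope.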

#3 Establish the definition of cybersecurity vulnerability

It is strongly recommended that the FSO and CySO establish and agree on an approach to define and identify cybersecurity vulnerabilities in the context of the FSA, and that this approach be reviewed and approved by senior facility management and the risk managers involved.

It is recommended that the facility have a formal risk management process by which senior executives and risk managers can describe acceptable and unacceptable levels of risk and by which the definition of FSA-related cybersecurity vulnerabilities can be determined.

Two observations may be useful:

  • NVIC 01-20 states that “it is up to each facility to determine how to identify, assess, and address vulnerabilities in their computer systems and networks.”
  • “Cybersecurity vulnerability” is a flexible concept that can be understood at the programmatic and policy level, at the level of system design and configuration, and down to the level of individual exploitable software flaws in an operating system, device or application.

To create a Cyber Annex to support an FSP, it is recommended to define cybersecurity vulnerability at the program and policy level, not at the individual system configuration or patch level. For example, if one or more of the facility’s security-critical systems are not properly patched, possible vulnerabilities to be addressed in the Cyber Annex may include:

  • Facility does not have a defined patch policy
  • Facility does not have defined remediation procedures and/or assigned personnel
  • Facility remediation procedures are not fully implemented

#4 Determine cybersecurity vulnerabilities for the FSA

Once the FSO and CySO have determined how to define cybersecurity vulnerability, effective identification of vulnerabilities can be done in three steps:

  • Step 4(a): Assemble a team of subject matter experts with adequate knowledge of physical, IT, OT and cyber security operations of the facility
  • Step 4(b): Gather enough organizational information to ensure the cybersecurity vulnerability assessment team has adequate visibility and awareness
  • Step 4(c): Collaboratively compile a list of cybersecurity vulnerabilities and cross-reference them with physical security vulnerabilities in the FSA

#5 Create remediation plans

Each vulnerability discussed in the Cyber Annex should be accompanied by a plan to address it. Just as it is recommended that vulnerabilities be described at the programmatic, policy and procedural levels, it is recommended that protections be articulated at the same level.

For the purposes of the MCAAG, the term cybersecurity protection is defined as a separate unit of a facility’s cybersecurity protection plan. Examples of cybersecurity protections include, but are not limited to, cybersecurity:

  • Program Capabilities
  • Strategies
  • Procedures

#6 Create the Cyber Annex

The recommended Cyber Annex template is structured as follows:

  • List FSA and FSP physical security vulnerabilities with identifiers;
  • List cybersecurity vulnerabilities to be addressed in the Cyber Annex with identifiers;
  • List the cybersecurity protections that will collectively address the identified cybersecurity vulnerabilities.