Cybersecurity Requirements for US Port and Marine Terminal Facilities
By Matt Mowrer, Director of Applied Technology and Data Analytics at ABS Group
Recent high-profile cyber attacks have shown that U.S. port and maritime terminals are not immune from this emerging threat. Marine asset/facility owners and operators must now manage cyber risk as well as other major threats, such as physical security, natural disasters and industrial accidents, to maintain safer, more efficient operations. Through our technical advisory services and industry research efforts, we are assisting the marine industry with designing cybersecurity programs, which are tailored to port/marine terminal operations and requirements, in order to facilitate compliance with new cybersecurity policy guidance.
Implications of the 2017 USCG Cyber Strategy/Policy
The U.S. Coast Guard (USCG) recognized the emerging cyber threats to its regulated community, and in response, issued new draft guidance in July 2017 for regulated port and marine facilities in an effort to safeguard critical infrastructure and port operations. The USCG Navigation and Vessel Inspection Circular (NVIC) 05-17 titled "Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act (MTSA) Regulated Facilities" directs regulated marine facilities to include cybersecurity in their facility security assessments and address any vulnerabilities in their facility security plans. Since the plans are focused on reducing risks associated with safety, port disruption and environmental concerns, a traditional IT-centric cybersecurity assessment may not suffice. Rather, a comprehensive approach that assesses IT and OT may be needed.
The policy recommends implementing a cybersecurity program that includes:
- establishing a cyber risk management team, policies and programs
- identifying critical systems based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)
Guidance for Implementing Cybersecurity Programs
Our marine cybersecurity experts can help plan a course of action to (1) proactively manage cyber risk to your networks and assets and (2) comply with the latest USCG policy guidance. ABS Group has a unique understanding of marine terminals and their associated facilities to provide guidance on a broad range of threats that can impact operations. We apply more than 40 years of experience working with the marine industry and regulators to help contextualize and prioritize cyber threats across the enterprise risk portfolio.
Our experience includes researching and assisting with the development of a wide range of cyber security best practices and standards for both IT and OT systems. While we have published our own cybersecurity guidance, our team can help organizations choose the most appropriate standard(s) on which to build their cybersecurity programs based on the nature of their operations. We have mapped the requirements of numerous other standards to the NIST CST to enable demonstration of compliance with the new policy guidance, including:
- ISO 27001: Information Security Management Standard
- NIST SP 800-82: Guide to Industrial Control Systems Security
- ISA 62443: Industrial Network and System Security
- ABS Guidance Notes on the Application of Cybersecurity Principles to Marine and Offshore Operations
- NIST Maritime Bulk Liquids Transfer Cybersecurity Framework Profile
- Control Objectives for Information & Related Technology (COBIT) 5 A Business Framework for the Governance and Management of Enterprise IT
As the maritime industry grows increasingly competitive, ports and marine terminals turn to risk management now more than ever for opportunities to improve performance. Leveraging our research and years of experience, we help our port clients assess their exposure to a wide variety of risk – including safety, security, environmental and enterprise – by identifying threats, vulnerabilities and consequences to personnel, assets, operations, critical infrastructure and the surrounding environment. Due to our extensive background in the marine industry working with our parent organization, American Bureau of Shipping (ABS), together with our risk management expertise, our Safety, Risk and Compliance and Government advisors are uniquely qualified to work with port and marine terminal facility operators to identify, prioritize and mitigate cybersecurity risk.
Through a joint research project with ABS, we are leading research efforts on behalf of U.S. government authorities to analyze cybersecurity in the marine industry and build a comprehensive risk framework for U.S. port and marine terminal facilities.
To share this information, use the email option below or download our Cybersecurity Requirements for US Port and Marine Terminal Facilities Factsheet.