Cybersecurity Requirements for Offshore Facilities Guidance
ABS Group Marine and Offshore Services
MTSA-regulated facilities must implement effective cybersecurity programs following Coast Guard guidance.
A single cybersecurity incident can result in persistent, costly service disruption. Many hackers today seek not only to gain unauthorized access to company data, but to manipulate operational technology (OT) and cause damage or physical disruption to important industrial systems or processes.
In March 2020, the U.S. Coast Guard (USCG) enforced Navigation and Inspection Circular (NVIC) 01-20, confirming that the assessment and planning for cyber vulnerabilities is now a requirement under the nation's Maritime Transportation Security Act (MTSA) regulations for Outer Continental Shelf (OCS) facilities. This NVIC provides guidance to facility owners and operators on complying with the requirements to assess, document and address computer system and network vulnerabilities in accordance with 33 CFR parts 105 and 106 of the MTSA regulations. MTSA regulations require that any cybersecurity vulnerabilities identified in the facility security assessment (FSA) must be addressed in the facility security plan (FSP) or alternative security program.
NVIC 01-20 marks the agency's position on cybersecurity for maritime assets and OCS facilities: assessment and planning for cyber vulnerabilities is now a requirement under existing MTSA regulations.
In NVIC 01-20, USCG points to the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) as the selected guidance for facility cybersecurity assessments and cyber risk management. Originally published by the U.S. Department of Commerce in 2014, NIST CSF sets out a series of outcomes that assist organizations in assessing their cybersecurity maturity and identifying gaps in their cyber systems.
It is therefore important that MTSA-regulated facilities implement effective cybersecurity programs following USCG guidance. For those facilities that have already taken steps to assess their cybersecurity gaps, they must also work to ensure that identified cyber vulnerabilities are properly addressed in their FSP.
Applying a Cyber Risk Framework
During its creation in 2014, the drafters of NIST CSF carefully considered several existing national and international standards compiling best practices from each. The result is a framework that has rapidly gained acceptance and is in use both in the U.S. and internationally.
NIST CSF is a non-prescriptive set of outcomes that, if achieved, result in a secure cyber system. With 23 categories of outcomes and 108 subcategories, all aspects of cybersecurity will be considered during the assessment and implementation phases. NIST CSF is designed to work in any business or industry cyber system and is effective for offshore facilities. Additionally, it is flexible enough to scale up or down depending on the size and complexity of the facility.
To effectively address cybersecurity, consideration must be given to all aspects of facility operations from pre-construction or installation, through the operational stage, and on to recovery should a cyber event occur. Therefore, NIST CSF breaks cybersecurity into five (5) functions: Identify, Protect, Detect, Respond and Recover.
In addition to providing a thorough framework for assessing all cybersecurity systems, NIST CSF aligns with a number of cyber maturity models to provide the end user with a detailed report of vulnerabilities within their cyber system, allowing for effective decision making in determining which vulnerabilities to address first. Not all categories and subcategories of the NIST CSF will apply to every facility, but the framework will help ensure that all functional areas are carefully considered.
Does Your Facility Security Plan Measure Up?
A critical concept in the guidelines available to develop effective cybersecurity is "defense in depth and breadth." This simply means having an in-depth understanding of all the necessary actions a facility must implement to establish and maintain an appropriate level of security, including understanding who will be responsible for managing the cybersecurity program and developing multiple layers of protection and detection measures to carefully monitor your defenses.
It is important to protect critical systems and data with multiple layers of protection measures to increase the probability of detecting a cyber incident. These preventative measures will reduce risk exposure throughout the asset lifecycle.
Through a defense in depth and breadth approach, asset owners and operators are advised to consider a combination of protection and detection layers. These range from the physical security of the facility (in accordance with the FSA and FSP) to network protection and intrusion detection, through penetration testing of cyber controls during the design and construction phases, and also include periodic scanning during operations.
Behind this invisible threat are human factors driving the need for more training in the field of cyber risk management. Whether caused by human error, the revolving nature of staffing an offshore facility, or because a human adversary intentionally targeted an operation, exposure points emerge without a clear path to good cyber hygiene. A comprehensive industrial cybersecurity portfolio is available to help you get started.
Included are custom solutions and training courses to help the marine and offshore industries implement a robust cybersecurity program using the NIST CSF and best practices across industry.