The US Coast Guard addresses how vessel and facility owners and operators can enhance their cyber security by discussing their issues with Coast Guard inspectors, as well as the Area Maritime Security Committees.
Cyber-based technology is used widely in the marine industry, and frequently is associated with critical functions such as propulsion, navigation, cargo control and safety and security monitoring.
The Coast Guard is working to increase our understanding of these systems. This understanding is critical in enabling us to assess and compare both cyber and non-cyber related risks. This information, in turn, enables the service to meet our responsibilities to the public in assuring that those risks are properly managed.
As part of this process, Coast Guard marine inspectors and facility inspectors may ask operators about what cyber systems they employ and what functions they perform. They may also ask operators if they are aware of cyber best practices, such as the NIST Framework, and information provided by DHS CERT and ICS-CERT.
USCG’s goal in these conversations is to raise awareness and promote a mutual understanding of potential cyber risks in the maritime domain. They are not seeking technical, detailed or proprietary information about any organization’s cyber practices. Indeed, few, if any, Coast Guard personnel possess the technical knowledge to evaluate such issues.
Despite any shortfalls in cyber technicalities, like their industry counterparts, USCG facility and vessel inspectors are maritime professionals who understand the potential consequences should a cyber system be deliberately exploited, subjected to the inadvertent introduction of malware or misused. Operator-to-operator discussions between the Coast Guard and industry can help us work together to build a safer, more resilient, marine transportation system.
USCG encourages facility and vessel operators to consider how they can incorporate cyber risks into Safety Management Systems, security plans required by the Maritime Transportation Security Act, as well as other existing systems. Note that these are performance-based systems, in which industry conducts a risk assessment and proposes general mitigation measures without disclosing the details of identified vulnerabilities.
Source: USCG Blog