The US Coast Guard released the Maritime Cybersecurity Assessment & Annex Guide (MCAAG), to help Maritime Transportation Security Act (MTSA)-regulated facilities and other Marine Transportation System (MTS) stakeholders address cyber risks.
This voluntary guide serves as a resource for baseline cybersecurity assessments and plan development, particularly the Facility Security Assessments (FSA) and Facility Security Plans (FSP) required by MTSA.
The MCAAG may be also a resource for Area Maritime Security Committees in assessing overall port area cybersecurity risk and development of cyber annexes of Area Maritime Security Plans and is useful for any other MTS stakeholders interested in conducting a baseline cybersecurity risk assessment, developing plans, as well as the continued improvement of existing plans.
#1 Identify a Cybersecurity Officer
Creating a Cyber Annex requires a thorough understanding of the cyber-enabled systems that affect facility security, the networks those systems are connected to, the cyber threats that affect those systems and networks, and the cyber protections available to the facility.
It is recommended a Cybersecurity Officer (CySO) be identified to provide support to the FSO during the entirety of the Cyber Annex development process. The CySO may be a single person, a group of people, or the FSO. The guidance provided in the MCAAG is intended to aid FSOs in their collaboration with a CySO to produce the Cyber Annex.
Portions of this guide, particularly the technical aspects, assume a CySO with the appropriate cybersecurity experience has been identified and is a part of the Cyber Annex development process.
#2 Determine Scope
Facility security processes and functions are increasingly reliant on computers or computer-based systems, such as networked video monitors and electronic badge systems.
Typically, these systems are attached to networks. If these networks are attached to the internet, even in an indirect manner, cyber-attackers can penetrate the facility’s networks and subvert the facility’s security processes and functions by disabling or altering the systems they rely upon.
When a physical vulnerability involves one or more cyber-enabled systems, there is a challenge in determining the scope of any cybersecurity plan to protect those specific systems.
Most cyberattacks on facilities involve a cyber attacker making an initial entry on a facility network by way of a system that connects to the internet and then moving internally from system to system until they can compromise the targeted system.
Thus, there is a strong argument to be made that any plan to protect a particular system relies on the protection plan for the entirety of the facility’s networks.
The recommended approach to determine the scope of the cybersecurity protections contained in the Cyber Annex is as follows:
- Identify all cyber-enabled systems associated with physical security controls or physical vulnerabilities
- Identify the networks these systems attach to. If two networks have a physical network connection between them, consider them to be a single network (even if there are robust boundary protections such as firewalls between them). Note, for many facilities, there will be only one network
- When describing cybersecurity protections to remediate vulnerabilities, describe the plan to protect the network the associated systems operate on
#3 Establish Cybersecurity Vulnerability Definition
It is strongly recommended that the FSO and CySO establish and agree upon an approach to define and identify cybersecurity vulnerabilities in the context of the FSA and that this approach is reviewed and endorsed by the facility’s senior leadership and relevant risk managers.
It is recommended that the facility have a formal risk management process by which senior leaders and risk managers can describe acceptable and unacceptable levels of risk and through which the definition of FSA-related cybersecurity vulnerabilities can be determined.
Two observations may be helpful:
- NVIC 01-20 asserts that “It is up to each facility to determine how to identify, assess, and address the vulnerabilities of their computer systems and networks.”
- “Cybersecurity vulnerability” is a flexible concept that can be understood at the programmatic and policy level, the system design and configuration level, and all the way down to the level of individual exploitable software flaws in an operating system or application.
To create a Cyber Annex to support an FSP, it is recommended that cybersecurity vulnerability be defined at the program and policy levels, not at the individual system configuration or patch level. For example, if one or more systems critical to the security of the facility are not correctly patched, then possible vulnerabilities to address in the Cyber Annex might include:
- The facility does not have a defined patching policy
- The facility does not have defined patching procedures and/or assigned personnel
- The facility’s patching procedures are not fully implemented
#4 Determine the Cybersecurity Vulnerabilities for the FSA
After the FSO and CySO have determined how to define cybersecurity, effective identification of vulnerabilities can be done in three steps:
- Step 4(a): Assemble a team of subject matter experts with adequate knowledge of the facility’s physical security, IT, OT, and cybersecurity operations
- Step 4(b): Collect sufficient organizational information to ensure the cybersecurity vulnerability assessment team has adequate visibility and awareness
- Step 4(c): Collaboratively compile a list of cybersecurity vulnerabilities and crossreference them to the physical security vulnerabilities in the FSA
#5 Create Remediation Plans
Each vulnerability addressed in the Cyber Annex should be accompanied by a plan to remediate it. In the same way, it is recommended to describe vulnerabilities at the programmatic, policy, and procedure levels, it is recommended protections be articulated at the same level.
For the purpose of the MCAAG, the term cybersecurity protection will be defined as a discrete unit of a facility’s cybersecurity protection plan12. Examples of cybersecurity protections include, but are not limited to cybersecurity:
- Program capabilities
- Policies
- Procedures
#6 Create the Cyber Annex
The recommended Cyber Annex template is structured as follows:
- List the physical security vulnerabilities from the FSA and FSP with identifiers;
- List the cybersecurity vulnerabilities to be addressed in the Cyber Annex with identifiers;
- List the cybersecurity protections that will collectively address the identified cybersecurity vulnerabilities.