United States Coast Guard Office of Port and Facility Compliance (CG-FAC) Cybersecurity and the Marine Transportation System.


1 United States Coast Guard Office of Port and Facility Compliance (CG-FAC) Cybersecurity and the Marine Transportation System

2 Overview
- Coast Guard Cyber Security Strategy
- Cyber Security Framework (CSF)
- What does it mean for Industry?
- Cyber Suspicious Activity/Cyber Incident Reporting
- Cyber Security Resources
- Q & A

3 USCG Cyber Security Strategy
USCG Cyber Security Strategy has three parts:
- Computer Network Defense: protecting internal Coast Guard networks
- Decision Advantage: using intelligence to enhance Coast Guard missions
- MTS Cyber Security

The first two are simpler because they are entirely within the Coast Guard's control. The third piece is the most complex and dynamic part because it could involve proprietary systems, quickly evolving technologies and global supply chain implications.

4 USCG Cyber Security Strategy
MTS Cyber Security incorporates cyber aspects across USCG missions:
- Assessments
- Standards
- Response

This third piece is the most complex and dynamic part because it could involve proprietary systems, quickly evolving technologies and global supply chain implications. There are three main categories:

Assessments: Establishing where your company is and where it needs to be is the basic foundation for any short- and long-term plan.

Standards and regulations: There are currently none that the Coast Guard enforces. If and when it does develop policies and regulations, it will include engagement and input from domestic and international maritime stakeholders. The Coast Guard understands that with industry collaboration and cooperation, policies and regulations will always be better. It will also provide avenues for public comment to ensure there is transparency.

Response: Work with our partners to take initial actions, investigate and take appropriate action.

5 Cyber Security Framework (CSF)
CSF consists of established and widely accepted IT industry:
- Standards
- Guidelines
- Best Practices

Adoption is NOT mandatory, but PROMOTED by USCG.

Requires interface between Operations and IT leadership and management to effectively adopt.

CSF adoption occurs when an organization uses the framework as a key part of its systematic process to ID, assess, prioritize, and/or communicate cyber risk.

The NIST Cybersecurity Framework (CSF) will consist of standards, guidelines, and best practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the framework will help owners and operators of critical infrastructure to manage cybersecurity-related risk while protecting business confidentiality, individual privacy and civil liberties.

To promote cybersecurity practices and develop these core capabilities, DHS worked with critical infrastructure owners and operators to create a Cybersecurity Framework, a set of core practices that industry can use to develop cybersecurity risk-management capabilities. The Framework lays out the known practices that many firms already follow, in part or across the enterprise, and across a wide range of sectors. Was released on Feb and was a collaborative effort among a wide group of government and industry experts.

The Coast Guard has had discussions with some industry partners and learned that some organizational cultures separate security from their IT workforce. The Coast Guard encourages high levels of cooperation from the executive level to the field for cyber to become another aspect of security.

6 CSF Adoption Tools
Cyber Security Assessment Tools

Cyber Resiliency Review (CRR) is a DHS assessment tool that measures the implementation of key cyber security capacities and capabilities. The goal of the CRR is to ensure that core process-based capabilities exist, are measurable, and are meaningful as predictors for an organization's ability to manage cyber risk. For more information about the CRR, contact the DHS Computer Security Evaluation Program (CSEP) at

Cybersecurity Capability Maturity Model (C2M2) is a self-administered or facilitated mechanism to evaluate, prioritize, and improve cyber security capabilities. The model enables organizations to score their cyber security practices against the model process. Scores are used to determine risk tolerance for each domain and influence organizational efforts to improve scoring, thus improving cyber security. This model is based on the electricity subsector's model. Coast Guard is working with the Dept of Energy to retool the model for the maritime industry.

Cybersecurity Evaluation Tool (CSET) is a desktop software tool that guides users through a step-by-step process for basic assessment of the cyber security posture of their industrial control system and enterprise information technology networks. CSET is available for download or in DVD format. To learn more or download a copy, visit To obtain a DVD copy, send an e-mail with your mailing address to

These are some of the tools available that industry can use to assess where it is and how to get where it wants to be.

7 What does this mean to industry?
Recommends:
- Weighing cyber risks into assessments
- Take advantage of the tools that are available to you
- Make your concerns known to the Coast Guard and DHS
- Stay proactive!

Even though there are no requirements, taking an active stance IRT cyber provides many benefits. The Coast Guard views cyber security as one of many threat vectors that the MTS faces and one that industry should consider in its daily and long-term business plan.

The Coast Guard strongly urges commercial vessel and facility operators to consider cyber-related risks in their operations, and the potential risk that a cyber incident could cause a TSI, or which would adversely affect vital safety and security systems. Cyber systems present unique risk assessment challenges that are not present in more traditional physical and personnel-related risks.

The Coast Guard has not developed specific requirements, policies that guide vessel and facility security officers to consistently identify, evaluate and address cyber risks, or well-recognized alternatives for addressing those risks. Accordingly, vessel and facility operators are not required to incorporate cyber risks into their security assessments or security plans at this time, but may do so on a voluntary basis. If and when the Coast Guard develops such policies, it will do so with the cooperation of MTS stakeholders and provide opportunities for public comment.

Until such policies are in place, the Coast Guard encourages vessel and facility security officers to improve their knowledge about their own cyber systems and how they might mitigate known or suspected vulnerabilities that might contribute to a TSI. There are a number of resources available that can help industry address these risks, including post-incident assistance from ICS-CERT.

8 Cyber Suspicious Activity/Incident Reporting & Mitigation
- Report Cyber suspicious activity and security incidents (breaches of security) to the NRC at or
- Reporting is REQUIRED for incidents meeting the definition in CFR
- Industry can seek assistance from US-CERT or ICS-CERT for reducing the opportunity for & mitigating cyber attacks

The Coast Guard understands that industry can be hesitant to report a cyber incident because of business implications. There is a distinction in how a report of a pollution event is treated compared to a security incident. Laws and regulations are in place to safeguard SSI and PCII information from improper disclosure.

Report: It is important to follow existing regulations when it comes to reporting incidents. There are thousands of unsuccessful attempts to hack into firewalls. While it is important to realize those things are going on, that is something the Coast Guard cannot take action on and probably shouldn't be reported to the NRC. Nor should spam e-mails to invest in the latest scam. But if in doubt, please report it.

When reporting required incidents such as a marine casualty, pollution event or event that could lead to a TSI and you feel there is a cyber nexus to it, it is critical that you make that distinction, so we can treat that report properly and get the information out to the right partners.

9 Questions? cyberCIP@uscg.mil USCG - MTS Cyber Security
On behalf of the Coast Guard, I would like to thank you for your efforts not only to make your company and agency safe and secure, but especially for the time you volunteer and dedicate to making your AMSC more resilient and prepared for all threats and all hazards.

