R 251503Z MAR 14
ALCOAST 122/14
COMDTNOTE 5510
SUBJ: Cyber Security and the Marine Transportation System (MTS), Update 1
A. COMDT COGARD WASHINGTON DC 022017Z AUG 13
B. COMLANTAREA COGARD PORTSMOUTH VA 041351Z NOV 13
C. COMPACAREA COGARD ALAMEDA CA 082335Z NOV 13
D. Executive Order (EO) 13636 Improving Critical Infrastructure
E. Presidential Policy Directive/PPD-21
1. Cyber related vulnerabilities are a growing portion of the total risk exposure facing the Marine Transportation System (MTS). The Coast Guard is working to develop the tools and policies that will enable us to identify, evaluate, and address those risks, and to incorporate those policies into our existing operations and activities. The purpose of this ALCOAST is to provide guidance to Coast Guard field units on emerging tools and policies that address MTS related cyber security risks, and to outline our intentions to grow that capability in the future. Refs (A-C) remain in effect.
2. The Coast Guard ensures the safety, security, and stewardship of the nation's waterways against all threats and all hazards. This includes safety and security measures to protect the MTS, Maritime Critical Infrastructure/Key Resources (MCI/KR), the mariners and workers who operate that infrastructure, and the people who live near and depend on the MTS for their livelihoods. Those security measures have traditionally focused on physical and personnel security. As noted in references (D and E), cyber threats to critical infrastructure continue to grow and represent one of the most serious national security challenges we must confront. Consequently, the Coast Guard must increase our awareness and engagement on cyber vulnerabilities, and work with our partners in industry and government to identify, evaluate, and address cyber security risks. It is important to understand that cyber systems are vulnerable to accidents, unintentional misuse, simple breakdown, and natural disasters as well as deliberate exploitation. In assessing cyber related risks, the all hazards approach of PPD-21 will guide Coast Guard policies.
3. Captains of the Port (COTP), in their role as Federal Maritime Security Coordinators (FMSC), and Area Maritime Security Committees (AMSCs) should consider the risks a cyber incident or attack could have on the MTS, and the potential that a cyber incident could cause a Transportation Security Incident (TSI), as defined by 33 CFR 101.105. Cyber systems can pose an independent risk, or may increase the vulnerability of a physical system or the consequences of a kinetic attack scenario, even where the failure or exploitation of the cyber system itself poses relatively minor risk. For example, access control and CCTV systems often include a cyber component. As the principal maritime public-private collaborative security organization for our waterways, AMSCs should consider how the dependency on cyber systems impacts port risk when conducting Area Maritime Security Assessments and reviewing Area Maritime Security plans, and shall take measures outlined in NVIC 9-02, Change 4 if the COTP and AMSC identify a cyber related scenario as one of the three most likely TSIs to occur within the COTP Zone.
4. The National Institute of Standards and Technology (NIST) recently released the Cyber Security Framework (CSF). It is posted at http://www.nist.gov/cyberframework/. The CSF, one of the key deliverables required by reference (D), was a collaborative effort among a wide group of government and industry experts. While it is NOT a requirement, the Coast Guard strongly encourages vessel and facility security operators to voluntarily review the CSF to determine how it might help them improve their cyber security posture. COTPs should share the CSF widely with industry via AMSCs and other forums. The Coast Guard is seeking general feedback from industry concerning the CSF and its applicability to the MTS. Industry representatives may submit comments to the local COTP or via e-mail to cyberMTS(at)uscg.mil.
5. Vessel and facility operators are NOT required to incorporate cyber risks into their security assessments or security plans at this time, but may do so on a voluntary basis. COTPs should encourage vessel and facility operators to inventory their cyber systems, identify those that could potentially contribute to a TSI, and evaluate the degree to which such systems are protected from attack, misuse, or failure. In many cases, manual backups, training employees/crew on basic cyber practices such as use of passwords and flash drives, and similar non-technical mitigation measures may be sufficient and will increase the resiliency of the MTS. In discussing the CSF and related voluntary cyber security measures, which we cannot mandate at this time, COTPs should encourage facility and vessel operators to work with both their security and IT personnel. The Coast Guard has not yet developed policies or job aids that guide vessel and facility security officers on how to methodically identify, evaluate, and address cyber risks, or to select recognized alternatives for addressing those risks. As the Coast Guard develops such policies, it will do so with MTS stakeholders and provide opportunities for public comment. Additionally, the Coast Guard will be looking to develop greater cyber workforce competencies to facilitate expanded engagement with the maritime industry.
6. There are a number of resources available that can help industry address cyber risks, including post incident assistance from ICS-CERT. A list of these resources is available at www.homeport.uscg.mil. The Cybersecurity page is accessed by clicking on cybersecurity along the left hand side of the missions tab of the Homeport home page.
7. Reference (A) noted that Coast Guard regulations require MTSA regulated vessels and facilities to report suspicious activity, breaches of security, and TSIs in accordance with 33 CFR 101.305. These requirements apply equally for cyber and non-cyber related incidents, provided the activity has a plausible link to the MTS portion of a facility, could lead to a TSI, or is otherwise related to systems, personnel, and procedures addressed by facility and vessel security plans. Attacks or unexplained failures of industrial control and SCADA systems with connections to the MTS do fall in this category. COTPs should encourage FSOs and VSOs to report incidents to the NRC whenever they are in doubt. There have been recent cyber related events that facilities have reported. These actions should be lauded for improving maritime cyber security awareness.
8. COTPs should consider the following in preparing for and responding to cyber incidents in the MTS:
a. Ensure vessel inspectors, facility inspectors, Port Security Specialists, Command Center personnel, and other appropriate personnel are familiar with the contents of this message.
b. Ensure vessel and facility operators, security officers, and IT staff are aware of the resources and services described in this message, and encourage them to consider voluntarily adopting appropriate provisions of the CSF and other standards to reduce their vulnerability.
c. CG-FAC, CG CYBERCOM, and CG-741 are developing a standard MTS Cyber incident QRC for use by Command Centers. For known or suspected cyber attacks on the MTS, COTPs shall notify CGIS and other local port partners in accordance with their Area Maritime Security Plan. Units are also strongly encouraged to notify CG CYBER. CG CYBER can assist field units with evaluating technical matters relating to cyber events and their potential impact on the MTS, and may have intelligence relating to the activity occurring at other critical infrastructure(s) or on DOD/DHS networks. This reporting aids in creating cyber situational awareness for the maritime domain. The Coast Guard Cyber Security Operations Center (CSOC), CG CYBER's 24-hour coordination hub, can be reached at (703) 313-5678. Additional information can be found on the CG Portal site identified below.
d. Units can provide non-technical assistance, help criminal investigators understand how the attack impacted the MTS, and may require the vessel or facility operator to implement alternative security or safety procedures needed to address remaining risks.
e. Coast Guard response actions to a known or suspected cyber attack on the MTS should be discussed by the AMSC, and should include the full range of activities typically considered to decrease vulnerabilities, increase protection and deterrence, and mitigate consequences from conventional attacks and natural disasters. These may include, as applicable, directing the vessel or facility operator to implement security measures outlined in their VSP or FSP, increased patrols by Coast Guard and other port partners, establishing a unified command and incident action plan, and potential changes in MARSEC level.
f. In contrast to physical attack scenarios, the nature and impact of some cyber attack scenarios may be difficult to discern, even for the affected facility or vessel. COTPs should work with intelligence and law enforcement partners (like the FBI or DHS Protective Security Advisors) to gain the best understanding of an incident. While in some situations immediate response actions may be required, in others, a more deliberative approach may be appropriate to avoid unintended disruptions to the MTS.
g. When preparing for and responding to significant disruptions to the MTS, COTPs should consider cyber attacks within the construct of all-hazard all-risk MTS Recovery plans.
h. Coast Guard units may view additional material for internal CG use at: https://cglink.uscg.mil/5PMCWGPortal and https://cgportal2.uscg.mil/units/cybercom/MCIKR/default.aspx
9. The Commandant of the Coast Guard directed appropriate Headquarters Directorates to develop a Coast Guard Cyber Strategy. This strategy will inform the development of additional programs and policies needed to accomplish the technical, resource, training, and policy tasks the Coast Guard must complete to incorporate cyber into all our mission support and mission execution activities. We are coordinating closely with DHS and other government agencies to leverage each agency's expertise and programs and to avoid conflicts and duplications. As described in paragraph (5), we will work with stakeholders and provide opportunities for public comment on all actions that may affect the private sector.
10. The Winter 2014-2015 edition of The Coast Guard Proceedings publication will focus on cyber. Coast Guard units, industry, academic, and other government agency partners wishing to submit an article on cyber should contact Commander Wong no later than 4 April, 2014 with a proposed topic and author.
11. This message was developed through the collaborative efforts of CG-2, CG CYBER, and CG-5P. Questions regarding this message should be directed to Captain Andrew Tucci, CG-FAC, Andrew.E.Tucci(at)uscg.mil or Commander Nick Wong, Nicholas.L.Wong(at)uscg.mil.
12. RDML J.A. Servidio, Assistant Commandant for Prevention Policy and RADM R. E. Day, Commander Coast Guard Cyber Command send.
13. Internet release authorized.