Proceedings Of The Marine

WIN 2015

Proceedings magazine is a communication tool for the Coast Guard's Marine Safety & Security Council. Each quarterly magazine focuses on a specific theme of interest to the marine industry.

Issue link: https://uscgproceedings.epubxp.com/i/436751

Winter 2014 – 2015 Proceedings www.uscg.mil/proceedings

Legal Authority

Coast Guard personnel can draw upon various authorities to effectively prevent cyber attacks and accomplish cybersecurity framework goals.

The Maritime Transportation Security Act of 2002

Congress passed the Maritime Transportation Security Act (MTSA)[1] of 2002 in response to the large-scale, nationwide vulnerabilities that were exposed by the 9/11 attacks, with the goal to improve the physical and personnel security standards for ports, facilities, and vessels.[2]

MTSA focuses on prevention and response to transportation security incidents (TSIs), which are security incidents resulting in a significant loss of life, environmental damage, transportation system disruption, or economic disruption in a particular area.[3] U.S. facilities and vessels are required to conduct security assessments and implement security plans to address how they will deter a transportation security incident to the maximum extent practicable.[4] The security plan must address how the facility or vessel will communicate with the federal government in the event of a security incident and include provisions for: maintaining physical, passenger, cargo, and personnel security; controlling access to security areas of the vessel or facility; and maintaining communications within the facility or vessel and with first responders.[5]

The Coast Guard implemented the Maritime Transportation Security Act through regulations in 33 CFR Subchapter H — Maritime Security.[6] Cybersecurity is not specifically mentioned in MTSA or its regulations; however, many of the terms and requirements in MTSA and its regulations do encompass cybersecurity issues and cyber events.

The reporting requirements in 33 CFR § 101.305 illustrate this. Facility and vessel personnel are required to report suspicious activities, breaches of security, and TSIs immediately to the Coast Guard. Suspicious activities are described as those activities that may result in a transportation security incident,[7] and a breach of security is an incident that, although it has not resulted in a TSI, security measures have been circumvented, eluded, or violated.[8]

The same holds true for vessel security assessments, which must evaluate many potential vulnerabilities, including the actual or potential vessel access points, the overall threat assessments for areas in which the vessel operates, security and safety equipment, communications systems, surveillance systems, and access control systems.[9] This also applies to outer continental shelf facilities, which have proven to be vulnerable to cyber attack, due in part to their increased automation, which often includes wireless network access between shore operations and the facility.[10]

Although the Maritime Transportation Security Act does not prescribe specific measures that vessel and facility operators must take to protect cyber networks from attack, it does require that vessel and facility operators undertake the necessary measures to prevent transportation security incidents.

Many other parts of MTSA regulations address areas that are increasingly dependent on computer technology and are potentially vulnerable to cyber attack. For example, the Maritime Transportation Security Act requires vessel and facility operators to implement security measures for cargo handling that will deter tampering, prevent cargo not meant for carriage from being accepted and loaded, and identify cargo that is approved for loading on vessels.[11]

In 2011, two major container terminals in Belgium were infiltrated by hackers who manipulated data about cargo containers to ship large quantities of drugs.[12] In that case, the hackers physically intruded the facilities and installed keystroke loggers onto terminal operating systems using USB drives.[13] In the future, it is not difficult to imagine a scenario where this level of intrusion is achieved without ever physically encountering the computer terminals being hacked.[14] Therefore, it is imperative that vessel and facility operators consider the cyber vulnerabilities of these systems.

Magnuson Act

First passed by Congress in 1950, the Magnuson Act authorizes the president to "safeguard against the destruction, loss, or injury from sabotage or other subversive acts," and from accidents to "vessels, harbors, ports, and waterfront facilities."[15]

As directed by President Johnson's EO 11249, the regulations of the Magnuson Act were amended in 1965 to allow the captain of the port (COTP) to control or limit any "person, article, or thing" from gaining access to any vessel or maritime facility if such person, article, or thing is considered to be a danger to the safety and security of the involved vessel or waterfront facility.[16]

The Magnuson Act also allows the COTP to establish a security zone around any affected or potentially endangered vessel or waterfront facility when such a threat exists, and prohibits any person or object from entering a security zone without captain of the port permission.[17] Further, the Commandant of the Coast Guard has the ability under the Magnuson Act to prescribe safety and security measures for vessels in port and waterfront facilities as he or she finds to be necessary to maintain vessel or facility security and safety.[18]

Under these provisions, a cyber attack or intrusion would certainly qualify as a potential danger and threat to a vessel or waterfront facility. An individual conducting a cyber attack against a facility by introducing a virus into a vessel's control

continued on page 10
