The Coast Guard this month began deploying inspectors to maritime facilities nationwide to ensure that the maritime transportation entities are integrating cybersecurity into their plans, part of the service’s efforts to operationalize its responsibilities in helping to protect the maritime transportation system from cyber threats, a Coast Guard officer said on Thursday.
The Coast Guard’s Cyber Command is also starting to get out to U.S. ports to conduct assessments, give feedback and develop products on gain a “better baseline understanding of where our vulnerabilities and risks are,” Capt. Andrew Meyers, chief of the Office of Port and Facility Compliance, said during a virtual meeting of the inaugural meeting of the National Maritime Security Advisory Committee (NMSAC).
In addition to the efforts by facilities inspectors and Cyber Command, Meyers said that Area Maritime Security Committees across the U.S. are working with their members to ensure that cybersecurity is part of their plans, that they are exercising these plans, and sharing threat information across all federal, state and local government partners and with industry. Membership on the committees in each area consist of government officials at all levels, local public safety and emergency response agencies, maritime industry, and other port stakeholders.
The Coast Guard is also hiring cybersecurity officers at its dozens of captains of the port zones, district office and area commands to coordinate cybersecurity functions, he said.
The ongoing inspections, assessments and hiring are all part of operationalizing the Coast Guard’s new Cyber Strategic Outlook, which was published in August, that includes protecting the maritime transportation system (MTS) as one of the key lines of effort, Meyers said.
The NMSAC met to organize its leadership and begin considering its first tasks from the Coast Guard, which include receiving industry input on cybersecurity vulnerability assessments that are currently being done by the marine industry, and obtain recommendations and feedback on the Maritime Cyber Risk Analysis Model (MCRAM), which is required to be consistent with a voluntary cybersecurity framework developed by the National Institute of Standards and Technology, the private sector and other partners.
The MITRE Corp. has already provided a proof-of-concept MCRAM to the Coast Guard and is now working on a broader model for applying to maritime transportation stakeholders, Meyers said. The model will help MTS stakeholders “develop baseline cyber assessments and support their facility security assessments and facility security plans,” he said.
A third task that the Coast Guard hopes to give the NMSAC in early December relates to the sharing of cyber threat information to address cybersecurity threats. Meyers said there is little in the way of required information sharing now, although there is a lot of voluntary sharing happening.
Some feedback already is that there are “frustrations” within industry that it provides the government with threat information but doesn’t share back in a “timely way” on findings, actions being taken, and with information that is actionable for stakeholders to better defend themselves, Meyers said.
“The tasks are work we need to grow into as we try to shape the Coast Guard’s position on cybersecurity,” he said.
The focus of the NMSAC is not just on cybersecurity but the issue is a priority for the Biden administration and federal government, which is why the Coast Guard wants to begin in this area, Meyers said. He added that the White House National Security Council is interested in receiving “impact assessments” about cyber incidents on the MTS and as part of the “larger economy.”
The Department of Homeland Security has already done cyber sprints related to ransomware and the workforce and is in the middle of a sprint on transportation security, Meyers said. This week, the Secretaries of Homeland Security and Transportation held a CEO-level roundtable with the maritime industry to discuss how their respective departments can better communicate with industry on their intentions related to cybersecurity and ways to improve communications and information sharing around cybersecurity, he said.