The US Coast Guard released the Maritime Cybersecurity Assessment & Annex Guide (MCAAG), to help Maritime Transportation Security Act (MTSA)-regulated facilities and other Marine Transportation System (MTS) stakeholders address cyber risks.
This voluntary guide serves as a resource for baseline cybersecurity assessments and plan development, particularly the Facility Security Assessments (FSA) and Facility Security Plans (FSP) required by MTSA.
The MCAAG may also be a resource for Area Maritime Security Committees in assessing overall port area cybersecurity risk and in developing cyber annexes for Area Maritime Security Plans. It is also useful for any other MTS stakeholders interested in conducting a baseline cybersecurity risk assessment, developing plans, and continually improving existing plans.
#1 Identify a Cybersecurity Officer
Creating a Cyber Annex requires a thorough understanding of the cyber-enabled systems that affect facility security, the networks those systems are connected to, the cyber threats that affect those systems and networks, and the cyber protections available to the facility.
It is recommended that a Cybersecurity Officer (CySO) be identified to support the FSO throughout the Cyber Annex development process. The CySO may be a single person, a group of people, or the FSO. The guidance provided in the MCAAG is intended to aid FSOs in their collaboration with a CySO to produce the Cyber Annex.
Portions of this guide, particularly the technical aspects, assume a CySO with the appropriate cybersecurity experience has been identified and is a part of the Cyber Annex development process.
#2 Determine Scope
Facility security processes and functions are increasingly reliant on computers or computer-based systems, such as networked video monitors and electronic badge systems.
Typically, these systems are attached to networks. If those networks are connected to the internet, even indirectly, cyber attackers can penetrate the facility's networks and subvert the facility's security processes and functions by disabling or altering the systems they rely upon.
When a physical vulnerability involves one or more cyber-enabled systems, there is a challenge in determining the scope of any cybersecurity plan to protect those specific systems.
Most cyberattacks on facilities involve an attacker gaining initial entry to a facility network through a system that connects to the internet and then moving internally from system to system until the targeted system is compromised.
Thus, there is a strong argument that any plan to protect a particular system depends on the protection plan for the entirety of the facility's networks.
The recommended approach to determine the scope of the cybersecurity protections contained in the Cyber Annex is as follows:
#3 Establish Cybersecurity Vulnerability Definition
It is strongly recommended that the FSO and CySO establish and agree upon an approach to define and identify cybersecurity vulnerabilities in the context of the FSA and that this approach is reviewed and endorsed by the facility’s senior leadership and relevant risk managers.
It is recommended that the facility have a formal risk management process by which senior leaders and risk managers can describe acceptable and unacceptable levels of risk and through which the definition of FSA-related cybersecurity vulnerabilities can be determined.
Two observations may be helpful:
To create a Cyber Annex to support an FSP, it is recommended that cybersecurity vulnerability be defined at the program and policy levels, not at the individual system configuration or patch level. For example, if one or more systems critical to the security of the facility are not correctly patched, then possible vulnerabilities to address in the Cyber Annex might include:
#4 Determine the Cybersecurity Vulnerabilities for the FSA
After the FSO and CySO have determined how to define cybersecurity vulnerabilities, effective identification of vulnerabilities can be done in three steps:
#5 Create Remediation Plans
Each vulnerability addressed in the Cyber Annex should be accompanied by a plan to remediate it. Just as it is recommended to describe vulnerabilities at the programmatic, policy, and procedure levels, it is recommended that protections be articulated at the same level.
For the purpose of the MCAAG, the term cybersecurity protection is defined as a discrete unit of a facility's cybersecurity protection plan. Examples of cybersecurity protections include, but are not limited to, cybersecurity:
#6 Create the Cyber Annex
The recommended Cyber Annex template is structured as follows:
Source: Safety4Sea