2016 TRB Annual Meeting
Cyber Risk Management
CAPT Verne Gifford (CG-5PC)
Quote from Rear Admiral Paul Thomas, Assistant Commandant for Prevention Policy

“There were questions from the audience about timelines and incentives that I’d like to address. The Coast Guard just recently conducted a study about the cost burden to industry of all the regulations that we have published since 1973. We found that 88% of the entire cost burdens of all regulations, over all those years, were due to two regulations, OPA 90 and MTSA. Both of these regulations followed predictable disasters. The lesson learned should be that we should not wait for an incident to occur that will make us move forward on reactive, more expensive, regulations; we need to be proactive in approaching this. We are here to have a discussion with industry so we can develop a standard together, one that works and is reasonable in terms of the cost benefit. If we wait until an incident occurs, that opportunity goes away.”

https://www.youtube.com/watch?v=rzOVc1ZOuvY&feature=player_embedded#t=9568
Why Cyber Risks Matter

• Loss of PII
• Loss of intellectual property
• Direct and indirect financial loss
• Reputation loss
• Threat to human life/injury
• Harm to the marine environment
• Harm to property
• Disruptions to the MTS

The Coast Guard’s mission is to address these risks – whether from cyber or other sources.
What Makes Cyber Risk Special?

• Vulnerability increases with every new device
• Threat is unlimited
• Likelihood of an incident is near certain
• Detection is a factor
• Rapidly growing portion of our total risk exposure
Cyber Security Risk Model

All activities must take place against a backdrop of the training, education, and policies needed to promote a culture of cyber security.

The model on the slide reads left to right: attack types are met by prevention/protection measures; if those fail, a SYSTEM FAILURE occurs, which mitigation measures are meant to contain before it produces the impacts listed.

Various Attack Types:
• APT/Organized Crime
• Hacktivists
• Insider Threats
• Technical Error

Prevention/Protection Measures:
• Technical controls
• Policy controls
• Physical controls
• Defense in depth

SYSTEM FAILURE

Mitigation Measures:
• Recovery & Continuity of Business Planning
• Manual Back ups
• Notifications & Communications
• Exercises & Contingency Plans

Impacts:
• MTS Disruption
• Environmental
• Property Damage
• Human life, safety, health
United States Coast Guard Cyber Strategy
Cyber Strategy

Three Strategic Priorities
1. Defending Cyberspace
2. Enabling Operations
3. Protecting Infrastructure
3. Protecting Infrastructure

• Goal 1. Risk Assessment – Promote Cyber Risk Awareness and Management
• Cyber Security Assessment & Risk Management Approach

• Goal 2. Prevention – Reduce Cybersecurity Vulnerabilities in the MTS.
Ongoing Initiatives

• Working with NIST to develop MTS Implementation Guide
• Review existing policy for cyber updates
• Drafting NVIC for domestic policy
• IMO Proposal
• Standardize terms/definitions
• Clarify notification procedures
• Collaboration with the NIST CCOE
• Evaluate guidance & tools for industry on risk reduction processes
NIST Collaboration on MTS Profile

By creating a Subsector level Cybersecurity Framework Profile, we are:
• Minimizing future work by each organization
• Decreasing the chance that organizations accidentally omit a requirement
• Reducing errors due to varying interpretations
Profile: Cybersecurity Framework Component

Framework Core functions: Identify, Protect, Detect, Respond, Recover

Ways to think about a Profile:
• A customization of the Core for a given sector, subsector, or organization
• A fusion of business/mission logic and cybersecurity outcomes
• An alignment of cybersecurity requirements with operational methodologies
• A basis for assessment and expressing target state
• A decision support tool for cybersecurity risk management
Industry Engagement

USCG is engaging with multiple industry groups on cyber:
• Held a Public Meeting on January 15: 100 in attendance, 300 watched online
• Purpose of outreach is to develop guidelines for industry
• Working with FACA committees to address cyber concerns (NMSAC, NOSAC)
• Actively involved in industry IT Subcommittees (AAPA, API)
• Transportation Systems Sector Cyber Working Group (TSS-CWG)
IMO Proposal

In January 2016, submitted a paper to IMO proposing the development of guidelines on managing cyber related risks in the maritime

The paper proposed:
• Establish procedures to identify & evaluate cyber related risks.
• Establish procedures to reduce the vulnerabilities through well-recognized practices, including training.
• Establish procedures to reduce the potential consequences of a cyber attack or incident by promoting recovery and resilience.
• Establish procedures to incorporate the risk assessment and mitigation process into vessel and port facility security plans, or into other recognized protocols.
Academia Engagement

USCG is collaborating with academia and DHS University Programs to:
• Identify Recommended Practices
• Support Research for the Maritime Community
• Ensure USCG Policies reflect the latest knowledge of cyber risks and technology
Available resources

• https://homeport.uscg.mil/
• http://www.nist.gov/cyberframework/
• https://www.us-cert.gov/
Thank You for your time!

Questions?

Further inquiries:
LCDR Josh Rose
Joshua.d.rose@uscg.mil
202-372-1106