A few months after a ransomware attack at a Maritime Transportation Security Act-regulated facility shut down operations for 30 hours, the Coast Guard today announced the issuance of new guidelines for confronting cyber risks at MTSA-regulated facilities.
“The cyber landscape in the Marine Transportation System (MTS) is continually evolving,” said the commandant’s notice. “Cybersecurity, safety, and risk management are of utmost importance as computer systems and technology play an increasing role in systems and equipment throughout the maritime environment.”
The USCG said it “worked closely with industry and other government agencies to provide guidance on complying with cybersecurity requirements,” work that led to the release of REF (A).
“This NVIC provides guidance to facility owners and operators on complying with the requirements to assess, document, and address computer system and network vulnerabilities,” the notice continued. “In accordance with 33 CFR parts 105 and 106, which implement the MTSA of 2002, regulated facilities (including Outer Continental Shelf facilities) are required to assess and document vulnerabilities associated with their computer systems and networks in a Facility Security Assessment (FSA). … This NVIC is intended to assist regulated facility owners and operators in updating FSPs/ASPs to comply with the existing MTSA regulations. This guidance is intended to assist owners and operators in identifying computer systems and networks vulnerabilities which could cause or contribute to a Transportation Security Incident (TSI), a Breach of Security, and/or the identification of Suspicious Activity.”
“When cybersecurity vulnerabilities are identified in the FSA, an owner or operator may demonstrate compliance with the regulations by providing its cybersecurity mitigation procedures in a variety of formats. The information may be provided in a stand-alone cyber annex/addendum, incorporated into the FSP/ASP together with the physical security measures, or some other method identified by the owner or operator with concurrence from the local Captain of the Port (COTP), or in the case of ASPs with Coast Guard Headquarters. Facility owners and operators do not have to identify specific technology or a business model, but should provide documentation on how they are addressing their facility-specific cybersecurity vulnerabilities.”
The statement noted that “it is up to each facility to determine how to identify, assess, and address the vulnerabilities of their computer systems and networks.”
The implementation period will last a year and a half, with no submissions to update an FSA or FSP/ASP required until Sept. 30, 2021.
“This initial implementation period will allow MTSA-regulated facility owners or operators time to address cybersecurity vulnerabilities in their FSA and FSP/ASP by incorporating this guidance, or an alternative as best fits their need,” the USCG added. “Facility owners and operators who already address cybersecurity in their FSAs and FSPs/ASPs should continue doing so, while considering whether the guidance in NVIC 01-20 can improve their ongoing practices. Additionally, this period allows the Coast Guard time to conduct any necessary training of its field personnel, dissemination of best practices, or similar internal alignment before FSA and FSP/ASP amendments begin.”
The Coast Guard said in a Marine Safety Information Bulletin issued in December that Ryuk ransomware, which was the subject of a June advisory from the United Kingdom’s National Cyber Security Centre, may have entered the system of the unnamed facility through an email phishing campaign. The NCSC said in its original alert that Ryuk was first seen in August 2018 and was “responsible for multiple attacks globally” as a “persistent infection.”
“The Ryuk ransomware is often not observed until a period of time after the initial infection – ranging from days to months – which allows the actor time to carry out reconnaissance inside an infected network, identifying and targeting critical network systems and therefore maximising the impact of the attack,” the NCSC said. “But it may also offer the potential to mitigate against a ransomware attack before it occurs, if the initial infection is detected and remedied.”
The Coast Guard said that an employee at the unidentified facility clicked on the malicious email link, allowing “a threat actor to access significant enterprise Information Technology (IT) network files, and encrypt them, preventing the facility’s access to critical files.”
“The virus further burrowed into the industrial control systems that monitor and control cargo transfer and encrypted files critical to process operations. The impacts to the facility included a disruption of the entire corporate IT network (beyond the footprint of the facility), disruption of camera and physical access control systems, and loss of critical process control monitoring systems,” the bulletin continued. “These combined effects required the company to shut down the primary operations of the facility for over 30 hours while a cyber-incident response was conducted.”
Measures including up-to-date antivirus software, real-time intrusion detection, monitored host and server logging, network segmentation to prevent IT systems from accessing operational technology, file and software backups, and up-to-date IT/OT network diagrams “at a minimum” may have “prevented or limited the breach and decreased the time for recovery,” USCG said.
The bulletin recommended that facilities use the National Institute of Standards and Technology (NIST) Cybersecurity Framework and NIST Special Publication 800-82 to craft a risk management program, and warned that people in the maritime sector must use caution when opening emails from unfamiliar senders.