U. S. COAST GUARD MAR'01 1 Port Facility Cyber Security International Port Security Program Cyber Security Assessment

Port Facility Cyber Security - portalcip.orgportalcip.org/.../05/C05-Cyber-Security-Assessment.pdf · Cyber Security Seminar . U. S. COAST GUARD Works Cited Code of Practice Cyber

Lesson Topics

• ISPS Code Requirement

• The Assessment Process

ISPS Code Requirements

What is the purpose of a Port Facility Security Assessment (PFSA)?

Who is able to conduct a Port Facility Security Assessment under the ISPS Code?

Who is responsible for reviewing and approving a Port Facility Security Assessment (PFSA) under the ISPS Code?

ISPS Code Part A Section 15.1: The port facility security assessment is an essential and integral part of the process of developing and updating the port facility security plan.

ISPS Code Part A Section 15.2: The port facility security assessment shall be carried out by the Contracting Government within whose territory the port facility is located. A Contracting Government may authorize a recognized security organization to carry out the port facility security assessment of a specific port facility located within its territory.

ISPS Code Part A Section 15.2.1: When the port facility security assessment has been carried out by a recognized security organization, the security assessment shall be reviewed and approved for compliance with this section by the Contracting Government within whose territory the port facility is located.

CG

• Responsible for PFSA

• May delegate to DA

DA

• May conduct PFSA or delegate to an RSO

RSO

• May conduct PFSA

• Must return to DA for approval

ISPS Code Part A Section 15.3: The persons carrying out the assessment shall have appropriate skills to evaluate the security of the port facility in accordance with this section, taking into account the guidance given in part B of this Code.

ISPS Code Part A Section 15.4: The port facility security assessments shall periodically be reviewed and updated, taking account of changing threats and/or minor changes in the port facility and shall always be reviewed and updated when major changes to the port facility take place.

Does the ISPS Code require the PFSA to cover telecommunication systems, including computer systems and networks?

ISPS Code Part A Section 15.5: The port facility security assessment shall include, at least, the following elements:

• Identification and evaluation of important assets and infrastructure it is important to protect;

• Identification of possible threats to the assets and infrastructure and the likelihood of their occurrence, in order to establish and prioritize security measures;

• Identification, selection and prioritization of counter measures and procedural changes and their level of effectiveness in reducing vulnerability; and

• Identification of weaknesses, including human factors in the infrastructure, policies and procedures.

ISPS Code Part B Section 15.3: A PFSA should address the following elements within a port facility:

• Physical security.

• Structural integrity.

• Personnel protection systems.

• Procedural policies.

• Radio and telecommunication systems, including computer systems and networks.

• Relevant transportation infrastructure.

• Utilities.

• Other areas that may, if damaged or used for illicit observation, pose a risk to persons, property, or operations within the port facility.

The Assessment Process

Step 1: Identification of Assets

To properly identify and evaluate important assets and infrastructure, it will first be necessary to have an understanding of:

• How the different assets support the port's operational use;

• The criticality of different areas within the port/port facility; and

• The systems that support or protect these critical assets or areas.

From a cyber security perspective, the business critical and/or sensitive elements of a port are likely to include:

1. Those assets that have been judged to have the potential to be used to significantly compromise the integrity of the port. Consideration should be given to:

a) Cabling routes and their containment (for example, ducts and trunking);

b) Configuration, identification and use of control systems;

c) Critical permanent plant or machinery;

d) Security or other control rooms, including guarding;

e) Security, alarm and access control systems, CCTV and video processing.

2. Key spaces and facilities used by law enforcement and security service personnel operating in, or visiting, the port.

3. Port data relating to the location, identification, technical specification and operation of business critical and sensitive assets.

4. Port systems, wherever they are hosted, used for planning, scheduling and receipt of ships and cargo.

5. Assets or systems upon which the business critical and/or sensitive elements are dependent for their normal operation and resilience.

Step 2: Identify Port Business Processes

The operation of a port/port facility will depend upon a set of business processes that rely upon port data for the safe, secure and efficient movement of cargo through the port and enable supporting processes such as asset management, resource scheduling, financial and business planning, procurement, and the human resource processes.

This information should be used to assess the criticality of assets and to understand the interdependencies of the data and systems within the overall business processes of the port. By so doing, the real impact of failure or compromise of individual components can be understood.

Step 3: Identify and Assess Risks

The next step in the process is to identify and assess risks.

What elements make up Risk?

• Threat

• Vulnerability

• Consequences (Impact)

The potential threats should have already been identified in the PSA and PFSA. However, it will be necessary to understand the degree to which individual threats and combinations of them may impact on the cyber security of the port and/or port facility.

When considering threat scenarios and types of undesired events, the port/port facility operator should include incidents such as:

• Unauthorized access to sensitive port data (commercial, personal or security-related);

• Theft of sensitive port data;

• Deletion, unauthorized modification or corruption of port data;

• Infection with malware;

• Loss of service from systems due to loss of connectivity or power;

• Loss of service from systems due to software and hardware failures;

• Compromise of port security systems;

• Denial of service – externally hosted systems;

The identification of vulnerabilities should include consideration of:

• The relationships between systems;

• The technical composition of systems in terms of hardware and software components and the builds or revisions that are being used;

• Physical robustness of enclosures (for example, cabinets, ducts, trunking, etc.);

• The relationships between systems and associated business processes;

• Reliance on automation of equipment;

• The level of resilience within the port/port facility, including the level of dependency of systems on infrastructure, for example, utilities;

• Existing security measures and procedures, including the presence and permeability of any secure perimeter that prevents or limits access to the port, port facility and associated utilities, plant and machinery;

• Any conflicting policies between safety and security measures and procedures;

• Any enforcement and personnel constraints; and

• Any deficiencies identified during daily operation, following incidents or alerts, the report of security concerns, the exercise of control measures, audits etc.

The risk assessment should consider the nature of harm that could be caused to: personnel and other occupants or users of the port and its services; the port and port assets; and/or the benefits the port exists to deliver, be they societal, environmental and/or commercial.

The cyber security risk will depend on the likelihood that a threat actor can exploit one or more vulnerabilities and cause the nature of harm identified.

Throughout the process it will be essential for the port and port facility to liaise with each other to identify common risks, as well as where a risk in one may compromise the security of the other.

Step 4: Identify and Assess Countermeasures

The next step in the assessment process is to identify and record possible mitigation or countermeasures for every cyber security vulnerability.

The assessment of each countermeasure should identify and record:

1. The cost of the countermeasure and its implementation.

2. Other impacts the countermeasure might have, for example, on asset or system usability and efficiency, business processes and port operations.

3. Wherever possible, to support the business justification for investment in the countermeasure:

a) The risk reduction that could be achieved; and

b) The predicted cost saving.

4. The potential for the countermeasure to create further vulnerabilities.

5. Whether the countermeasure delivers any other business benefits, for example:

a) Reduction of overall business risk; and

b) Aiding the development of efficient, robust and repeatable business processes.

Step 5: Review Acceptability of Overall Risk

The final step in the process is to review and evaluate the remaining risks.

• Was the port facility able to buy down risk to an acceptable level through the implementation of countermeasures?

• Who has the responsibility under the ISPS Code to determine what is an acceptable risk?

Summary

Cyber Security Seminar

Works Cited

Code of Practice Cyber Security for Ports and Port Systems

Authors: Hugh Boyes, Roy Isbell and Alexandra Luck

Published by: Institution of Engineering and Technology, London, United Kingdom

First published 2016