Port Facility Cyber Securityportalcip.org/wp-content/uploads/2017/05/C08-Cyber-and-the-PFSP.pdf ·...

U. S. COAST GUARD

MAR'01 1

Port Facility Cyber Security

International Port Security Program

Cyber Security and Port Facility

Security Plans (PFSP)

U. S. COAST GUARD

Lesson Topics

• Purpose of the PFSP

• Developing the PFSP

• Role of Facility Personnel

• Role of an RSO

• Basis for the PFSP

• Elements included in the PFSP

• Format of the PFSP

U. S. COAST GUARD

Lesson Topics

• Elements included in the PFSP (cont’d)

• Port Facility Security Organization

• Communications (Systems and Processes)

• Security Procedures/Measures

• Review and Audit Procedures

• Reporting requirements

• Approval and updates

U. S. COAST GUARD

Purpose of the PFSP

The aim of the PFSP is to mitigate the risks identified in the PFSA. While the PFSA is meant to identify the assets at a port that are important to protect, the PFSP outlines how they will be protected.

U. S. COAST GUARD

PFSP

The PFSP should address:

• potential security risks identified in the PFSA

• countermeasures to mitigate those risks

• local and national security considerations

• security measures for each security level (1-3)

U. S. COAST GUARD

Developing the PFSP

Preparation of an effective PFSP will rest on a thorough assessment of all issues that relate to the security of the port facility. This includes, in particular, a thorough appreciation of the physical and operational characteristics of the individual port facility.

U. S. COAST GUARD

Developing the PFSP

As the head of the port facility’s security organization, the PFSO is responsible for the development (and later revision) of the PFSP, using the PFSA as a guide.

U. S. COAST GUARD

Developing the PFSP

The PFSO can also engage other port facility personnel to assist with plan development.

U. S. COAST GUARD

PFSP Development

Role of RSOs:

• Can prepare the PFSP but cannot be engaged in the plan approval process

• Plan must be for a specific port facility

U. S. COAST GUARD

Basis for the PFSP

The PFSA cannot be viewed separately from the PFSP since it is the basis for developing an effective and comprehensive security plan.

U. S. COAST GUARD

Basis for the PFSP

Using the PFSA as a guide, the PFSP must include:

• Policies and procedures to address identified vulnerabilities.

• Security countermeasures to address the highest risk threat scenarios identified in the PFSA.

U. S. COAST GUARD

Basis for the PFSP

The content of the PFSP will vary, depending on the operations of the port facility and the content of the PFSA.

U. S. COAST GUARD

Basis for the PFSP

Not only must the PFSP address the assets, threats and vulnerabilities mentioned in the PFSA, it must also be compliant with the ISPS Code.

PFSP

PFSA ISPS Code

U. S. COAST GUARD

Basis for the PFSP

Even in addressing the ISPS Code requirements, the security measures outlined in the PFSP should always point back to the elements in the PFSA.

U. S. COAST GUARD

ISPS Code Requirements

1. Port Facility Security Organization

2. Communications

3. Security Procedures/Measures

4. Review and Audit Procedures

5. Reporting Requirements

6. Approval and Updates

U. S. COAST GUARD

Elements of the PFSP

The PFSP should establish the organization and performance of port facility security duties.

• Role and structure

• Duties, responsibilities and training requirements

• Description of the links to other national and local authorities

U. S. COAST GUARD


Having established the cyber security management framework through inclusion in the PFSP or the creation of the CSA and CSP, it is important that appropriate management and operational arrangements are in place, including:

U. S. COAST GUARD


• The identification of the individual(s) responsible for the cyber security of the port and port facilities, with individuals fulfilling these roles being designated as a cyber security officer (CSO);

U. S. COAST GUARD


• The establishment of a security operations centre (SOC);

• The arrangements for providing information to third parties; and

• The arrangements for managing security incidents or breaches.

U. S. COAST GUARD


The CSO should be responsible for:

• Ensuring the development and maintenance of the PFSP/CSP; and

• Implementing and exercising the PFSP/CSP.

U. S. COAST GUARD


The CSO should maintain awareness of legal and regulatory changes that could affect the cyber security of port assets and, where necessary, make adjustments in policies, processes and procedures to comply with those changes.

U. S. COAST GUARD


For the PFSP/CSP and associated security policies, processes and procedures to be effective, it is essential that there is a top-down flow of responsibility within both the organization and the contracts/supply chain. Responsibility for cyber security may be shared by the CSO with other managers and service providers, although ultimate responsibility should be retained by the CSO.

U. S. COAST GUARD


Security operations centre (SOC):

• A SOC acts as a centralized unit dealing with security issues that affect a port/port facility, including those relating to cyber security, and may form part of an operations centre supervising the port, controlling access and managing business continuity and disaster recovery activities.

U. S. COAST GUARD


The key functions of a SOC are to:

• Observe, by maintaining situational awareness, i.e. understand potential, emerging and actual threats to the port/port facility operations. Observation includes detection of unauthorized changes to port systems or port data, non-secure modes of operation and unauthorized access to port assets.

U. S. COAST GUARD


• Orient, by analyzing the risk to operations from new or changed threats and determine whether proactive measures are required to reduce the risk to an acceptable level.

• Decide what action may be appropriate either to deny further access to the port asset or to respond to the event by identifying suitable countermeasures.

U. S. COAST GUARD


U. S. COAST GUARD



2. Communications





U. S. COAST GUARD


The PFSP should address communications measures including:

• Systems provided to allow effective and continuous communication

• How the cyber security of security and communications systems and equipment will be maintained.

U. S. COAST GUARD


A key asset to any port facility would be its communications system and devices. If unreliable, this presents a vulnerability to the security of the facility.

U. S. COAST GUARD


PFSA entry:

“RFID cards are subject to cyber attack.”

U. S. COAST GUARD


“Port facility security guards will positively identify 10% of individuals swiping into facility by a government issued ID at security level 1.”

U. S. COAST GUARD



2. Communications





U. S. COAST GUARD


Cyber Security Procedures:

• Information on cyber security responsibilities and links to organizations that will assist the port/port facility in the event of a cyber security incident.

• How the cyber security of security and communications systems and equipment will be maintained.

U. S. COAST GUARD


Cyber Security Procedures (cont):

• The cyber security drills to be practiced to test the port's response to cyber security incidents.

• Cyber security measures required for any connection between ship systems and those of the port/port facility.

U. S. COAST GUARD



• The cyber security of communications, including those:

a) between personnel with security responsibilities;

b) between those responsible for technical security and the wider security team; and

c) that provide information about the port and port assets to third parties.

U. S. COAST GUARD



• Processes and procedures for approving the electronic or wireless connection of ship and port systems.

• Access control measures to sensitive IT systems and accommodation, for example, networking, communications and server rooms.

U. S. COAST GUARD



• Any changes to systems or system operations required at higher security levels, including any increased security measures required for admission of IT and systems maintenance contractors to the port and port facilities when the port is operating at security levels 2 and 3.

U. S. COAST GUARD



• Cyber security measures pertinent to the protection/assurance of cargo-related data and the systems that process, store and transmit it. Where the port has automated systems handling cargo, the plan should address the security measures required to protect the operational IT/cyber-physical systems.

U. S. COAST GUARD



• Cyber security measures pertinent to the protection and assurance of ships' stores and bunkering data and any systems that process, store and transmit it.

• Response to cyber security threats, breaches and security incidents.

U. S. COAST GUARD



• Arrangements for auditing of cyber security measures.

• Contractual measures for the adoption of relevant cyber security measures within the supply chain to the port/port facility.

• Cyber security awareness and training required by staff.

U. S. COAST GUARD


Security Procedures/Measures:

• Procedures to maintain and update records of dangerous goods and hazardous substances to include their location on the port facility

• Means for alerting and obtaining the services of specialized response resources

U. S. COAST GUARD


Security Procedures/Measures:

• Procedures for assisting Ship Security Officers with access control

• Procedures for facilitating the shore leave of shipboard personnel and access to the ship for visitors

U. S. COAST GUARD


Remember that the security measures contained in the PFSP must address how they will be implemented at all three security levels.

U. S. COAST GUARD



2. Communications





U. S. COAST GUARD


The PFSP should describe how it will be audited to ensure the continued effectiveness of the plan.

U. S. COAST GUARD


The PFSP can be reviewed at the discretion of the PFSO and in the following instances:

• If the PFSA is altered

• If an audit identifies failings or issues with the PFSP

U. S. COAST GUARD


• Following security incidents or threats to the port facility

• If there is a change of ownership or operational control at the port facility

U. S. COAST GUARD


Amendments to the PFSP should be:

• Recommended by the PFSO following any review of the plan

• Approved by the Contracting Government if they alter the security approach at the port facility or involve the removal, alteration, or replacement of essential security equipment and/or systems.

U. S. COAST GUARD



2. Communications





U. S. COAST GUARD


The PFSP should outline the reporting requirements for each security level.

• What is reported to the CG POCs?

• Specific types of security incidents?

• What is the reporting schedule?

U. S. COAST GUARD



2. Communications





U. S. COAST GUARD


PFSP Approval by the Contracting Government should consider:

• Submission Process

• Approval Process

• Approval of Amendments

• Audit Procedures

U. S. COAST GUARD

PFSP Formats

There are several PFSP formats available; however, there is no one preferred format. The important thing to note is that the PFSP should mirror the PFSA. All areas of the PFSA should have a corresponding section in the PFSP.

U. S. COAST GUARD

PFSP Formats

Any threats, vulnerabilities, key assets or critical infrastructure mentioned in the PFSA should be addressed in the PFSP with specific security measures outlined for each at all security levels.

U. S. COAST GUARD

Questions

U. S. COAST GUARD

Works Cited

Code of Practice Cyber Security for Ports and Port Systems

Authors: Hugh Boyes, Roy Isbell and Alexandra Luck

Published by: Institution of Engineering and Technology, London, United Kingdom

First published 2016

Port Facility Cyber Securityportalcip.org/wp-content/uploads/2017/05/C08-Cyber-and-the-PFSP.pdf ·...

Documents

Transcript of Port Facility Cyber Securityportalcip.org/wp-content/uploads/2017/05/C08-Cyber-and-the-PFSP.pdf ·...