Port Facility Cyber Security (source: portalcip.org/wp-content/uploads/2017/05/C08-Cyber-and-the-PFSP.pdf)
U. S. COAST GUARD
Port Facility Cyber Security
International Port Security Program
Cyber Security and Port Facility Security Plans (PFSP)
Lesson Topics
• Purpose of the PFSP
• Developing the PFSP
• Role of Facility Personnel
• Role of an RSO
• Basis for the PFSP
• Elements included in the PFSP
• Format of the PFSP
Lesson Topics
• Elements included in the PFSP (cont’d)
• Port Facility Security Organization
• Communications (Systems and Processes)
• Security Procedures/Measures
• Review and Audit Procedures
• Reporting requirements
• Approval and updates
Purpose of the PFSP
The aim of the PFSP is to mitigate the risks identified in the PFSA. While the PFSA is meant to identify the assets at a port that are important to protect, the PFSP outlines how they will be protected.
PFSP
The PFSP should address:
• potential security risks identified in the PFSA
• countermeasures to mitigate those risks
• local and national security considerations
• security measures for each security level (1-3)
Developing the PFSP
Preparation of an effective PFSP will rest on a thorough assessment of all issues that relate to the security of the port facility. This includes, in particular, a thorough appreciation of the physical and operational characteristics of the individual port facility.
Developing the PFSP
As the head of the port facility’s security organization, the PFSO is responsible for the development (and later revision) of the PFSP, using the PFSA as a guide.
Developing the PFSP
The PFSO can also engage other port facility personnel to assist with plan development.
PFSP Development
Role of RSOs:
• Can prepare the PFSP but cannot be engaged in the plan approval process
• Plan must be for a specific port facility
Basis for the PFSP
The PFSA cannot be viewed separately from the PFSP since it is the basis for developing an effective and comprehensive security plan.
Basis for the PFSP
Using the PFSA as a guide, the PFSP must include:
• Policies and procedures to address identified vulnerabilities.
• Security countermeasures to address the highest risk threat scenarios identified in the PFSA.
Basis for the PFSP
The content of the PFSP will vary, depending on the operations of the port facility and the content of the PFSA.
Basis for the PFSP
Not only must the PFSP address the assets, threats and vulnerabilities mentioned in the PFSA, it must also be compliant with the ISPS Code.
[Diagram: PFSP, PFSA, ISPS Code]
Basis for the PFSP
Even in addressing the ISPS Code requirements, the security measures outlined in the PFSP should always point back to the elements in the PFSA.
ISPS Code Requirements
1. Port Facility Security Organization
2. Communications
3. Security Procedures/Measures
4. Review and Audit Procedures
5. Reporting Requirements
6. Approval and Updates
Elements of the PFSP
The PFSP should establish the organization and performance of port facility security duties.
• Role and structure
• Duties, responsibilities and training requirements
• Description of the links to other national and local authorities
Elements of the PFSP
Having established the cyber security management framework through inclusion in the PFSP or the creation of the CSA and CSP, it is important that appropriate management and operational arrangements are in place, including:
Elements of the PFSP
• The identification of the individual(s) responsible for the cyber security of the port and port facilities, with individuals fulfilling these roles being designated as a cyber security officer (CSO);
Elements of the PFSP
• The establishment of a security operations centre (SOC);
• The arrangements for providing information to third parties; and
• The arrangements for managing security incidents or breaches.
Elements of the PFSP
The CSO should be responsible for:
• Ensuring the development and maintenance of the PFSP/CSP; and
• Implementing and exercising the PFSP/CSP.
Elements of the PFSP
The CSO should maintain awareness of legal and regulatory changes that could affect the cyber security of port assets and, where necessary, make adjustments in policies, processes and procedures to comply with those changes.
Elements of the PFSP
For the PFSP/CSP and associated security policies, processes and procedures to be effective, it is essential that there is a top-down flow of responsibility within both the organization and the contracts/supply chain. Responsibility for cyber security may be shared by the CSO with other managers and service providers, although ultimate responsibility should be retained by the CSO.
Elements of the PFSP
Security operations centre (SOC):
• A SOC acts as a centralized unit dealing with security issues that affect a port/port facility, including those relating to cyber security, and may form part of an operations centre supervising the port, controlling access and managing business continuity and disaster recovery activities.
Elements of the PFSP
The key functions of a SOC are to:
• Observe, by maintaining situational awareness, i.e. understand potential, emerging and actual threats to the port/port facility operations. Observation includes detection of unauthorized changes to port systems or port data, non-secure modes of operation and unauthorized access to port assets.
Elements of the PFSP
• Orient, by analyzing the risk to operations from new or changed threats and determine whether proactive measures are required to reduce the risk to an acceptable level.
• Decide what action may be appropriate either to deny further access to the port asset or to respond to the event by identifying suitable countermeasures.
ISPS Code Requirements
1. Port Facility Security Organization
2. Communications
3. Security Procedures/Measures
4. Review and Audit Procedures
5. Reporting Requirements
6. Approval and Updates
ISPS Code Requirements
The PFSP should address communications measures including:
• Systems provided to allow effective and continuous communication
• How the cyber security of security and communications systems and equipment will be maintained.
ISPS Code Requirements
A key asset to any port facility would be its communications system and devices. If unreliable, this presents a vulnerability to the security of the facility.
ISPS Code Requirements
PFSA entry:
“RFID cards are subject to cyber attack.”
ISPS Code Requirements
“Port facility security guards will positively identify 10% of individuals swiping into facility by a government issued ID at security level 1.”
ISPS Code Requirements
1. Port Facility Security Organization
2. Communications
3. Security Procedures/Measures
4. Review and Audit Procedures
5. Reporting Requirements
6. Approval and Updates
ISPS Code Requirements
Cyber Security Procedures:
• Information on cyber security responsibilities and links to organizations that will assist the port/port facility in the event of a cyber security incident.
• How the cyber security of security and communications systems and equipment will be maintained.
ISPS Code Requirements
Cyber Security Procedures (cont):
• The cyber security drills to be practiced to test the port's response to cyber security incidents.
• Cyber security measures required for any connection between ship systems and those of the port/port facility.
ISPS Code Requirements
Cyber Security Procedures (cont):
• The cyber security of communications, including those:
a) between personnel with security responsibilities;
b) between those responsible for technical security and the wider security team; and
c) that provide information about the port and port assets to third parties.
ISPS Code Requirements
Cyber Security Procedures (cont):
• Processes and procedures for approving the electronic or wireless connection of ship and port systems.
• Access control measures to sensitive IT systems and accommodation, for example, networking, communications and server rooms.
ISPS Code Requirements
Cyber Security Procedures (cont):
• Any changes to systems or system operations required at higher security levels, including any increased security measures required for admission of IT and systems maintenance contractors to the port and port facilities when the port is operating at security levels 2 and 3.
ISPS Code Requirements
Cyber Security Procedures (cont):
• Cyber security measures pertinent to the protection/assurance of cargo-related data and the systems that process, store and transmit it. Where the port has automated systems handling cargo, the plan should address the security measures required to protect the operational IT/cyber-physical systems.
ISPS Code Requirements
Cyber Security Procedures (cont):
• Cyber security measures pertinent to the protection and assurance of ships' stores and bunkering data and any systems that process, store and transmit it.
• Response to cyber security threats, breaches and security incidents.
ISPS Code Requirements
Cyber Security Procedures (cont):
• Arrangements for auditing of cyber security measures.
• Contractual measures for the adoption of relevant cyber security measures within the supply chain to the port/port facility.
• Cyber security awareness and training required by staff.
ISPS Code Requirements
Security Procedures/Measures:
• Procedures to maintain and update records of dangerous goods and hazardous substances to include their location on the port facility
• Means for alerting and obtaining the services of specialized response resources
ISPS Code Requirements
Security Procedures/Measures:
• Procedures for assisting Ship Security Officers with access control
• Procedures for facilitating the shore leave of shipboard personnel and access to the ship for visitors
ISPS Code Requirements
Remember that the security measures contained in the PFSP must address how they will be implemented at all three security levels.
ISPS Code Requirements
1. Port Facility Security Organization
2. Communications
3. Security Procedures/Measures
4. Review and Audit Procedures
5. Reporting Requirements
6. Approval and Updates
ISPS Code Requirements
The PFSP should describe how it will be audited to ensure the continued effectiveness of the plan.
ISPS Code Requirements
The PFSP can be reviewed at the discretion of the PFSO and in the following instances:
• If the PFSA is altered
• If an audit identifies failings or issues with the PFSP
ISPS Code Requirements
• Following security incidents or threats to the port facility
• If there is a change of ownership or operational control at the port facility
ISPS Code Requirements
Amendments to the PFSP should be:
• Recommended by the PFSO following any review of the plan
• Approved by the Contracting Government if they alter the security approach at the port facility or involve the removal, alteration, or replacement of essential security equipment and/or systems.
ISPS Code Requirements
1. Port Facility Security Organization
2. Communications
3. Security Procedures/Measures
4. Review and Audit Procedures
5. Reporting Requirements
6. Approval and Updates
ISPS Code Requirements
The PFSP should outline the reporting requirements for each security level.
• What is reported to the CG POCs?
• Specific types of security incidents?
• What is the reporting schedule?
ISPS Code Requirements
1. Port Facility Security Organization
2. Communications
3. Security Procedures/Measures
4. Review and Audit Procedures
5. Reporting Requirements
6. Approval and Updates
ISPS Code Requirements
PFSP Approval by the Contracting Government should consider:
• Submission Process
• Approval Process
• Approval of Amendments
• Audit Procedures
PFSP Formats
There are several PFSP formats available; however, there is no one preferred format. The important thing to note is that the PFSP should mirror the PFSA. All areas of the PFSA should have a corresponding section in the PFSP.
PFSP Formats
Any threats, vulnerabilities, key assets or critical infrastructure mentioned in the PFSA should be addressed in the PFSP with specific security measures outlined for each at all security levels.
Questions
Works Cited
Code of Practice Cyber Security for Ports and Port Systems
Authors: Hugh Boyes, Roy Isbell and Alexandra Luck
Published by: Institution of Engineering and Technology, London, United Kingdom
First published 2016