What are the reporting requirements for an MTSA regulated facility when dealing with a Cyber Security Incident?
First off, we need to define what the U.S. Coast Guard outlines as a cyber security incident. The U.S. Coast Guard has outlined the reporting procedures for breaches of security and suspicious activity in CG Policy-5 dated 14 December 2016. We know that, in accordance with 33 CFR 101.305, an owner or operator of a vessel or facility that is required to maintain an approved security plan in accordance with 33 CFR parts 104, 105 or 106 shall, without delay, report activities that may result in a Transportation Security Incident (TSI) to the National Response Center (NRC), including suspicious activity (SA) or a breach of security (BoS).
But when it comes to cyber security, what is considered a breach of security or suspicious activity? The U.S. Coast Guard regulations define a breach of security as “an incident that has not resulted in a TSI but in which security measures have been circumvented, eluded, or violated.” This definition includes the breach of telecommunications equipment, computer, and networked system security measures where those systems conduct or support functions described in vessel or facility security plans, or where successful defeat or exploitation of the systems could result in or contribute to a TSI. BoS incidents may include, but are not limited to, any of the following:
- Intrusion into telecommunications equipment, computer, and networked systems linked to security plan functions (e.g., access control, cargo control, monitoring), unauthorized root or administrator access to security and industrial control systems, successful phishing attempts or malicious insider activity that could allow outside entities access to internal IT systems that are linked to the MTS
- Instances of viruses, Trojan Horses, worms, zombies or other malicious software that have a widespread impact or adversely affect one or more on-site mission-critical servers that are linked to security plan functions
- Any denial-of-service attack that adversely affects or degrades access to critical services linked to security plan functions.
However, routine spam, phishing attempts, and other nuisance events that do not breach a system’s defenses are NOT a BoS. Furthermore, breaches of telecommunications equipment, computer, and networked systems that clearly target business or administrative systems unrelated to safe and secure maritime operations are outside the U.S. Coast Guard’s authority, so they need not be reported to the U.S. Coast Guard. Take phishing emails, for example. They happen all the time. It is only when a phishing campaign succeeds and extends from your network to outside entities that it would be considered a breach of security.
As for suspicious activity, the U.S. Coast Guard defines it as “observed behavior reasonably indicative of pre-operational planning related to terrorism or other criminal activity.”
- Computer-related suspicious activity presents additional vulnerabilities, and companies should be able to distinguish untargeted cyber incidents from targeted incidents on vessel or waterfront facility computer-related systems. Untargeted cyber incidents are part of the normal information technology landscape and commonly include “phishing” or persistent scanning of networks, and these are not considered SA or BoS.
- In contrast, targeted incidents may be large, sustained attacks on important cyber systems in an apparent attempt to exploit them for nefarious purposes. For example, phishing campaigns, a marked increase in network scanning, or other attacks may be considered SA if the attacks’ volume, persistence, or sophistication is out of the ordinary.
- Unsuccessful but targeted incidents may be SA if they threaten systems that could contribute to a TSI, have a link to the MTS portion of the facility or are otherwise related to systems, personnel, and procedures addressed by security plans or MTSA requirements.
- Unsuccessful attempts to access telecommunication, computer, and network systems linked to security plan functions.
Back to the question at hand: “What are the reporting requirements for an MTSA regulated facility when dealing with a Cyber Security Incident?”
If an MTSA regulated facility reports suspicious activity, a breach of security (BoS), or a situation that could result in a TSI that is cyber-related only, and the report is made to the NCCIC (National Cybersecurity and Communications Integration Center) at 888-282-0870, the MTSA regulated facility must state to the NCCIC that it is an MTSA regulated entity in order to satisfy the reporting requirements of 33 CFR 101.305.
Suppose the cyber-related SA, BoS or situation that could result in a TSI has another effect (e.g., a badge system is taken over and access to a secured area is lost). In that case, the report must be made to the NRC at 800-424-8802.
If you are unsure, the MTSA regulated entity is advised to make the report directly to the NRC (National Response Center) at 800-424-8802; the NRC will notify the NCCIC appropriately.
All non-cyber-related Suspicious Activity, Breaches of Security or situations that could result in a TSI should continue to be reported to the NRC at 800-424-8802. An MTSA regulated entity reporting only to a local COTP DOES NOT satisfy the reporting requirement of 33 CFR 101.305.
In some cases, it may be appropriate for an organization to provide only the most basic information to the NRC and provide further details directly to the COTP, Federal Bureau of Investigation (FBI), and other organizations needing to know. The details of any security vulnerabilities revealed by the event need not be discussed during an initial report. The Coast Guard will work with the reporting source and other appropriate authorities to assess and respond to the report.
If you need further assistance in understanding what makes up Breaches of Security or Suspicious Activity, don’t hesitate to get in touch with us today.
Stay tuned for next week’s blog post: “The disconnect between the IT departments and the Facility Security Officer.”