UNCLASSIFIED Homeland Security 2016 TRB Annual Meeting Cyber Risk Management CAPT Verne Gifford (CG-5PC) 1

UNCLASSIFIED Homeland Security “THERE WERE QUESTIONS FROM THE AUDIENCE ABOUT TIMELINES AND INCENTIVES THAT I’D LIKE TO ADDRESS. THE COAST GUARD JUST RECENTLY CONDUCTED A STUDY ABOUT THE COST BURDEN TO INDUSTRY OF ALL THE REGULATIONS THAT WE HAVE PUBLISHED SINCE WE FOUND THAT 88% OF THE ENTIRE COST BURDENS OF ALL REGULATIONS, OVER ALL THOSE YEARS, WERE DUE TO TWO REGULATIONS, OPA 90 AND MTSA. BOTH OF THESE REGULATIONS FOLLOWED PREDICTABLE DISASTERS. THE LESSON LEARNED SHOULD BE THAT WE SHOULD NOT WAIT FOR AN INCIDENT TO OCCUR THAT WILL MAKE US MOVE FORWARD ON REACTIVE, MORE EXPENSIVE, REGULATIONS; WE NEED TO BE PROACTIVE IN APPROACHING THIS. WE ARE HERE TO HAVE A DISCUSSION WITH INDUSTRY SO WE CAN DEVELOP A STANDARD TOGETHER, ONE THAT WORKS AND IS REASONABLE IN TERMS OF THE COST BENEFIT. IF WE WAIT UNTIL AN INCIDENT OCCURS, THAT OPPORTUNITY GOES AWAY.” EDDED#T= EDDED#T= EDDED#T= Quote from Rear Admiral Paul Thomas, Assistant Commandant for Prevention Policy

UNCLASSIFIED Homeland Security Ships Then

UNCLASSIFIED Homeland Security Ships Now

UNCLASSIFIED Homeland Security Cargo Operations Then

UNCLASSIFIED Homeland Security Cargo Operations Now

UNCLASSIFIED Homeland Security Why Cyber Risks Matter Loss of PII Loss of intellectual property Direct and indirect financial loss Reputation loss Threat to human life/injury Harm to the marine environment Harm to property Disruptions to the MTS The Coast Guard’s mission is to address these risks – whether from cyber or other sources.

UNCLASSIFIED Homeland Security What Makes Cyber Risk Special? Vulnerability increases with every new device Threat is unlimited Likelihood of an incident is near certain Detection is a factor rapidly growing portion of our total risk exposure

UNCLASSIFIED Homeland Security Cyber Security Risk Model APT/Organized Crime Insider Threats Technical Error MTS Disruption Human life, safety, health SYSTEM FAILURE Environmental PREVENTION/PROTECTIONMEASURES Various Attack Types Impacts MITIGATIONMEASURES Property Damage All activities must take place against a backdrop of the training, education, and policies needed to promote a culture of cyber security Hacktivists Technical controls Policy controls Defense in depth Physical controls Recovery & Continuity of Business Planning Manual Back ups Exercises & Contingency Plans Notifications & Communications

UNCLASSIFIED Homeland Security United States Coast Guard Cyber Strategy

UNCLASSIFIED Homeland Security Cyber Strategy Three Strategic Priorities 1. Defending Cyberspace 2. Enabling Operations 3. Protecting Infrastructure

UNCLASSIFIED Homeland Security  Goal 1. Risk Assessment – Promote Cyber Risk Awareness and Management Cyber Security Assessment & Risk Management Approach 3. Protecting Infrastructure 1. Defending Cyberspace 2. Enabling Operations 3. Protecting Infrastructure

UNCLASSIFIED Homeland Security  Goal 2. Prevention – Reduce Cybersecurity Vulnerabilities in the MTS. 3. Protecting Infrastructure 1. Defending Cyberspace 2. Enabling Operations 3. Protecting Infrastructure

UNCLASSIFIED Homeland Security Ongoing Initiatives Working with NIST to develop MTS Implementation Guide Review existing policy for cyber updates –Drafting NVIC for domestic policy –IMO Proposal Standardize terms/definitions Clarify notification procedures Collaboration with the NIST CCOEEvaluate guidance & tools for industry on risk reduction processes

UNCLASSIFIED Homeland Security NIST Collaboration on MTS Profile 15 By creating a Subsector level Cybersecurity Framework Profile, we are: Minimizing future work by each organization Decreasing the chance that organizations accidentally omit a requirement Reducing errors due to varying interpretations

UNCLASSIFIED Homeland Security Profile: Cybersecurity Framework Component 16 Identify Protect Detect Respond Recover Ways to think about a Profile: A customization of the Core for a given sector, subsector, or organization A fusion of business/mission logic and cybersecurity outcomes An alignment of cybersecurity requirements with operational methodologies A basis for assessment and expressing target state A decision support tool for cybersecurity risk management

UNCLASSIFIED Homeland Security Industry Engagement USCG engaging with multiple industry groups on cyber Held a Public Meeting on January in attendance, 300 watched online. Purpose of outreach is develop guidelines for industry Working with FACA committees to address cyber concerns (NMSAC, NOSAC) Actively involved in industry IT Subcommittees (AAPA, API) Transportation Systems Sector Cyber Working Group (TSS-CWG)

UNCLASSIFIED Homeland Security IMO Proposal In January 2016, submitted a paper to IMO proposing the development of guidelines on managing cyber related risks in the maritime The paper proposed: Establish procedures to identify & evaluate cyber related risks. Establish procedures that to reduce the vulnerabilities through well-recognized practices, including training. Establish procedures to reduce the potential consequences of a cyber attack or incident by promoting recovery and resilience. Establish procedures to incorporate the risk assessment and mitigation process into vessel and port facility security plans, or into other recognized protocols.

UNCLASSIFIED Homeland Security Academia Engagement USCG is collaborating with academia and DHS University Programs: Look to identify Recommended Practices Support Research for Maritime Community Ensure USCG Policies reflect latest knowledge of cyber risks and technology

UNCLASSIFIED Homeland Security Available resources

UNCLASSIFIED Homeland Security QUESTIONS? Thank You for your time! Further inquiries: LCDR Josh Rose