US Coast Guard urges offshore industry to take proactive approach to cyber risks
By Alex Endress, Editorial Coordinator
Cyber risks are increasing on a daily basis in the offshore industry. A potential attack could arise from any of a multitude of vulnerabilities, such as an employee’s malware-infected USB drive or an improperly protected internet router. “The threat is unlimited,” Lt. Cmdr. Josh Rose with the US Coast Guard (USCG) said at the 2016 IADC HSE&T Conference in Houston on 2 February. “There are statistics out there that people have been hacked for seven to nine months before they find out. That’s pretty staggering when you think about someone walking around your oil rig for seven to nine months before you realize they are not supposed to be there.”
In June 2015, the USCG released a cyber strategy that is divided into three categories – defending cyber space, enabling operations and protecting critical infrastructure. Lt. Cmdr. Rose highlighted the third category and noted that two main goals would be to promote cyber risk awareness and to reduce cybersecurity vulnerabilities offshore. “We have to get out there and let people know that there are threats,” he said, urging the offshore drilling industry to engage in more discussions on the topic.
Aside from the cyber strategy, the USCG is also undertaking several initiatives to address cyber risks. First, the USCG is working with the National Institute of Standards and Technology (NIST) to develop a cyber protection implementation guide for marine transportation systems (MTS). Further, as part of an industry-driven process, the two organizations are working to create a cybersecurity framework profile. The profile will apply lessons learned from companies that may have experienced cyber attacks in the past, which will help to minimize future work by other organizations. “If we can set that groundwork on the trials and errors that a company has gone through as they built their program, maybe it can save some of the heartburn for some of the other programs of other companies that may not have the resources to go through all the trial and error,” he said.
Another ongoing initiative is to review current policies and decide whether a cyber component should be added. Lt. Cmdr. Rose cited the national vessel information circulars (NVICs) as an example. “We needed to take a step back and say, does the cyber aspect need to be included in this and recognized as a domain we’re facing?”
Other initiatives relate to the standardization of terms/definitions related to cyber risks, clarification of notification procedures when a cyber incident does occur, and potential collaboration with the IMO on development of guidelines to manage cyber-related risks in the maritime sector. Lt. Cmdr. Rose also pointed to existing resources and tools that companies can use to prevent cyber attacks. These can be found on the USCG website, the NIST website and the US-CERT website. “Let’s not wait for that big incident to hit our industry. Let’s work together and get ahead of it,” he said.