Cyber risk profile scheme unveiled for liquid bulk operators

Oil and gas terminals are at the top the USCG's list for assessing cyber risk. Credit: Joseph Davisson
Oil and gas terminals are at the top the USCG's list for assessing cyber risk. Credit: Joseph Davisson

Oil and gas vessel and terminal operators can now access a voluntary cyber-security prototype for use in planning against a cyber attack.

The Cybersecurity Framework Profile, unveiled 10 November at the American Petroleum Institute’s Cybersecurity Conference in Houston, is the first of its kind for maritime transport, according to the US Coast Guard (USCG). The 150-page document was created by the coastguard and the National Institute of Standards and Technology (NIST), with input from private companies.

The profile works in combination with NIST’s Cybersecurity Framework, developed in 2014 to address and manage cyber-security risk based on business needs without the burden of costly new regulatory requirements. The profile gives maritime liquid bulk transfer (MBLT) facilities a way to integrate the NIST cyber framework into their operations.

“This first Cybersecurity Framework Profile for the maritime transportation sector is the culmination of hard work from industry stakeholders, the coastguard, and NIST to provide guidance to the MBLT industry to adapt their risk management processes to include cyber risk management,” said Ryan Manning, head of the USCG’s Office of Port & Facilities Compliance.

“While these profiles are voluntary in nature, I highly encourage industry to consider using this to achieve optimal cyber security for their respective organisation.”

The USCG said it plans to work with NIST to build four additional profiles that will include passenger vessels, cargo vessels, navigation, and offshore facilities.

Cyber security has become a major concern for the maritime sector globally as the costs that could result from outside hacking into terminal or vessel operating systems become better understood. US ports have pointed out that one of the biggest challenges to addressing cyber threats is eliminating organisational barriers that separate traditional port security personnel and those responsible for the port’s IT management.

Over the last two years, regulatory authorities have been issuing guidance to address the problem. In 2015, the USCG published a formal Cyber Strategy to help guide the agency as cyber security becomes a bigger part of its oversight responsibilities. This year the IMO’s Maritime Safety Committee approved interim guidelines on maritime cyber risk management.

The USCG is in the process of developing separate cyber risk guidelines to be published in a Navigation and Inspection Circular (NVIC), with the intent of giving industry the opportunity to provide feedback. The NVIC could be published by the end of the year.