MARITIME CYBERSECURITY PROJECT 1. Risk-Based Performance Standards Recommendation 2. Framework for Cyber Policy 3. Critical Points of Failure 4. Requirements for Maritime Cyber Range 5. Framework for Point of Failure Detection Methodology 6. Maritime Cyber Deterrent Strategy Effectiveness MARCH 9, 2018 This material is based upon work funded by the U.S. Department of Homeland Security under Cooperative Agreement No. 2014-ST-061-ML0001. The views and conclusions contained in this document are those of the authors and should not be interpreted as necessarily representing the official policies, either expressed or implied, of the U.S. Department of Homeland Security. Maritime Cybersecurity Project Contents 1. Introduction .......................................................................................................................................... 1 1.1. Intended Audiences ...................................................................................................................... 1 1.2. Intended Processes ....................................................................................................................... 2 1.3. Guiding Principles ......................................................................................................................... 2 2. U.S. Marine Transportation System (MTS) ........................................................................................... 2 3. Analytical Scope .................................................................................................................................... 5 3.1. Asset Classes ................................................................................................................................. 5 3.2. Systems ......................................................................................................................................... 6 3.3. Threats ........................................................................................................................................ 10 3.4. Vulnerabilities ............................................................................................................................. 10 3.5. Consequences ............................................................................................................................. 10 4. Common IT/OT Systems ...................................................................................................................... 10 4.1. Vessel Systems ............................................................................................................................ 10 4.2. Facility/Infrastructure Systems ................................................................................................... 11 5. Literature Review ................................................................................................................................ 12 6. NIST Framework Core Mapping .......................................................................................................... 40 7. Recommended Risk-based Performance Standards (RBPSs) .............................................................. 44 7.1. Owner/Operator Has Not Yet Developed a Cybersecurity Program .......................................... 44 7.2. Owner/Operator Has Implemented an IT Cybersecurity Program ............................................. 45 7.3. Owner/Operator Has Implemented an IT/OT Cybersecurity Program ....................................... 46 8. Regulatory Oversight .......................................................................................................................... 50 8.1. Security Management Systems ................................................................................................... 52 8.2. Safety Management Systems ...................................................................................................... 55 9. Framework for Point of Failure Detection Methodology ................................................................... 59 9.1. Background ................................................................................................................................. 59 9.2. Engineering Principles ................................................................................................................. 60 9.3. Framework .................................................................................................................................. 61 9.3.1. Cyber Complexity ................................................................................................................ 62 9.3.2. Business Attributes ............................................................................................................. 63 9.3.3. Cybersecurity Documentation Attributes ........................................................................... 64 10. Critical Points of Failure ................................................................................................................. 67 i Maritime Cybersecurity Project 10.1. Background ............................................................................................................................. 67 10.2. Risk Assessment ...................................................................................................................... 70 10.2.1. Security Risk Assessment Methodologies ........................................................................... 70 10.2.2. Challenges in Cybersecurity Risk Assessment ..................................................................... 72 10.3. Reference Model ..................................................................................................................... 74 10.3.1. Triads ................................................................................................................................... 74 10.3.2. Taxonomy ............................................................................................................................ 75 10.4. Calculation............................................................................................................................... 79 10.4.1. Special Case of the VLN Connection .................................................................................... 79 10.5. Application .............................................................................................................................. 88 10.6. Conclusion ............................................................................................................................... 89 11. Maritime Cyber Deterrent Strategy Effectiveness ......................................................................... 90 11.1. USCG Risk Assessment Models ............................................................................................... 90 11.1.1. Port Security Risk Assessment Tool (PSRAT) ....................................................................... 91 11.1.2. National Risk Assessment Tool (NRAT) ............................................................................... 91 11.1.3. National Maritime Strategic Risk Assessment (NMSRA) ..................................................... 92 11.1.4. MSRAM ............................................................................................................................... 93 11.1.5. Layered Return-on-Investment (L-ROI) Model ................................................................... 93 11.1.6. PWCS Risk-Based Performance Model ............................................................................... 94 11.2. Cyber Decision Support Requirements ................................................................................... 94 11.2.1. Needed Information ............................................................................................................ 96 11.3. Application .............................................................................................................................. 96 11.4. Model ...................................................................................................................................... 97 11.4.1. Scenarios ............................................................................................................................. 97 11.4.2. Threat ................................................................................................................................ 100 11.4.3. Vulnerability ...................................................................................................................... 101 11.4.4. Consequences ................................................................................................................... 104 11.4.5. Types of Consequences & Results..................................................................................... 104 11.4.6. Outputs & Results ............................................................................................................. 105 11.4.7. Cyber Deterrent Strategy Development ........................................................................... 107 12. Requirements for Maritime Cyber Range .................................................................................... 107 12.1. Strategic Priorities ................................................................................................................. 107 12.2. Cyber Ranges ........................................................................................................................