September 8, 2017
Docket Clerk
RE: Docket No. USCG–2016–1084, Notice of availability and request for comments
To whom it may concern,
Thank you for the opportunity to comment on Navigation and Vessel Inspection Circular 05–17; Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act Regulated Facilities.
In the NVIC, the Coast Guard recommends that industry plan for changing MARSEC levels with respect to cybersecurity (ref. Drills and Exercises and Response to Change in MARSEC levels). We do not believe that there is a logical link between the current MARSEC level definition and/or intention and cybersecurity. Any system connected to the Internet should be considered under constant attack; and therefore under this logic, any regulated facility with systems connected to the Internet could therefore be considered to be continuously at MARSEC level 3 with respect to cybersecurity.
Therefore, the requirement in the NVIC that requires facilities to plan for different security measures under the three MARSEC levels is unnecessary. For example, under the section “Security Measures for Handling Cargo,” the NVIC states:
“Describe security measures to protect cargo handling at all MARSEC levels to include measures that protect cargo manifests and other cargo documentation to deter tampering and prevent cargo that is not meant for carriage from being accepted . . .”
Whether the facility is at MARSEC level 1 or 3, in theory the facility should always be operating under the tightest controls to ensure only authorized electronic transactions and access occur. Therefore separate plans and drills for every MARSEC level are unnecessary.
Additional Info
Attachment : CYBER-NVIC-Comments-9-7-17-web.pdf