In 2013, President Obama issued Executive Order 13636 and directed the Director of the National Institute of Standards and Technology (NIST) to “lead the development of a framework to reduce cybersecurity risks to critical infrastructure” (Cybersecurity Framework). The Cybersecurity Framework was published in February 2014. A number of industries are integrating the Cybersecurity Framework, including by creating industry-focused Framework Profiles (Profiles) as described in the Cybersecurity Framework.
This month, NIST and the United States Coast Guard (USCG) released a “Maritime Bulk Liquids Transfer Cybersecurity Framework Profile” (Bulk Liquids Transfer Profile) to address the vulnerabilities in the transfer process of bulk hazardous liquids in the maritime industry. These transfers are often a part of a sophisticated supply chain that uses multiple networked systems and is therefore vulnerable to attack. The new profile serves to assist in cybersecurity risk assessments for those entities involved in maritime bulk liquids transfer operations as overseen by the USCG, and is intended to act as “non-mandatory guidance to organizations conducting” maritime bulk liquids transfer operations within facilities and vessels under the regulatory control of the USCG under the Code of Federal Regulations 33 CFR 154-156.
The stated benefits of creating the new Bulk Liquids Transfer Profile include:
- Compliance reporting becoming a byproduct of running an organization’s security operation;
- Adding new security requirements will become more straightforward;
- Adding or changing operational methodology will be less intrusive to ongoing operations;
- Minimizing future work by future organizations;
- Decreasing the chance that organizations will accidentally omit a requirement;
- Facilitating understanding of the bulk liquid transfers environment to allow for consistent analysis of cybersecurity risk; and
- Aligning industry and USCG cybersecurity priorities.
Other benefits include strengthening strategic communications between:
- Risk executives and operational technology integration of cybersecurity capabilities;
- Personnel involved in cybersecurity governance processes and operational technology oversight; and
- Enterprises that are just becoming aware of cybersecurity recommended practices with subject matter expertise and the collective wisdom of industry experts.
The new profile can be found here.