Tuesday, July 18, 2017

HR 3101 Introduced – Port Cybersecurity

Last month Rep. Torres (D,CA) introduced HR 3101, the Strengthening Cybersecurity Information Sharing and Coordination in Our Ports Act of 2017. The bill establishes a number of modest cybersecurity requirements for (and in support of) port operations.

Federal Requirements

Section 2 of the bill establishes federal requirements for cybersecurity risk assessments, information sharing and coordination. First it requires DHS to conduct (and subsequently evaluate) a maritime cybersecurity risk assessment based upon the NIST Cybersecurity Framework. Next it requires DHS to ensure that at least one maritime information sharing and analysis center (ISAC) participates in the National Cybersecurity and Communications Integration Center (NCCIC).

Paragraph (4) requires DHS to establish “guidelines for voluntary reporting of maritime-related cybersecurity risks and incidents (as such terms are defined in section 227 of the Homeland Security Act of 2002 (6 U.S.C. 148)) to the Center [NCCIC]”. The next paragraph then requires a report and recommendations “to the Secretary on enhancing the sharing of information related to cybersecurity risks and incidents between relevant Federal agencies and State, local, and tribal governments”.

Local Requirements

Section 3 of the bill establishes local cybersecurity requirements. First it requires each Area Maritime Security Advisory Committee “to facilitate the sharing of cybersecurity risks and incidents to address port-specific cybersecurity risks, which may include the establishment of a working group of members of Area Maritime Security Advisory Committees to address port-specific cybersecurity vulnerabilities” {§3(1)}. Next it requires all new vessel and facility security plans (under 46 USC 70103) to “include a mitigation plan to prevent, manage, and respond to cybersecurity risks” {§3(2)}.

Section 4 makes the corresponding amendments to two separate provisions of 46 USC {§70102(b)(1)(C) – facility and vessel assessments – and §70103(c)(3)(C) – vessel and facility security plans} by adding the word “cybersecurity” after “physical security”. It would also add a requirement for vessel and facility security plans to address the “prevention, management, and response to cybersecurity risks” {new §70103(c)(3)(C)(v)}.

Moving Forward

While Torres is not a member of either committee to which the bill has been assigned for consideration, two of her cosponsors are {Rep. Correa (D,CA) – Homeland Security; and Rep. Wilson (D,FL) – Transportation and Infrastructure}. This means that there is at least a chance that either or both of these committees could consider HR 3101.

I do not see anything in the bill that would engender any significant opposition. If the bill were to be considered on the floor of the House it is likely that it would pass, probably under suspension of the rules.

Commentary

Once again, the provisions of this bill rely on the 6 USC 148(a)(1) definition of ‘cybersecurity risk’, a definition that is limited to information systems and does not include control systems. This means that the requirements of this bill would not apply to the operation of any of the many critical control systems found on vessels or in maritime facilities.


I would again like to point to a solution to this definitional problem in port cybersecurity legislation that I proposed in an earlier blog post. It would still use the existing, IT-centric, definition of ‘information system’, but would add a new definition for ‘control system’ and then combine both terms in the definition of ‘cybersecurity risk’.
