Category: Security Concepts

All about the Cyber Security Plan (CSP), CySO and MTSA Facility – Part 3

New Rulemaking Alert: Updates to 33 CFR Part 101 — General Maritime Security Provisions

The U.S. Coast Guard has issued a new rulemaking impacting 33 CFR Part 101, the foundational section that defines the general provisions under the Maritime Transportation Security Act (MTSA). These changes reflect the evolving nature of maritime threats, particularly those involving cybersecurity, supply chain disruption, and the need for enhanced coordination between industry and federal stakeholders.

Even though we covered 33 CFR Part 101 in the previous part, here is a more detailed breakdown:

Part 101 serves as the cornerstone of the MTSA regulatory framework. It defines:

  • General maritime security policies
  • Definitions and responsibilities for key personnel (e.g., COTP, FSO, FMSC)
  • The MARSEC (Maritime Security) level system
  • National and Area Maritime Security Planning
  • Requirements for incident reporting, including Transportation Security Incidents (TSIs)

Note: This section applies broadly to all MTSA-regulated vessels, facilities, and Outer Continental Shelf (OCS) activities.

Why This Matters to Facilities and FSOs

These rule changes will directly impact how Facility Security Officers (FSOs) and regulated facilities approach:

  • Cybersecurity planning
  • Incident reporting
  • Annual reviews of Facility Security Plans (FSPs)
  • Participation in port-wide exercises and tabletop scenarios

If your facility is located along a navigable waterway, especially in high-traffic zones like the Houston Ship Channel, you must stay current with these evolving requirements. If you don't, the consequences can be as follows:

  • Civil Penalties: Fines can range from thousands to hundreds of thousands of dollars per violation, depending on severity.
  • Operational Restrictions: The Coast Guard (COTP) can impose restrictions or even shut down port operations or vessel movements until compliance is restored.
  • Criminal Liability: In extreme cases, especially where negligence leads to safety or security incidents, criminal charges may be pursued.
  • Reputational Damage: Non-compliance can severely damage a company’s reputation with regulators, customers, and partners.
  • Increased Scrutiny: The facility may be subject to more frequent inspections, audits, and enforcement actions.

Who is ultimately responsible?

The primary legal responsibility lies with the Facility Owner and/or Operator.

  • They must ensure all MTSA security requirements, including those under Part 101, are implemented.
  • The Facility Security Officer (FSO) manages day-to-day compliance and acts as the liaison with the Coast Guard but does not bear ultimate legal liability.
  • Owners/operators are accountable for ensuring resources, training, and security measures are adequate and maintained.

Now for the meat on the bone! The actual CFR text, which sits in Subpart F—Cybersecurity, is covered in the last part of this article: [All about the Cyber Security Plan (CSP), CySO and MTSA Facility – Part 4]

All about the Cyber Security Plan (CSP), CySO and MTSA Facility – Part 2

33 CFR stands for Title 33 of the Code of Federal Regulations, which governs Navigation and Navigable Waters in the United States. It contains rules and regulations issued primarily by the U.S. Coast Guard and U.S. Army Corps of Engineers (USACE), along with other federal maritime authorities.

As of 2025, Title 33 CFR contains over 200 parts, divided into subchapters based on subject area; see Table 2-1.

Subchapter | Range | Description
A | Parts 1–199 | U.S. Coast Guard general navigation rules, aids to navigation, bridges, boating safety, marine environmental protection
B | Parts 200–399 | U.S. Army Corps of Engineers (USACE) regulations on navigation, locks, dam operations, and permitting
C | Parts 400–499 | Saint Lawrence Seaway regulations
E | Parts 500–599 | U.S. Coast Guard regulations on Great Lakes Pilotage
F–G | Varies | Regs covering Outer Continental Shelf activities, deepwater ports, and marine pollution

Table 2-1: High-level breakdown of the major subchapters and example parts

Parts that Apply to MTSA Facilities:

As my focus is on MTSA Regulated Facilities, out of the various parts only the following subchapter applies; see Table 2-2:

Parts in Subchapter H (MTSA-Related)

Part | Subject
101 | General Provisions (security terms, MARSEC levels)
102 | National Maritime Transportation Security Incident Response
103 | Area Maritime Security Committees (AMSCs)
104 | Vessel Security
105 | Facility Security
106 | Outer Continental Shelf (OCS) Facility Security

Table 2-2: Parts in Subchapter H

More specifically, the following applies to an MTSA regulated facility:

Topic | Reference | Applies To | Authority
Facility Security Plans | 33 CFR 105 | MTSA-regulated terminals | COTP
Port Authority & Control | 33 CFR 160 | Ships & Facilities | COTP
Cyber Incident Reporting | NVIC 01-20, 33 CFR 101.305 | OT/IT systems | NRC & COTP
AMSC Participation | 33 CFR 103 | Stakeholders in the port | FMSC
MTSA Requirements | 33 CFR 101–106 | Maritime sector security | DHS & USCG

Table 2-3: Regulatory references that apply to MTSA facilities such as a chemical plant.

This article, however, focuses mainly on 33 CFR Part 101, which falls under the MTSA Requirements, so that is the topic we will explore. If you need more information on the other topics in Table 2-3, refer to the post [Understanding U.S. Coast Guard Maritime Security: What Facilities and Stakeholders Need to Know]. You can also view all of 33 CFR online via ecfr.gov (Electronic Code of Federal Regulations), updated regularly by the National Archives and Office of the Federal Register.

Now let's get back to the new rulemaking; check out Part 3 of the post:
[All about the Cyber Security Plan (CSP), CySO and MTSA Facility – Part 3]

Understanding U.S. Coast Guard Maritime Security: What Facilities and Stakeholders Need to Know

The U.S. Coast Guard (USCG) plays a vital role in ensuring maritime safety, security, and environmental protection along the navigable waters of the United States. For operators of port facilities, terminals, chemical plants along waterways, and vessel owners, compliance with Coast Guard regulations is not optional—it’s a fundamental responsibility. This post provides a practical overview of key U.S. Coast Guard maritime security mandates and how they apply to real-world operations, particularly those regulated under the Maritime Transportation Security Act (MTSA).

Key Regulatory Authority you need to know:

The legal backbone for maritime security in the U.S. is found in Title 33 of the Code of Federal Regulations (33 CFR). Several key parts define the obligations for facilities and vessels:

  • 33 CFR Part 105 – Facility Security
    This part applies to MTSA-regulated port facilities. It mandates the development of Facility Security Plans (FSPs), the appointment of a Facility Security Officer (FSO), and the execution of security measures aligned with MARSEC levels. Facilities handling chemicals, petroleum, or maritime cargo are typically covered.
  • 33 CFR Part 160 – Port Operations
    This part outlines the broad authority of the Captain of the Port (COTP), including vessel control, port access, and the ability to create safety or security zones during emergencies or heightened threat conditions.
  • 33 CFR Part 101.305 – Incident Reporting
    This section details the requirement for reporting Transportation Security Incidents (TSIs)—including cyber-related events (TSI-C)—to the National Response Center (NRC) within 12 hours of occurrence.
  • 33 CFR Part 104 – Vessel Security
    While Part 104 sets requirements for Vessel Security Plans (VSPs), it applies only to vessels such as tankers, cargo ships, and barges. It does not apply to land-based facilities unless they own or operate MTSA-regulated vessels.

MTSA Requirements You Need to Understand

Passed in the wake of the 9/11 attacks, the Maritime Transportation Security Act of 2002 created the foundation for modern port security regulations. MTSA requires that:

  • All designated facilities and vessels have security plans (FSPs/VSPs).
  • Workers in secure areas must hold a valid TWIC (Transportation Worker Identification Credential).
  • Facilities participate in coordinated Area Maritime Security Committees (AMSCs).

These provisions are enforced by the U.S. Coast Guard and monitored via inspections, audits, and security exercises.

What Is a Facility Security Plan (FSP)?

Each MTSA-regulated facility must maintain a Coast Guard-approved Facility Security Plan. This plan is a detailed, living document that defines how the facility will:

  • Control access to restricted areas
  • Monitor and secure the perimeter
  • Conduct regular training and drills
  • Respond to security threats and cyber incidents

Another important term you will often hear in meetings is Area Maritime Security Committees (AMSCs).

AMSCs:

These committees are led by the Federal Maritime Security Coordinator (FMSC), usually the local Sector Commander. AMSCs are forums where industry and government stakeholders collaborate to:

  • Share threat intelligence
  • Conduct risk assessments
  • Develop and maintain Area Maritime Security Plans (AMSPs)

For example, the Houston-Galveston AMSC includes chemical plant operators, terminal managers, law enforcement, and emergency services throughout the Houston Ship Channel region.

A designated Facility Security Officer (FSO) is responsible for maintaining and implementing the FSP and communicating with the local COTP. If you are the new CySO, you will be coordinating tightly with the FSO, which means you may be in the same AMSC meetings.

Understanding and adhering to maritime security requirements under the U.S. Coast Guard’s authority is critical for protecting infrastructure, people, and commerce. From FSP development to participating in the local AMSC and reporting TSI-C events, facility operators and stakeholders must be proactive, informed, and collaborative.

For information on the new rulemaking, refer to the following posts:
Introduction
[All about the Cyber Security Plan (CSP), CySO and MTSA Facility – Part 1]

A little dive into CFR- What is a CFR etc:
[All about the Cyber Security Plan (CSP), CySO and MTSA Facility – Part 2]

Introduction to the New Rulemaking 33 CFR Part 101 — General Maritime Security Provisions
[All about the Cyber Security Plan (CSP), CySO and MTSA Facility – Part 3]

The Cybersecurity Plan from Subpart F of the New Rulemaking 33 CFR Part 101
[All about the Cyber Security Plan (CSP), CySO and MTSA Facility – Part 4]

All about the Cyber Security Plan (CSP), CySO and MTSA Facility – Part 1

Introduction
As there are a lot of terms and definitions and some background information that is required to understand the new rule making, I have divided this article into 4 parts.

This article:
[ Part 1]

A little dive into CFR- What is a CFR etc:
[ Part 2 ]

Introduction to the New Rulemaking 33 CFR Part 101 — General Maritime Security Provisions
[ Part 3 ]

The Cybersecurity Plan from Subpart F of the New Rulemaking 33 CFR Part 101
[ Part 4 ]

Cybersecurity for critical infrastructure has become one of the biggest challenges for the nation. To protect our national security interests, agencies like the U.S. Coast Guard now treat cyber incidents as Transportation Security Incidents (TSI-C) and require them to be reported, highlighting the urgent need for strong cyber risk management in maritime and industrial environments.
If you are an owner/operator of U.S.-flagged vessels, facilities or Outer Continental Shelf (OCS) facilities, these new requirements mandate that you have a security plan under 33 CFR parts 104, 105 and 106. What is 33 CFR, or more specifically, what is a CFR?

CFR

CFR stands for Code of Federal Regulations. It is the official compilation of all the rules and regulations issued by the federal agencies of the United States government.

CFR 33

CFR Title 33 refers to Title 33 of the Code of Federal Regulations, which governs Navigation and Navigable Waters in the United States.

It includes the rules and regulations issued primarily by the U.S. Coast Guard and other federal agencies responsible for protecting U.S. waters, maritime operations, and port security.

Some key areas include:

⚓ Maritime Transportation Security (MTSA) Regulations

Part 101 – General security regulations (definitions, responsibilities, reporting, etc.)

Part 104 – Vessel security regulations

Part 105 – Facility security regulations (includes chemical, port, and energy infrastructure)

Part 106 – Offshore facility security regulations (e.g., OCS platforms)

These parts were updated in 2025 to include minimum cybersecurity requirements.

In the context of the U.S. Coast Guard’s cybersecurity rule going into effect on July 16, 2025, the CFR contains the final rule that legally mandates what U.S.-flagged vessels, Outer Continental Shelf (OCS) facilities, and MTSA-regulated terminals must do to comply. This is pivotal and timely as maritime industry faces increasing cybersecurity threats as it increasingly relies on cyber-connected systems. The purpose of this final rule is to safeguard the marine transportation system (MTS) against current and emerging threats.

This new rule adds minimum cybersecurity requirements to 33 CFR part 101 to help detect, respond to, and recover from cybersecurity risks that may cause transportation security incidents (TSIs).

TSI

A transportation security incident is a security incident resulting in a significant loss of life, environmental damage, transportation system disruption, or economic disruption in a particular area.

So what qualifies as a TSI? This is a great question to ask your security group, because an incident that causes a TSI, or has the potential to cause one, has to be reported to the National Response Center: https://nrc.uscg.mil/

For example, a cyberattack that disables critical systems at a fuel terminal, halting port operations can be considered a TSI.

Could phishing qualify as a Transportation Security Incident (TSI)? Yes, but only if it leads to significant consequences. Phishing on its own (a user clicking a malicious email) is not automatically a TSI. However, if the phishing attack results in:

  • Operational shutdown of a regulated facility or port
  • Unauthorized access to OT systems controlling hazardous materials
  • Disruption of cargo operations leading to economic or transportation impacts
  • Release of hazardous chemicals or safety systems being disabled
  • Critical infrastructure services being affected

then it could escalate to a TSI.

To get more context on this new rule for cyber, we need to look at what MTSA facilities have been doing. For years, Facility Security Officers (FSOs) have been on the front lines maintaining Facility Security Plans (FSPs), running drills, managing access controls, and ensuring MTSA compliance for physical security in these facilities.

Now, with the new USCG cybersecurity rule taking effect July 16, 2025, we are entering a new phase. Just as FSPs protect our perimeter, we now need a Cybersecurity Plan (CSP) to protect our networks, control systems, and digital operations.

And just as the FSO owns the FSP, the new rule requires appointing a Cybersecurity Officer (CySO): someone with both authority and technical insight to manage cyber risks, lead response efforts, and coordinate with the FSO when incidents overlap.

So then the next question is, what is a CySO? A CySO is a person designated by the owner or operator to develop, implement and maintain the cybersecurity portions of the Vessel Security Plan (VSP), Facility Security Plan (FSP) or Outer Continental Shelf (OCS) FSP. He/she acts as a liaison between the Captain of the Port (COTP) and the other security officers, coordinating activities and responses. There can be one CySO or several: an alternate CySO, a primary and secondary CySO, or, if you prefer, a main CySO and an assistant CySO. The most important thing to note is that you may be able to designate multiple individuals to this role, so you have backup and coverage. We will look at the requirements for the CySO role in a later section.

The most important dates for this rulemaking are listed below; they will help you plan your next steps. But first, since you are an existing MTSA regulated facility, you may already have an established FSP.

What is an FSP?
A Facility Security Plan (FSP) is a comprehensive, site-specific document required by the Maritime Transportation Security Act (MTSA) and codified in 33 CFR Part 105. It outlines the security measures a maritime facility must implement to prevent, detect, and respond to security threats. To maintain this FSP you have an FSO. The Facility Security Officer (FSO) is responsible for:

  • Ensuring compliance with 33 CFR Part 105
  • Developing and maintaining the FSP
  • Training facility personnel on their security roles
  • Conducting drills and exercises
  • Serving as the point of contact for the U.S. Coast Guard

The CySO sits technically under the FSO but has more jurisdiction over the cyber aspects.

The final rule went into effect July 16, 2025. Let us look at some of the other deadlines that are coming up.
[source: https://www.news.uscg.mil/maritime-commons/Article/4247529/final-rule-cybersecurity-in-the-marine-transportation-system-implementation-tim/]

  • Immediately upon the effective date of July 16, 2025, all reportable cyber incidents must be reported to the National Response Center. 
  • By January 12, 2026, and annually thereafter, all personnel must complete the training specified in 33 CFR 101.650.
  • By July 16, 2027, owners and operators must designate the Cybersecurity Officer, conduct the Cybersecurity Assessment, and submit the Cybersecurity Plan for approval. 

We will explore the requirements in detail in the part: 33 CFR part 101.

Risk in Security

I typically don't delve into this topic unless I am asked to speak about it at a conference or group discussion. While I admit I do not have all the certifications needed to be called a subject matter expert, I am convinced that to understand the importance of cybersecurity frameworks in OT security you need some basic math and statistics. This post introduces those fundamental concepts.

Where do I begin?

Math Concepts:

It all starts with understanding that there are many thoughts, ideas and methodologies in cybersecurity practice. One thing is for sure: you will need a basic understanding of math. If I were starting from nowhere I would pick up a book on statistics and probability; before that, however, some basic concepts such as uncertainty and risk are important.

There is one vital concept you need to understand very well: uncertainty. In the case of a data breach, we are not certain, or we lack the data or information, to calculate the true outcome of the breach or when it will actually occur. For example:

“There is a 35% chance that company ABC will have a data breach / data leak incident sometime in the next four years”

The objective is to be able to measure something and predict an outcome. In this particular example we have at least put a definite time window on when it might happen:

“There is a 30% chance that company ABC will have a cyberattack in the form of a data breach or data leak in the next three years”

Here is the same example, this time with a definite loss attached to the outcome of the data breach for the organization:

“There is a 20% chance that a data breach or data leak will result in a fine under the GDPR regulation in the amount of $5 million for company ABC”

Risk Terminologies

For cybersecurity and other risk management methodologies, understanding terms such as Vulnerability (V), Threat (T), Impact (I) and Likelihood (L) is essential to be able to measure risk and apply countermeasures. I also want to point out that there are two important approaches to risk management: a qualitative approach (subjective) and a quantitative approach. Which approach is better? There are studies that question whether the popular qualitative risk matrix works at all; read What’s Wrong with Risk Matrices? by Tony Cox (Link to original publication)

However, if you are a beginner in risk analysis, I certainly recommend you start with qualitative analysis for your understanding. Also, choosing between the two is like choosing between a scoop of vanilla ice cream in a cup and a spoonful of vanilla Dippin’ Dots.

In order to understand both qualitative and quantitative approaches of risk analysis, we have some key risk terminologies that one needs to understand.

The case of the Sandwich Thief.

Let us say I have a special sandwich, my asset, which is very valuable; it may contain a secret sauce or ingredient. The value of this asset is $10, which is what it cost me to make it. Now, if I really want to protect it from a sandwich thief, I need to know how valuable it is. Did I not say $10? But that is not its true value. If I were to lose the $10 sandwich it might cost me $30. Why? When the sandwich was made the ingredients were cheaper (maybe I got a discounted price), and I might spend another $20 on refrigeration over its shelf life. Understanding this value is very important because if I put a countermeasure in place, such as a lock on a cabinet or something more secure than that, I want to make sure I am not spending more than the asset is worth. Who makes that decision?

Vulnerability (V):

In cybersecurity, a vulnerability is a flaw, a weakness, a missing defense. This can be accidental or intentionally put in place.

An analogy from the real world: “Padlocks are the easiest to pick, as they have a massive vulnerability in the form of easy access to the locking pin and cylinder mechanism, which can be aligned to pop open the lock.”

Threat (T):

A threat is the potential for a vulnerability to be exploited, resulting in a negative outcome. In cybersecurity, a threat is the potential exploitation of a vulnerability in a network, software or hardware that would allow a threat actor to gain privileged access to the system.

For example, a sandwich thief (threat actor) is a threat to your sandwich stored in a kitchen cabinet with a padlock. How do we compute risk from threat and vulnerability?

Impact:(I)

Before we can define risk, we also need to know what this incident would cost. Impact is the magnitude of harm that can be expected to result from a threat exploiting a vulnerability.

A sandwich stolen from the locked kitchen cabinet will result in a loss of $30 to your net worth.

We are almost ready to calculate risk. For the thief to exploit the vulnerability, which is to pick the padlock, may seem easy enough, but what if I told you the kitchen is located in an armed location with 24/7 surveillance and monitoring? Then what is the likelihood of such an event (incident) even taking place? You could say improbable, or no chance at all, while the impact would be moderate (subjective analysis).

We can express impact subjectively as follows:

Example 1:
Negligible-1, Minor-2, Moderate-3, Significant-4, Severe-5

Example 2:
Low-1, Moderate-2, High-3

Likelihood (L):

This is the probability that a threat will exploit the vulnerability. It is usually not a specific number but a range.

Example 1:
Frequently – 5, Likely-4, Occasionally-3, Very Seldom-2, Not Likely at all-1

Example 2: 
1=very unlikely, 2=low likelihood, 3=likely, 4=highly likely, and 5=near certain.

Risk Matrix / Risk Heat Map:

We can then draw this Risk Matrix, also called a Risk Heat Map.

As you can see, the qualitative analysis process involves judgment, intuition, and experience. For example, if I am a CSSP (Certified Sandwich Security Professional), with my intuition and judgement I can categorize the risk of a sandwich thief stealing the sandwich as LOW, based on my understanding that it is unlikely for the thief to get into the kitchen and steal the sandwich, with a potential loss of $30, which is moderate. So would I invest in any countermeasures? As this risk is low, I would not; I would accept this low risk.
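As an added example (not code from the original post), here is a small Python implementation of the qualitative rating using the two 1-5 scales above (Example 1 of likelihood and of impact). The Low/Medium/High bands over the product L x I and the default risk appetite are assumptions for illustration; every organization sets its own.

```python
"""Qualitative risk rating built from the 1-5 likelihood and impact scales
(Example 1 of each) given in this post.

Added example, not code from the original post. The Low/Medium/High bands
over the product L x I and the default risk appetite are assumptions.
"""

# Likelihood scale, Example 1 from the post.
LIKELIHOOD = {"Not Likely at all": 1, "Very Seldom": 2, "Occasionally": 3,
              "Likely": 4, "Frequently": 5}
# Impact scale, Example 1 from the post.
IMPACT = {"Negligible": 1, "Minor": 2, "Moderate": 3, "Significant": 4,
          "Severe": 5}

# Assumed bands over the score L x I (1..25): upper bound -> label.
BANDS = ((5, "LOW"), (12, "MEDIUM"), (25, "HIGH"))
RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}


def band(score):
    """Map a 1..25 score onto the assumed Low/Medium/High bands."""
    for upper, label in BANDS:
        if score <= upper:
            return label
    raise ValueError(f"score {score} is outside the 1..25 matrix")


def rate(likelihood, impact):
    """Return (score, band) for a likelihood and impact taken from the scales."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    return score, band(score)


def decide(rating, appetite="LOW"):
    """Accept a risk at or below the appetite; anything above needs treatment."""
    return "accept" if RANK[rating] <= RANK[appetite] else "treat"


def heat_map():
    """The 5x5 matrix as text rows, highest impact on top, likelihood across."""
    rows = []
    for impact, i in sorted(IMPACT.items(), key=lambda kv: -kv[1]):
        cells = [band(i * l)[0] for l in range(1, 6)]  # first letter of the band
        rows.append(f"{impact:>12} | " + " ".join(cells))
    rows.append(f"{'':>12} | " + " ".join(str(l) for l in range(1, 6))
                + "  (likelihood)")
    return rows


if __name__ == "__main__":
    print("\n".join(heat_map()))
    # Sandwich in a kitchen with armed 24/7 surveillance: improbable, $30 loss = Moderate.
    score, rating = rate("Not Likely at all", "Moderate")
    print(f"guarded kitchen: score={score} rating={rating} -> {decide(rating)}")
    # Same sandwich, same loss, but the padlocked cabinet is in a shared break room.
    score, rating = rate("Likely", "Moderate")
    print(f"shared kitchen:  score={score} rating={rating} -> {decide(rating)}")
```

Running it prints the heat map and shows the point of the sandwich story: in the guarded kitchen the risk scores 3 (LOW) and is accepted, while the same sandwich with the same $30 loss in a shared break room scores 12 (MEDIUM) and needs treatment. Only the likelihood changed; the asset value and the padlock vulnerability did not.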

End of this lesson, keep an eye out for more. Next- Quantitative Approach.

Contingency Planning – Huh?

Before you start reading about the core concepts of BCP (Business Continuity Planning), DRP (Disaster Recovery Planning) and Contingency Planning, understand that these are very important concepts and are interpreted differently by different organizations, individuals and security professionals. The main reason is that we as humans think differently about countermeasures and have different risk appetites, and so do the organizations those individuals make up, where they hold the key positions to propose, accept and finalize the various business and operational contingency plans.

Before we begin, let us understand some of the core concepts. 

What is a Plan?

The Oxford Dictionary defines a plan as “an intention or decision about what one is going to do”.

So what is Contingency planning?

“A contingency plan is a plan devised for an outcome other than in the usual (expected) plan” – From Wikipedia. 

Before we get into what is included in each of the plans, let us look into some definitions.

According to NIST Special Publication 800-34, IT contingency planning refers to a coordinated strategy involving plans, procedures, and technical measures that enable the recovery of IT systems, operations, and data after a disruption.

Contingency planning generally includes one or more of the following approaches to restore disrupted IT services:
  • Restoring IT operations at an alternate location (example: hot site, warm site and cold site)
  • Recovering IT operations using alternate equipment (example: secondary server, high availability configuration)
  • Performing some or all of the affected business processes using non-IT (manual) means (example: manually collecting a customer’s credit card information over the phone)

Because a contingency plan has a broad scope covering recovery, continuity and response to business needs, business threats and emergencies, an organization may choose to implement it in many different ways. This is when we start talking about BCP, DRP, COOP, IRP, etc. There are more; see Appendix A for the expansion of these acronyms.

For a CISSP, it is important to understand the main differences between various types of plans.

What is a BCP?

Business Continuity Planning (BCP) is the process of putting in place systems and mechanisms for the prevention of, and recovery from, potential threats to a business goal.

A Business Continuity Plan is a formal document consisting of a set of processes, drawings, flow charts, ordered lists, etc. that help a business navigate a business interruption by providing tested and proven methods to recover from, and prevent, threats to the existence of the business. A BCP can have other plans included as part of its scope.

What is a DRP?

A Disaster Recovery Plan (DRP) is a very detailed, hands-on plan compared to a Business Continuity Plan. It is highly reactive. It contains detailed instructions on how to respond to unplanned incidents such as hurricanes, flooding, earthquakes, power outages, cyber attacks and any other event that disrupts business operations. The plan contains strategies for minimizing the effects of a disaster so that an organization can continue to operate, or quickly resume key operations.

CISSP Tip

Contingency plans help you continue to operate or sustain your business goals and can be reactive such as BCP, DRP and BRP. Parts of these plans can be proactive as well. For example, if you have servers configured in the High Availability (HA) mode, then you will limit downtime and improve performance. This is a proactive approach. If you have a backup server or a warm site, then you are making sure you can continue to operate when servers are down, this represents a reactive approach.

Appendix A

  1. BCP : Business Continuity Planning
  2. DRP : Disaster Recovery Planning 
  3. BRP : Business Recovery Planning
  4. COOP : Continuity of Operations Plan
  5. IRP : Incident Response Plan
  6. OEP: Occupant Emergency Plan

This was chapter 1 on Contingency Planning. If you have any comments or questions, leave them below or message me!

Over and Out! Stay safe, think before you click (anywhere).

DK

If you would like to subscribe to this blog. Simply follow me on LinkedIn or Twitter and you will see any new alerts and posts directly on these two platforms.

Quick Reference for DR and BC Metrics – RPO, RTO & WRT Concepts


How can I not have an article on Disaster Recovery and Business Continuity Planning? A must have understanding for anyone in Security.

If you are a security professional with years of experience, you are very familiar with these fundamental metrics. They are used in developing a Business Impact Analysis (BIA) report, which identifies your business processes and the resources required to recover them in the event of a disaster, and which becomes part of your Business Continuity Plan (BCP).

The metrics I am referring to are RPO, RTO and WRT, plus Maximum Tolerable Downtime (MTD). I hope someone who is just getting into security and trying to grasp these concepts will find this explanation useful.

Example:

Let us assume a business which is operating normally, represented by the following chart. Note that the X axis represents time; the concepts we are going to learn are functions of time. Time scale = 1 hr.

Figure 1: Normal Operation

Figure 2: Disaster Strikes

Figure 3: Recovery Efforts Begin

Figure 4: Normal Operation Resumes

A disaster hits a business under normal operation at 3 am, the systems are recovered and work recovery begins at 6 am, and normal operation resumes at 8 am. Then we can define the terms as follows:

  • Recovery Point Objective (RPO): the maximum acceptable amount of data loss, measured as the time between the last recoverable copy of the data and the disaster.
  • Recovery Time Objective (RTO): the maximum time allowed to recover the systems after the disaster.
  • Work Recovery Time (WRT): the maximum time needed, once the systems are back, to verify data integrity and restore the work so that operations can resume.

Maximum Tolerable Downtime (MTD) is the total amount of time a business process can be disrupted without causing significant harm to the organization’s mission.

For this particular example, Figure 4 shows an RTO of 3 hrs and a WRT of 2 hrs. The MTD is calculated as follows:
MTD = RTO + WRT
MTD = 3 hrs + 2 hrs
MTD = 5 hrs

This is a very simple example for understanding how Maximum Tolerable Downtime is calculated. For a deeper understanding I recommend the books and materials written on DR and BC. Note that there is a very thin line, and it can get blurred, between resuming normal business operation and returning to the primary site for operation, since the two may not happen at the same time. For practical purposes, getting back to normal operation is more critical and important than returning to the primary site.
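As an added example that is not part of the original post, here is a Python helper that derives RTO, WRT and the total downtime (RTO + WRT, the MTD formula used above) from an incident timeline, adds RPO from the last good backup, and checks each value against the objectives set in the BIA. The timeline is constructed to match the worked example (disaster 3 am, systems recovered 6 am, normal operation 8 am); the 2 am backup time, the objective values and the names Timeline and Objectives are assumptions for illustration.

```python
"""Derive RTO, WRT, MTD (and RPO) from an incident timeline and check them
against the objectives set in the BIA.

Added example, not code from the original post. The timeline constant below is
constructed to match the post's worked example; the backup time and the
objective values are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Timeline:
    last_good_backup: datetime    # last restorable copy of the data
    disaster: datetime            # service goes down
    systems_restored: datetime    # infrastructure is back; work recovery begins
    operations_resumed: datetime  # data verified, business process running again


@dataclass(frozen=True)
class Objectives:
    rpo: timedelta  # max acceptable data loss, as a span of time
    rto: timedelta  # max time allowed to get the systems back
    mtd: timedelta  # max tolerable downtime for the business process


def metrics(t):
    """Values actually achieved in this incident, keyed by metric name."""
    ordered = (t.last_good_backup <= t.disaster <= t.systems_restored
               <= t.operations_resumed)
    if not ordered:
        raise ValueError("timeline events are out of order")
    rto = t.systems_restored - t.disaster
    wrt = t.operations_resumed - t.systems_restored
    return {
        "RPO": t.disaster - t.last_good_backup,  # data written after the backup is lost
        "RTO": rto,
        "WRT": wrt,
        "MTD": rto + wrt,                        # total time the process was down
    }


def breaches(t, o):
    """Names of the objectives this incident failed to meet (empty = all met)."""
    actual = metrics(t)
    limits = {"RPO": o.rpo, "RTO": o.rto, "MTD": o.mtd}
    return [name for name, limit in limits.items() if actual[name] > limit]


def hours(td):
    """Express a timedelta in hours, matching the post's 1 hr time scale."""
    return td.total_seconds() / 3600


# Constructed timeline matching the post's example (assumed 2 am backup).
EXAMPLE = Timeline(
    last_good_backup=datetime(2025, 1, 1, 2, 0),
    disaster=datetime(2025, 1, 1, 3, 0),
    systems_restored=datetime(2025, 1, 1, 6, 0),
    operations_resumed=datetime(2025, 1, 1, 8, 0),
)
# Assumed BIA objectives for the affected business process.
TARGETS = Objectives(rpo=timedelta(hours=1), rto=timedelta(hours=2),
                     mtd=timedelta(hours=6))

if __name__ == "__main__":
    for name, value in metrics(EXAMPLE).items():
        print(f"{name}: {hours(value):.1f} hrs")
    print("objectives breached:", breaches(EXAMPLE, TARGETS) or "none")
```

With the assumed objectives the incident lands inside the 6 hr MTD (5 hrs of downtime) and the 1 hr RPO, but the 3 hr system recovery misses the 2 hr RTO, so the report flags RTO alone. That is the kind of gap a post-incident review feeds back into the BIA: either the recovery procedure gets faster or the objective is re-negotiated with the business.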

If you would like to get more understanding of these topics please see the following references:

A technical article on RTO Vs RPO by msp360.com

A blog post from Default Reasoning by Marek Zdrojewski

What is Operational Technology (OT)?

I have been asked several times, at several occasions about this mysterious term called OT. While it stands for Operational Technology, what is Operational Technology?

A few years ago I stood in front of a large audience from diverse backgrounds such as process control, maintenance, IT and management, delivering a motivating speech on cybersecurity for manufacturing. I had never used the word OT in the context of industrial control systems; the word existed, but it was not used as commonly as it is today.

While different individuals use it differently to describe their trade, especially in industrial cybersecurity practice, the word itself has become something of an open secret: we think we know what it means, but do we really? To tackle this problem, I asked a number of people in my closest professional circle and tried to define it myself. While the definition of OT might change, as far as I am concerned what I am about to tell you will still be relevant, because instead of listing all the different systems that Operational Technology represents, I will simply define what it represents.

So here you go:

Operational technology (OT) is a set of hardware, software, and communication systems that are used to monitor, control, and automate industrial processes. OT systems are typically used in critical infrastructure industries such as manufacturing, energy, and transportation.

These can include IACS and control system components, information technology components that are part of the control systems, etc., but the scope is defined by the organization so that it can apply the necessary security measures and controls appropriately.

Let's look at a diagram. Yes, that is MS Paint, and I did create it 5 years ago. As you can see, OT (Operational Technology) is an umbrella term defined by the organization to include systems such as Industrial Automation and Control Systems (IACS), fire systems, access control systems, lighting controls, etc.

What is the relevance of defining Operational Technology?

The importance of defining OT for your organization is simply to be able to develop / design and implement appropriate security controls and measures to protect your business operations. Properly identifying what falls inside the OT environment and what falls outside, what is included and what is excluded, will provide you with the right information to develop your OT Cybersecurity Strategy.

Do you have any comments or suggestions to improve this definition? Send me a message.