Vessel operators could face new federal regulations aimed at preventing cyber security attacks against the maritime industry.
On the horizon are regulations that would create minimum cybersecurity requirements for U.S.-flagged vessels and maritime facilities that are now regulated under the Maritime Transportation Security Act.
In a recently published Notice of Proposed Rulemaking, the Coast Guard states that vessel and facility operators would be required to conduct a cybersecurity assessment and develop and implement a Coast Guard-approved cybersecurity plan that could be incorporated into an existing vessel’s security plan.
The new security plan would touch on a broad area of operations, including personnel training, drills and exercises, device and data security, reporting, and risk and supply chain management, among other areas that are vulnerable to infiltration from malicious cyberattacks.
Offshore drilling units, cargo vessels, and most passenger vessels, barges, towing vessels and tankships would fall under the proposed rule. Each owner or operator would be required to assign a qualified individual to develop and implement the cybersecurity plan.
“This proposed rule would help to address current and emerging cybersecurity threats in the marine transportation system,” according to the proposed rule, which was published in the Federal Register on Feb. 22.
The Coast Guard said changes necessary to protect the maritime industry as it “undergoes a significant transformation that involves increased use of cyber-connected systems. While these systems improve commercial vessel and port facility operations, they also bring a new set of challenges affecting design, operations, safety, security, training and the workforce.”
Increased reliance on information technology systems, the agency said, also makes the maritime domain vulnerable to potential cyberattacks that could disable U.S. facilities and U.S.-flagged vessels.
“Autonomous vessel technology, automated operational technology systems and remotely operated machines provide further opportunities for cyber attackers,” the proposed rule said. “These systems and equipment are prime targets for cyberattacks stemming from insider threats, criminal organizations, nation-state actors and others.”
In addition, as the industry goes increasingly digital in its operations, cyberattacks could alter a vessel’s navigational system, causing accidents or groundings, disrupt communications with ports, and interrupt national and global maritime commerce and transportation.
The Coast Guard said the maritime industry would be better equipped to detect, respond to and recover from cybersecurity breaches by adopting new cyber risk management measures proposed under the rule. “Updating regulations to include minimum cybersecurity requirements would strengthen the security posture and increase resilience against cybersecurity threats,” the agency stated.
The Coast Guard said vessel owners and operators would have flexibility to determine the best way to implement and comply with new requirements over 12-18 months following the effective date of a final rule.
The Coast Guard is seeking comments from the maritime industry on this proposal until April 22.
Meanwhile, another notice from the Coast Guard clarifies existing reporting requirements for security breaches and suspicious activity to include cyber incidents.
It also stated that owners or operators of a vessel or facility that maintains an approved security plan must immediately report evidence of an actual or threatened cyber incident “involving or endangering any vessel, harbor, port or waterfront facility” to the FBI, the Cybersecurity and Infrastructure Security Agency, and the local Coast Guard Captain of Port.
When in doubt as to whether an incident or situation meets any of the requirements of a security breach, maritime stakeholders are encouraged to contact the Coast Guard’s National Response Center without delay at 1-800-424-8802.
