Strengthening Maritime Cybersecurity
The maritime industry, which is responsible for moving the majority of the world's goods, is increasingly reliant on digital systems for operations, safety, and efficiency. However, with this reliance comes vulnerability to cyber threats. To address these risks, the U.S. Coast Guard (USCG) has introduced a Notice of Proposed Rulemaking (NPRM) under the framework of the Maritime Transportation Security Act of 2002 (MTSA). This NPRM aims to enhance cybersecurity within the Marine Transportation System (MTS) by establishing minimum cybersecurity requirements for U.S.-flagged vessels, U.S. facilities, and Outer Continental Shelf (OCS) facilities.
The Foundation: Maritime Transportation Security Act (MTSA)
Enacted in 2002, the MTSA provided a legal framework for addressing security threats within the MTS. It empowered the Secretary of Homeland Security, through the Coast Guard, to develop and enforce standards for Facility Security Plans (FSPs), OCS Facility Security Plans (OCS FSPs), and Vessel Security Plans (VSPs). These plans have long been required to address physical security threats, but as cyber threats have become more prevalent, the MTSA has evolved to incorporate cybersecurity risks.
Cybersecurity in the Maritime Domain
The maritime industry has seen significant digital transformation, with IT and operational technology (OT) systems playing critical roles in daily operations. This transformation, while beneficial, has opened the door to cyber vulnerabilities. Recognizing this, Congress amended the MTSA in 2018 to specifically require VSPs and FSPs to include measures for detecting, responding to, and recovering from cybersecurity risks that could lead to Transportation Security Incidents (TSIs).
The Coast Guard’s NPRM builds on these amendments by proposing detailed cybersecurity requirements. The regulations would apply to a range of U.S.-flagged vessels and facilities, focusing on protecting critical IT and OT systems from cyber threats. These measures are essential to prevent disruptions that could affect not only the maritime industry but also national and economic security.
Presidential Policies and Strategic Initiatives
The proposed rule aligns with various presidential policies aimed at strengthening cybersecurity across critical infrastructure. Executive Orders such as EO 13636 (Improving Critical Infrastructure Cybersecurity) and EO 14028 (Improving the Nation’s Cybersecurity) have emphasized the importance of public-private partnerships in addressing cyber threats. The Coast Guard’s efforts are also supported by the Cybersecurity and Infrastructure Security Agency’s (CISA) Cybersecurity Performance Goals (CPGs), which provide a baseline for cybersecurity practices in critical infrastructure sectors.
In 2021, the Coast Guard published its Cyber Strategic Outlook, which highlighted the need to protect the MTS from cyber threats. The NPRM reflects this strategic outlook by proposing a risk-based regulatory approach that incorporates industry-recognized cybersecurity standards.
Key Components of the Proposed Rule
The NPRM introduces several key components that will strengthen cybersecurity within the MTS:
Cybersecurity Plans: U.S.-flagged vessels and facilities would be required to develop and implement Cybersecurity Plans. These plans must address identifying, protecting against, detecting, responding to, and recovering from cyber incidents.
Cybersecurity Officer (CySO): Each vessel and facility must designate a CySO responsible for overseeing cybersecurity measures. The CySO would ensure compliance with the Cybersecurity Plan and act as a liaison with the Coast Guard.
Cybersecurity Assessments: Regular cybersecurity assessments would be mandatory to identify and mitigate vulnerabilities. These assessments must be conducted annually or sooner in certain circumstances, such as changes in ownership.
Training and Drills: Personnel must receive cybersecurity training tailored to their roles and responsibilities. Additionally, regular drills and exercises would be required to test the effectiveness of cybersecurity measures.
Incident Reporting: The NPRM proposes clear guidelines for reporting cyber incidents to the Coast Guard and CISA. This reporting is critical for coordinated responses to cyber threats.
Supply Chain Security: The rule would require measures to manage cybersecurity risks in the supply chain, ensuring that third-party vendors do not become vectors for cyberattacks.
The Importance of Compliance
Cyberattacks on the maritime industry can have far-reaching consequences, from disrupting global trade to endangering lives. The NPRM emphasizes the need for a proactive approach to cybersecurity, with compliance serving as a crucial element in safeguarding the MTS.
The Coast Guard’s proposed rule is a significant step towards enhancing the resilience of the maritime industry against cyber threats. By establishing clear cybersecurity requirements, the NPRM aims to protect the MTS and ensure that it remains a vital part of the nation’s critical infrastructure.
As the maritime industry continues to evolve, staying ahead of cyber threats will require ongoing collaboration between the Coast Guard and maritime stakeholders. The NPRM provides a framework for this collaboration, ensuring that the industry is prepared to face the challenges of the digital age.
For maritime professionals, staying informed about these proposed changes and participating in the public comment process will be essential. The Coast Guard’s NPRM represents a critical opportunity to shape the future of maritime cybersecurity and protect the vital systems that keep the world’s goods moving.
Secure Your Maritime Operations with Applied Security Convergence
As cyber threats in the maritime industry continue to evolve, the need for robust cybersecurity measures has never been more critical. The recent Notice of Proposed Rulemaking from the U.S. Coast Guard emphasizes the importance of comprehensive cybersecurity plans for U.S.-flagged vessels, facilities, and Outer Continental Shelf (OCS) facilities. Compliance with these regulations is not just a legal requirement—it’s essential to safeguarding your operations and protecting your assets.
At Applied Security Convergence, we specialize in helping maritime, oil & gas, and defense industries navigate the complex world of cybersecurity compliance. Our team of experts offers tailored assessments and consulting services designed to ensure your organization meets the latest cybersecurity standards and regulations.
Contact Applied Security Convergence today for a consultation and ensure your maritime operations are secure, compliant, and ready for the future.