Ports are the entry and egress for seaborne commerce, and defense is a critical part of U.S. supply chain infrastructure. Thus, cyber threats to maritime facilities and assets are a national security concern.
In an attempt to reduce cybersecurity threats, the United States Coast Guard has issued in February a Notice of Proposed Rulemaking to fight potential cyber risks in the shipping industry and prepare mariners with the knowledge to combat them.
Specifically, the Coast Guard proposes to update its maritime security regulations by adding regulations specifically focused on establishing minimum cybersecurity requirements for U.S.-flagged vessels, Outer Continental Shelf facilities, and U.S. facilities subject to the Maritime Transportation Security Act of 2002 regulations.
This proposed rule would help to address current and emerging cybersecurity threats in the marine transportation system.
Before the final rulemaking the Coast Guard will consider all comments and material received from the public participation as essential.
This proposed rule seeks public comments on whether the USCG should use and define the term “reportable cyber incident” to limit cyber incidents that trigger reporting requirements, on whether to use alternative methods of reporting such incidents, and amend the definition of hazardous condition.
The comment period has now expired, as April 22 was the deadline for submissions, and responses will then be considered before final rules are adopted.
The proposed rulemaking on the cybersecurity in the marine transportation system is lengthy, and is based on US Coast Guard’s observation that: “The maritime industry is undergoing a significant transformation that involves increased use of cyber-connected systems. While these systems improve commercial vessel and port facility operations, they also bring a new set of challenges affecting design, operations, safety, security, training, and the workforce.”
Dozens of responses have come in from the maritime industry. The USCG received feedback from the U.S. Waterways Transportation LLC., Maersk Line, RINA Italian Register of Shipping, tug operators, barge firms, and many others expressing their concerns and recommendations.
In the various responses received, there was also a comment mentioning that the proposed regulations are ‘financially burdensome,’ and ‘impractical in terms of timelines and ultimate implementation.’
However, many companies considered this step as significant toward strengthening security within the marine transportation system.
Maersk Line, Limited offered a commentary on the U.S. Coast Guard’s proposed cybersecurity rule, mentioning that: “We consider this a significant step toward enhancing the cybersecurity posture of this critical infrastructure sector. However, to maximize its impact and feasibility, we recommend further enhancements in the areas of clarity, efficiency, and alignment with existing programs,” the container giant said.
“We believe this can be achieved through clear, standardized, risk-based, and practical measures that leverage existing industry best practices and avoid creating undue burdens.”
In another response, RINA Italian Register of Shipping referred to the pressing need for a unified cyber security framework on board of existing vessels. “We would ask to open a “discussion table” on two primary areas of focus, particularly emphasizing future onboard tests and verifications during Port State Control inspections. RINA, as an IACS society, is actively collaborating with clients to identify critical controls and develop applicable checkpoint lists for tests and verifications to be implemented onboard existing units.”