U.S. Issues Landmark Cybersecurity Rule for Marine Transportation

The US Coast Guard has published its final rule on January 17 to update cybersecurity requirements for U.S.-flagged vessels, outer continental shelf facilities, and facilities subject to Maritime Transportation Security Act of 2002.

This final rule addresses current and emerging cybersecurity threats in the marine transportation system by adding minimum cybersecurity requirements to help detect risks and respond to and recover from cybersecurity incidents. 

These requirements include developing and maintaining a Cybersecurity Plan, designating a Cybersecurity Officer, and taking various measures to ensure cybersecurity is maintained.

This final rule, which is effective on July 16, 2025, requires that owners or operators of U.S.-flagged vessels, facilities, or outer continental shelf facilities required to have a security plan to develop and maintain a Cybersecurity Plan and Cyber Incident Response Plan.

The US Coast Guard noted that owners or operators must designate a Cybersecurity Officer (CySO) who must ensure that U.S.-flagged vessel, facility, or OCS facility personnel implement the Cybersecurity Plan and the Cyber Incident Response Plan.

The CySO must also ensure that the Cybersecurity Plan is up to date and undergoes an annual audit.

The CySO must arrange for cybersecurity inspections, ensure that personnel have adequate cybersecurity training, record and report cybersecurity incidents to the owner or operator, and take steps to mitigate them.

As it is reported, every day malicious actors attempt unauthorized access to control system devices or networks using various communication channels.

The US Coast Guard referred to a cyber-attack which occurred in 2017 against a major global shipping company. Computer hackers, based on public reports, exploited the company’s computer systems because of vulnerabilities in Microsoft’s Windows operating system. The malware was disguised as ransomware, which created more damage to the company’s computer systems.

In 2016, one year before the attack, IT professionals at the shipping company highlighted imperfect patching policies, outdated operating systems, and a lack of network segmentation as the largest holes in the company’s cybersecurity.

“While there were plans to implement measures to address these concerns, they were not undertaken, leaving the company exposed and underprepared for the attack it faced in 2017,” the US Coast Guard says.

The Coast Guard emphasizes that this final rule might have quantifiable benefits from reducing or preventing lost productivity from a cyber incident and possibly lost revenues from the time that critical IT and OT systems are inoperable as a result of a cyber incident, if one occurs.

The Coast Guard is seeking comments on a potential delay for the implementation periods for U.S.-flagged vessels. Comments on a potential 2-to-5-year delay for the implementation periods for U.S.-flagged vessels must be submitted by March 18, 2025.