
On Friday, Jan. 17, the U.S. Coast Guard issued its final rule for Cybersecurity in the Maritime Transportation System.
The Coast Guard is updating its maritime security regulations by establishing minimum cybersecurity requirements for U.S.-flagged vessels, Outer Continental Shelf (OCS) facilities and facilities subject to the Maritime Transportation Security Act of 2002 regulations.
The 370-page final rule addresses current and emerging cybersecurity threats in the marine transportation system by adding minimum cybersecurity requirements to help detect risks and respond to and recover from cybersecurity incidents.
It applies only to U.S.-flagged vessels that must comply with 33 CFR Part 104, for example, cargo ships greater than 100 gross tons.
These include requirements to develop and maintain a cybersecurity plan, designate a cybersecurity officer and take various measures to maintain cybersecurity within the marine transportation system.
The Coast Guard is also seeking comments on a potential delay for the implementation periods for U.S.-flagged vessels.
This final rule is effective July 16. From that date, it will become mandatory for covered organizations to submit a report to the National Response Center at (800) 424-8802 should a reportable cyber incident be identified.
Background and Need for the Rule
The maritime industry faces more cybersecurity threats as it increasingly relies on cyber-connected systems.
The final rule’s purpose is to safeguard the marine transportation system against current and emerging threats associated with cybersecurity by adding minimum cybersecurity requirements to help detect, respond to and recover from cybersecurity risks that may cause security incidents.
This final rule addresses risks from the increased interconnectivity and digitalization of the maritime transportation system that results in new vulnerabilities.
This rule is based on the Maritime Transportation Security Act of 2002. In the 2018 amendments, Congress specifically required covered entities to include provisions for addressing cybersecurity risks that may cause security breaches.
The rule emphasizes that cybersecurity is not just an industry concern but also a national security issue. Cyberattacks on the maritime environment can result in severe consequences including collisions, groundings, environmental disasters (e.g., chemical/oil spills) and economic losses to both the shipping entity and the nation.
Of note, while previous Coast Guard cybersecurity guidance—Navigation and Vessel Inspection Circular No. 01-20—addressed cybersecurity for facilities, it was non-binding and did not extend to vessels. This new rule establishes mandatory minimum cybersecurity requirements to close these gaps.
Key Provision—Cybersecurity Plan
First, the final rule requires owners or operators of U.S.-flagged vessels, facilities or Outer Continental Shelf (OCS) facilities to have a Cybersecurity Plan and a Cyber Incident Response Plan.
The plan must include seven account security measures for covered entities, including the following:
- Enabling of automatic account lockout after repeated failed log-in attempts on all password-protected information technology (IT) systems.
- Changing default passwords (or implementing other compensating security controls if unfeasible) before using any IT or operational technology (OT) systems.
- Maintaining a minimum password strength on all IT and OT systems technically capable of password protection.
- Implementing multifactor authentication on password protected IT and remotely accessible OT.
- Applying the principle of least privilege to administrator or otherwise privileged accounts on both IT and OT systems.
- Maintaining separate user credentials on critical IT and OT systems.
- Removing or revoking user credentials when a user leaves the organization.
The Cybersecurity Plan also must include four security measure requirements:
- Develop and maintain a list of any hardware, firmware and software approved by the owner or operator that may be installed on IT or OT systems.
- Ensure that applications running executable code are disabled by default on critical IT and OT systems.
- Maintain an accurate inventory of network-connected systems, including critical IT and OT systems.
- Develop and document the network map and OT device configuration information.
In addition, the Cybersecurity Plan must include two data security measure requirements: ensuring that logs are securely captured, stored and protected and are accessible only to privileged users, and deploying effective encryption to maintain the confidentiality of sensitive data and the integrity of IT and OT traffic when technically feasible.
Owners and operators must submit the cybersecurity plan to the Coast Guard for approval within 24 months of the effective date of the Final Rule.
Key Provision—Cybersecurity Officer Designation
Owners or operators must also designate a cybersecurity officer (CySO), who must ensure that U.S.-flagged vessel, facility or other covered facility personnel implement the Cybersecurity Plan and the Cyber Incident Response Plan.
The CySO also must ensure that the Cybersecurity Plan is up to date and undergoes an annual audit, arrange for cybersecurity inspections, ensure that personnel have adequate cybersecurity training, record and report cybersecurity incidents to the owner or operator and take steps to mitigate them.
The CySO can serve multiple vessels or facilities. Also, the position does not require a Merchant Marine Credential unless other duties require it.
Key Provision—Cybersecurity Assessment
The cybersecurity assessment is an appraisal of the risks facing a covered entity, asset, system or network. The assessment must be completed within 24 months of the effective date of the Final Rule and annually thereafter; it must be completed sooner than annually, however, if there is a change in ownership.
Each covered owner or operator must ensure that the cybersecurity portion of their plan and penetration test results are available to the Coast Guard upon request.
In this final rule, the Coast Guard considers penetration testing, cybersecurity assessments, and audits to be distinct actions. They are not interchangeable and each serves specific functions as part of the comprehensive cybersecurity requirements of this final rule.
Additionally, penetration testing must be completed in conjunction with renewing the Cybersecurity Plan, and the CySO must submit a letter verifying that the test was conducted, along with all vulnerabilities identified by the penetration testing.
Key Provision—Cyber Incident Response Plan
Owners or operators of U.S.-flagged vessels, facilities or OCS facilities must prepare and document a Cyber Incident Response Plan that outlines instructions on how to respond to a cyber incident and identifies key roles, responsibilities and decision-makers amongst personnel.
Implementation Requirements
Following the effective date of the final rule, personnel must complete certain training requirements and owners or operators must sequentially complete a cybersecurity assessment and submit the cybersecurity plan to the Coast Guard for review and approval within 24 months.
These implementation periods allow time for the owners and operators of applicable U.S.-flagged vessels, facilities and OCS facilities to comply with the requirements of this final rule.
All personnel must complete the training specified in the Final Rule within 60 days of receiving approval of the cybersecurity plan.
Owners and operators must conduct cybersecurity drills at least twice each calendar year. Owners and operators must also conduct cybersecurity exercises at least once each calendar year with no more than 18 months between the exercises.
The Coast Guard is offering the public the chance to comment by March 18 on whether it should delay the implementation periods for U.S.-flagged vessels for a period of 2 to 5 years beyond what is specified in the Final Rule.
After reviewing any comments and supporting information received, the Coast Guard may issue a future rulemaking to implement this additional delay to provide time for U.S.-flagged vessels to comply with these requirements.
Further Reading
Federal Register / Vol. 90, No. 11 / Friday, January 17, 2025 / Rules and Regulations, Pages 6298-6453
US Coast Guard Fact Sheet https://bit.ly/42zRTkK
US Coast Guard—“Final Rule: Cybersecurity in the Marine Transportation System” https://bit.ly/42EaY58
US Coast Guard Maritime Industry Cybersecurity Resource Center https://www.uscg.mil/MaritimeCyber/
Ernie Hayden’s background includes management and technical roles focused on cyber and physical security since the 9/11 attacks. He was previously a U.S. Navy Nuclear and Surface Warfare Officer and has published a book, Critical Infrastructure Risk Assessment—The Definitive Threat Identification and Threat Reduction Handbook, that was named the 2021 ASIS Security Book of the Year. Please send your questions or suggested article ideas to enhayden1321@gmail.com.