In late February, the United States Coast Guard (USCG) issued a Notice of Proposed Rulemaking (NPRM) regarding cybersecurity for U.S.-flagged vessels. More formally, the proposed federal rule changes would “specifically focus on establishing minimum cybersecurity requirements for U.S.-flagged vessels, facilities outside the continental shelf, and U.S. facilities subject to regulation.” It is described as a measure to “update maritime security regulations by adding additional regulations” under the Maritime Transport Security Act 2002.
After an NPRM is published, comments are solicited from affected parties. The comment period has now closed, and responses will be considered before the final language of the new regulations is enacted.
The proposed new regulatory language is lengthy and is based on the following USCG observation: “The shipping industry is undergoing a major transformation with the increased use of cyber-connected systems. While these systems improve the operation of commercial vessels and port facilities, they also require significant improvements in design, operations, safety, security, training and workforce. It also brings a new set of challenges that will impact the industry.”
Referring to the spring 2021 cyber hack of the Colonial Pipeline, which connects the U.S. Gulf Coast to the Northeast and which led to a temporary exemption to the Jones Act to allow coastwise movement of petroleum products, the USCG opined in the NPRM: “Every day, malicious actors – including, but not limited to, threatening individuals, groups, and hostile nation states – attempt to gain unauthorized access to control system devices and networks using a variety of communications channels.”
Dozens of comments were received from industry. On a very practical level, smaller businesses, such as those operating in the tugboat and barge trades on coastal and inland rivers, do not have large information technology (IT) departments and often hire outside consultants to assist with cyber-related issues. In their NPRM responses, many tugboat operators, including Florida Maritime Transportation, Western Towboat Company, Dann Marine Towing, Golding Barge Lines, and Andrie (members of American Waterways Operators, or AWO, which may have recommended language to encourage members to respond individually), expressed concerns such as:
- Creating risk-based plans that can be adapted to fit a company's actual business profile
- Adding cybersecurity to alternative security plans submitted by members of AWO (and other groups)
- Streamlining incident reporting through the National Response Center and setting thresholds for reportable incidents
- Rethinking the role of cybersecurity personnel (it is not practical to deploy them on every ship)
- Reducing the frequency of suggested cybersecurity training
Maersk Line, which has a large presence in the US-flagged non-Jones Act (foreign) trade, provided a deft commentary that touches on similar points but discusses them in great detail: “We believe this is an important step towards strengthening the cybersecurity posture of this critical infrastructure sector. However, to maximize its impact and feasibility, we need clarity, efficiency and We recommend further strengthening in the areas of consistency and alignment with existing programs.”
They believe the USCG's goals can be achieved by providing “clear, standardized, risk-based, practical measures that leverage existing industry best practices and avoid creating an undue burden.”
Liberty Global Logistics (LGL), which also operates U.S.-flagged ships in international territory, suggested in a separate company-prepared response that “the proposed regulations would be highly burdensome, financially burdensome and impractical from a timeline and ultimate implementation perspective.”
Regarding ransomware attacks (a primary motive for cyber attacks), LGL states: “How to respond to a ransomware attack is a subjective decision for companies, and if a company chooses to pay the ransom, it should not be required to report that information, as the very act of mandatory reporting could ultimately discourage certain companies from paying ransoms and increase the overall number of cyber incidents and ransomware attacks.”
Resources:
The NPRM can be downloaded here: https://www.regulations.gov/document/USCG-2022-0802-0001
The industry comments mentioned in the article (and other responses) can be found at https://www.regulations.gov/document/USCG-2022-0802-0001/comment.
Copyright © 2024. All rights reserved. Seatrade, a trading name of Informa Markets (UK) Limited.