Washington DC: Industry Feedback on New Cybersecurity Regulations. The proposed regulations for U.S.-flagged vessels have been criticised for their level of burden, the practicality of implementation, and their lack of consistency with existing measures.
In late February, the United States Coast Guard (USCG) issued a notice of proposed rulemaking (NPRM) on cybersecurity for U.S.-flagged vessels. More formally, the NPRM is described as a measure to “update maritime security regulations by adding rules specifically establishing minimum cybersecurity requirements for U.S.-flagged vessels, Outer Continental Shelf facilities, and U.S. facilities subject to regulation under the Maritime Transportation Security Act of 2002.”
With the NPRM published, comments were solicited from affected parties. The comment period has now closed, and the responses will be considered before the final language of the new regulations is implemented.
The proposed new regulatory language is lengthy and is based on the following observation from the USCG: “The maritime industry is undergoing a period of significant transformation involving the increased use of cyber-connected systems. While these systems improve the operation of commercial vessels and port facilities, they also bring with them a new set of challenges that impact design, operations, safety, security, training, and the workforce.”
Citing the spring 2021 cyber attack on the Colonial Pipeline (a pipeline connecting the U.S. Gulf Coast to the Northeast), which prompted a temporary Jones Act waiver permitting the coastal movement of petroleum products, the USCG stated in the NPRM: “Every day, malicious actors (including, but not limited to, threatening individuals, groups, and hostile nation states) attempt to gain unauthorized access to control system devices or networks using a variety of communications channels.”
Numerous comments were received from the industry. On a very practical level, smaller companies, such as those in the coastal and inland river tug and barge trades, do not have large information technology (IT) departments and often hire outside consultants to assist with cyber-related issues. In their responses to the NPRM, numerous tug operators, including Florida Maritime Transportation, Western Towboat Company, Dann Marine Towing, Golding Barge Lines, and Andrie (a member of The American Waterways Operators (AWO), which may have suggested language for its members to submit in individual responses), expressed the following concerns:
- Developing risk-based plans that are adaptable to each company's actual business profile
- Adding cybersecurity to the alternative security plans submitted by members of AWO (and other groups)
- Streamlining incident reporting through the National Response Center and setting thresholds for reportable incidents
- Rethinking the role of dedicated cybersecurity personnel (it is not feasible to have one on every vessel)
- Reducing the frequency of cybersecurity drills
Maersk Line, which has a large presence in the non-Jones Act trade of U.S.-flagged vessels, provided a well-crafted commentary that touched on similar points but went into greater detail, stating: “We believe this is an important step toward strengthening the cybersecurity posture of this critical infrastructure sector. However, to maximize its impact and feasibility, we would recommend further enhancements in the areas of clarity, efficiency, and alignment with existing programs.”
Maersk believed that the USCG’s objectives could be achieved by providing “clear, standardized, risk-based, actionable measures that leverage existing industry best practices and avoid undue burdens.”
Liberty Global Logistics (LGL), which also operates U.S.-flagged ships internationally, suggested in a separate self-prepared response that “the proposed regulations are highly burdensome, financially burdensome and impractical in terms of timeline and ultimate implementation.”
Regarding ransomware attacks (a primary motive behind many cyber attacks), LGL states: “How to respond to a ransomware attack is a subjective decision for companies, and if a company chooses to pay the ransom, it should not be required to report that information, as the very act of mandatory reporting could ultimately discourage certain companies from paying ransoms and increase the overall number of cyber incidents and ransomware attacks.”