New Cyber Security Rules For Maritime Shipping

 In late February 2024, the US Coast Guard (USCG) issued a Notice of Proposed Rulemaking (NPRM) regarding cyber security for US flagged vessels. When NPRM’s are issued, comments from affected parties are solicited; the comment period has now expired, and responses will then be considered before the final wording of the new regulations is put in place.  

Industry feedback on the propsed new cyber-security regulations for US flagged vessels is critical of the level of burden, the practicality of implementation, and lack of alignment to existing measures

The proposed changes to Federal Regulations are described as an action to: “update maritime security regulations by adding regulations specifically focused on establishing minimum cyber security requirements for US-flagged vessels, facilities on the Outer Continental Shelf, and US facilities subject to regulations under the Maritime Transportation Security Act of 2002.”  The proposed wording of the new regulatory language is lengthy, building on the USCG observation that:  “The maritime industry is undergoing a significant transformation that involves increased use of cyber-connected systems.... 

“While these systems improve commercial vessel and port facility operations, they also bring a new set of challenges affecting design, operations, safety, security, training, and the workforce.”  
  
Referring to a Spring 2021 hack of the Colonial Pipeline connecting the US Gulf region to the Northeast, which led to temporary waivers of the Jones Act to allow coastwise moves of petroleum products), the USCG opines in its NPRM, that:  

“Every day, malicious actors (including, but not limited to, individuals, groups, and adversary nations posing a threat) attempt unauthorised access to control system devices or networks using various communication channels.” 

Dozens of comments have come in from industry. At a very practical level, smaller companies, such as those in the coastwise or inland river tug and barge trades do not have large Information Technology (IT) departments, and often hire external consultants to assist in cyber-related matters.  In the NPRM responses, a number of tug boat  operators expressed the following concerns: 

  • Develop risk-based plans with applicability scaled to the companies’ actual business profile.
  • Add cybersecurity to Alternative Security Plans filed by those invited to respond.
  • Streamline incident reporting through the National Response Center and set thresholds for reportable incidents.
  • Rethink the role of cyber-security officers (not practical to have aboard every vessel).
  • Reduce the frequency of proposed cyber security drills.

The Maersk shipping company, a prevoius high profile victim of the NotPetya exploit, offered a detailed response, “We consider this a significant step toward enhancing the cyber security posture of this critical infrastructure sector... However, to maximise its impact and feasibility, we recommend further enhancements in the areas of clarity, efficiency, and alignment with existing programs.”    

In another company-crafted response, Liberty Global Logistics (LGL) suggested that “the regulations as proposed are extremely onerous, financially burdensome, and impractical in terms of timelines and ultimate implementation.”  

On the subject of ransom attacks, LGL said  “A company’s decision as to how to respond to a ransomware attack is its own subjective prerogative and if a company opts to pay a ransom, it should not be required to report that information, as the very act requiring reporting may ultimately discourage certain companies from making ransom payments, which may actually increase the overall number of cyber incidents and ransomware attacks.”  

Seatrade-Maritime   |     Darktrace   |    LGL   |   Valour Consultancy   |   Maersk 

Image: Unsplash

You Might Also Read: 

A Database Tracking Maritime Cyber Attacks:

___________________________________________________________________________________________

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Donald Trump & Social Media
Original Darktrace Investor Found Not Guilty »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

CyTech Services

CyTech Services

CyTech provides unique services and solutions complemented with professional subject matter experts to both the Federal and Commercial sectors.

Avanan

Avanan

Avanan is The Cloud Security Platform. Protect all your SaaS applications using tools from over 60 industry-leading vendors in just one click.

GuardiCore

GuardiCore

GuardiCore is an innovator in internal data center security and breach detection and is transforming security inside data centers and clouds.

Signifyd

Signifyd

Signifyd is the world's largest provider of Guaranteed e-Commerce Fraud Protection.

Salt Communications

Salt Communications

Salt communications is a global leader in secure communications. Our bespoke platform is the secure communications solution that uniquely gives complete control to our customers.

CETIC

CETIC

CETIC is an applied research centre in the field of ICT. Key technologies include Big Data, Cloud Computing, the Internet of Things, software quality, and trust and security of IT systems.

ISMS Accreditation Center (ISMS-AC)

ISMS Accreditation Center (ISMS-AC)

ISMS-AC is the national accreditation body for Japan. The directory of members provides details of organisations offering certification services for ISO 27001.

Estio Training

Estio Training

Estio Training is a specialist digital and IT apprenticeships provider, dedicated to introducing new skills and developing existing talent in businesses across the UK.

Tabidus Technology

Tabidus Technology

Tabidus Technology is a cybersecurity association that unites and provides the global protection options against cyber threats.

Matrium Technologies

Matrium Technologies

Matrium Technologies has been a leading provider of technology solutions since 1991, with a strong industry background in Network Testing, Network Visibility and Security.

SubCom

SubCom

How Much Do You Trust Your Endpoint? With our ‘Habituation Neural Fabric’ based endpoint security platform, you can observe and manage the Trust Score of your endpoints in real-time.

Anjuna Security

Anjuna Security

Software from Anjuna Security effortlessly enables enterprises to safely run even their most sensitive workloads in the public cloud.

CyberMaxx

CyberMaxx

At CyberMaxx, our approach to cybersecurity provides end-to-end coverage for our customers – we use offense to fuel defense.

Ark Technology Consultants

Ark Technology Consultants

Ark Technology Consultants is a unique IT Services Firm which blends technology solutions with consultative insight around governance and process management.

SecureFlag

SecureFlag

SecureFlag is dedicated to enhancing secure coding across all technical profiles within the Software Development Lifecycle.

Surf Security

Surf Security

SURF Security has transformed the browser into your strongest security asset while providing complete end-user privacy – all with full compliance.