Nearly a year after issuing its most direct broad-scale guidance on maritime cybersecurity in the context of certain shoreside facilities, the U.S. Coast Guard has followed up with guidance and compliance parameters for vessels as well – an apropos event given that the etymology of the word “cyber” has direct, deep-seated maritime roots. The word itself derives from the term “cybernetics,” a neologism coined by Norbert Weiner in his 1948 book about the science and architecture of biological and technical control systems. This word in turn was derived from the ancient Greek word (kubernētēs), the ancient Greek word for “helmsman” or “pilot” of a vessel. Thus, in a very real linguistic sense, the much-discussed buzz-word “cyber” and related “cybersecurity” have their roots in the age-old operations of maritime trade.
The USCG’s recent action comes in the form of a February 18, 2021 update to its “Vessel Cyber Management Risk Work Instruction” (“Cyber WI”), originally issued in October 2020 by the USCG Office of Commercial Vessel Compliance (CG-CVC). The updated Cyber WI specifies a December 31, 2021 compliance date for certain vessels to include cyber risk assessments in their domestic regulatory compliance documentation. This deadline is a year later than the similar deadline of January 1, 2021 for certain vessels subject to international regulations requiring compliance with cyber risk assessment.
By way of context, the CG-CVC issues Work Instructions to assist USCG vessel inspectors during compliance inspections for various vessels under various domestic and international regulatory regimes. These Work Instructions are not formal, notice-and-comment regulatory actions, but instead are intended to provide internal guidance to USCG inspectors on how conduct inspections. Indeed, as the Cyber WI itself states at the outset, its “guidance is not a substitute for applicable legal requirements, nor is it itself a rule[, and] [i]t is not intended to nor does it impose legally binding requirements on any part[y].” However, as an obvious practical matter, these Work Instructions determine the methods by which USCG inspectors will gauge compliance with otherwise binding regulatory requirements. Thus, while they may not be binding on their own, they are extremely important indicators for how regulatory compliance will be determined.
This vessel-specific cyber guidance was previewed in the USCG’s Navigation and Vessel Inspection Circular (NVIC 20-01) concerning “Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act (MTSA) Regulated Facilities” issued in March of 2020. Like Work Instructions, USCG NVICs are not necessarily binding requirements, but do provide critically important context for how the USCG will apply/determine compliance. NVIC 20-01 had a long path to finalization via a notice-and-comment period, and the USCG expressly noted in NVIC 20-01 that it would “consider addressing cyber security vulnerabilities for vessels in the future.” 85 Fed. Reg. at 16114.
In turn, in October 2020, the USCG originally issued the Cyber WI to provide guidance for certain foreign-flag vessels and U.S.-flag vessels subject to the International Safety Management Code (ISM Code) in advance of the January 1, 2021 deadline for cyber risk assessments required for these categories of vessels under International Maritime Organization (IMO) Resolution 428(98) and MSC-FAL.1/Circ 3. This resolution mandates that cyber risks must be appropriately addressed in existing safety management systems (SMS) (as defined in the ISM Code) as of January 1, 2021. Accordingly, the Cyber WI provides guidance to USCG inspectors to ensure they conduct inspections consistent with the recently effective IMO cyber risk SMS mandate.
Likewise, the Cyber WI also provides guidance to USCG inspectors with respect to non-ISM-Code regulated vessels (i.e. vessels not required to maintain an SMS) that are nonetheless governed by the provisions of the Maritime Transportation Safety Act (MTSA) maritime security (MARSEC) statutes and regulations. Generally speaking, the MTSA MARSEC regulations apply to specified categories of vessels, including mobile drilling units, larger cargo vessels, vessels (including tugs/barges) carrying hazardous cargos, and passenger vessels. See 33 C.F.R. §104.105. These MTSA-regulated vessels are required to maintain Vessel Security Plans (VSPs) and perform period Vessel Security Assessments (VSAs) to ensure safety of operations consistent with MTSA/MARSEC requirements. The Cyber WI confirms and clarifies that these VSPs and VSAs must take into account cyber risk as part of their scope, and directs USCG inspectors to verify compliance with this mandate. Notably, different from the IMO resolution mandate, there is no explicit regulation or other notice-and-comment rulemaking document that requires cyber risk assessment under the MTSA/ MARSEC provisions. Nonetheless, the broad provisions of those regulations clearly encompass cyber risks, and the Cyber WI confirms as much.
For both ISM-Code and non-ISM-Code MTSA/MARSEC vessels, the Cyber WI parameters only apply to systems affecting safe operation and navigation: “USCG vessel compliance activities are only directed towards cyber risk management on systems that are critical to the safe operation and navigation of the vessel. Stand-alone computers or other systems which do not affect the safe operation or navigation of the vessel are not to be inspected or examined.”
As to ISM-Code regulated vessels, the Cyber WI provides the following guidance for cyber hygiene inspection/verification and identifying shipboard cyber risks:
|Poor cyber hygiene
1) Username / Password openly displayed
2) Computer system appears to require a generic login or no login for access
3) Computer system does not appear to automatically log out after extended period of user inactivity
4) Heavy reliance on flash drive/USB media use
b. Shipboard computers readily appear to have been compromised by ransomware/excessive popups
c. Officers/crew complain about unusual network issues and reliability impacting shipboard systems
d. Unit/vessel screener received potential ‘spoofed’ email from master/crew onboard.
As to MTSA/MARSEC regulated vessels, the Cyber WI provides the following suggested questions for inspectors to ask to ensure that VSPs adequately address cyber hygiene risks:
|a. Does your VSP address measures taken to address cybersecurity vulnerabilities?
1) If yes: No further action/questions.
2) If no, then ask: Have you communicated that issue to your CSO?
i. If yes: No further action/questions required.
ii. If no: Issue deficiency ….
1) If yes, then ask: Have you reported these cybersecurity incidents to your CSO?
i. If yes: Reasonably verify reporting to CSO, then no further action.
ii. If no: Issue deficiency ….
2) If no: No further action/question required.
As noted earlier, the February 2021 update to the Cyber WI clarifies that for non-ISM-Code regulated vessels subject to the MTSA/MARSEC requirements, “[o]wners and operators … have until December 31, 2021 to implement measures to mitigate cyber related vulnerabilities [in their VSPs].”
Finally, the Cyber WI clarifies procedural options that the USCG may implement when a vessel’s operation/navigation systems have been comprised by a cybersecurity event (i.e. with potential to affect shipboard operational safety) or incident (i.e. with actual affects on shipboard operational safety), up to and including a potential cybersecurity-influenced reportable “marine casualty” as defined at 46 CFR §4.05. These actions may include involvement of the USCG Cyber Protection Team (CPT) for shipboard investigation, and/or a USCG Captain of the Port (COTP) order restricting/limiting vessel operations.
And while the Cyber WI is technically limited in scope to ISM-Code and MTSA/MARSEC-regulated vessels, as a practical matter it provides insight as to how the USCG may ultimately consider cybersecurity issues more generally, and may constitute evidence of reasonable practices for cyber hygiene in terms of a reasonable standard of care.
As a specific example, under USCG Subchapter M regulations, towing vessels may opt for the Towing Safety Management System compliance regime (TSMS, 46 C.F.R. Part 138) in lieu of USCG inspections. Under this TSMS process, towing vessel operators are required to develop and maintain a TSMS that specifically addresses inter alia “ensuring vessel compliance, including, but not limited to, policies on maintenance and survey, safety, the environment, security, and emergency preparedness.” 46 C.F.R. §138.220. Likewise, Subchapter M requires specific record keeping regarding “[o]perative navigational safety equipment”; and “failure and subsequent repair or replacement of navigational safety equipment must be recorded” in a vessel’s log book or Towing Vessel Record. 46 C.F.R. §§140.915, 140.620. Thus, cybersecurity events/incidents affecting operation/ navigation would appear to be encompassed within the Subchapter M TSMS framework. In turn, the Cyber WI may provide persuasive (if not directly governing) guidance on how to effectively address cybersecurity concerns under Subchapter M.
Further, in a July 8, 2019 Marine Safety Alert, ostensibly directed to vessel of all types regardless of regulatory framework, the USCG made the sweeping statement that “[m]aintaining effective cybersecurity is not just an IT issue, but is rather a fundamental operational imperative in the 21st century maritime environment.” Thus, the USCG “strongly encourages all vessel and facility owners and operators [emphasis added] to conduct cybersecurity assessments to better understand the extent of their cyber vulnerabilities.”
The USCG’s cybersecurity approach will likely continue evolve in terms of scope and sophistication as more and more vessel inspections focus on cyber hygiene in the wake of the January 1, 2021 and December 31, 2021 compliance deadlines outlined in the Cyber WI. In the meantime, vessel operators should be staying ahead of the curve by ensuring cyber hygiene is part of their routine, intentional, documented vessel safety practices.