The US Coast Guard (USCG) Issued Cyber Risk Management Guidelines
Updated: Nov 20, 2020
In November 2020 the USCG issued new cyber risk management guidelines. The key points are:
All ship owners, rig owners, and offshore units, of any flag state, that trade or operate in the US must have a cybersecurity management program that meets the USCG guidelines.
Ship owners, rig owners, and offshore unit operators will need to provide evidence that they are running such a cybersecurity program.
The US Coast Guard document focuses on safety and security. Environmental protection remains in scope but appears deemphasized in the USCG document.
If cyber deficiencies are revealed, during a USCG inspection or otherwise:
Serious deficiencies will require fixing and an external audit within 90 days or risk detention;
Minor deficiencies will need an internal audit within 90 days and the deficiencies to be fixed prior to departure.
USCG inspections will only cover networked systems directly relevant to vessel safety.
Where faults have occurred in systems critical for vessel safety, the inspector/port state control officer is mandated to investigate whether the cause was ‘cyber-related’, and if so whether the right procedures were followed before that fault occurred.
If the inspector believes there are clear grounds for an expanded inspection, and clear evidence is gathered of poor implementation of the cyber risk management element of the SMS, further deficiencies may be issued.
USCG inspectors have been tasked to look for evidence of poor cyber hygiene, including but not limited to the following:
Poor cyber hygiene (such as password and/or logins on open display, generic logins or no logins, no automatic logout after a period of inactivity, heavy reliance on USB drives and no obvious means of virus checking prior to use);
Evidence of malware on ship computers – pop-ups or any ransomware;
Records or complaints of unusual network activity / reliability issues impacting shipboard systems;
Spoofed/phishing e-mails purporting to come from skipper/crewmembers.
Should there be any indications of compromise, inspectors are mandated to enquire further as to whether a deficiency exists, but only on systems required for the safe operation or navigation of the vessel. Standalone systems or other systems ‘which do not affect the safe operation or navigation of the vessel’ are not to be inspected or examined.
Owners are reminded of the eight critical systems within the ship: ballast control, engine & propulsion control, rudder control, cargo control, navigation (ECDIS /GPS), radar, satellite & 3/4/5G comms, and on-board welfare systems.
Most critically, if the Marine Inspector/Port State Control Officer (MI/PSCO) finds a deficiency that has been poorly handled, or as a result is able to conclude that the vessel no longer complies with SOLAS and is therefore unseaworthy, she is likely to be detained.
When deficiencies have been revealed or identified, the inspector has three choices:
If cyber security risk management has not been incorporated into your SMS, the inspector can issue a deficiency with an action code 30 – ship detained.
If it is clear to the MI that while there is a cyber component to the ship’s SMS, it is not being followed (as evidenced by poor cyber hygiene), the inspector can issue a deficiency with action code 17 – rectify prior to departure.
If or where there is evidence which suggests there has been a serious breach of cyber security in a vessel that has already incorporated cyber security into its SMS, the Marine inspector can issue a deficiency with the action code 30 – ship detained.
If cyber risk management is not implemented, or is implemented in such a way that allows, or fails to prevent, a cyber incident, the ship will either be required to remediate the deficiency before its next US port visit (“CODE 17 – RECTIFY PRIOR TO DEPARTURE”) or be detained until remediation is complete, in which case the USCG will issue a “CODE 30 – SHIP DETAINED”.
Where there is a deficiency, the owner will need to undertake an external audit within 3 months, and in any case prior to re-entry into the US. If the deficiency is more a matter of occasional lapses, the owner will have to undertake an internal audit within 90 days, or in the most serious cases prior to departure.
What is helpful is that the US Coast Guard has recognized that other frameworks for cyber risk assessment are in use (the work done by BIMCO, for example, and by international organizations such as ISO/IEC). While they clearly prefer the NIST standard, they recognize that the IMO assessment follows the broad direction of this framework and are therefore prepared to work with it.
The USCG guidance is less helpful in that it focuses only on the ships and fails to recognize the threat vector the head office represents. Nonetheless, it is clear about what is expected – and clear about the consequences.
This instruction has real teeth. Owners should ensure that every ship has clear documentation, standards, and processes in place so that the Marine Inspector (“MI”)/Port State Control Officer (“PSCO”) has confidence in their approach to cybersecurity risk management. Even the smallest failure in a critical system requires urgent and professional remediation. If you arrive at a US port with a malfunctioning critical system, you will be required to fix it there and then, be audited, and be able to reassure the PSCO on your next visit that the issue has been rectified. If you cannot do this, your vessel will be detained.