New Cyber Security Rules For Maritime Shipping

In late February 2024, the US Coast Guard (USCG) issued a Notice of Proposed Rulemaking (NPRM) regarding cyber security for US-flagged vessels. When NPRMs are issued, comments from affected parties are solicited; the comment period has now expired, and the responses will be considered before the final wording of the new regulations is put in place.

Industry feedback on the proposed new cyber-security regulations for US-flagged vessels is critical of the level of burden, the practicality of implementation, and the lack of alignment with existing measures.

The proposed changes to Federal Regulations are described as an action to: “update maritime security regulations by adding regulations specifically focused on establishing minimum cyber security requirements for US-flagged vessels, facilities on the Outer Continental Shelf, and US facilities subject to regulations under the Maritime Transportation Security Act of 2002.” The proposed regulatory language is lengthy, building on the USCG observation that: “The maritime industry is undergoing a significant transformation that involves increased use of cyber-connected systems...

“While these systems improve commercial vessel and port facility operations, they also bring a new set of challenges affecting design, operations, safety, security, training, and the workforce.”  
  
Referring to the Spring 2021 hack of the Colonial Pipeline (connecting the US Gulf region to the Northeast), which led to temporary waivers of the Jones Act to allow coastwise moves of petroleum products, the USCG opines in its NPRM that:

“Every day, malicious actors (including, but not limited to, individuals, groups, and adversary nations posing a threat) attempt unauthorised access to control system devices or networks using various communication channels.” 

Dozens of comments have come in from industry. At a very practical level, smaller companies, such as those in the coastwise or inland river tug and barge trades, do not have large Information Technology (IT) departments, and often hire external consultants to assist in cyber-related matters. In the NPRM responses, a number of tug boat operators expressed the following concerns:

  • Develop risk-based plans with applicability scaled to the companies’ actual business profile.
  • Add cybersecurity to Alternative Security Plans filed by those invited to respond.
  • Streamline incident reporting through the National Response Center and set thresholds for reportable incidents.
  • Rethink the role of cyber-security officers (not practical to have aboard every vessel).
  • Reduce the frequency of proposed cyber security drills.

The Maersk shipping company, a previous high-profile victim of the NotPetya exploit, offered a detailed response: “We consider this a significant step toward enhancing the cyber security posture of this critical infrastructure sector... However, to maximise its impact and feasibility, we recommend further enhancements in the areas of clarity, efficiency, and alignment with existing programs.”

In another company-crafted response, Liberty Global Logistics (LGL) suggested that “the regulations as proposed are extremely onerous, financially burdensome, and impractical in terms of timelines and ultimate implementation.”  

On the subject of ransom attacks, LGL said: “A company’s decision as to how to respond to a ransomware attack is its own subjective prerogative and if a company opts to pay a ransom, it should not be required to report that information, as the very act requiring reporting may ultimately discourage certain companies from making ransom payments, which may actually increase the overall number of cyber incidents and ransomware attacks.”

Seatrade-Maritime | Darktrace | LGL | Valour Consultancy | Maersk
