New Cyber Security Rules For Maritime Shipping

 In late February 2024, the US Coast Guard (USCG) issued a Notice of Proposed Rulemaking (NPRM) regarding cyber security for US flagged vessels. When NPRM’s are issued, comments from affected parties are solicited; the comment period has now expired, and responses will then be considered before the final wording of the new regulations is put in place.  

Industry feedback on the propsed new cyber-security regulations for US flagged vessels is critical of the level of burden, the practicality of implementation, and lack of alignment to existing measures

The proposed changes to Federal Regulations are described as an action to: “update maritime security regulations by adding regulations specifically focused on establishing minimum cyber security requirements for US-flagged vessels, facilities on the Outer Continental Shelf, and US facilities subject to regulations under the Maritime Transportation Security Act of 2002.”  The proposed wording of the new regulatory language is lengthy, building on the USCG observation that:  “The maritime industry is undergoing a significant transformation that involves increased use of cyber-connected systems.... 

“While these systems improve commercial vessel and port facility operations, they also bring a new set of challenges affecting design, operations, safety, security, training, and the workforce.”  
  
Referring to a Spring 2021 hack of the Colonial Pipeline connecting the US Gulf region to the Northeast, which led to temporary waivers of the Jones Act to allow coastwise moves of petroleum products), the USCG opines in its NPRM, that:  

“Every day, malicious actors (including, but not limited to, individuals, groups, and adversary nations posing a threat) attempt unauthorised access to control system devices or networks using various communication channels.” 

Dozens of comments have come in from industry. At a very practical level, smaller companies, such as those in the coastwise or inland river tug and barge trades do not have large Information Technology (IT) departments, and often hire external consultants to assist in cyber-related matters.  In the NPRM responses, a number of tug boat  operators expressed the following concerns: 

  • Develop risk-based plans with applicability scaled to the companies’ actual business profile.
  • Add cybersecurity to Alternative Security Plans filed by those invited to respond.
  • Streamline incident reporting through the National Response Center and set thresholds for reportable incidents.
  • Rethink the role of cyber-security officers (not practical to have aboard every vessel).
  • Reduce the frequency of proposed cyber security drills.

The Maersk shipping company, a prevoius high profile victim of the NotPetya exploit, offered a detailed response, “We consider this a significant step toward enhancing the cyber security posture of this critical infrastructure sector... However, to maximise its impact and feasibility, we recommend further enhancements in the areas of clarity, efficiency, and alignment with existing programs.”    

In another company-crafted response, Liberty Global Logistics (LGL) suggested that “the regulations as proposed are extremely onerous, financially burdensome, and impractical in terms of timelines and ultimate implementation.”  

On the subject of ransom attacks, LGL said  “A company’s decision as to how to respond to a ransomware attack is its own subjective prerogative and if a company opts to pay a ransom, it should not be required to report that information, as the very act requiring reporting may ultimately discourage certain companies from making ransom payments, which may actually increase the overall number of cyber incidents and ransomware attacks.”  

Seatrade-Maritime   |     Darktrace   |    LGL   |   Valour Consultancy   |   Maersk 

Image: Unsplash

You Might Also Read: 

A Database Tracking Maritime Cyber Attacks:

___________________________________________________________________________________________

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Donald Trump & Social Media
Original Darktrace Investor Found Not Guilty »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Grid32

Grid32

Grid32 provides independent computer system and physical security audit services to government and corporate clients of all sizes.

Sistem Integra (SISB)

Sistem Integra (SISB)

SISB provide IT Security Infrastructure & Development, Mechanical & Electrical Services, Fire Safety & Detection Services, Facilities Management & Application Development.

Cyber Base

Cyber Base

Cyber Base is an Information Technology company based in Uganda providing software and hardware solutions to clients.

Protergo

Protergo

Protergo is the first integrated provider of cybersecurity solutions in Indonesia. We proactively protect our clients from cyber threats.

BHC Laboratory

BHC Laboratory

BHC Laboratory is a cyber capabilities’ development company for a wide range of global customers.

Tines

Tines

The Tines security automation platform helps security teams automate manual tasks, making them more effective and efficient.

Iron Bow Technologies

Iron Bow Technologies

Iron Bow Technologies is a leading IT solution provider dedicated to successfully transforming technology investments into business capabilities for government, commercial and healthcare clients.

Cyber Insurance Academy

Cyber Insurance Academy

Cyber Insurance Academy was founded to provide insurance professionals with the knowledge needed to work in cyber-insurance and cyber-related insurance fields.

Pakistan Telecommunication Company Limited (PTCL)

Pakistan Telecommunication Company Limited (PTCL)

Pakistan Telecommunication Company Limited (PTCL) is the largest integrated Information Communication Technology (ICT) company of Pakistan.

Inflection Point Ventures (IPV)

Inflection Point Ventures (IPV)

Inflection Point Ventures (IPV) is a 6000+ members angel investing firm which supports new-age entrepreneurs by connecting them with a diverse group of investors.

Lumifi

Lumifi

Lumifi provide end-to-end cybersecurity resilience solutions with a specialty in managed detection and response (MDR) services.

HackersEra

HackersEra

HackersEra is a leading offensive cybersecurity service provider. We enable our clients to operate in a more secure environment efficiently and produce more value.

Pillr

Pillr

Pillr is a cybersecurity operations platform capable of adapting to the demands of your business and team — and the global threat landscape.

ITQ Latam

ITQ Latam

ITQ Latam are specialists in cybersecurity, in a convergent ecosystem of technological solutions in infrastructure, cloud and security networks.

Pistachio

Pistachio

Pistachio is the new evolution of cybersecurity awareness training and attack simulations.

Rootly

Rootly

Rootly is an incident management platform on Slack that helps automate manual admin work during incidents.