
Op-Ed: Addressing cyber threats to maritime
Written by Heather Ervin
By Andrew R. Lee & Jim Kearns, Jones Walker LLP
In fall 2022, our firm published a survey of 125 senior leaders at U.S. ports and terminals that gave insight into the state of cybersecurity in this critical sector of our nation’s transportation infrastructure. We discussed our findings with Marine Log, and we concluded our summary with a look to the future: Cybersecurity challenges will increase at a rapid pace. With clear, committed leadership engagement, however, much can be done to address this ever-expanding threat.
The rapid escalation of cyber threats targeting our nation’s critical infrastructure has become an increasingly urgent concern. In response to this growing menace, particularly with regard to the maritime transportation system, the US Coast Guard has recently taken crucial steps to bolster its ability to address these challenges.
On February 22, 2024, in a significant move to enhance cybersecurity measures, the Coast Guard issued a Notice of Proposed Rule Making (NPRM) that outlines comprehensive updates to the cybersecurity requirements for US-flagged vessels, Outer Continental Shelf (OCS) facilities, and marine facilities subject to the Maritime Transportation Security Act of 2002 (MTSA). The 100-page NPRM extensively references the Jones Walker senior leader survey and provides valuable insights into the current state of cybersecurity measures at marine facilities across the country.
So what does the Coast Guard propose to regulate? The proposed rule would establish consistent cybersecurity requirements across vessels, marine facilities, and OCS facilities. Owners and operators would be obligated to appoint qualified personnel to develop a robust cybersecurity plan incorporating detailed preparation, prevention, and response activities for cybersecurity threats and vulnerabilities. The rule outlines stringent minimum requirements for the plan’s content and its submission to and approval by the Coast Guard. Additionally, owners or operators would be required to designate a “Cybersecurity Officer” by name and title, who must be accessible to the Coast Guard 24/7.
The proposed rule outlines comprehensive cybersecurity measures to identify risks, detect threats and vulnerabilities, protect critical systems, and facilitate recovery from cyber incidents. These measures include specific requirements for securing accounts, devices, and data, as well as mandating cybersecurity training for personnel and implementing robust risk management practices, such as conducting cybersecurity assessments and addressing cybersecurity risks within the supply chain. The proposed activities aim to ensure that vessels, marine facilities, and OCS facilities can swiftly recover from cyber incidents while minimizing the impact on critical operations. Additionally, the rule proposes supplemental physical security measures that would complement the security assessments already required under existing regulations.
The proposed rule mandates the execution of drills and exercises to assess the proficiency of personnel in their assigned cybersecurity duties and to verify the effective implementation of both the cybersecurity plan and the overall security plan for the vessel or facility. To ensure compliance with all requirements, owners and operators will be required to maintain comprehensive records documenting their adherence to the stipulated measures.
The deadline for submitting comments on the NPRM is April 22, 2024, a date that may well be extended. One of many questions raised by the scope of the NPRM is why foreign-flagged vessels are excluded from the regulation, given the potential risks and vulnerabilities they pose to the US maritime system.
A day before the Coast Guard issued the NPRM, the White House issued an Executive Order that introduced a requirement for reporting any evidence of actual or threatened cyber incidents involving or endangering vessels, harbors, ports, or waterfront facilities to the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency, and the relevant Captain of the Port. This requirement overlapped with existing regulations that obligate MTSA-regulated entities to report security breaches, suspicious activities, or transportation security incidents to the Coast Guard. To clarify the reporting requirements, the Coast Guard issued Navigation and Vessel Inspection Circular (NVIC) 02-24, also on February 21. NVIC 02-24 specified that the existing reporting requirements for MTSA-regulated entities encompass cyber incidents as defined in the executive order. Furthermore, the NVIC emphasized that any vessel, harbor, port, or waterfront facility, regardless of its status as an MTSA-regulated entity, should also report any cyber incident to the Coast Guard.
These actions by the president and the Coast Guard demonstrate that significant progress can be achieved in addressing evolving cyber threats to our maritime transportation infrastructure. But it is equally evident that cybersecurity challenges persist and are rapidly escalating, and that there is a need for clear, committed leadership to confront these challenges head-on.