US outlines cyber path forward at CMA

Speaking at CMA
Speaking at CMA

Fast-approaching governance over maritime cyber risk management by US regulators took centre stage on the first day of Connecticut Maritime Association (CMA) annual shipping conference in Stamford, Connecticut.

Speaking during CMA’s opening session on 20 March, Paul Thomas, the US Coast Guard’s (USCG’s) Assistant Commandant for Prevention Policy, alerted attendees that his agency would be publishing in the coming weeks highly anticipated policy guidance that will begin moving the coast guard’s oversight of cyber risk from awareness and recommendations to actual regulations.

“This new phase beyond awareness is focused on the basic components of governance that we can all use to get at the risks associated with the operations and maintenance of existing cyber systems, and can help mitigate the risks inherent in these systems because of how they were designed and integrated into your ships before you were focused on cyber,” Thomas said.

The policy, which will be published in the form of a Navigation and Vessel Inspection Circular (NVIC), will provide guidelines for cyber risk management and for the installation of governance at regulated port facilities, Thomas said. “Our intention is to require that the basic components of governance, including the identification of critical cyber systems that are used today to meet coast guard regulatory requirements, are addressed in the next facilities security plan for our highest risk facilities,” he explained.

An NVIC does not have the force of law. However, not complying with an NVIC could mean that vessel operators are not complying with a related law or regulation.

Thomas pointed out that while the impending cyber NVIC will not apply directly to vessels, “it will be a useful reference for ship operators who are looking to install governance over cyber risk management particularly through a safety management system”, said.

Guidance over cyber management in the maritime sector has ramped up significantly during the past two years, both at the international level through the International Maritime Organization (IMO) and domestically within federal administrations.

Earlier this year the USCG issued a directive exerting more pressure on vessels and terminal operators in the United States to report suspicious cyber threat activity to the agency’s National Response Center.

Charles Ray, the USCG’s deputy commandant for Operations, said during his keynote address earlier in the day that “few challenges present more complexity than cyber risk management” for shipowners. Ray predicted that the industry could see enacted in the current US Congress legislation that would require the development of guidelines for voluntary reporting of maritime-related cybersecurity risks and incidents.

The USCG, which leads the United States delegation at the IMO, will be ramping up its cyber oversight internationally as well. Thomas revealed that the United States will be submitting a paper for consideration at the IMO’s 98thMaritime Safety Committee session in June, which will make the case for installing governance over cyber risk as part of the safety management systems that are already required by the international safety management (ISM) code.

“Our paper will suggest a timeline for port state control officers to begin asking how are cyber risks managed within your safety management system, as required by ISM.”

Thomas said that the next step in the USCG’s cyber oversight regime will be to mitigate the inherent risk in cyber systems “by putting in place standards for the design and construction and integration of shipboard cyber systems, in the same way that we currently set standards for the design and construction of propulsion and electrical systems. How fast we get there is up for debate, but we need to move that way”.