US raises bar on maritime cyber reporting

Vessel and terminal operators are required to report cyber threats and suspicious activity to the NRC (above). Credit: USCG
Vessel and terminal operators are required to report cyber threats and suspicious activity to the NRC (above). Credit: USCG

Vessels and terminals operating in the United States are now under more pressure to report cyber threat activity to federal agencies through a new directive issued by the US Coast Guard (USCG).

In a six-page policy letter made public this week, the agency underscored requirements within the US Maritime Transportation Security Act obligating vessel and facility operators to report “without delay” suspicious cyber activity and security breaches to the USCG National Response Center (NRC).

“The primary purpose of this requirement is to allow the [captain of the port] opportunity to understand and respond to potential threats to the port area upon receipt of a report from the NRC, and to assess the adequacy of security plans” to prevent a cyber security incident, according to the letter.

The policy includes a list of examples of both breaches of security and suspicious activity. It also gives owners and operators the option of reporting to the National Cybersecurity and Communications Integration Center (NCCIC), the federal government’s clearing house for cyber incidents across all industry sectors, depending on the nature of the threat.

“I’d say this is a significant step for the US Coast Guard to articulate their cyber policy as they’ve done here,” Norma Krayem, a maritime cyber security specialist with the law firm Holland and Knight, told IHS IHS Markit.

“This guidance reflects the systemic concerns regarding cyber security generally in the US, and the Coast Guard is emphasising that breaches of security fall under its existing regulatory authority and have decided to make clear that these cyber threats require immediate action.”

Mitigating cyber risks in the maritime sector is evolving quickly. The USCG published in 2015 a cyber security strategy that included guidelines designed to address cyber incidents. In early 2016 a consortium of cargo vessel groups that included BIMCO, INTERCARGO, and INTERTANKO published guidelines on addressing cyber incidents onboard ships. The International Maritime Organization also approved its own set of interim guidelines in 2016.

The ramped-up attention is proving warranted by shipowners. In a maritime cyber security survey conducted by IHS IHS Markit and BIMCO, 20% of respondents revealed they had been a victim of a cyber attack.

In a 10 January research note, Krayem said she expected cyber security to be a top priority of incoming US president Donald Trump’s administration, and that the US Congress “has become focused on concerns to supply chain systems and recently mandated a US analysis of cyber security threats specifically for the maritime sector”.

She told IHS IHS Markit, “On a go-forward basis the goal is to make reporting for cyber incidents much more streamlined, which would allow the federal government to have a better view into cyber attacks across all sectors, including maritime.”