Vessel operators have stake in USCG cyber guidance

New cyber guidelines issued by the USCG's Paul Thomas address port terminal operations. Credit: USCG

The US Coast Guard’s (USCG’s) new cyber risk guidance is aimed specifically at ports, but vessel operators will indirectly benefit from the measures, according to an operator group.

The proposed guidelines, which were rolled out for comment on 12 July, apply to port facilities and offshore oil platforms regulated under the federal Maritime Transportation Security Act, a 2002 law created in the aftermath of the 9/11 attacks. Terminals affected by the guidance include those that serve foreign cargo vessels greater than 100 gt, and terminals that service passenger ships with more than 150 passengers.

Paul Thomas, the USCG’s Assistant Commandant for Prevention Policy, revealed in March that the coastguard would begin strengthening its cyber risk oversight beginning with port terminals, potentially following up with vessel operators at a later date.

However, cyber connections between vessels and terminals are so intertwined that ships will benefit from any risk mitigation conducted among terminal operators, said Sean Kline, director of maritime affairs for Washington, DC-based Chamber of Shipping of America, which represents US and foreign-flagged vessel operators.

“Even though we’re a ship operators’ group, the [new coastguard guidelines] are important to us,” Kline told IHS Markit. “Any time a ship pulls into a port there’s an exchange of data,” Kline said, whether it be through cargo stowage plans, crew status, or other information. “So it would certainly help the vessel operator to know, for example, if a particular terminal is not operating a computer system that’s not supported.”

Kline added, “What everyone is concerned about now are insider threats from employees who innocently click on a link that causes malware to infiltrate IT systems and delete commercially sensitive files.”

Among the recommendations in the new USCG guidelines, which were issued as a draft Navigation and Vessel Inspection Circular (NVIC), is a framework for establishing a cyber risk management team (CRMT). The guidelines note that a CRMT “with a variety of perspectives and expertise” is best able to identify safety- and security-critical systems, as well as to recognise when those systems have been compromised by outside parties.

“While [IT] specialists should be part of this effort, they may not fully recognise the various operational systems on a waterfront, the potential consequences should they fail, or have an operator’s perspective on potential non-technical [and lower cost] solutions,” the NVIC pointed out. “In short, a team consisting only of IT professionals will only identify IT related threats and IT-related solutions.”

A risk management team would therefore ideally include – in addition to IT personnel – facility operators, port engineers, industrial safety experts, and terminal facility security officers, the guidelines pointed out.

The coastguard issues NVICs as policy guidance with the purpose of letting the maritime industry know the agency’s expectations on a particular issue. While NVICs can sometimes be precursors to more formal regulations, they cannot themselves be enforced as regulatory requirements.

The cyber NVIC, for which the coastguard has requested industry comment (deadline 11 September), is not the first time it has published official guidance on cyber risk management. The agency issued its Cyber Strategy in June 2015, a document that outlines how it will address cyber threats.

Also, the International Maritime Organization’s Maritime Safety Committee approved in June a resolution that would place cyber risk management under the auspices of the International Safety Management code. The resolution encourages flag administrations to “ensure that cyber risks are appropriately addressed in safety management systems” no later than the first annual verification of the company’s Document of Compliance after 1 January 2021.
