US Coast Guard proposes cybersecurity regulations for maritime sector, seeks feedback by Apr. 22

The U.S. Coast Guard (USCG) published a Notice of Proposed Rulemaking (NPRM) that would establish baseline cybersecurity requirements to protect the marine transportation system (MTS) from cyber threats. The Coast Guard proposes to update its maritime security regulations by adding regulations specifically focused on establishing minimum cybersecurity requirements for U.S.-flagged vessels, Outer Continental Shelf facilities, and U.S. facilities subject to the Maritime Transportation Security Act of 2002 regulations. The proposed rule would help to address current and emerging cybersecurity threats in the marine transportation system.

In a notice published in the Federal Register, the agency invites public comments on this proposed rule until April 22, 2024. The USCG is seeking input from the industry on developing cybersecurity plans. These plans should cover drills and exercises, training initiatives, and a range of cybersecurity measures to protect critical IT and OT (operational technology) systems against cyber incidents. Additionally, the request covers amendments to Cybersecurity Plans and the process for reporting cyber incidents to the National Response Center (NRC).

The USCG also explores the necessity of using and defining the term ‘reportable cyber incident’ to narrow down the range of cyber incidents that activate reporting obligations, considers employing alternative methods for reporting such incidents, and suggests revising the definition of a hazardous condition.

Last week, U.S. President Joe Biden signed an executive order aimed at enhancing the capabilities of the Department of Homeland Security (DHS) to counter maritime cyber threats. The action is in response to increasing concerns over threats to U.S. critical infrastructure from nation-states and broader security issues related to the reliance on overseas supply chains. Additionally, it addresses worries about cyber risks to port facilities and maritime transportation, prompting a shift in crane manufacturing back to the U.S., particularly due to concerns regarding threats from China.

The Coast Guard is interested in the potential impacts of this proposed rule on small entities (businesses and governments) and requests public comment on these potential impacts. “If you think that this proposed rule will have a significant economic impact on you, your business, or your organization, please submit a comment to the docket at the address under ADDRESSES in this proposed rule. In your comment, explain why, how, and to what degree you think this proposed rule would have an economic impact on you,” the notice added.

Across the sector, the USCG and the Transportation Security Administration (TSA) utilize regulatory and voluntary approaches, such as stakeholder participation in advisory committees and adopting U.S. government best practices, to work with stakeholders to strengthen their cybersecurity posture. 

Following extensive collaboration with aviation partners, rapport-building with industry, and feedback from stakeholders over the past two years, the TSA has issued cybersecurity requirements for airport and aircraft operators, pipeline operators, and passenger and freight railroad carriers, as part of the Department’s efforts to increase the cybersecurity resilience of U.S. critical infrastructure. 

Like those issued by the TSA, the requirements being proposed by the USCG are performance-based and variable according to the risk profile and capability of the entity. The USCG NPRM proposes regulations specifically focused on establishing minimum cybersecurity requirements for U.S.-flagged vessels, Outer Continental Shelf facilities, and U.S. facilities subject to the Maritime Transportation Security Act of 2002 regulations. 

Consistent with the Administration’s goal of regulatory harmonization, DHS has leveraged common frameworks from the National Institute of Standards and Technology (NIST) and CISA to inform both voluntary cybersecurity practices and relevant regulatory requirements. Key USCG and TSA baseline cybersecurity elements are aligned with the NIST Cybersecurity Framework and CISA’s cross-sector cybersecurity performance goals. 

The purpose of this NPRM is to safeguard the marine transportation system (MTS) against current and emerging threats associated with cybersecurity by adding minimum cybersecurity requirements to part 101 of title 33 of the Code of Federal Regulations (CFR) to help detect, respond to and recover from cybersecurity risks that may cause transportation security incidents (TSIs). This proposed rule would help address current and emerging cybersecurity threats to maritime security in the MTS.

Cybersecurity risks result from vulnerabilities in the operation of vital systems, which increase the likelihood of cyber-attacks on facilities, Outer Continental Shelf (OCS) facilities, and vessels. Cyber-related risks to the maritime domain are threats to the critical infrastructure that citizens and companies depend on to fulfill their daily needs. Additionally, the proposed rule is necessary because it would create a regulatory environment for cybersecurity in the maritime domain to assist facilities, OCS facilities, and vessel firms that may not have taken cybersecurity measures on their own, for various reasons.

Based on CISA’s cross-sector cybersecurity performance goals (CPGs), these newly proposed regulations would require a number of cybersecurity measures, including account security, device security, network segmentation, data security, training, incident response planning, and drills and exercises. Regulated entities would also be required to identify a cybersecurity officer responsible for overseeing the implementation of the new requirements.

The NPRM would include provisions to specify measures for managing supply chain risk. This would not create any additional hour burden, as owners and operators would only need to consider cybersecurity capabilities when selecting third-party vendors for IT and OT systems or services. 

In addition, based on information from CGCYBER, most third-party providers have existing cybersecurity capabilities and already have systems in place to notify the owners and operators of facilities, OCS facilities, and U.S.-flagged vessels of any cybersecurity vulnerabilities, incidents, or breaches that take place. Therefore, the Coast Guard does not estimate a cost for this proposed provision.

The NPRM would require owners and operators of facilities, OCS facilities, and U.S.-flagged vessels to segment their IT and OT networks and log and monitor all connections between them. Based on information from CGCYBER, CG–CVC, and NMSAC, network segmentation can be particularly difficult in the MTS, largely due to the age of infrastructure in the affected population of facilities, OCS facilities, and U.S.-flagged vessels. The older the infrastructure, the more challenging network segmentation may be. 

“Given the amount of diversity and our uncertainty regarding the state of infrastructure across the various groups in our affected population, we are not able to estimate the regulatory costs associated with this proposed provision,” the notice disclosed. “The Coast Guard requests public comment on the anticipated costs of network segmentation within the affected population, especially from those who have previously segmented networks at their organizations.”
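As an added illustration (not from the NPRM or any Coast Guard material), one way an owner or operator could act on the requirement to log and monitor every connection crossing the IT/OT boundary: a small audit that checks constructed firewall records against a constructed zone table and allow-list. The subnets, ports and jump-host address are placeholders chosen for the example.

```python
import ipaddress
from collections import Counter

# Constructed zone table and allow-list: placeholder subnets, not from the NPRM
# or any real facility. Only these (src_zone, dst_zone, dst_port) crossings are
# permitted; every other IT<->OT connection is flagged for review.
ZONES = {"IT": ipaddress.ip_network("10.10.0.0/16"),
         "OT": ipaddress.ip_network("192.168.50.0/24")}
ALLOWED = {("OT", "IT", 514),   # OT devices forwarding syslog to the IT collector
           ("IT", "OT", 502)}   # Modbus/TCP polling, restricted to the jump host
JUMP_HOSTS = {ipaddress.ip_address("10.10.5.20")}  # constructed jump host

def zone_of(addr):
    """Map an address to 'IT', 'OT' or 'OTHER' using the zone table."""
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), "OTHER")

def parse_line(line):
    """Parse a constructed key=value firewall record into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())

def classify(rec):
    """Return 'intra', 'allowed' or 'violation' for one connection record."""
    src_zone, dst_zone = zone_of(rec["src"]), zone_of(rec["dst"])
    if src_zone == dst_zone:
        return "intra"       # stays inside one zone, never crosses the boundary
    if (src_zone, dst_zone, int(rec["dport"])) not in ALLOWED:
        return "violation"   # crossing not on the allow-list
    if src_zone == "IT" and ipaddress.ip_address(rec["src"]) not in JUMP_HOSTS:
        return "violation"   # IT->OT is only permitted from the jump host
    return "allowed"

def audit(lines):
    """Count verdicts and collect flagged crossings as (src, dst, dport)."""
    counts, flagged = Counter(), []
    for rec in map(parse_line, lines):
        verdict = classify(rec)
        counts[verdict] += 1
        if verdict == "violation":
            flagged.append((rec["src"], rec["dst"], int(rec["dport"])))
    return counts, flagged

SAMPLE_LOG = [  # constructed firewall records, not real traffic
    "ts=1 src=10.10.5.20 dst=192.168.50.11 dport=502",   # jump host -> PLC: allowed
    "ts=2 src=10.10.7.33 dst=192.168.50.11 dport=502",   # workstation -> PLC: flagged
    "ts=3 src=192.168.50.11 dst=10.10.1.5 dport=514",    # PLC syslog -> collector: allowed
    "ts=4 src=10.10.7.33 dst=192.168.50.12 dport=3389",  # RDP into OT: flagged
    "ts=5 src=10.10.1.5 dst=10.10.1.9 dport=443",        # IT-internal: intra
]
```

Calling `audit(SAMPLE_LOG)` returns the verdict counts and the two flagged crossings; on a real boundary the same check would run over the exported firewall or flow logs with the site's actual zone table.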

The NPRM would require owners and operators of facilities, OCS facilities, and U.S.-flagged vessels to limit physical access to IT and OT equipment; secure, monitor, and log all personnel access; and establish procedures for granting access on a by-exception basis. The Coast Guard assumes that owners and operators have already implemented physical access limitations and systems, by which access can be granted on a by-exception basis, based on requirements established for vessels, facilities, and OCS facilities. 

Commenting on the Executive Order, Itay Glick, OT expert and vice president of products at OPSWAT, highlighted that OT cybersecurity is often overlooked, leaving critical maritime systems susceptible to exploitation and attack. “For example, look at the incident from last July when Japan’s port of Nagoya fell victim to the LockBit 3.0 ransomware attack. The incident brought operations to a standstill for several days, impeding the loading and unloading of cargo from ships. This type of threat gains entry into victim networks through various means, including exploitation of Remote Desktop Protocol (RDP), phishing campaigns, abuse of valid accounts, and the exploitation of public-facing applications,” he added.

Glick pointed out that the OT network for a maritime port is no different than an OT network for other critical infrastructure verticals. “On ships, data diodes have been deployed to securely get data off of ships without compromising critical systems like navigation, weapons, and operational control.”

He added, “While the Coast Guard is in the process of accepting comments on establishing minimum cybersecurity requirements for the maritime industry, the Executive Order signifies an important step towards enhancing the security of one of the nation’s most critical industries and our supply chain.” 
