US Coast Guard Increases Maritime Cybersecurity Criteria For Commercial Vessels


The increasing number of cyber incidents against commercial vessels and port authorities has led the US Coast Guard to publish updated guidelines for mitigating cyber risks and vulnerabilities in the shipping sector.

In March 2020, the US Coast Guard issued new “Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act (MTSA)-regulated facilities”. The Guidelines are intended to assist facility owners and operators in complying with the requirements to assess, document, and address system and network risks.

The Maritime Cybersecurity Guidelines were prompted by the increasing number of cybersecurity incidents affecting shipping companies as well as port facilities. But the root cause behind all US Coast Guard efforts to raise awareness of imminent cyber threats is the expanding maritime cyber threat landscape, driven by the proliferation of emerging technologies and the digitalization of devices onboard vessels. Heavily digitized vessels introduce new cybersecurity vulnerabilities that increase operational risk. Exploitation, misuse, disruption, or simple failure of cyber systems can cause injury or death, harm the marine environment, disrupt vital trade activity, and degrade the ability to respond to other emergencies.

The European Union also enforces maritime cybersecurity requirements

These risks are even more crucial to national economies because the shipping sector is part of the national critical infrastructures. For example, the European Union has recognized the importance of commercial vessels to the EU digital market and has mandated the operators and owners of the vessels to abide by the security requirements of the Network and Information Systems Security Directive (NIS Directive).

To address these challenges and risks, national and transnational organizations have developed sets of best practices and recommendations. ENISA, the European Union Cybersecurity Agency, published in November 2019 the report “Port Cybersecurity – Good practices for cybersecurity in the maritime sector.” The United Kingdom Department of Transport released in January 2020 a practice guide on “Cyber Security for Ports and Port Systems.”

Effective maritime cybersecurity is mission-critical 

Today more than ever, facility operators use computers and cyber-dependent technologies for communications, engineering, cargo control, environmental control, access control, passenger and cargo screening, and many other purposes. It is not only operational technologies that are computerized: facility safety and security systems, such as security monitoring, fire detection, and general alarm installations, also increasingly rely on computers and networks.

Maintaining effective cybersecurity is no longer just an IT issue; it is a fundamental operational imperative in the 21st-century maritime environment.

According to Nir Ayalon, the CEO of Cydome, a maritime cybersecurity solution company, “Commercial vessels can no longer rely on an IT cyber solution and ensure the full coverage on all operational systems to be resilient from cyber-attacks. We at Cydome acknowledged the importance of having a holistic cybersecurity solution to address all risks of highly digitalized vessels and help vessel operators be compliant with cybersecurity requirements. Cydome’s unique cybersecurity solution is positioned on board of both IT and OT systems to provide a wider spectrum of defense against different types of cyber-attacks (both internal and external threats). Clients that use the Cydome solution receive a better picture of their current assets onboard and use it to improve the vessel’s cybersecurity and safety at sea.”

The US Coast Guard instructs commercial vessel operators and owners to perform a Facility Security Assessment (FSA) to assess and document the risks and cybersecurity vulnerabilities associated with their computer systems and networks. Identifying and assessing cybersecurity vulnerabilities is the foundation of an effective cybersecurity program: you can’t protect what you don’t know you have.

When cybersecurity vulnerabilities are identified in the Facility Security Assessment, an owner or operator may demonstrate compliance with the regulations by providing its cybersecurity mitigation procedures in a variety of formats. The information may be provided in a stand-alone cyber annex to the Facility Security Plan (FSP) or incorporated into the FSP together with the physical security measures.

While vessel owners need not identify a specific technology or business model, they are required to provide documentation showing how they are addressing the cybersecurity risks identified. Facility operators may elect to demonstrate mitigation of identified vulnerabilities by employing any of the many available best practices, such as the NIST Cybersecurity Framework.

The ultimate goal of cybersecurity programs in the shipping sector should be cyber resilience: ensuring business continuity and reliable operations even after a cyber-attack. Cyber resilience has emerged over the past few years because traditional cybersecurity measures are no longer enough to protect organizations from sophisticated and persistent cyber-attacks. Both cybersecurity and cyber safety are important because of their potential effect on personnel, the ship, the environment, the company, and the cargo.

Anastasios Arampatzis
Anastasios Arampatzis is a retired Hellenic Air Force officer with over 20 years’ worth of experience in managing IT projects and evaluating cybersecurity. During his service in the Armed Forces, he was assigned to various key positions in national, NATO and EU headquarters and has been honoured by numerous high-ranking officers for his expertise and professionalism. He was nominated as a certified NATO evaluator for information security. Anastasios’ interests include, among others, cybersecurity policy and governance, ICS and IoT security, encryption, and certificate management. He is also exploring the human side of cybersecurity: the psychology of security, public education, organizational training programs, and the effect of biases (cultural, heuristic and cognitive) in applying cybersecurity policies and integrating technology into learning. He is intrigued by new challenges, open-minded and flexible. Currently, he works as a cybersecurity content writer for Bora and is a member of the non-profit organization Homo Digitalis.
