The ABS (American Bureau of Shipping) Regulatory News report provides the necessary guidance document introduced to enhance cybersecurity measures and reporting requirements for breaches, suspicious activity, transportation security incidents and cyber incidents.
The growing utilization of networked technology in the maritime industry amplifies threats and vulnerabilities across telecommunications equipment, computers, and networks. To tackle this issue, the United States Coast Guard (USCG) authority has expanded to include cyber threats at sea. Vessels and offshore and port facilities will be required to strengthen their cyber defenses and comply with cybersecurity incident reporting rules.
Executive order augments USCG Authorities
On February 21, 2024, President Joe Biden signed an executive order which amended regulations regarding the safeguarding of vessels, harbors, ports and waterfront facilities of the United States (U.S.). The order specifically requires cyber threats to be considered through its updates to Part 6 of Title 33 of the Code of Federal Regulations (CFR).
Under the new regulations, the Captain of the Port (COTP) and the Commandant of the United States Coast Guard (USCG) are granted additional authorizations and powers to enhance cybersecurity measures.
Prevention of unauthorized access |
The COTP has the authority to prevent the access of persons or things, including any data, information, network, program, system or other digital infrastructure to vessels or waterfront facilities. This measure aims to secure vessels and prevent damage or injury, including potential harm to digital infrastructure. |
Establishment of security zones |
Security zones can be established by the COTP, and entry into these zones without permission is prohibited. No person can board a vessel within a security zone or place any article or digital infrastructure on board without the COTP’s authorization. |
Inspection and search authority |
The COTP, in accordance with the law, can conduct inspections and searches of vessels, waterfront facilities, security zones and persons. This includes examining any digital infrastructure, such as data, information, networks, programs, or systems, within the jurisdiction of the United States. The COTP can also place guards on vessels, waterfront facilities or security zones and remove unauthorized persons, articles or digital infrastructure. |
Possession and control of vessels |
The COTP has the power to supervise and control the movement of any vessel that presents a known or suspected cyber threat to U.S. maritime infrastructure. This authority allows the COTP to take full or partial possession or control of a vessel or its parts within U.S. territorial waters to secure it from damage or injury, including potential harm to digital infrastructure. |
Safety measures | The Commandant is authorized to prescribe conditions and restrictions pertaining to the safety of waterfront facilities and vessels in port. Additionally, the Commandant has the authority to impose measures necessary to prevent, detect, assess, and remediate actual or threatened cyber incidents that could cause harm to vessels, harbors, ports, or waterfront facilities. |
The executive order defines “cyber incident” and establishes a reporting requirement for these cyber incidents. Any evidence of sabotage, subversive activity, or an actual or threatened cyber incident endangering vessels, harbors, ports or waterfront facilities must be immediately reported to the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA) and the COTP. The introduction of cyber incidents and the comprehensive scope of 33 CFR Part 6 led to an overlap with the existing reporting requirements outlined in the Maritime Transportation Security Act of 2002 (MTSA). To address
this issue, the USCG issued Navigation and Vessel Inspection Circular (NVIC) 02-24, which offers clarification and voluntary guidance on reporting obligations specified in both 33 CFR Part 101 and 33 CFR Part 6.
USCG NVIC 02-24
NVIC 02-24 serves as a guidance document for complying with reporting requirements related to Breaches of Security (BOS), Suspicious Activity (SA), Transportation Security Incidents (TSI) and Cyber Incidents. NVIC 02- 24 replaces the USCG’s previous incident reporting guidance provided in CG-5P Policy Letter 08-16. NVIC 02-24 specifies the following reporting procedures:
- Marine transportation system (MTS) stakeholders (i.e. any vessel, harbor, port or waterfront facility) are required to report acts of sabotage, subversive activity, or actual or threatened cyber incidents to the FBI, CISA and COTP, as per 33 CFR Part 6. They are also encouraged to report activities that could lead to a TSI to the National Response Center (NRC).
- MTSA-regulated entities (i.e. owners or operators of vessels, facilities or OCS facilities, regulated under MTSA in accordance with 33 CFR Parts 104, 105 or 106) must promptly report a BOS or SA to the NRC by dialing 1-800-424-8802, as per 33 CFR §101.305. Furthermore, owners or operators of vessels or
facilities regulated under MTSA must immediately report a TSI to the local COTP and then follow the procedures outlined in their security plan, which may involve contacting the NRC. Owners or operators of OCS facilities regulated under MTSA must report a TSI to their respective District Commander without delay and then follow the procedures outlined in their security plan, which may involve contacting the NRC.