The maritime industry is undergoing a significant transformation that involves increased use of cyber-connected systems, coinciding with increased nation-state and cybercriminal targeting of cyber systems in ports and maritime assets, argue K&L Gates experts.
Globally, a number of ports and other maritime assets have been targeted by ransomware attacks with serious disruptions to operations. In response to this trend, the US government has announced a series of regulatory actions to combat cyber threats in the maritime domain—broadly targeted at US flag commercial vessels, waterfront facilities, and certain offshore facilities regulated by the US Coast Guard (USCG).
First, the USCG issued Maritime Security Directive 105-4 (MARSEC Directive 105-4), which requires owners and operators of ship-to-shore cranes manufactured by Chinese companies (PRC-manufactured STS cranes) to take action to address cyber threats and vulnerabilities that have been identified by the USCG. PRC-manufactured STS cranes are reportedly used at ports throughout the United States.
Second, President Biden also issued an Executive Order on 21 February 2024 (Executive Order), updating regulations in 33 C.F.R. Part 6, to explicitly address cyber threats in the US maritime domain, resulting in expanded authorities for the USCG and additional cyber incident reporting requirements for the maritime industry, among other changes.
Third, the USCG has also issued a Notice of Proposed Rulemaking (NPRM or Proposed Regulations) to update its existing maritime security regulations issued under the Maritime Transportation Act of 2002 (MTSA), 33 C.F.R. Subchapter H, with an enhanced focus on cybersecurity requirements applicable to vessels and facilities under US jurisdiction.
These initiatives, described further below, build upon and expand the existing regulatory structure for maritime cybersecurity in the United States.
MARSEC Directive 105-4 – Chinese cranes at US ports
On 21 February 2024, the USCG issued MARSEC Directive 105-4, stating that additional measures must be undertaken to address vulnerabilities and threats in connection with PRC-manufactured STS cranes.
Specifically, the USCG determined that PRC-manufactured STS cranes may be “controlled, serviced, and programmed from remote locations” and are therefore potentially “vulnerable to exploitation, threatening the maritime elements of the national transportation system.”
The government has not disclosed further details regarding the basis for its determination, but the USCG has stated that additional actions are necessary due to “threat intelligence related to the PRC’s interest in disrupting US critical infrastructure, and the built-in vulnerabilities” in connection with the PRC-manufactured STS cranes. These threat assessments broadly align with reports of advance persistent threat actors, such as Volt Typhoon, targeting critical infrastructure.
The USCG has concluded that “additional measures” must be undertaken to address these cyber threats and vulnerabilities. It is estimated that PRC-manufactured STS cranes account for nearly 80% of all STS cranes5 used across 23 major ports around the United States.
As is typical, the text of the USCG’s MARSEC directive which contains the “additional measures” that port owners and operators must undertake is not publicly disclosed, because it is considered Sensitive Security Information (SSI) pursuant to US law.
This directive took effect when issued on 21 February 2024. Owners and operators of affected US ports should immediately contact their cognizant USCG Captain of the Port to obtain access to MARSEC Directive 105-4, and follow procedures in 49 C.F.R. Part 1520 for its handling. SSI may be shared with trusted advisors, such as external legal counsel, when operators may need additional guidance on how to implement the requirements.
EXECUTIVE ORDER 14116 – Amending regulations relating to the safeguarding of vessels, harbors, ports and waterfront facilities of the US, 33 C.F.R. PART 6.
On 21 February 2024, President Biden also issued Executive Order 14116, updating regulations in 33 C.F.R. Part 6, to explicitly address cyber threats in the US maritime domain. The Executive Order may be accessed here.
In general, regulations in 33 C.F.R. Part 6 provide the USCG Captain of the Port with broad authority to control and regulate vessel movement and facility operations to protect the safety and security of vessels, harbors, ports, and waterfront facilities under US jurisdiction.
Traditionally, the USCG has exercised this authority to mitigate risks with regard to physical security, but in accordance with the Executive Order the President has now extended this authority to specifically address and mitigate cyber risks in the maritime domain.
Among other provisions, the Executive Order added a definition for “cyber incident” and established a requirement to report evidence of an “actual or threatened cyber incident” involving or endangering any vessel, harbor, port, or waterfront facility to the USCG, the Federal Bureau of Investigation, and the Cybersecurity and Infrastructure Security Agency (CISA).
These reporting requirements under the Executive Order are in addition to, and independent of, existing reporting requirements for other types of security incidents set forth in 33 C.F.R. § 101.305.12 Covered entities should diligently review their incident response planning to ensure these are aligned with Executive Order’s requirements.
NPRM – Cyber security in the marine transportation system
Finally, the USCG has also issued Proposed Regulations to update its existing maritime security regulations that were issued under the MTSA, 33 C.F.R. Subchapter H. The Proposed Regulations are focused on expanding cybersecurity requirements applicable to US flag vessels, regulated waterfront facilities located in the United States, and certain regulated facilities on the US Outer Continental Shelf (OCS Facilities).
Existing MTSA regulations establish minimum requirements not only with regard to physical security of vessels and facilities, but also requirements related to radio and telecommunication systems, including computer systems. The intent of the NPRM is to update and expand the MTSA regulations, placing an enhanced emphasis on cybersecurity measures in the maritime domain.
The Proposed Regulation would add minimum cybersecurity requirements to 33 C.F.R. Part 101, set out in new sections 33 C.F.R. § 101.600-665. As a general rule, if a vessel, regulated waterfront facility, or OCS Facility is currently required to have an approved security plan, then the proposed maritime cybersecurity regulations would apply. The Proposed Regulation would not apply to foreign flag vessels calling on US ports.
In general, the Proposed Regulation would require owners and operators of US-flagged vessels, regulated waterfront facilities, and OCS Facilities to take actions to prepare for, prevent, and respond to cyber threats and vulnerabilities.
Specifically, to first identify and address these cyber threats and vulnerabilities, the Proposed Regulation require the vessel or facility owner or operator to perform a cybersecurity assessment. Based on the cybersecurity assessment, the owner or operator of the vessel or facility must develop and implement an effective cybersecurity plan.
Other key requirements set out in the proposed regulation include: designation of a qualified cyber security officer; requirements for network segmentation, physical security of cyber systems, and provisions for resilience (response and recovery capabilities); requirements to manage cybersecurity risks in the supply chain and the use of third-party vendors; requirements for reporting cyber incidents; requirements for the performance of cyber security drills and exercises; requirements for the performance of cybersecurity audits; and various recordkeeping related to these cybersecurity requirements.
Conclusion – key takeaways
The maritime industry is increasingly relying on inter-connected, digital solutions for enhancing operational effectiveness, efficiency, safety, and more sustainable business operations. In response to this trend of inter-connectedness, the US government has taken significant steps to mitigate the risks associated with this digital transformation, and the cyber requirements imposed on those operating in the maritime environment have never been greater. Key takeaways regarding these initiatives include the following:
- MARSEC Directive 105-4 took effect on 21 February2024. Owners and operators of affected US ports with PRC-manufactured STS cranes should immediately contact their cognizant USCG Captain of the Port to obtain access to MARSEC Directive 105-4, to ascertain what will be required going forward.
- The reporting requirements in the Executive Order and 33 C.F.R. § 6.16-1 took effect on 21 February 2024. Owners and operators of vessels, ports, and OCS Facilities should review their vessel or facility security plans, as appropriate, to ensure the reporting policies and procedures in those plans are aligned and consistent with the new “cyber incident” reporting requirements established under the Executive Order.
- Affected maritime industry stakeholders should review the NPRM and consider providing comments to the USCG by 22 April 2024. The USCG has sought comments on several specific issues, including whether any of the proposed requirements would overlap, conflict with, or duplicate existing regulatory requirements from other Federal agencies.
- Additionally, maritime stakeholders should consider reviewing the cyber aspects of their existing maritime security plans, and potentially conduct an exercise to better ascertain any gaps under the existing or Proposed Regulation.
Written by Luke M. Reid, Guillermo S. Christensen, Brian J. Hopkins
Above article has been initially published on K&L Gates website and is reproduced here with authors’ kind permission
The views presented are only those of the authors and do not necessarily reflect those of SAFETY4SEA and are for information sharing and discussion purposes only.