On 27th October 2020, USCG issued a work instruction with guidance on implementation of IMO Resolution 428(98) and MSC-FAL.1/Circ 3. SQE Marine shares more information, explaining that this work instruction provides guidance regarding the U.S. Coast Guard (USCG) commercial vessel compliance program’s approach to assessing the cyber risk on US flagged and foreign vessels to ensure they do not pose a risk to the Marine Transportation System due to a cyber event.
Indications of poor Cyber performance
When boarding vessels for inspection, USCG officers, Marine Inspectors (MIs) and Port State Control Officers (PSCOs), referred to collectively as MI/PSCO, will check for signs indicating poor cyber performance. Indicative items include, but are not limited to, the following:
a. Poor cyber hygiene
- Username / Password openly displayed
- Computer system appears to require a generic login or no login for access
- Computer system does not appear to automatically log out after extended period of user inactivity
- Heavy reliance on flash drive/USB media use
b. Shipboard computers readily appear to have been compromised by ransomware/excessive popups
c. Officers/crew complain about unusual network issues and reliability impacting shipboard systems
d. Unit/vessel screener received potential ‘spoofed’ email from master/crew onboard.
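The hygiene indicators above are things an inspector can observe at a glance, and a crew can self-check them before a boarding. As an added example, not part of the USCG work instruction or SQE's circular, the following POSIX shell script audits three of them on a Linux host: an idle logout timeout, generic shared login accounts, and unrestricted USB mass storage. The account names it treats as generic, the file paths it reads, and the sample configuration files it writes into a scratch directory are all constructed assumptions for demonstration.

```shell
#!/bin/sh
# Added example (not USCG/SQE code): self-audit for three "poor cyber hygiene"
# indicators. All file paths are passed in; sample files below are constructed.

# check_idle_logout PROFILE_FILE
# Looks for a shell idle timeout (TMOUT=<seconds>) greater than zero.
check_idle_logout() {
  val=$(grep -E '^[[:space:]]*(export[[:space:]]+)?TMOUT=' "$1" 2>/dev/null \
        | tail -n 1 | sed 's/.*TMOUT=//; s/[^0-9].*//')
  if [ -n "$val" ] && [ "$val" -gt 0 ] 2>/dev/null; then
    echo "OK: automatic logout after ${val}s of inactivity"
    return 0
  fi
  echo "FINDING: no automatic logout after extended inactivity"
  return 1
}

# check_generic_accounts PASSWD_FILE
# Flags accounts with a real login shell whose name looks like a shared/generic
# login (the name list is an assumption; adapt it to the fleet's naming).
check_generic_accounts() {
  hits=$(awk -F: '$7 !~ /(nologin|false)$/ && \
                  $1 ~ /^(bridge|crew|user|admin|guest|operator|ecdis)$/ {print $1}' "$1")
  if [ -n "$hits" ]; then
    echo "FINDING: generic/shared login accounts: $(echo "$hits" | tr '\n' ' ')"
    return 1
  fi
  echo "OK: no generic login accounts with a login shell"
  return 0
}

# check_usb_storage MODPROBE_CONF
# Treats USB mass storage as restricted when the usb-storage module is
# blacklisted or its install is diverted to /bin/true or /bin/false.
check_usb_storage() {
  if grep -Eq '^[[:space:]]*(blacklist[[:space:]]+usb[-_]storage|install[[:space:]]+usb[-_]storage[[:space:]]+/bin/(true|false))' "$1" 2>/dev/null; then
    echo "OK: usb-storage module disabled"
    return 0
  fi
  echo "FINDING: USB mass storage not restricted"
  return 1
}

# run_audit PROFILE PASSWD MODPROBE
# Runs the three checks and prints "FINDINGS: <n>" as the last line.
run_audit() {
  n=0
  if ! check_idle_logout "$1"; then n=$((n + 1)); fi
  if ! check_generic_accounts "$2"; then n=$((n + 1)); fi
  if ! check_usb_storage "$3"; then n=$((n + 1)); fi
  echo "FINDINGS: $n"
  return 0
}

# make_samples DIR
# Writes constructed sample configuration files (not from any real vessel).
make_samples() {
  printf 'export TMOUT=600\nreadonly TMOUT\n' > "$1/profile_good"
  printf '# no idle timeout configured\nPS1=bridge\n' > "$1/profile_bad"
  printf 'root:x:0:0:root:/root:/bin/sh\nbridge:x:1001:1001::/home/bridge:/bin/bash\ndaemon:x:2:2::/:/usr/sbin/nologin\n' > "$1/passwd_bad"
  printf 'root:x:0:0:root:/root:/bin/sh\nmaster:x:1002:1002::/home/master:/bin/bash\ndaemon:x:2:2::/:/usr/sbin/nologin\n' > "$1/passwd_good"
  printf 'blacklist usb-storage\n' > "$1/modprobe_good"
  printf '# nothing restricted\n' > "$1/modprobe_bad"
}

# Usage on a real host (paths are typical Linux locations, adjust as needed):
#   run_audit /etc/profile /etc/passwd /etc/modprobe.d/usb-storage.conf
```

On a live system the three inputs are usually `/etc/profile` (or a file under `/etc/profile.d/`), `/etc/passwd`, and a file under `/etc/modprobe.d/`; a non-zero FINDINGS count is the cue to discuss the item with the Master before an inspector does.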
If observations are not directly linked to statutory requirements or are not technical or operational-related deficiencies, MI/PSCO will not have clear grounds to conduct a more detailed inspection. However, these vulnerabilities should be discussed directly with the Master. In addition, these discussions shall be annotated in the MISLE inspection narrative and documented with a deficiency entered into MISLE marked “Worklist Item/Do Not Show in PSIX” for data analysis.
During the course of a normal inspection/examination, the MI/PSCO should evaluate whether or not a cybersecurity event occurred due to failure in a system required for the safe navigation or operation of the vessel.
If clear grounds are established, the MI/PSCO should conduct a more detailed inspection consistent with the applicable guidance for a foreign or U.S. vessel. Based on objective evidence, the MI/PSCO may discover and issue deficiencies based on the portion of the SMS that is not being effectively implemented with respect to cyber risk management.
A more detailed inspection does NOT automatically mean that an ISM deficiency exists. MI/PSCO should NOT direct the ship to create any checklists or procedures with respect to cyber risk management. A MI aboard a U.S. vessel may review internal audits and corrective action reports while conducting a more detailed inspection.
a. For U.S. Vessels:
1) MIs should follow the guidance in USCG Oversight of Safety Management Systems on U.S. Flag Vessels, which sets forth guidance for assessing the effectiveness of a company's SMS on U.S. flag vessels.
b. For NON US flagged vessels:
1) If cyber risk management has not been incorporated into the vessel’s SMS by the company’s first annual verification of the DOC after January 1, 2021, a deficiency should be issued with action code 30 – Ship Detained, with the requirement of an external audit within 3 months or prior to returning to a U.S. port after sailing foreign.
2) If objective evidence indicates that the vessel failed to implement its SMS with respect to cyber risk management, then the PSCO should issue a deficiency for both the operational deficiency and an ISM deficiency with an action code 17 – Rectify Prior to Departure and require the vessel to conduct an internal audit, focused on the vessel’s cyber risk management, within 3 months or, prior to returning to a U.S. port after sailing foreign.
3) If objective evidence indicates there is a serious failure to implement the SMS with respect to cyber risk management that directly resulted in a cybersecurity incident impacting ship operations (e.g. diminished vessel safety/security, or posed increased risk to the environment), after gaining concurrence from the OCMI, the PSCO should issue a deficiency for both the operational deficiency and an ISM deficiency with action code 30 – Ship Detained with the requirement of an external audit within 3 months or prior to returning to a U.S. port after sailing foreign.
c. Deficiencies issued with respect to ISM and cybersecurity will be assigned as deficiency code 15113 (Other ISM), in accordance with USCG deficiency code system.
Reporting of cyber incidents is not something new in the USA. USCG's Policy Letter 08-16 "Reporting Suspicious Activity and Breaches of Security" has already set a framework towards that end. In addition, the following need to be reported:
- Transportation Security Incident (TSI)
- Breach of Security (BoS)
- Suspicious Activity (SA)
All such incidents should be reported to the relevant Authorized Security Services of the Port Authorities. Specifically for the USA, all SA and BoS should be reported to the National Response Center (NRC) at 1-800-424-8802. Facility and vessel operators may also make reports directly to the local COTP; however, priority should be given to the NRC. The authorized office to address such reports is the National Cybersecurity and Communications Integration Center (NCCIC), which is a 24/7 cyber situational awareness, incident response, and management center. Additionally, send a notification to the Coast Guard Cyber Command 24/7 watch at 202-372-2904 or [email protected]
Ship Managers should be duly prepared for effective PSC inspections worldwide, bearing in mind that the cyber risk management measures IMO requires as part of the SMS will be checked for implementation after 1st January 2021.
Ship Managers should:
- Implement procedures in SMS ensuring cyber risk management is appropriately addressed, no later than the first annual verification of the company’s Document of Compliance (DOC) after January 1, 2021.
- Provide adequate training for both shore and on-board staff in order to implement these procedures as required.
- Create an evaluation procedure (through internal audits/drills) in order to gain feedback for effectiveness of their procedures.
Shipboard staff should:
- Be familiar with cyber procedures as incorporated in their SMS
- Implement and follow the cyber procedures on board
- Act proactively to protect on board Information Technology (IT) and Operational Technology (OT) systems from cyber attacks
- Report to Head Office (and relevant PSC Authorities) any cyber incident as required by SMS, Flag Administration and local requirements.
SQE has developed a circular to be used as guidance: