The USCG has published guidance calling for the Safety Management Systems (SMS) required under the ISM Code to address cyber risks. The guidance describes the USCG commercial vessel compliance program's approach to assessing cyber risk on vessels, so that a vessel does not pose a risk to the Marine Transportation System (MTS) because of a cyber event.
The guidance also includes a compliance timeline and inspection process for non-SMS vessels that are subject to the Maritime Transportation Security Act of 2002 (MTSA). These vessels are required to address cybersecurity vulnerabilities within their Vessel Security Assessment no later than 31 December 2021.
Vessels subject to the ISM Code (U.S. & Foreign Vessels)
The MI/PSCO shall identify when basic cyber hygiene procedures are not in place onboard. Indicators include, but are not limited to, the following:
- Poor cyber hygiene: usernames/passwords openly displayed; a computer system that appears to use a generic login, or no login at all; a computer system that does not appear to log out automatically after an extended period of user inactivity; heavy reliance on flash drives/USB media.
- Shipboard computers visibly appear to have been compromised (e.g. ransomware lock screens, excessive pop-ups).
- Officers/crew report unusual network problems or reliability issues affecting shipboard systems.
- The unit/vessel screener has received a potentially 'spoofed' email purporting to come from the master/crew onboard.
Guidance for assessing cybersecurity onboard a vessel subject to the ISM Code
During a normal inspection/examination, the MI/PSCO should evaluate whether a cybersecurity event was a factor in the failure of any system required for the safe navigation or operation of the vessel.
If clear grounds are established, the MI/PSCO should conduct a more detailed inspection consistent with the applicable guidance for a foreign or U.S. vessel. Based on objective evidence, the MI/PSCO may identify and issue deficiencies against the portion of the SMS that is not being effectively implemented with respect to cyber risk management.
If objective evidence indicates that the vessel has failed to implement its SMS with respect to cyber risk management, the MI/PSCO should direct the vessel to take the following actions:
For U.S. Vessels
MIs should follow the referenced guidance, which sets forth the approach for assessing the effectiveness of a company's SMS on U.S. flag vessels.
For Foreign vessels
- If cyber risk management has not been incorporated into the vessel's SMS by the company's first annual verification of the DOC after January 1, 2021, a deficiency should be issued with action code 30 (Ship Detained), with the requirement of an external audit within 3 months or prior to returning to a U.S. port after sailing foreign.
- When objective evidence indicates that the vessel has failed to implement its SMS with respect to cyber risk management, the PSCO should issue a deficiency for both the operational deficiency and an ISM deficiency with action code 17 (Rectify Prior to Departure), and require the vessel to conduct an internal audit, focused on the vessel's cyber risk management, within 3 months or prior to returning to a U.S. port after sailing foreign.
- When objective evidence indicates a serious failure to implement the SMS with respect to cyber risk management that directly resulted in a cybersecurity incident impacting ship operations (e.g. diminished vessel safety/security, or increased risk to the environment), the PSCO should, after gaining concurrence from the OCMI, issue a deficiency for both the operational deficiency and an ISM deficiency with action code 30 (Ship Detained), with the requirement of an external audit within 3 months or prior to returning to a U.S. port after sailing foreign.
Non-SMS U.S. Vessels subject to MTSA
Questions for MIs to ask during Maritime Transportation Security Act (MTSA) Verifications:
- Does your VSP address measures taken to address cybersecurity vulnerabilities? If yes: are these measures in place? If no, then ask: has the vessel experienced any cybersecurity events within the past 12 months?
- If the vessel has experienced such events, then ask: have these cybersecurity incidents been reported to your CSO? If yes: reasonably verify the reporting to the CSO, then take no further action. If no: issue a deficiency.
Finally, when attending a vessel for a damage survey, in-service inspection or port state control exam following a report of a marine casualty, the MI/PSCO or Investigating Officer (IO) should always consider the possibility that the incident is related to a cybersecurity event in cases where a system/equipment failure has no obvious cause.
MIs/PSCOs/IOs should use the procedures outlined above to assist with this determination. The MI/PSCO/IO should first determine whether there was a failure of a system required for the safe navigation or operation of the ship, and then determine whether that failure was a cybersecurity event.
After making this determination, the MI/PSCO/IO should ensure that the owner or operator promptly reports the incident to the National Response Center (NRC) or the Department of Homeland Security National Cybersecurity and Communications Integration Center (NCCIC) to initiate a coordinated federal response.