Written by
Heather Ervin
By Andrew R. Lee & Jim Kearns, Jones Walker LLP
In fall 2022, our firm released a survey of 125 senior leaders at U.S. ports and terminals that gave insight into the state of cybersecurity in this critical sector of our nation’s transportation infrastructure. We shared our findings with Marine Log, and we concluded our summary with a look to the future: Cybersecurity challenges will increase at a rapid pace. With clear, committed leadership engagement, however, much can be done to address this ever-expanding threat.
The rapid escalation of cyber threats targeting our nation’s critical infrastructure has become an increasingly urgent concern. In response to this growing threat, particularly with regard to the maritime transportation system, the US Coast Guard has recently taken important steps to bolster its ability to address these challenges.
On February 22, 2024, in a significant move to strengthen cybersecurity measures, the Coast Guard issued a Notice of Proposed Rulemaking (NPRM) that outlines comprehensive updates to the cybersecurity requirements for US-flagged vessels, Outer Continental Shelf (OCS) facilities, and marine facilities subject to the Maritime Transportation Security Act of 2002 (MTSA). The 100-page NPRM extensively references the Jones Walker senior leader survey and provides valuable insights into the current state of cybersecurity measures at marine facilities across the nation.
So what does the Coast Guard propose to regulate? The proposed rule would establish consistent cybersecurity requirements across vessels, marine facilities, and OCS facilities. Owners and operators would be obligated to appoint qualified personnel to develop a robust cybersecurity plan incorporating detailed preparation, prevention, and response actions for cybersecurity threats and vulnerabilities. The rule outlines stringent minimum requirements for the plan’s content and its submission to and approval by the Coast Guard. Additionally, owners or operators would be required to designate a “Cybersecurity Officer” by name and title, who must be accessible to the Coast Guard 24/7.
The proposed rule outlines comprehensive cybersecurity measures to identify risks, detect threats and vulnerabilities, protect critical systems, and facilitate recovery from cyber incidents. These measures include specific requirements for securing accounts, devices, and data, as well as mandating cybersecurity training for personnel and implementing robust risk management practices, such as conducting cybersecurity assessments and addressing cybersecurity risks across the supply chain. The proposed actions aim to ensure that vessels, marine facilities, and OCS facilities can swiftly recover from cyber incidents while minimizing the impact on critical operations. Additionally, the rule proposes supplemental physical security measures that would complement the security assessments already required under existing regulations.
The proposed rule mandates the execution of drills and exercises to assess the proficiency of personnel in their assigned cybersecurity duties and to verify the effective implementation of both the cybersecurity plan and the overall security plan for the vessel or facility. To ensure compliance with all requirements, owners and operators would be required to maintain comprehensive records documenting their adherence to the stipulated measures.
The deadline for submitting comments on the NPRM is April 22, 2024, a date that may be extended. One of many questions raised by the scope of the NPRM is why foreign-flagged vessels are excluded from the regulation, given the potential risks and vulnerabilities they pose to the US maritime system.
A day before the Coast Guard issued the NPRM, the White House issued an Executive Order that introduced a requirement for reporting any evidence of actual or threatened cyber incidents involving or endangering vessels, harbors, ports, or waterfront facilities to the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency, and the relevant Captain of the Port. This requirement overlapped with existing regulations that obligate MTSA-regulated entities to report security breaches, suspicious activities, or transportation security incidents to the Coast Guard. To clarify the reporting requirements, the Coast Guard issued Navigation and Vessel Inspection Circular (NVIC) 02-24, also on February 21. NVIC 02-24 specified that the existing reporting requirements for MTSA-regulated entities encompass cyber incidents as defined in the executive order. Additionally, the NVIC emphasized that any vessel, harbor, port, or waterfront facility, regardless of its status as an MTSA-regulated entity, must also report any cyber incident to the Coast Guard.
These actions by the president and the Coast Guard demonstrate that significant progress can be achieved in addressing evolving cyber threats to our maritime transportation infrastructure. But it is equally evident that cybersecurity challenges persist and are rapidly escalating and that there is a need for clear, committed leadership to confront these challenges head-on.