USCG Releases Final Cybersecurity in the Marine Transportation System Rule
The U.S. Coast Guard is set to publish a notice for the release of its final rule for Cybersecurity in the Maritime Transport System in the U.S. Federal Register on Friday, January 17. It is a comprehensive strategy addressing the growing threat to vessels, ports and facilities, and operations on the Outer Continental Self and requires operators to take new steps to harden their defenses and preparations.
The Coast Guard writes in the 370-page document that the purpose of the final rule is to safeguard the maritime transport system (MTS) against current and emerging threats associated with cybersecurity. It says it is laying out minimum cybersecurity requirements to help direct, respond to, and recover from cybersecurity risks that may cause transportation security incidents.
“This final rule addresses risks from increased interconnectivity and digitalization of the MTS and current and emerging cybersecurity threats to maritime security in the MTS with the additional minimum requirements,” declares the document.
President Joe Biden responded to the growing concerns over cyber risks that started with the accusations that Chinese-built container cranes for ports contained spying links and remote programming abilities. The trade association of the ports called it paranoia but the issue gained traction in the U.S. Congress leading to a series of efforts to harden the infrastructure of U.S. ports.
The USCG Coast Guard was ordered to audit the ports and develop the new rules as well overseeing the enhancement of cyber security. The White House also moved to place new tariffs on Chinese-made cargo cranes and equipment and encourage the reshoring of the manufacturing capabilities to the U.S.
The final rule requires a series of steps from the owners and operators of U.S.-flagged vessels, facilities, and Outer Continental Shelf facilities to enhance and maintain cybersecurity efforts. The USCG will oversee the efforts. It estimates the rule creates costs for the industry and government of approximately $1.2 billion in total and annualized costs of $138.7 million.
There are several aspects to the rue. Vessels and facilities are required to develop and maintain a Cybersecurity Plan and Cyber Incident Response Plan. There are requirements for cybersecurity drills, exercises, and penetration testing.
The plan must incorporate seven security measures. These include elements such as automatic lockouts after repeated failed login attempts, increases to password security, and multifactor authentication. The plan must include four device security measures including a list of any hardware, firmware, and software approved by the owner that must be installed and an inventory of network-connected systems. The plan also requires secure logs of activity and encryption.
All of the facilities covered by the rule are also required to prepare and document a Cyber Incident Report Plan. Owners and operators must also designate a Cybersecurity Officer who is responsible for overseeing the implementation of the plan and response plan. They must also ensure the plan is updated and undergoes an annual audit.
The Cybersecurity Officer will also arrange for cybersecurity inspections, ensure adequate training, and report and record all incidents.
The final rule phases in a series of key milestones. Effective immediately companies must begin reporting all incidents to the Coast Guard and then within six months must complete employee training. Companies have up to 24 months to conduct assessments, designate their Cybersecurity Office, and submit plans for approval. Once the plan is approved, companies must conduct drills at least twice each calendar year.
While the rule is due to go into effect six months after it is published in the Federal Register, the U.S. Coast Guard is requesting public comment on a potential two to five-year delay for implementing the elements for U.S.-flagged vessels.