The United States Coast Guard (USCG) has updated its cyber rules to include a compliance timeline and inspection process for non-Safety Management System vessels, with a deadline at the end of this year.
The Coast Guard Office of Commercial Vessel Compliance updated its Vessel Cyber Risk Management Work Instruction with the new timeline, which applies to ships that do not require Safety Management Systems subject to the Marine Transportation Safety Act of 2002.
These vessels are required to address cybersecurity vulnerabilities within their Vessel Security Assessment no later than December 31, 2021, USCG says.
The document highlights the basic questions to be asked by Marine Inspectors during Maritime Transportation Security Act (MTSA) verification procedures, the first of which is to query whether the ship’s Vessel Security Plan (VSP) addresses measures taken to address cybersecurity vulnerabilities and whether those measures are now in place.
If those measures have not been highlighted in the plan and put into practice, the issue may be escalated with the designated Company Security Officer, and could result in a ‘Security Violation’ deficiency being recorded.
Inspectors may also ask for a report of any cybersecurity events experienced by the vessel within the past 12 months, examples of which are listed in the guidance note.
These include intrusions into communications equipment, computer, and networked systems linked to security plan functions (e.g., access control, cargo control, monitoring), unauthorised root or administrator access to security and industrial control systems, and successful phishing attempts or malicious insider activity that could allow outside entities access to internal IT systems.
Details of any instances of viruses, Trojan Horses or “other malicious software that have a widespread impact or adversely affect one or more on-site mission critical servers that are linked to security plan functions” can also be requested.
The full updated USCG document is available here.