USCG provides useful Vessel Cyber Risk Management Guidance


As maritime operations become more reliant on the systems integrated through automation, cyber risk is an area of increasing concern in the Marine Transportation System. This matter will eventually be monitored via PSC inspections for both domestic and foreign flag vessels calling at US ports.

In an effort to address cyber threats in the maritime sector, the US Coast Guard has issued a Guidance Paper to provide guidance to Coast Guard Marine Inspectors and Port State Control Officers for assessing cyber hygiene onboard applicable vessels, as well as compliance options if deficiencies are noted.

USCG recognizes that not all shipping companies and ships are alike, and therefore the SMS provides shipping companies the ability to tailor a structured system to address evolving cybersecurity vulnerabilities unique to a company/vessel’s specific management and operations.

MSC-FAL.1/Circ.3 contains high-level recommendations to maritime stakeholders on assessing maritime cyber risk management. This IMO circular refers to several standards to help identify and mitigate cyber risks, including five functional elements consistent with the National Institute of Standards and Technology (NIST) Cybersecurity Framework:

  1. Identify: Define personnel roles and responsibilities for cyber risk management and identify the systems, assets, data and capabilities that, when disrupted, pose risks to ship operations.
  2. Protect: Implement risk control processes and measures, and contingency planning to protect against cybersecurity events and ensure continuity of shipping operations.
  3. Detect: Develop and implement activities necessary to detect a cybersecurity event in a timely manner.
  4. Respond: Develop and implement activities and plans to provide resilience and to restore systems necessary for shipping operations or services impaired due to a cyber event.
  5. Recover: Identify measures to back-up and restore cyber systems necessary for shipping operations impacted by a cybersecurity event.

As a Flag Administration, the USCG expects that U.S. flagged vessels and companies will incorporate cyber risk management into their SMS.

Additionally, as a Port State, companies with foreign-flagged vessels that call on ports in the U.S. should ensure cyber risk management is appropriately addressed in their SMS no later than the first annual verification of the company’s Document of Compliance (DOC) after January 1, 2021.

The below document also contains guidance regarding those vessels that are not required to implement and maintain an SMS, but are required to maintain a Vessel Security Plan (VSP).

Keep in mind that a VSP might include measures taken to mitigate cyber-related vulnerabilities that the ship would be required to follow in order to meet 33 CFR part 104.

Owners and operators of a vessel required to maintain a VSP had until December 31, 2021 to implement measures to mitigate cyber-related vulnerabilities.

For the purposes of this Guidance paper, USCG vessel compliance activities will only be directed towards cyber risk management on systems that are critical to the safe operation and navigation of the vessel.

Stand-alone computers or other systems which do not affect the safe operation or navigation of the vessel are not to be inspected or examined.

The below guidance is not a substitute for applicable legal requirements, nor is it itself a rule. It is not intended to, nor does it, impose legally binding requirements on any party. It represents the US Coast Guard’s current thinking on this topic and may assist industry, mariners, the public, and the Coast Guard, as well as other federal and state regulators, in applying statutory and regulatory requirements.

You can use an alternative approach for complying with these requirements if the approach satisfies the requirements of the applicable statutes and regulations.

USCG Port State Control Officers (PSCOs) will be familiar with and use the guidance provided in this paper to evaluate how well a vessel’s Safety Management System (SMS) complies with requirements. Additionally, this paper provides guidance to PSCOs when assessing cyber risk management onboard non-SMS U.S. vessels. Lastly, it discusses the use of COTP orders and CG-835Vs to control vessels that have been affected by a cyber incident, and responding to a reported or probable cyber incident affecting the seaworthiness of a vessel.

Ship Managers and their vessels should be duly prepared for a PSC inspection worldwide, bearing in mind that the cyber risk management measures required by IMO as an SMS requirement will be monitored for implementation after 1 January 2021.

Owners / Ship Managers should:

  • Establish procedures in their SMS ensuring cyber risk management is appropriately addressed, no later than the first annual verification of the company’s Document of Compliance (DOC) after January 1, 2021.
  • Provide adequate training for both shore and on-board staff in order to implement these procedures.
  • Create an evaluation procedure (internal audits/drills) in order to obtain feedback for the effectiveness of their procedures.

Shipboard staff should:

  • Be familiar with cyber procedures as incorporated in their SMS.
  • Implement and follow the cyber procedures on board.
  • Act proactively to protect onboard Information Technology (IT) and Operational Technology (OT) systems from cyber attacks.
  • Report to their Ship Manager (and relevant PSC Authorities) any cyber incident as required by SMS, Flag Administration and other Port State requirements.

Last word:

Owners / Ship Managers should ensure that every ship has clear documentation, standards and processes in place so that the Port State Control Officer has confidence in their approach to cybersecurity risk management. Even the smallest failure in a critical system requires urgent and professional remediation. If you arrive in a US port with a malfunctioning critical system, you will be required to fix it there and then, be audited, and be able to reassure the PSCO on your next visit that the issue has been rectified. If you cannot do this, your vessel will most probably be detained.

Source: USCG
