U.S. Coast Guard Ramps Up Port and Vessel Cybersecurity Demands

By Tom Ewing  |  Maritime Initiatives

A More Secure Industry

In February, the U.S. Coast Guard (USCG) proposed to update its maritime security regulations. The changes would establish minimum cybersecurity requirements for U.S.-flagged vessels, large passenger and cargo ports and oil, gas and mineral facilities on the U.S. Outer Continental Shelf (OCS). The Coast Guard said, “Cyber-attacks on public infrastructure have raised awareness of the need to protect systems and equipment that facilitate operations within the marine transportation system (MTS) because cyber-attacks have the potential to disable the IT and OT [information technology and operational technology] onboard U.S.-flagged vessels, U.S. facilities and OCS facilities.”

The Coast Guard used the term “update” but the proposed regulations (111 pages in the Federal Register) are extensive, setting new requirements ranging from cybersecurity officers to planning and testing, drills and exercises and “account security measures,” a subheading with nine separate parts covering topics from device and data security to resilience.

The comment period was to close April 22, but maritime and port executives, noting the extent and complexity of the regulations, asked the Coast Guard for an extension, which was granted, pushing the closure to May 22.

Referencing Recent Incidents

To build support for the proposed rule, the Coast Guard referenced two high-profile cyber-attacks that might have been weakened or avoided with better cyber defense. One was the May 2021 Colonial Pipeline incident that forced the company to shut down East Coast operations for six days. The Coast Guard said computer hackers could access Colonial Pipeline’s computer systems with only a password.

The Coast Guard believes the new rules, which would require system managers to implement account security measures like multifactor authentication, would make attacks more challenging. Multifactor authentication includes requiring a five- or six-digit passcode after a password has been entered.

Other security measures may include encryption demands that would make stolen data useless. A “penetration test” – simulating real-world cyber-attacks – could ensure safety and security. The Coast Guard said that better network mapping and configuration information may have allowed Colonial Pipeline to “detect exactly where the connections to the affected systems were, and (the company) may have been able to isolate the problem without having to shut down all pipeline operations, as it did temporarily, which greatly affected its fuel supply operations.”

The second event was a 2017 ransomware-malware attack against Maersk shipping. According to the Coast Guard, in 2016 Maersk had expressed concerns, at least within the company, about its older operating systems, but the concerns were unaddressed. The consequences were costly, estimated at $300 million. The Coast Guard believes that its proposed rules (e.g., Sec. 101.650 “Cybersecurity Measures”) would require the latest software updates, which include periodic software patches.

The Coast Guard said outdated legacy equipment and software can still be useful, but are vulnerable. Systems and equipment like these can be targets for cyber-attacks stemming from insider threats, criminal organizations, nation state actors and others. Autonomous vessel technology, automated OT and remotely operated machines provide further opportunities for cyber-attackers.

The Coast Guard acknowledges that software updates can be expensive and requested comments from the public on the anticipated costs associated with this difference in software for the affected population of this proposed rule.

Other Active Players

Another concern is whether the Coast Guard’s ideas align with other cybersecurity initiatives. The Cybersecurity and Infrastructure Security Agency (CISA) has incident reporting rules regarding cyber-attacks, and there are also requirements set by the 2022 Cybersecurity Incident Reporting for Critical Infrastructure Act (CIRCIA). Additionally, the American Bureau of Shipping has a Cyber Resilience Program that is very similar to the Coast Guard’s proposed rules.

In the meantime, on February 21, President Biden issued Executive Order 14116 “Amending Regulations Relating to the Safeguarding of Vessels, Harbors, Ports and Waterfront Facilities of the United States.” The order grants new powers to port captains to take measures against “increasingly sophisticated malicious cyber campaigns.” The Coast Guard said this executive order is separate from its proposed rules and that it is a coincidence that they came out at the same time.

Great Lakes Impacts

David Gutheil, chief commercial officer for the Port of Cleveland, said he believes the proposed regulations are important and will lead to safer ports. “It is beneficial that the proposed regulations also cover both U.S. and foreign flag vessels. These regulations will strengthen port operations by enhancing our ability to detect, respond and recover from cyber-attacks,” he added. “As an aside, the Port of Cleveland is the port on the U.S. side of the Great Lakes that has undergone a cybersecurity exercise in conjunction with the USCG.”

Gutheil believes the regulations seem to be workable and mirror CISA protocols. However, he said the new regulations will likely at least double the cost of current security protocols. “We cannot absorb these costs and would eventually have to pass these costs on to our customers,” Gutheil said.

Next Steps

On May 9 the Coast Guard’s National Maritime Security Advisory Committee held a special meeting seeking to establish a new, temporary committee to help review the public comments received on the proposed cybersecurity rule. Committee members must have their evaluations to the committee chair by July 1.
