Shipping concerned about burdensome new US cybersecurity regulations

In late February, the United States Coast Guard (USCG) issued a notice of proposed rulemaking (NPRM) regarding cybersecurity for U.S.-flag vessels. More formally, the proposed changes to the Federal Regulations are described as an effort to: “update maritime security regulations by adding provisions specifically focused on establishing minimum cybersecurity requirements for U.S.-flag vessels, facilities on the Outer Continental Shelf, and U.S. facilities regulated under the Maritime Transport Safety Act 2002.”

Comments from interested parties are required when an NPRM is issued; the deadline for submitting comments has already passed, and the responses will now be considered before the final wording of the new regulations is adopted.

The proposed regulatory language is broad and is based on the USCG’s observation that: “The maritime industry is undergoing a significant transformation that involves the increased use of cybernetically connected systems. While these systems improve the operation of commercial ships and port facilities, they also create a new set of challenges affecting design, operations, safety, training and workforce.”

Referring to the spring 2021 cyberattack on the Colonial Pipeline (connecting the Gulf of Mexico region to the Northeast, which led to a temporary waiver of the Jones Act to allow the flow of petroleum products along the coast), the USCG opines in its NPRM that: “Every day, malicious actors (including, but not limited to, individuals, groups, and hostile threat nations) attempt to gain unauthorized access to control devices or networks using a variety of communication channels.”

Dozens of comments were received from the industry. From a very practical point of view, smaller companies, such as those involved in coastal or inland shipping, do not have large information technology (IT) departments and often employ external consultants to assist with cyber-related issues. In responses to the NPRM, several tug operators, including Florida Maritime Transportation, Western Towboat Company, Dann Marine Towing, Golding Barge Lines and Andrie (members of the American Waterways Operators, or AWO for short, which appears to have recommended wording to its members) expressed the following concerns and recommendations:

  • Develop risk-based plans with applicability tailored to your company’s actual business profile
  • Add cybersecurity to Alternative Security Plans submitted by AWO members (and other groups)
  • Improve incident reporting through the National Response Center and establish incident reporting thresholds
  • Rethink the role of cybersecurity inspectors (it’s not practical to have them on board every ship)
  • Reduce the frequency of proposed cybersecurity exercises

Maersk Line, which has a significant presence in non-Jones Act foreign trade, provided a carefully crafted commentary raising similar issues (in much greater detail), noting that: “We see this as a significant step toward improving the cybersecurity situation of this critical infrastructure sector. However, to maximize its impact and feasibility, we recommend further improvements in the areas of transparency, efficiency and compatibility with existing programs.”

Maersk believed that the USCG’s goals could be achieved by providing “clear, standardized, risk-based, and practical measures that leverage existing industry best practices and avoid creating undue burdens.”

In another response, Liberty Global Logistics (LGL), which also operates U.S.-flagged ships internationally, suggested that “the proposed regulations are extremely burdensome, financially burdensome, and impractical in terms of timing and ultimate implementation.”

Regarding ransomware attacks (the primary motivation for cyberattacks), LGL stated: “A company’s decision on how to respond to a ransomware attack is its own subjective prerogative and if a company chooses to pay a ransom, it should not be required to report this information because the act itself requiring reporting may ultimately discourage some companies from making ransom payments, which may actually increase the overall number of cyber incidents and ransomware attacks.”

Resources:
The NPRM can be downloaded here: https://www.regulations.gov/document/USCG-2022-0802-0001

Industry comments mentioned in the article (as well as other responses) can be found at: https://www.regulations.gov/document/USCG-2022-0802-0001/comment