The maritime industry is grappling with an escalating wave of cybersecurity threats as it increasingly relies on interconnected digital systems. Recognizing the critical need to address these vulnerabilities, the U.S. Coast Guard issued a final rule aimed at fortifying the marine transportation system (MTS) against current and emerging cybersecurity risks.
This rule introduces minimum cybersecurity requirements to 33 CFR Part 101 to enhance the sector’s ability to detect, respond to, and recover from cyber incidents that could result in transportation security incidents (TSIs). By addressing the challenges posed by the growing interconnectivity and digitalization of maritime systems, this new framework establishes robust safeguards designed to protect the MTS.
The Current State of Cybersecurity in the MTS
The maritime industry is increasingly adopting digital solutions for efficiency, cost savings, safety, and sustainability. However, this reliance on information technology (IT) and operational technology (OT) systems also raises cybersecurity risks, making U.S.-flagged vessels, facilities, and Outer Continental Shelf (OCS) facilities more vulnerable to cyberattacks. Attacks on critical infrastructure highlight the need to protect maritime systems, as cyber threats could disrupt navigation, communications, and port operations, leading to delays, accidents, and economic impacts.
Autonomous vessels, automated OT, and remote operations present additional targets for insider threats, criminal organizations, and nation-state actors. These types of cyberattacks can range from altering a vessel’s navigational systems to disrupting communication with ports, leading to delays, accidents, or even potential groundings. Such disruptions can halt vessel movements, shut down port operations, and negatively impact the transportation and commerce of goods, raw resources, and passengers. Potential military operations could also be affected. Given the role of cybersecurity in global trade, enhancing it is essential.
This final rule outlines cyber risk management (CRM) measures to help maritime stakeholders detect, respond to, and recover from cyber threats. The Coast Guard aims to strengthen security while maintaining safe operations by enforcing minimum cybersecurity requirements. The 2017 IMO guidelines emphasize CRM in Safety Management Systems (SMS) under the ISM Code, ensuring companies implement cybersecurity within their safety policies.
For U.S.-flagged vessels, the rule establishes baseline cybersecurity protections, with the Coast Guard overseeing compliance through Cybersecurity Plan approvals and inspections. The rule also applies to facilities under 33 CFR Parts 105 and 106. Public comments are being sought on a possible 2-to-5-year delay for implementation on U.S.-flagged vessels.
Current Marine Transportation Systems Act of 2002 (MTSA) Regulations Related to Cybersecurity
The MTSA-implementing regulations in 33 CFR Parts 101, 103, 104, 105, and 106 give the Coast Guard the authority to review and approve security assessments and plans that apply broadly to the various security threats facing the maritime industry. Through the Navigation and Vessel Inspection Circular (NVIC) 01-20 (85 FR 16108, March 20, 2020), the Coast Guard interpreted 33 CFR Parts 105 and 106 as requiring owners and operators of facilities and OCS facilities to address cybersecurity in their Facility Security Assessments (FSAs) and OCS FSAs, as well as in their Facility Security Plans (FSPs) and OCS FSPs. The NVIC provides non-binding guidance on how regulated entities can address these issues.
This final rule also expands upon the agency’s previous actions by establishing minimum performance-based cybersecurity requirements for the MTS within the MTSA regulations. Similar to the existing requirements in 33 CFR Parts 104, 105, and 106, the Coast Guard allows owners and operators flexibility to determine the best way to implement and comply with these new requirements. Following the effective date of this final rule, personnel must complete certain training requirements within approximately 6 months, and owners or operators must sequentially complete a Cybersecurity Assessment and submit the Cybersecurity Plan to the Coast Guard for review and approval within 24 months. The Cybersecurity Plan also includes designating a Cybersecurity Officer (CySO, as discussed in more detail below). These implementation periods allow sufficient time for the owners and operators of applicable U.S.-flagged vessels, facilities, and OCS facilities to comply with the requirements of this final rule.
Owners or operators should comply with the measures in their submitted Cybersecurity Plans until their Plan is approved, or until the Captain of the Port (COTP) or Marine Safety Center (MSC) responds to ask the entity to address any issues with the submitted Plan. When a regulated entity must take actions in accordance with this final rule before submitting its initial Cybersecurity Plan to the Coast Guard for approval, any responsibility of the CySO, if that person is not yet designated, should be completed by the owner, operator, or existing security officer.
Key Cybersecurity Requirements to Be Implemented
Under this rule, owners and operators of U.S.-flagged vessels, facilities, and OCS facilities subject to security plan requirements under 33 CFR Parts 104, 105, and 106 must develop and maintain both a Cybersecurity Plan and a Cyber Incident Response Plan.
The Cybersecurity Plan includes measures focused on account security, device security, and data protection:
Account Security Measures:
- Enable automatic account lockout after multiple failed login attempts.
- Change default passwords or implement compensating controls before system use.
- Enforce minimum password strength on IT and operational technology (OT) systems.
- Implement multifactor authentication on password-protected IT and remotely accessible OT systems.
- Apply the principle of least privilege to administrator accounts.
- Use separate credentials for critical IT and OT systems.
- Revoke credentials for users leaving the organization.
Device Security Measures:
- Maintain an approved list of hardware, firmware, and software.
- Disable applications running executable code by default on critical systems.
- Keep an accurate inventory of network-connected systems.
- Develop and document network maps and OT device configurations.
Data Security Measures:
- Securely capture, store, and protect system logs, limiting access to privileged users.
- Deploy encryption to safeguard sensitive data and ensure traffic integrity.
Additionally, a Cyber Incident Response Plan must outline detailed response instructions, define key roles and responsibilities, and ensure personnel readiness in the event of a cyberattack.
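As an added illustration (not from the rule or the article) of how the account-security measures listed above can be turned into a repeatable self-check, the Python below evaluates a constructed account inventory against them and reports one gap per unmet measure; the Account fields, the system names, and the 12-character minimum length are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Account:
    """One credential on one system (constructed schema, not defined by the rule)."""
    user: str
    system: str
    system_type: str              # "IT" or "OT"
    critical: bool                # critical IT/OT system per the owner's assessment
    password_changed: bool        # vendor default replaced before the system was used
    lockout_after: Optional[int]  # failed logins before automatic lockout; None = disabled
    mfa: bool
    remote_access: bool           # OT system reachable from outside its control network
    min_password_len: int         # password-strength policy enforced on this system
    active_employee: bool         # False once the user has left the organization
    credential_id: str            # opaque id of the secret, used to spot reuse across systems

def account_gaps(accounts: List[Account], min_len: int = 12) -> List[Tuple[str, str, str]]:
    """Return (system, user-or-credential, gap) for each account-security measure not met."""
    gaps: List[Tuple[str, str, str]] = []
    critical_use: Dict[str, Set[str]] = {}  # credential_id -> critical systems using it
    for a in accounts:
        if not a.password_changed:
            gaps.append((a.system, a.user, "default password still in use"))
        if a.lockout_after is None:
            gaps.append((a.system, a.user, "automatic lockout disabled"))
        if a.min_password_len < min_len:
            gaps.append((a.system, a.user, "password policy below minimum strength"))
        # MFA applies to password-protected IT and to remotely accessible OT systems
        if not a.mfa and (a.system_type == "IT" or a.remote_access):
            gaps.append((a.system, a.user, "multifactor authentication missing"))
        if not a.active_employee:
            gaps.append((a.system, a.user, "credentials not revoked after departure"))
        if a.critical:
            critical_use.setdefault(a.credential_id, set()).add(a.system)
    for cred, systems in critical_use.items():
        if len(systems) > 1:  # the same secret protects more than one critical system
            gaps.append((",".join(sorted(systems)), cred, "credential shared across critical systems"))
    return gaps

# Constructed sample inventory; names and values are illustrative only.
SAMPLE = [
    Account("bridge_nav", "ECDIS-1", "OT", True, True, 5, False, False, 14, True, "cred-a"),
    Account("vendor", "PLC-ballast", "OT", True, False, None, False, True, 8, True, "cred-b"),
    Account("j.doe", "crew-mail", "IT", False, True, 10, True, False, 14, False, "cred-c"),
    Account("ops_admin", "cargo-mgmt", "IT", True, True, 5, True, False, 14, True, "cred-a"),
]
if __name__ == "__main__":
    print(*account_gaps(SAMPLE), sep="\n")
```

The least-privilege measure for administrator accounts is not checked here because it needs role information an inventory alone does not carry.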
Cybersecurity Officer Designation
The rule mandates the appointment of a CySO responsible for implementing and maintaining the cybersecurity framework. The CySO must:
- Oversee annual audits and updates to the Cybersecurity Plan.
- Conduct inspections and ensure personnel receive adequate training.
- Record, report, and mitigate cybersecurity incidents.
Final Rule Announcement: Cybersecurity Implementation Dates and Comment Period
The final rule on cybersecurity measures for U.S.-flagged vessels, facilities, and OCS facilities will officially take effect on July 16, 2025, which is 180 days after its publication in the Federal Register on January 17, 2025.
The Coast Guard is soliciting comments regarding a potential 2-to-5-year delay in implementation periods for U.S.-flagged vessels as outlined in Section VII of the preamble. Stakeholders are encouraged to submit their feedback by March 17, 2025, which is 60 days after the publication date of the rule.
Comments can be submitted through the official channels detailed in the Federal Register notice. Your input will help inform the feasibility and timing of these critical cybersecurity measures.
Practical Steps to Ensure Compliance with Updated Cybersecurity Statutes
The recent amendments to maritime cybersecurity regulations emphasize proactive planning, role clarity, and rigorous accountability. Here’s a guide to help U.S.-flagged vessel, facility, and OCS facility operators comply with the updated statutes effectively:
Owner or Operator Responsibilities
To fulfill these responsibilities:
- Develop a Cybersecurity Plan: Outline cybersecurity roles, responsibilities, and strategies tailored to identified risks. Ensure the plan includes specific measures to mitigate vulnerabilities.
- Appoint a Cybersecurity Officer (CySO): Select a qualified professional available 24/7, and share their contact information with stakeholders.
- Conduct Regular Exercises and Audits: Schedule annual audits, cybersecurity drills, and exercises to validate the plan’s effectiveness.
- Prepare a Cyber Incident Response Plan: Clearly define procedures for responding to and mitigating cyber incidents.
- Report Cyber Incidents Promptly: Notify the National Response Center (NRC) immediately upon detecting any reportable incident.
Cybersecurity Officer (CySO) Requirements
To meet CySO standards:
- Define the Role: The CySO can hold other roles but must prioritize cybersecurity duties, including overseeing assessments, audits, and vulnerability mitigations.
- Enhance Expertise: Ensure the CySO has training in vessel/facility operations, cybersecurity best practices, and risk management. Encourage continuous education on threat identification and mitigation.
- Ensure Systematic Oversight: Assign the CySO responsibility for maintaining training records, updating the Cybersecurity Plan, and ensuring compliance with audit requirements.
Crafting and Maintaining a Cybersecurity Plan
Key actions for compliance:
- Content Development: Include organizational structure, CySO identity, access control, communication protocols, and incident reporting procedures.
- Mitigation of Risks: Address vulnerabilities identified in the Cybersecurity Assessment, ensuring that measures comply with Subpart F regulations.
- Timely Updates: Amend the plan promptly to reflect changes in ownership, cybersecurity vulnerabilities, or operational conditions.
- Annual Audits and Drills: Schedule independent audits annually and conduct biannual drills to test the plan’s readiness. Maintain detailed records of all activities.
Strengthen Communication Systems
- Notify Stakeholders: Establish effective channels to communicate cybersecurity condition changes to all relevant parties, documenting procedures in the Cybersecurity Plan.
- Ensure Continuous Communication: Implement robust systems for seamless communication between security personnel, vessels, and authorities.
Implement Robust Cybersecurity Measures
- Account Security: Enforce strong passwords, multifactor authentication, and automatic lockout policies. Regularly update credentials and remove access for departing personnel.
- Device Security: Maintain an approved list of hardware/software, inventory networked systems, and ensure critical IT and OT systems are mapped and monitored.
- Data Security: Encrypt sensitive data and store logs securely to maintain confidentiality and integrity.
- Training Programs: Provide role-specific cybersecurity training to all personnel, with annual updates. Include training on recognizing threats, incident reporting, and OT-specific cybersecurity practices.
- Risk Management: Conduct Cybersecurity Assessments by July 2027 and annually thereafter. Include penetration tests as part of plan renewals and act swiftly on identified vulnerabilities.
- Resilience: Develop a Cyber Incident Response Plan, conduct annual exercises, and back up critical systems regularly. Protect backups with encryption and frequent testing.
- Network Segmentation: Separate IT and OT systems and monitor connections for unauthorized access or suspicious activity.
- Physical Security: Restrict access to IT/OT equipment and manage unused ports by disabling or removing them.
Stay Ahead of Compliance Deadlines
- Submission of Plans: Submit Cybersecurity Plans to the Coast Guard by July 16, 2027.
- Maintain Documentation: Keep plans and penetration test results readily accessible for Coast Guard review.
- Address Noncompliance: Seek waivers or equivalency determinations if needed and notify authorities of temporary deviations.
By adhering to these steps, owners and operators can build a resilient cybersecurity framework, reduce vulnerabilities, and comply with federal regulations while safeguarding critical maritime infrastructure.