Regulators Say Maritime Industry’s Pandemic Plans Can Skip Cybersecurity Details


The Coast Guard stresses new guidance adds flexibility for compliance with existing security planning requirements.

Following prescient comments from industry, the Coast Guard no longer plans to recommend cruise ships and cargo vessels describe additional cybersecurity measures for responding to any increase in the Maritime Security (MARSEC) levels, which may result from security threats associated with pandemics such as COVID-19.

“Some changes in MARSEC level could involve cyber security threats but others may not, and a change in cyber security posture may not always be appropriate,” read guidelines set to be published in the Federal Register Friday.

An earlier draft of the Navigation and Vessel Inspection Circular recommended “facility owners and operators describe additional cyber-related measures to be taken during changes in MARSEC levels,” according to the Federal Register notice.

The Coast Guard enforces the Maritime Transportation Security Act of 2002, which applies to maritime vessels as well as offshore facilities such as oil rigs. It requires such entities to conduct facility security assessments and to accordingly implement facility security plans. The law notes that it applies to “computer systems and networks.”

The majority of the Coast Guard’s guidance is spent reassuring antsy commenters that the NVIC does not add regulations. Moreover, the guidance updates draft language to emphasize the flexibility entities have in doing their assessments and making their plans. 

“The NVIC does not mandate that facilities use specific cyber security technology or take specific actions to mitigate a computer system or network vulnerabilities,” wrote Karl L. Schultz, U.S. Coast Guard admiral and commandant. “It simply reminds facility owners and operators of existing MTSA regulations that require the assessment of computer system and network vulnerabilities in their FSAs and incorporation, where applicable, in their FSPs.”

Some commenters asked for more advice about how to conduct their assessments to incorporate cybersecurity. But the Coast Guard, based on other comments, removed more detailed guidance and examples from the draft NVIC.

“The draft NVIC contained an Enclosure (2)... This Enclosure provided recommended practices, including the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF) and NIST Special Publication 800-82,” the guidance reads. “We have concluded that Enclosure (2) created more confusion than benefit for the owners and operators of MTSA-regulated facilities. For example, some commenters mistook the described examples and the framework for recommended parts of an FSA.”

NIST SP 800-82 addresses cyber risks to industrial control systems—an “operational priority” of the Cybersecurity and Infrastructure Security Agency’s “strategic intent.”

Other parts of the guidance note the folly of certain actions while maintaining the flexibility for industry to construct their plans.

“Waiting for scheduled intervals to install security patches and other updates instead of performing such actions immediately provides opportunities for system exploitation,” the guidance reads, noting “facilities can choose the intervals with which to install security patches.”

The guidance does clarify entities should include procedures for managing software updates and patch installations in their security plans.