Coast Guard Publishes New Cybersecurity Rule

In mid-January, the U.S. Coast Guard released its long-awaited update to regulations for cybersecurity standards in the marine transportation system. The rule was published in the Federal Register on January 17 and will come into effect July 16, although the Coast Guard is accepting comments through March 18 on a potential delay for the implementation period.

“The rule has been under consideration since February of last year,” said Andy Lee, a partner in Jones Walker LLP’s litigation practice group who founded and co-leads the firm’s privacy, data strategy and artificial intelligence team. “This was issued right before the inauguration. I think the timing was deliberate. It’s the first major rulemaking by the Coast Guard in quite some time.”

Lee said the rule applies to owners and operators of U.S.-flagged vessels, facilities and outer continental shelf (OCS) facilities. Certain training requirements have to be in place on July 17, but companies will have a two-year window to submit a cybersecurity plan that accords with the regulation. Lee said larger organizations, or those already under Coast Guard supervision “for various reasons related to critical infrastructure” likely already have developed and enacted a cybersecurity plan and will, thus, submit that long before the end of the two-year window.

“It really has most impact on the small stakeholders who have not heretofore done much in this area,” Lee said. “They’re going to have to create a cybersecurity incident response plan, or CIRP, some call it a CSIRP, within two years of the effective date. That document is not specific to maritime but generic across all organizations that have them.”

Lee called the cybersecurity incident response plan the “meat and potatoes of understanding your organization’s resilience and vulnerabilities.”

“In the process, you learn what you are protecting,” Lee said, “and at the end of the process of creating the plan, you have essentially a reaction blueprint to a cybersecurity incident, which also is a defined term in the regulation.”

The training requirements that have to be in place from day one might include phishing response guidelines or tabletop exercises.

“Things like that have to commence in July,” Lee said.

A major point of angst in the regulation is the requirement for companies to designate a cybersecurity officer.

“That person can have other job duties, and in small organizations it’s almost certain that they will,” Lee said. “That role takes on responsibility for technical understanding of cybersecurity requirements and to be the point of contact for the Coast Guard in investigating any incidents.”

Some companies, particularly smaller ones, may not even have an internal information technology function, Lee said, choosing instead to outsource that to a third party.

“That particular requirement is a big one, and obviously, from the Coast Guard’s perspective, it’s important for them to have the ability to communicate with somebody who’s completely in sync with the organization’s cybersecurity status, so that’s why they put that regulation on there.”

The regulation also requires security of accounts, including multi-factor authentication; security of devices, such as handhelds and other electronics; and security of data, meaning encryption.

“In the process of creating a cybersecurity plan, you go through all the processes of considering those things and deciding which controls to implement in order to be as resilient as possible,” Lee said.

One thing to consider when assessing vulnerability is whether a company’s data is kept in one place, on a single server, and whether that data is adequately secured there. Alternatively, if data is kept on individual users’ computers, that carries additional risks.

“As organizations go through the process of creating that data map, they ask those questions of themselves and come to realize where they are vulnerable,” Lee said. “If they keep data at the desktop level, then they better be sure to encrypt or secure it there, because all the security in the world that’s imposed on the server side can be thwarted if an individual user keeps copies of that data on their individual laptop or desktop.”

At several points in the Coast Guard’s cybersecurity rule, the regulation references Jones Walker’s 2022 Ports and Terminals Cybersecurity Survey, which helped the Coast Guard “gain an understanding of the cybersecurity measures that are currently in place at facilities and OCS facilities in the United States.”

From the firm’s first cybersecurity survey in 2018 to the 2022 survey, Lee said he and his colleagues saw some definite improvement.

“Almost all of them said they had a cybersecurity plan,” Lee said, “though when you dug deeper, some of them were a little dusty. They hadn’t checked in on them in a year or more, which is a best practice so that you know you’re keeping up with the latest threats that are out there.”

Lee said he understands that smaller organizations will have fewer resources to devote to cybersecurity readiness, but with the new rule in place, that’s not an excuse.

“The Coast Guard is essentially leveling the playing field, so that everybody who is affected by this, from the mom and pop barge company to the major shipper, has the same obligations imposed on them. That’s going to be viewed as fairly daunting by the smaller operators, but it’s not insurmountable. It does take a little bit of work and dedication, but the process results in a very high confidence level that’s useful to them.”

For companies starting from scratch or that would like some outside help to assess their needs, the Coast Guard has cybersecurity experts who will meet with stakeholders to help plot a course to compliance.

“These are genuine experts in the field who are happy to get their hands dirty and help organizations get ready for this,” Lee said. “I think the organization is going to have to overcome a little bit of concern that their regulator is going to be ‘looking under the hood’ before they’re ready. But my experience dealing with the Coast Guard cybersecurity experts is that they’re not there to report on these folks. They’re there to help, and they’re more interested than anything in everybody getting their ship in good shape to be ready for this rule.”

The Cybersecurity & Infrastructure Security Agency, or CISA, also provides similar assessment services.

Regardless of the size of a company or its fleet, the threat is real. Just look at the Colonial Pipeline, which was the target of a ransomware attack in May 2021. The system intrusion occurred through a compromised email, and the company shut down its network of pipelines in order to manage the attack. The company paid the ransom—$4.4 million in bitcoin—and eventually restored the system.

Companies in the maritime space could be just as vulnerable if a hacker were able to access operational technology, such as navigation systems, cargo or ballast control systems, or communications systems.

“A cyberattack on those types of systems could result in loss of control over those functions that could result in damage, a spill or mechanical failure,” Lee said. “If a cyberattack takes down a system, and you’re hobbled from that, it could cause at least delays, which could be an economic loss.”

The full rule, including information about submitting comments on delaying implementation of portions of the rule, is available at federalregister.gov. Search for docket no. USCG-2022-0802.