The U.S. Coast Guard is set to publish this week its final rule covering maritime security regulations by establishing minimum cybersecurity requirements for U.S.-flagged vessels, outer continental shelf facilities, and facilities subject to the Maritime Transportation Security Act of 2002 regulations. This final rule addresses current and emerging cybersecurity threats in the marine transportation system by adding minimum cybersecurity requirements to help detect risks and respond to and recover from cybersecurity incidents.

In a final rule scheduled for publication in the Federal Register, the Department of Homeland Security through the Coast Guard aims to enhance cybersecurity within the marine transportation system. The proposal includes mandates to create and uphold a Cybersecurity Plan, appoint a Cybersecurity Officer, and implement various strategies to ensure cybersecurity is maintained. Additionally, the Coast Guard is inviting feedback on a possible extension for the implementation timelines for U.S.-flagged vessels.

The final rule aims to protect the marine transportation system from cybersecurity threats by establishing minimum cybersecurity requirements. These requirements are designed to detect, respond to, and recover from risks that could lead to transportation security incidents (TSIs). The rule specifically targets risks arising from the increased interconnectivity and digitalization of the marine transportation system, addressing current and emerging cybersecurity threats to maritime security.

The Coast Guard noted that with this final rule, it has to finalize the requirements that were proposed in the notice of proposed rulemaking (NPRM), ‘Cybersecurity in the Marine Transportation System,’ published last February 22. The agency also responded to the public comments that we received to the NPRM and made several clarifications regarding the regulatory framework.

The Cybersecurity Plan must include seven account security measures for owners or operators of a U.S.-flagged vessel, facility, or outer continental shelf facility enabling of automatic account lockout after repeated failed login attempts on all password protected IT systems; changing default passwords (or implementing other compensating security controls if unfeasible) before using any IT or operational technology (OT) systems; and maintaining a minimum password strength on IT and OT systems technically capable of password protection.

It also covers implementing multi-factor authentication on password-protected IT and remotely accessible OT systems; applying the principle of least privilege to administrator or otherwise privileged accounts on both IT and OT systems; maintaining separate user credentials on critical IT and OT systems; and removing or revoking user credentials when a user leaves the organization.

The U.S. Coast Guard outlined that the Cybersecurity Plan also must include four device security measure requirements. They are developing and maintain a list of any hardware, firmware, and software approved by the owner or operator that may be installed on IT or OT systems; ensure that applications running executable code are disabled by default on critical IT and OT systems; maintain an accurate inventory of network-connected systems including those critical IT and OT systems; and develop and document the network map and OT device configuration information.

Additionally, the Cybersecurity Plan must include two data security measure requirements that ensure that logs are securely captured, stored, and protected and accessible only to privileged users, and deploy effective encryption to maintain confidentiality of sensitive data and integrity of IT and OT traffic when technically feasible.

The U.S. Coast Guard prescribed that owners or operators of U.S.-flagged vessels, facilities or outer continental shelf facilities must also prepare and document a Cyber Incident Response Plan that outlines instructions on how to respond to a cyber incident and identifies key roles, responsibilities, and decision-makers amongst personnel.

Furthermore, owners or operators must also designate a Cybersecurity Officer (CySO) who must ensure that U.S.-flagged vessel, facility, or outer continental shelf facility personnel implement the Cybersecurity Plan and the Cyber Incident Response Plan. The CySO must also ensure that the Cybersecurity Plan is up-to-date and undergoes an annual audit. The CySO must also arrange for cybersecurity inspections, ensure that personnel have adequate cybersecurity training, record and report cybersecurity incidents to the owner or operator, and take steps to mitigate them.

The Coast Guard estimates that this final rule creates costs for industry and government of about US$1.2 billion total and $138.7 million annualized, discounted at 2 percent (2022 dollars). This increased estimate from the NPRM is primarily driven by increases to our estimates of costs related to cybersecurity drills, exercises, and penetration testing. Cost estimates are also increased due to updated affected population data.

The final rule also notes that its benefits include reduced risk and mitigation of cyber incidents to protect impacted entities and downstream economic participants, and improved protection of marine transportation system business operations to build consumer trust and promote increased commerce in the U.S. economy. Additional benefits include improved minimum standards of cybersecurity to protect the marine transportation system, which is vital to the nation’s economy and national security, and to avoid supply chain disruptions.

The U.S. Coast Guard also requires owners and operators of U.S.-flagged vessels, facilities, and outer continental shelf facilities to segment their IT and OT networks, and log and monitor connections between them. Based on information from CGCYBER, CG-CVC, and NMSAC, network segmentation can be particularly difficult in the marine transportation system, largely due to the age of infrastructure in the affected population of U.S.- flagged vessels, facilities, and outer continental shelf facilities. The older the infrastructure, the more challenging network segmentation may be.

The document also laid down that it will require owners and operators of U.S.-flagged vessels, facilities, and outer continental shelf facilities to limit physical access to IT and OT equipment; secure, monitor, and log all personnel access; and establish procedures for granting access on a by-exception basis.

Last July, the DHS’ Office of Inspector General (OIG) published a final report identifying that the U.S. Coast Guard has made progress in enhancing the cyber posture of the marine transportation system by establishing maritime cybersecurity teams over the past two years, in line with statutory requirements. Based on its findings, the report proposes four recommendations to improve the Coast Guard’s cyber readiness and precautions to secure the U.S. supply chain. The DHS has concurred with four recommendations.

 

Source : Industrial Cyber