Cyber Awareness & Risk Management

Cyber Awareness Series Part 2: Risk management

Editor's note: This article is the second in a series that the Coast Guard will be publishing in recognition of Cybersecurity Awareness Month. Now in its 18th year, Cybersecurity Awareness Month offers an opportunity to emphasize the importance of cybersecurity and cyber risk management across all critical infrastructure, and especially the Marine Transportation System (MTS). Cybersecurity Awareness Month also coincides with the Department of Homeland Security's Cyber Sprint for Transportation Security. Through current authorities, rulemaking, and industry and stakeholder engagement, DHS is pursuing a strengthened cybersecurity posture among critical transportation operators, with the Coast Guard charged with the maritime transportation sector.

Submitted by Lt. Catherine Paris, Office of Design and Engineering Standards

Incorporating Cyber Risk Management into Vessel Safety Management Systems

Cyber-related technologies are at the core of the technological advances that enable the maritime industry to operate at unprecedented capacity and efficiency. However, as this technology becomes more widespread and sophisticated, so do the potential consequences of cyber threats. These emerging cyber threats require leaders in the maritime community to manage changing risk vectors effectively in order to create a safer cyber environment.

Risk management is foundational to the maritime industry. The International Maritime Organization (IMO) began taking steps to address cyber risks in the shipping industry in June of 2017. In publishing Maritime Safety Committee (MSC)/Facilitation Committee (FAL) Circular 3, Guidelines on Maritime Cyber Risk Management and MSC Resolution 428(98), Maritime Cyber Risk Management in Safety Management Systems, IMO explicitly identified cyber as a risk that should be managed by Safety Management Systems (SMS). By doing so, IMO affirmed that an approved SMS should take into account cyber risk management (CRM) in accordance with the objectives and functional requirements of the International Safety Management (ISM) Code, which is implemented into regulation in 33 CFR Part 96.

Vessels and Responsible Persons (RPs) subject to, or that choose to voluntarily comply with, chapter IX of the International Convention for the Safety of Life at Sea (SOLAS) 1974 or 33 CFR Part 96 are required to assess and take safeguards against all risks. In accordance with the previously cited IMO circular and resolution, cyber risks must be addressed like any other risk. The incorporation of CRM into the SMS should follow the process established by the ISM Code. Both vessel security and the safe operation of vital ship systems should be considered when assessing cyber risks, in order to facilitate operations and to keep vessels from posing a hazardous condition within the port or waterway. Documentation, identification of roles and responsibilities, drills, exercises, and feedback mechanisms for non-conformities should follow the existing SMS processes when addressing cyber risks.

Per Resolution MSC.428(98), no later than the first annual verification of a company’s Document of Compliance (DOC) after January 1, 2021, RPs should ensure cyber risks are addressed in the SMS. The incorporation of CRM into SMS should follow the MSC/FAL.1/Circ. 3 guidelines for managing cyber risks, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework shown below. Industry standards, Classification Society rules and recommended practices, and other guidelines for maritime CRM are always being developed and updated and may meet or exceed the minimum elements described above. The Coast Guard encourages selecting and applying specific standards in consultation with the Flag State or Recognized Organization that approves the DOC and Safety Management Certificate.

[Figure: NIST Cybersecurity Framework. Source: National Institute of Standards and Technology]

This blog is not a replacement or substitute for the formal posting of regulations and updates or existing processes for receiving formal feedback of the same. Links provided on this blog will direct the reader to official source documents, such as the Federal Register, Homeport and the Code of Federal Regulations. These documents remain the official source for regulatory information published by the Coast Guard.