Cyber Awareness & Risk Management

Cyber Awareness Series Part 3: Cyber hygiene

Editor's note: This article is the third in a series that the Coast Guard will be publishing in recognition of Cybersecurity Awareness Month. Now in its 18th year, Cybersecurity Awareness Month offers an opportunity to emphasize the importance of cybersecurity and cyber risk management across all critical infrastructure, and especially the Marine Transportation System (MTS). Cybersecurity Awareness Month also coincides with the Department of Homeland Security’s Cyber Sprint for Transportation Security. Through current authorities, rulemaking, and industry and stakeholder engagement, DHS is pursuing a strengthened cybersecurity posture among critical transportation operators, with the Coast Guard charged with the maritime transportation sector.

Submitted by the Office of Commercial Vessel Compliance, Port State Control Division

Cyber hygiene – The first line of defense in cyber risk management

Cybersecurity incidents are becoming increasingly frequent and can have significant impacts, as evidenced by the recent SolarWinds incident and the attack on Colonial Pipeline. The maritime community is not immune from cybersecurity incidents, with several events resulting in reduced operations and financial losses for maritime businesses. Cyber hygiene is the first line of defense in a cyber risk management plan and involves the processes one uses to protect access to an information network.

The first step for good cyber hygiene is password management.  This includes:

  • changing a password frequently
  • ensuring that the password is complex
  • and limiting users who have administrative level access

Recent Coast Guard inspections revealed cybersecurity risks from poor cyber hygiene.  Examples include:

  • passwords semi-permanently attached to the equipment they are used on
  • printed emails noting that a password has changed lying in plain view
  • and sharing user accounts to display electronic vessel certificates or reference Safety Management System documents

The maritime transportation industry must proactively take steps to harden company and vessel cybersecurity. The IMO published MSC Resolution 428(98), Maritime Cyber Risk Management in Safety Management Systems, requiring that cyber risks be addressed in the vessel’s Safety Management System at the first annual verification of a company’s Document of Compliance after January 1, 2021. U.S. Coast Guard Marine Inspectors and Port State Control Officers will verify compliance with this requirement during regularly scheduled inspections. The Marine Inspector and Port State Control Officer Vessel Cyber Risk Management Work Instruction is available on the Office of Commercial Vessel Compliance website.

This blog is not a replacement or substitute for the formal posting of regulations and updates or existing processes for receiving formal feedback of the same. Links provided on this blog will direct the reader to official source documents, such as the Federal Register, Homeport and the Code of Federal Regulations. These documents remain the official source for regulatory information published by the Coast Guard.