News: USCG updates cyber compliance timeline for non-SMS US vessels
02 March 2021
Further to the club’s previous news item, the United States Coast Guard (USCG) has updated the Vessel Cyber Risk Management Work Instruction (CVC-WI-027(2)) to include a compliance timeline and inspection process for non-Safety Management System vessels that are subject to the Maritime Transportation Security Act of 2002.
These vessels are required to address cybersecurity vulnerabilities within their Vessel Security Assessment no later than 31 December 2021.
The attached document highlights the basic questions to be asked by Marine Inspectors during Maritime Transportation Security Act (MTSA) verification procedures. The first is whether the Vessel Security Plan (VSP) sets out the measures taken to address cybersecurity vulnerabilities and whether those measures are now in place. If those measures have not been highlighted in the plan and put into practice, the issue may be escalated with the designated Company Security Officer and could result in a 'Security Violation' deficiency being recorded.
Inspectors may also ask for a report of any cybersecurity events experienced by the vessel within the past 12 months, examples of which are listed in the guidance note. These include intrusions into communications equipment, computer, and networked systems linked to security plan functions (e.g. access control, cargo control, monitoring); unauthorised root or administrator access to security and industrial control systems; and successful phishing attempts or malicious insider activity that could allow outside entities access to internal IT systems. Inspectors can also request details of any instances of viruses, Trojan horses or other malicious software that have a widespread impact or adversely affect one or more on-site mission-critical servers linked to security plan functions.
Members are advised to refer to the club’s cyber risk management guidelines and to ensure cyber risk management is appropriately addressed in their SMS no later than the first annual verification of the company’s Document of Compliance (DOC) after 1 January 2021.