The $5.4 trillion global maritime industry faces a perfect storm of cyber vulnerabilities, and a new government regulation aims to be the lighthouse guiding stakeholders to safer digital harbors.
On January 17, 2025, the US Coast Guard (USCG) published a final rule titled "Cybersecurity in the Marine Transportation System," aiming to bolster the cybersecurity posture of the nation's marine transportation system (MTS). This rule introduces mandatory cybersecurity measures for US-flagged vessels, Outer Continental Shelf (OCS) facilities, and certain facilities regulated under the Maritime Transportation Security Act of 2002 (MTSA).
The integration of digital technologies and interconnected systems within the MTS has heightened vulnerability to cyber threats. Recognizing these risks, the USCG's rule sets a baseline for cybersecurity standards, ensuring entities within the MTS can effectively detect, respond to, and recover from cyber incidents.
The final rule applies to:
- US-flagged vessels, including cargo vessels exceeding 100 gross tons, commercial passenger vessels carrying more than 150 passengers, offshore supply vessels, mobile offshore drilling units, towing vessels longer than 26 feet engaged in towing certain dangerous cargo barges, and cruise ships or passenger vessels carrying more than 12 passengers on international voyages.
- Facilities subject to MTSA, such as container terminals, chemical facilities with waterfront access, petroleum terminals, cruise ship terminals, bulk liquid transfer facilities, LNG/LPG terminals, barge fleeting facilities handling dangerous cargo, facilities receiving vessels carrying more than 150 passengers, and marine cargo terminals.
- OCS facilities, including offshore oil and gas production platforms, drilling rigs, floating production storage and offloading units, deepwater ports, offshore wind energy facilities, and offshore loading/unloading terminals.
The rule outlines several critical requirements to enhance cybersecurity within the MTS:
- Cybersecurity Plan Development: Owners and operators must create a comprehensive cybersecurity plan addressing:
  - Account Security: Implement measures like automatic account lockout after failed login attempts, enforce strong password policies, utilize multifactor authentication, apply the principle of least privilege, maintain separate user credentials for critical systems, and promptly revoke access when personnel leave the organization.
  - Device Security: Develop inventories of approved hardware, firmware, and software; disable unnecessary executable code; maintain accurate records of network-connected systems; and document network maps and device configurations.
  - Data Security: Ensure secure logging practices, protect log data from unauthorized access, and employ encryption to safeguard sensitive information and maintain data integrity.
- Cyber Incident Response Plan: Establish a plan detailing procedures for responding to cyber incidents that clearly defines roles, responsibilities, and decision-making authority among personnel.
- Designation of a Cybersecurity Officer (CySO): Appoint a CySO responsible for implementing and maintaining the Cybersecurity and Cyber Incident Response Plans, conducting regular audits, arranging cybersecurity training, and ensuring timely reporting of incidents.
- Training and Awareness: Within six months of the rule's effective date, conduct training sessions to recognize and detect cybersecurity threats, understand circumvention techniques, and familiarize personnel with reporting procedures. Key personnel are required to undergo more in-depth training.
- Plan Approval and Audits: Submit cybersecurity plans to the USCG for review and approval within 24 months of the rule's effective date. The USCG reserves the authority to perform inspections and audits to verify compliance.
- Reporting Requirements: Promptly report "reportable cyber incidents" to the National Response Center. The rule also revises the definition of "hazardous condition" to explicitly include cyber incidents.
- Waivers and Equivalence Determinations: Provide mechanisms for limited waivers or equivalence determinations if entities can demonstrate that certain cybersecurity requirements are unnecessary or that alternative measures offer an equivalent level of security. Requests will be evaluated on a case-by-case basis.
The final rule is set to take effect on July 16, 2025. However, the USCG is soliciting comments on the potential for a two-to-five-year delay in the implementation periods for US-flagged vessels. Interested parties must submit comments by March 18, 2025.
The USCG's final rule represents a significant step toward safeguarding the MTS against evolving cyber threats. As the July 2025 enforcement date approaches, maritime stakeholders must chart their course toward compliance—not merely to satisfy regulations, but to safeguard the critical infrastructure that keeps America's maritime economy afloat in increasingly treacherous digital waters.
Originally published by MarineLink