The U.S. Coast Guard continues to focus on cybersecurity, as computer systems and technology play an ever-increasing role in the maritime environment. In its February 26, 2020 edition of the Navigation and Vessel Inspection Circular, the U.S. Coast Guard issued its Guidelines for Addressing Cyber Risk at Marine Transportation Security Act (MTSA) Regulated Facilities (NVIC 01-20).
The Circular offers examples and recommendations for facilities on how to meet 33 CFR parts 105 and 106’s requirement to analyze vulnerabilities associated with computer systems and networks. Beginning in October 2020, MTSA-regulated facilities will be required to specifically include cyber analysis as part of the annually submitted facility safety plan (FSP).
The first step for any facility would be to map the facility’s use of cyber technologies and storage of electronic data. This would include identifying employee access permissions to different types of data, determining where and how data is stored and backed up, and ascertaining whether the data/system has a critical link to the safety and/or security functions of the facility.
The Circular offers other recommendations, as well, including:
- Describing how and when physical security and cybersecurity personnel will coordinate for notifications of suspicious activity, breaches of security or heightened security levels
- Documenting how cybersecurity is included as part of personnel training, policies and procedures, and explaining how this material will be kept current and monitored for effectiveness
- Describing how drills and exercises will test cybersecurity vulnerabilities of the FSP
- Detailing cyber-related procedures for interfacing with vessels, including any network interaction, portable media exchange, remote access or other wireless access sharing
- Documenting cyber-related procedures for managing software updates and patch installations
- Implementing measures to limit unauthorized access to restricted areas and systems, including those controlled by cyber networks
Operators of MTSA-regulated facilities should review the Circular and determine the extent to which their existing systems already meet the recommendations and what other actions can be taken to implement them.
Our Privacy, Cybersecurity and Data Management and Maritime Teams will continue to share the latest developments and provide insights as we continue to monitor the ever-changing, ever-shifting legal landscape on marine cyber issues.