USCG Work Instruction

On 27th October 2020, USCG issued a work instruction with guidance on implementation of IMO Resolution 428(98) and MSC-FAL.1/Circ 3. This work instruction provides guidance regarding the U.S. Coast Guard (USCG) commercial vessel compliance program’s approach to assessing the cyber risk on US flagged and foreign vessels to ensure they do not pose a risk to the Marine Transportation System due to a cyber event.

Indications of poor Cyber performance

When boarding vessels for inspection, USCG officers (MI/PSCO – Marine Inspectors (MIs) and Port State Control Officers (PSCOs)) will check for signs indicating poor cyber performance. Some indicative items (not limited to) are as follows:
If observations are not directly linked to statutory requirements or are not technical or operational-related deficiencies, the MI/PSCO will not have clear grounds to conduct a more detailed inspection. However, these vulnerabilities should be discussed directly with the Master. In addition, these discussions shall be annotated in the MISLE inspection narrative and documented with a deficiency entered into MISLE marked “Worklist Item/Do Not Show in PSIX” for data analysis.

Inspection Guidance

During the course of a normal inspection/examination, the MI/PSCO should evaluate whether or not a cybersecurity event occurred due to failure in a system required for the safe navigation or operation of the vessel.

If clear grounds are established, the MI/PSCO should conduct a more detailed inspection consistent with the applicable guidance for a foreign or U.S. vessel. Based on objective evidence, the MI/PSCO may discover and issue deficiencies based on the portion of the SMS that is not being effectively implemented with respect to cyber risk management.

A more detailed inspection does NOT automatically mean that an ISM deficiency exists. The MI/PSCO should NOT direct the ship to create any checklists or procedures with respect to cyber risk management. An MI aboard a U.S. vessel may review internal audits and corrective action reports while conducting a more detailed inspection.

Possible Deficiencies
Reporting requirements

Reporting of cyber incidents is not something new in the USA. USCG’s Policy Letter 08-16, “Reporting Suspicious Activity and Breaches of Security”, has already set a framework towards that end. In addition, the following need to be reported:
All such incidents should be reported to the Port Authorities’ relevant Authorized Security Services. For the USA in particular, all suspicious activity (SA) and breaches of security (BoS) should be reported to the National Response Center (NRC) at 1-800-424-8802. Facility and vessel operators may also make reports directly to the local COTP; however, priority should be given to the NRC. The authorized office to address such reports is the National Cybersecurity and Communications Integration Center (NCCIC), which is a 24/7 cyber situational awareness, incident response, and management center. Additionally, send a notification to the Coast Guard Cyber Command 24/7 watch at 202-372-2904 or CyberWatch@uscg.mil.

Actions required

Ship Managers should be duly prepared for effective PSC inspection worldwide, bearing in mind that the cyber issues required by IMO as an SMS requirement will be checked for implementation after 1st January 2021.

Ship Managers should:
Shipboard staff should:
You may also find further information on USCG Guidance for Cyber Risk Management under ISM at SAFETY4SEA