Cyber Security in the Maritime Industry

https://www.federalregister.gov/documents/2024/02/22/2024-03075/cybersecurity-in-the-marine-transportation-system

The Coast Guard proposes to update its maritime security regulations by adding regulations specifically focused on establishing minimum cybersecurity requirements for U.S.-flagged vessels, Outer Continental Shelf facilities, and U.S. facilities subject to the Maritime Transportation Security Act of 2002 regulations. This proposed rule would help to address current and emerging cybersecurity threats in the marine transportation system.

https://www.dco.uscg.mil/Our-Organization/CGCYBER/

US Coast Guard Cyber Command Maritime Cyber Alert 03-23

October 4, 2023

Information Sharing Protocol: TLP: CLEAR (https://www.us-cert.gov/tlp)

Threat from “Cl0p Ransomware Group”
Summary: The Coast Guard is observing malicious activity, linked to the Cl0p Ransomware Group, affecting the
Marine Transportation System (MTS) and entities that directly support the MTS. Cl0p began leaking
lists of the victims they’ve exploited on the internet in June 2023, which have grown to include
compromised data from approximately 400 victims. Many of these victims are either direct
members of the MTS or provide critical services to the maritime industry.

United States Coast Guard
R 241451Z APR 23 MID200080926165U
FM COMDT COGARD WASHINGTON DC
TO ALCOAST
BT
UNCLAS
ALCOAST 161/23
SSIC 16600
SUBJ: COAST GUARD MARITIME INDUSTRY CYBERSECURITY RESOURCE WEBSITE
1. This ALCOAST announces the launch of the Maritime Industry
Cybersecurity Resource website by the Office of Cyberspace Forces
(CG-791) and Coast Guard Cyber Command’s (CGCYBER) Maritime Cyber
Readiness Branch (MCRB), in cooperation with the Department of
Transportation’s Maritime Administration and the Department of
Homeland Security’s Cybersecurity and Critical Infrastructure
Agency.
The website is accessible at:

www.uscg.mil/maritimecyber

2. The Maritime Industry Cybersecurity Resource website is an
external facing site serving as a one-stop-shop for maritime
industry partners to access trusted information, government points
of contact, and current industry-focused cybersecurity resources
critical to our nation’s efforts to protect the Marine
Transportation System from cyber threats. The website supports
Section 11224 of the James M. Inhofe National Defense Authorization
Act for Fiscal Year 2023 and Presidential Policy Directive 21:
Critical Infrastructure Security and Resilience to strengthen and
maintain secure, functioning, and resilient critical infrastructure.
The Maritime Industry Cybersecurity Resource website will provide:
– Incident reporting requirements and procedures
– Marine Safety Information Bulletins
– Cyber Alerts
– Coast Guard resources and references
– MCRB assistance request procedures
– Cyber Protection Team assistance request procedures
– Links to other government agency resources
3. Points of contact:
    a. LCDR John Packard, COMDT (CG-791), John.D.Packard@uscg.mil
    b. LCDR Quinton DuBose, CGCYBER MCRB, Quinton.L.DuBose@uscg.mil
4. RADM Todd C. Wiemers, Assistant Commandant for Capability (CG-7),
sends.
5. Internet release is authorized.

The following is an excerpt from NVIC 01-20

CYBER SECURITY AND MTSA
Under the current regulations in 33 CFR parts 105 and 106, facilities, including Outer
Continental Shelf (OCS) facilities, are required to identify and assess their radio and
telecommunication equipment, including computer systems and networks, and update or
revise their FSAs and FSPs to address and mitigate any identified vulnerabilities.
This enclosure discusses these regulatory provisions and provides facility owners and
operators with compliance guidance. It does not change any legal requirements: facility
owners and operators already in compliance with regulatory requirements remain in
compliance. This enclosure provides examples and recommendations on how to meet
applicable requirements. Notably, the examples and recommendations in this enclosure
also do not represent a minimum standard or required level of demonstrated compliance.
Existing regulations require the owners and operators of MTSA-regulated facilities to
analyze vulnerabilities associated with radio and telecommunication equipment,
including computer systems and networks. Vulnerabilities in computer systems and
networks are commonly referred to as cyber security vulnerabilities. Under the MTSA
regulations, an FSP must address any cyber security vulnerabilities identified in the FSA.
This NVIC is intended to assist regulated facility owners and operators in updating FSPs
to comply with the existing MTSA regulations. This NVIC is also intended to assist
owners and operators in identifying computer systems and networks whose failure or
exploitation could cause or contribute to a Transportation Security Incident (TSI).
When cyber security vulnerabilities are identified in the FSA, an owner or operator may
demonstrate compliance with the regulations by providing its cyber security mitigation
procedures in a variety of formats. The information may be provided in a stand-alone
cyber annex to the FSP or incorporated into the FSP together with the physical security
measures. If the owner or operator elects to create a cyber-annex, the new annex would
be the only part of the FSP subject to re-inspection and re-approval upon receipt by the
Coast Guard. If the owner or operator chooses to incorporate cyber security
vulnerabilities into the FSP, only those new parts would be subject to re-inspection and
re-approval upon receipt. Facility owners and operators may include a general description
of the cyber security vulnerabilities and mitigation measures to be taken. They do not
have to identify specific technology or a business model, but should provide
documentation on how they are addressing their facility-specific cyber security
vulnerabilities.

Although the MTSA regulations in 33 CFR parts 105 and 106 are mandatory, it is up to
each facility to determine how to identify, assess, and address the vulnerabilities of their
computer systems and networks. For example, each individual facility should determine
the organizational structure; number of employees; the employee roles, responsibilities,
and access permissions; and, the employee training needed so that its security personnel
can address the facility’s cyber security risks. Each facility should also determine how,
and where, its data is stored and, if it is stored offsite, whether the data has a critical link
to the safety and/or security functions of the facility. If such a critical link exists, the
facility should address any vulnerabilities.


The following is an excerpt from MSIB 02-22

“CYBERSECURITY AWARENESS & ACTION”


“The Coast Guard continues to monitor world events and their potential impact on the Marine Transportation System (MTS). We remain engaged with our interagency partners and industry stakeholders to share information and coordinate the federal government’s preparedness and response efforts to minimize disruptions to the MTS, including disruptions due to cyber threats.

CISA’s “Shields Up” website remains the primary location for information and recommendations for adapting a heightened cybersecurity posture, and we highly encourage all MTS stakeholders to visit the site regularly for updates and reminders. MTS stakeholders can also receive CISA’s subscription service for timely updates/bulletins. The Coast Guard continues to monitor guidance and products from CISA and partner agencies and will distribute these materials to stakeholders, along with maritime specific context, as appropriate.

Per CISA’s “Shields Up” guidance, “Every organization should have documented thresholds for reporting potential cyber incidents to senior management and to the U.S. Government. In this heightened threat environment, these thresholds should be significantly lower than normal.” The Coast Guard fully supports this guidance and stands ready with our partner agencies to respond to these reports. Considering the heightened risk, stakeholders should closely monitor their computer systems, telecommunications systems, and networks for suspicious activity and breaches of security and, when in doubt, report to the National Response Center (NRC). Maritime Transportation Security Act (MTSA) regulated vessels and facilities are required, and other MTS stakeholders are encouraged, to report breaches of security or suspicious activity to the NRC at 1-800-424-8802. The CG-5P Policy Letter 08-16, Reporting Suspicious Activity and Breaches of Security provides additional guidance on the reporting of cyber incidents.”


Ask yourselves while assessing your company’s cybersecurity posture: What would happen if you suddenly lost all access to your computer networks and equipment?

Would you be able to operate? Would you be able to move cargo or passengers? Would you need to deny vessel access to your facility while you sort it out? Would you have access to critical information you need?

While not required, a good method for your cybersecurity assessments and security plan updates is to review and address the following items, as appropriate:

  1. Inventory and control of all authorized networked hardware in your system: What equipment do you have? Who is authorized to make changes or updates? Are there any known vulnerabilities specific to that equipment?
  2. Inventory and control of all authorized software in your system: What software do you have? Who is authorized to make changes or updates? Are there any known vulnerabilities specific to that software?
  3. Continuous monitoring of vulnerabilities: make sure automated security updates are applied to your systems, and keep up to date with the latest information released by the companies that produced the equipment and software you use.
  4. Controlled use of administrative-level accounts on the network, ensuring that non-administrative activities are not performed while logged into an administrative-level account (for example, not checking your personal email or accessing the open internet while logged into an administrative account).
  5. Configuration of hardware and software (documenting and mapping how your computer network is set up).
  6. Ensuring that automatic logging is enabled on systems so that there is an understanding of what is happening on the network.

Much of the information you would identify above does not need to be (and probably should not be) included in your security plans; what should go in the plan is the procedures for how to do those things. For instance, if you were to follow items 1 and 2 above, you would not need to include an inventory list of your hardware or software in your security plan. Instead, your security plan could provide instructions for the FSO or other company IT personnel to maintain a separate inventory and actively track this information.