Flag State Advice and vessels visiting the USA

This overview continues the Eazi Security series on practical considerations for Designated Persons Ashore (DPAs) to ensure full compliance with Resolution MSC 428(98) on maritime cyber security, focusing on Flag State advice and vessels visiting the USA.

At the time of writing this blog (March 2020) there has been a distinct lack of guidance put out by Flag States on measures they expect their owners to follow in order to comply with the requirements of Resolution 428(98).

Most Flags are ill-prepared to give this advice due to a lack of technical cyber expertise on staff. In fact, one major Flag, when asked for their position on the forthcoming changes, stated that they have absolutely no interest in developing specific advice for their vessels!

The United States Coast Guard (USCG) has issued Safety Alert 06-19 in response to a vessel that was found to be operating without effective cybersecurity measures, which exposed a critical vessel control system whilst she was entering the Port of New York and New Jersey. The Safety Alert is worth a read and can be found at https://www.dco.uscg.mil/Portals/9/DCO%20Documents/5p/CG-5PC/INV/Alerts/0619.pdf

As a consequence of this incident, the USCG strongly recommends the following basic measures:

Segment Networks – “Flat” networks allow an adversary to easily manoeuvre to any system connected to that network. Segment your networks into “subnetworks” to make it harder for an adversary to gain access to essential systems and equipment.

Per-user Profiles & Passwords – Eliminate the use of generic log-in credentials for multiple personnel. Create network profiles for each employee. Require employees to enter a password and/or insert an ID card to log on to on board equipment. Limit access/privileges to only those levels necessary to allow each user to do his or her job. Administrator accounts should be used sparingly and only when necessary.

Be Wary of External Media – This incident revealed that it is common practice for cargo data to be transferred at the pier, via USB drive. Those USB drives were routinely plugged directly into the ship’s computers without prior scanning for malware. It is critical that any external media is scanned for malware on a standalone system before being plugged into any shipboard network. Never run executable media from an untrusted source.

Install Basic Antivirus Software – Basic cyber hygiene can stop incidents before they impact operations. Install and routinely update basic antivirus software.

Don’t Forget to Patch – Patching is no small task, but it is the core of cyber hygiene. Vulnerabilities impacting operating systems and applications are constantly changing – patching is critical to effective cybersecurity.

The USCG also “strongly encourages” vessels and operators to conduct cybersecurity assessments. We would suggest that “strongly encourages”, coming from the USCG, means that if your vessel is calling at a port in the USA you should not be surprised to be asked whether an assessment has been done and, if it has not, what measures you actually have in place. If those measures are lacking, then at the least expect defects to be raised, or possibly the vessel to be detained (depending on the attitude of the USCG Port Captain).

The USCG has also issued Marine Safety Information Bulletin No. 04-19 in response to recent email phishing and malware intrusion attempts that target commercial vessels. All vessels calling at ports in the USA are required to issue a Notice of Arrival (NOA). This is frequently done by email from the vessel. There have been instances where emails have arrived on board the ship purporting to be from the official Port State Control authority but which were in fact from potential hackers. It’s worth noting that, according to Cisco Systems (a leading technology services provider), email phishing is the largest single threat to cyber security.

If you should experience such an incident on board one of your vessels – even if it comes to no harm – you are required to report it to the Coast Guard National Response Centre (NRC). It is an offence not to do so should this happen in US waters. For further information on what needs to be reported and how, please refer to the Code of Federal Regulations – Section 101.305 https://gov.ecfr.io/cgi-bin/text-idx?SID=dfc165c4e333a6535d121126a793ca77&mc=true&node=se33.1.101_1305&rgn=div8

It is worth noting that the USA issued their advice following an incident on board a vessel bound for one of their ports. We can expect advice from other Flags in the near future. This will be driven either by recommendations from accident investigators (should an incident occur within their jurisdiction as a coastal state), or by a Flag’s performance in the Port State Control league tables being affected by an increase in deficiencies given against their vessels for poor cyber security performance. Our next blog will cover this aspect of PSC.

If you wish to know more about Eazi Security and their world-leading cyber security software solutions, please contact Mr David Clayden. Email: David.clayden@eazisecurity.com, Tel: +44 (0)7711 351463, Web: www.eazisecurity.com