US Coast Guard – Checklist for MTSA regulated facilities

This overview continues the Eazi Security series on practical considerations for Designated Persons Ashore (DPAs) to ensure full compliance with Resolution MSC 428(98) on maritime cyber security.

We have written in previous blogs about guidance issued by Flag States. The US Coast Guard continue to provide excellent information to ship operators and shore facility managers. USCG have recently issued an Inspector Cyber Job Aid.

Whilst this is primarily for shore-based facilities located in the USA, it is also useful for vessel operators as a structure prior to any Flag or Class ISM audit. Read in conjunction with Navigation and Vessel Inspection Circular (NVIC) No. 01-20: Guidelines for Addressing Cyber Risks at MTSA Regulated Facilities, it provides guidance to facility owners and operators on complying with cybersecurity requirements to assess, document, and address computer system and network vulnerabilities.

Unsurprisingly, facilities are encouraged to be familiar with cyber security and cyber risk management guidance by the USCG, and the Inspector cyber job checklist places equal emphasis on Information Technology (IT) and Operational Technology (OT). IT systems support daily tasks associated with administration, finances, human resources, and other applications that typically support non-operational activities. Examples include computer workstations, laptops, servers, and the Internet. OT equipment supports operational activities within a facility such as chemical processing, cargo handling, and security access control. The checklist encourages USCG Inspectors to become familiar with how OT systems interact with security access control systems. Likewise, knowledge of how IT and OT systems converge to support daily operations within facilities is vital to understanding that traditional IT threats (such as ransomware and viruses) can affect OT operations.

The Inspector aid comprises a number of questions with “Yes”, “No” or “N/A” responses to the following sections:

• Facility Cyber Security Assessments
• Cyber Security Administration and Organization
• Personnel Training
• Drills and Exercises
• Records and Documentation
• Response to Change in MARSEC Level
• Communications
• Procedures for Interfacing with Vessels and Segmented Networks
• Security Systems and Equipment Maintenance
• Security Measures for Access Control
• Security Measures for Restricted Areas
• Security Measures for Handling Cargo
• Security Measures for Delivery of Stores
• Security Measures for Monitoring
• Facility Security Plan (FSP) – Cyber Annex
• Audits and Security Plan Amendments

Checking “No” on the job aid warrants further discussion with the facility and does not necessarily mean a discrepancy or violation during the inspection or review of the FSA or FSP.

The checklist is wide-ranging and, whilst we would never recommend that your cyber security measures are designed simply to pass a statutory test (to which you already have the questions before the exam), the document is useful in the following ways:

1. When implementing your new cyber security measures, to ensure that you are adequately covered in all applicable areas,

2. When used internally, or by a company-appointed third-party auditor, prior to an audit from USCG, to understand gaps and the overall level of compliance, and

3. When audited by the USCG, to ease the process by having to hand all the information you can expect them to require.

Safe travels.

If you wish to know more about Eazi Security and their world-leading cyber security software solutions, please contact David Clayden. Tel: +44 (0)7711 351463