What is the MTS NPRM, and how does it impact the industry?
The US Coast Guard’s (USCG) Cybersecurity in the Marine Transportation System (MTS) Notice of Proposed Rulemaking (NPRM) is designed to provide minimum ‘best-practice’ cyber security requirements for US-flagged vessels, ports, terminals, and waterways.
However, it will also impact foreign-flagged vessels entering US coastal waters and harbors as the associated Executive Order on Amending Regulations Relating to the Safeguarding of Vessels, Harbors, Ports, and Waterfront Facilities of the United States gives the USCG immediate authority to protect the MTS from acts of terrorism and other conventional threats by explicitly addressing cyber threats.
While we expect the final rulemaking to have many changes from the issued NPRM, it would benefit organizations within scope to start working toward the requirements if they haven’t already done so and continue enhancing their programs based on these initial requirements.
Since the International Maritime Organization (IMO) Maritime Safety Committee’s (MSC) adoption of Resolution MSC.428(98) in June 2017, maritime industry organizations and governing bodies have issued several frameworks and standards to provide ship and port operators guidance on how to bolster the cyber security posture of their vessels and facilities. Maritime organizations who adopted and implemented the prescribed controls listed in the NIST CSF; USCG NVIC 01-20; MSC-FAL.1/Circ.3/Rev.2; IACS UR E22, E26, and E27; and the BIMCO guidelines for cyber security onboard ships in the last seven years are well prepared to comply with the MTS NPRM, which we expect to become law by 2026.
Today, the reality is that most maritime organizations were waiting to invest capital until governing bodies consolidated and mandated the many controls that have been provided as guidance. The suggested controls impact ship and port operators in three main areas: people, processes, and technology.
NCC Group’s vessel and port assessment experience shows that operators today are mature in procedures and processes but lack the necessary controls to secure their people and technologies. Ship owners invest in safety measures because they are mandated, and owner-operators are held accountable in court for violations. Physical security followed suit post-9/11. Then, on February 21, 2024, we saw the start of cyber security controls becoming law when President Biden signed the Executive Order. This follows the customary regulatory lifecycle from IMO circular to port state law.
Most likely, other UN countries will pass similar laws. The Canadian government is proposing similar laws under Bill C-26, and we expect other port states to follow.
What are the key requirements of the MTS NPRM?
The MTS NPRM does not propose new or unique controls or practices not already seen within the above standards and guidelines. Those ship and port operators who have the time to read its 230 pages should not find themselves surprised by the proposed requirements. Those organizations that have already been following industry best practices, developing cyber security plans, and conducting internal or third-party assessments can likely revise and repackage existing policies and documentation to comply with most of the proposed rule. Still, even the most mature organizations should dissect the requirements within the NPRM and map them to their roles (people), policies and processes, and technology implementations to identify areas of compliance as well as gaps to address over the next couple of years, particularly regarding new builds and technology modernization efforts.
In general, the proposed cyber security measures meet international and industry-recognized standards which, at a high level, recommend the following:
1. Determine and inventory all operationally critical cyber systems.
2. Develop network segmentation policies and controls to ensure that operational technology systems can continue safely operating if an information technology system has been compromised, and vice versa.
3. Create access control measures to secure and prevent unauthorized access to critical cyber systems.
4. Implement continuous monitoring and detection policies and procedures to defend against, detect, and respond to cyber security threats and anomalies that affect critical system operations.
5. Reduce the risk of exploitation of unpatched systems by timely applying security patches and updates for operating systems, applications, drivers, and firmware on critical cyber systems using a risk-based methodology.
In detail, the NPRM scope currently states that US-flagged vessels, facilities, and outer continental shelf facilities must:
- Designate a Cybersecurity Officer (CySO) who is accessible to the USCG.
- Conduct Cybersecurity Assessments (which should be used as inputs to the Cybersecurity Plan), and more specifically, conduct assessments annually or when the following occurs:
  - Change in ownership.
  - Major amendments to the Cybersecurity Plan.
  - Penetration testing upon renewal of a VSP, FSP, or OCS FSP every five years.
- Develop and submit Cybersecurity Plans for USCG approval (and operate within that plan). The plan should include specifics on how the vessel or facility fulfills the NPRM requirements within the following areas:
  - Cybersecurity organizational design and identity of the CySO
  - Personnel training
  - Drills and exercises
  - Records and documentation
  - Communications
  - Cybersecurity systems and equipment with associated maintenance
  - Cybersecurity measures for access control, supply chain, network segmentation, and physical security, including computer, IT, and OT areas
  - Audits and amendments to the Cybersecurity Plan
  - Cybersecurity audit and inspection reports, including documentation of the resolution or mitigation of all identified vulnerabilities, along with vulnerabilities that are intentionally left unresolved due to risk acceptance
  - Cyber Incident Response Plan and reporting procedures
  - Cybersecurity Assessment
- Report all cyber incidents to relevant authorities (per USCG NVIC 02-24).
Note that portions of the proposed rulemaking look similar to the TSA Security Directive for the rail industry and the Emergency Amendment for the aviation industry. As some sections required within the MTS NPRM Cybersecurity Plan look like those called for within Cybersecurity Implementation Plans (and other plans) by the TSA SD and EA, there are likely plenty of lessons learned and example plans that can be used for reference.
The USCG should coordinate with TSA on these lessons learned and incorporate them into additional guidance to stakeholders and processes to review plans and overall compliance. Interested parties have until April 22, 2024, to submit comments on the NPRM and influence a later rule via the Federal Register.
Challenges to overcome
Ship and port IT/OT/IoT environments are complex by nature. Prioritization of security controls is critical to a security program’s success. Prioritization is an output of an operationally informed risk assessment or resiliency review. Vessels and ports operate 24/7, and scheduled maintenance stoppages occur only every few years. Cyber security teams must be tactically precise during the control implementation phase. This process is even more challenging when dealing with legacy systems because the most effective controls, such as credential hardening, patching, and antivirus, cannot be added to the system’s architecture, most likely because the operating system is no longer supported. More agile and flexible security solutions are required.
The critical first step in managing risk is to ‘know your assets.’ In maritime spaces, simply gaining an accurate hardware and software inventory can be arduous, and keeping it updated is harder still. Partnering with a managed service provider that has experience with ship and port operations and has completed similar projects is critical when outsourcing any asset management security function. Until recently, OEM system documentation did not include details relevant to security, so important information such as interfaces (cyber-physical), protocols, and ports is unlikely to be found there, making any network segmentation project a nightmare. In these cases, an asset’s operational objective will help define the boundaries, zones, and conduits for a securely segmented architecture.
For these reasons, it is crucial that new-build programs include cyber-SMEs at the beginning of the design phase, which has been proven to increase return on investment in security improvements. New-build vessels and ports should invest in security measures that improve detection and protection capabilities by providing fleet operations with relevant alerts and communications. Legacy system security programs benefit from securing remote access, testing, validating back-ups, and scheduled recovery drills.
Monitoring ship and port operational systems is a struggle for many maritime companies because the systems are fragmented and controlled by numerous departments. Deploying a passive network monitoring solution focusing on asset visibility and automated vulnerability reporting is also challenging because OT/IoT/Control/Bus protocols do not have built-in mechanisms for maintaining an actionable asset inventory. Passive monitoring requires continuous human analysis and tuning based on lessons learned and baseline behavior to produce actionable dashboards and reports.
Companies often find cost savings when hiring managed services to monitor the network versus building an internal team to manage it. If you are looking for a starting point, start by monitoring the ingress and egress points of supplier-managed remote access.
Cost Impact to the MTS
The NPRM provides a roadmap to increase cyber security posture across the various stakeholders and clarity on the content and format of required cyber security plans and supporting documentation. Yet, it underestimates the cost to private companies in meeting the requirements outlined above. This is particularly the case in areas such as penetration testing.
For example, the NPRM estimates that a penetration test should cost “$5,000 for the initial penetration test and an additional $50 for each employee’s internet protocol (IP) address to capture the additional costs of network complexity.”
This rationale is applied to both vessels and facilities in developing the cost impact estimate for the industry. In reality, those with experience in conducting penetration tests of boats and facilities know that the cost of a test is entirely dependent on the goals and scope of the test, along with the complexity of the vessel or facility, which leads us to think the authors are actually referring to a vulnerability scan instead of a penetration test.
A penetration test is a much deeper technical assessment of an environment (e.g., a vessel, crane) where testers can identify vulnerabilities and attack chains while evaluating the actual impact and risk from a safety, operational, and business perspective.
Depending on the threat model, a penetration test may focus on the OT systems (e.g., navigation, propulsion), IT infrastructure, or a combination of both. As an illustrative example, a cruise ship will have far more IT infrastructure than a cargo ship simply based on the nature of providing guest experiences. So, in this case, a comprehensive IT and OT penetration test of a cruise ship would require orders of magnitude more effort (and cost) than a focused IT infrastructure penetration test of a cargo ship.
How do I increase assurance while preparing for the actual rule?
As the basic NPRM requirements are sound best practice, work to identify qualified CySO(s); develop or compile materials to create Cybersecurity Plans based on existing operational policies, processes, and technical documentation; conduct a Cybersecurity Assessment (or audit) against the requirements within the NPRM; perform penetration tests based on risk; and ensure incident response plans and procedures are in line with NVIC 02-24.
• Marine Regulations and Standards (e.g., USCG NPRM, IACS UR E26/27) Gap Assessments and Implementation: These standards provide the frameworks for an overall vessel and/or facility (e.g., terminal, offshore facility) cyber security program from security requirements and concept development to threat modeling to vessel monitoring and security operations. The IMO also recommends NIST CSF as a great framework for an initial risk assessment. Take advantage of the newly released 2.0 version which provides CISOs with a baseline score that they can reassess annually to measure security maturity progress. Based on your business and operational needs, a gap assessment against these regulations and standards will support security roadmap development to guide the implementation of new controls and practices to increase assurance.
• Virtual CySO: Qualified Fleet Cybersecurity Officers are hard to find. Most companies will need to create a cyber security training plan that selects internal candidates from both marine and technical operations to fill the role(s).
Alternatively, shipping companies could hire a virtual/resident CySO to design and implement the security roadmap while providing OJT (on-the-job training) to the internally selected CySO(s), ensuring capability continuity.
• Vessel and Facility Resiliency Reviews and Penetration Testing: Conduct rightsized assessments from ship/facility safety systems to complex automation and control networks (e.g., navigation, propulsion, cargo handling equipment, wireless networks, access control, communications) tailored to business and security objectives.
• Defensible Architecture Design and Review: Integrate security into the initial design for new builds. Develop architectures that support visibility, log collection, asset identification, segmentation, OT/IoT DMZs, and process communication enforcement, paying special attention to requirements within IACS UR E26 and E27.
• Supplier risk management programs and reviews: Conduct a comprehensive review of your supplier program (focusing on critical operational and safety systems that may include both IT and OT) based on the current state – from full Program Buildout (process analysis and program design), Current Program Assessment and targeted supplier assessments (reviewing or creating supplier risk profiles), to Corrective Action Planning Management (focused on remediating risk across suppliers).
• Software escrow and source code audits of supplier components and applications: Securely store software source code, firmware, binaries, and artifacts within physical or virtual vaults of a third party in line with the shipyard, OEM, and supplier’s agreements. This also facilitates third-party verification of the code.
• Monitoring and detection: Implement solutions to monitor and detect vulnerabilities and threats throughout the business, with special attention to vessel and facility operational and safety systems, connected services, and any third-party connectivity to vessel and facility equipment. Evaluate passive scanning tools and techniques to enable near real-time traffic monitoring without disruption and to facilitate threat detection through deep packet and traffic analysis, which active scanning cannot provide safely on operational systems. Passive scanning may also reveal previously unknown communications between assets across networks thought to be segmented.
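To show what the passive-monitoring and segmentation points above (and the earlier advice to watch the ingress/egress of supplier-managed remote access) look like in practice, here is an added example that is not part of the NCC Group post or any product: it builds a passive asset inventory from flow records and flags cross-zone flows that are not covered by a defined conduit. The zone ranges, conduit table and flow records are constructed assumptions.

```python
# Added example, not from the NCC Group post: zones, conduits and flows are constructed.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical zones from a defensible-architecture design.
ZONES = {
    "bridge_ot": ip_network("10.10.0.0/24"),         # navigation, propulsion
    "crew_it": ip_network("10.20.0.0/24"),           # business IT
    "ot_dmz": ip_network("10.30.0.0/24"),            # jump hosts, historians
    "supplier_vpn": ip_network("192.168.100.0/24"),  # OEM remote access
}

# Conduits the architecture permits: (source zone, destination zone, dport).
# Any cross-zone flow not listed here is a finding.
CONDUITS = {
    ("ot_dmz", "bridge_ot", 502),      # Modbus only from the DMZ historian
    ("supplier_vpn", "ot_dmz", 3389),  # OEM remote access lands in the DMZ
    ("crew_it", "ot_dmz", 443),
}

def zone_of(ip):
    """Map an address to its zone; hosts outside the design are 'unknown'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def analyse(flow_lines):
    """Passive pass over 'src,dst,proto,dport' records.
    Returns (zone -> observed hosts, list of cross-zone flows not in CONDUITS)."""
    inventory = defaultdict(set)
    violations = []
    for line in flow_lines:
        src, dst, proto, dport = line.strip().split(",")
        dport = int(dport)
        sz, dz = zone_of(src), zone_of(dst)
        inventory[sz].add(src)
        inventory[dz].add(dst)
        if sz != dz and (sz, dz, dport) not in CONDUITS:
            violations.append((src, sz, dst, dz, proto, dport))
    return dict(inventory), violations

SAMPLE_FLOWS = [  # constructed records, not captured traffic
    "10.30.0.5,10.10.0.7,tcp,502",       # permitted conduit
    "192.168.100.9,10.30.0.5,tcp,3389",  # permitted conduit
    "192.168.100.9,10.10.0.7,tcp,502",   # supplier VPN straight into OT
    "10.20.0.44,10.10.0.7,tcp,445",      # crew IT reaching the bridge
    "10.10.0.7,10.10.0.8,udp,10110",     # intra-zone, ignored
]
```

Running `analyse(SAMPLE_FLOWS)` reports the supplier-to-bridge and crew-IT-to-bridge flows as segmentation violations while the two conduit-approved flows pass; on a real network the flow records would come from a span port or flow exporter, and hosts landing in the "unknown" zone are themselves an inventory gap worth chasing.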
• Digital Forensics and Incident Response Retainers: Obtain an IR retainer with a third party and conduct tabletop exercises, response plan drills and exercises, first responder trainings, and/or incident response capabilities assessments.
NCC Group Maritime Transport Assurance
NCC Group is a global cyber and software resilience business operating across IT, IoT, and OT networks and technologies. NCC Group has a decade of experience supporting the global maritime industry, including some of the largest ship (PAX/Cargo), port/terminal operators, and hardware and software providers of maritime-specific systems both ashore and on the ship, in all the services outlined above.
We bring together cyber security professionals with deep knowledge and operational experience in the maritime sector, including consultants with previous experience as cyber security engineers/architects and operations managers able to provide assurance to all maritime stakeholders – owner/operator, maker (OEM), and integrator.
Our Maritime Practice comprises services to increase our clients’ cyber security maturity at each step of a port/vessel’s lifecycle – design, build, test, and delivery. We identify the current maturity level and security posture and assess process, product, people, and the supply chain, enabling our clients to mitigate risk, manage operational continuity, and respond by providing rapid access to cyber incident response.
With circa 2,400 colleagues, we have a significant market presence in the UK, Europe, and North America, as well as a growing footprint in Asia Pacific with offices in Australia, Japan, and Singapore.