Why the New USCG 's New Cybersecurity Rules are Vital for the U.S. Gulf Coast

The maritime industry is the lifeblood of global trade, and our Gulf Coast region is no exception. From Houston (the largest U.S. port by tonnage) to New Orleans to Tampa, to the vast network of offshore production platforms & pipelines and the commercial vessels, traversing the Gulf of Mexico, this region thrives on the seamless movement of consumer goods, raw materials and other products inbound and outbound, transiting being transported across the seas.

However, this interconnectedness also creates vulnerabilities that cyber-criminals are increasingly exploiting. In response, the United States Coast Guard (“USCG”) has proposed a set of new cybersecurity regulations for the maritime industry. These proposed rules  (under public comment through May 22, 2024), (still under public comment as of this writing in April), are a critical step towards safeguarding the Gulf Coast's economic engine and national security.

The Gulf Coast's maritime sector faces a unique set of cybersecurity challenges. The increasing reliance on automation and digital technologies onboard vessels, oil & gas production platforms, and within port facilities creates attractive and accessible targets for hackers. A successful cyberattack could disrupt critical operations, leading to delays in cargo movement, environmental damage from spills and physical harm to personnel. The 2017 cyberattack on Maersk, the Danish shipping giant, crippled their operations for weeks and cost them over $300 million dollars.  That still serves as a stark reminder of the potential consequences of a cyberattack in the maritime sector.

The USCG's proposed cybersecurity rules aim to address these concerns by establishing minimum cybersecurity standards for U.S.-flagged vessels, outer continental shelf (“OCS”) facilities, and U.S. facilities subject to the Maritime Transportation Security Act (“MTSA”). These standards encompass several measures, including:

• Cybersecurity Assessments: Companies will be required to conduct thorough assessments to identify vulnerabilities in their IT networks and OT systems. This proactive approach is essential for prioritizing cybersecurity efforts and allocating resources effectively.
• Cybersecurity Plans: Based on the assessments, companies will be required to develop and implement USCG-approved cybersecurity plans. These plans will need to outline specific procedures for protecting systems, detecting and responding to cyber incidents, and ensuring business continuity in the event of an attack.
• Training and Awareness: The proposed rules emphasize the importance of a cyber security-conscious workforce. Training programs for crew members and shoreside personnel will equip them to recognize and report suspicious activity, reducing the risk of human error that can facilitate cyberattacks.
• Incident Reporting: Prompt and accurate reporting of cyber incidents is crucial for identifying trends, mitigating damage, and informing future cybersecurity strategies. The proposed rules establish clear reporting protocols for companies to follow in the event of an attack.

These proposed regulations are particularly important for the Gulf Coast for several reasons. First and foremost, the region's economic well-being hinges on a secure maritime sector. Disruptions caused by cyberattacks could have a significant ripple effect, impacting businesses, jobs, and the overall economic health of the region. Secondly, the Gulf Coast's energy infrastructure, heavily reliant on offshore oil & gas production platforms and pipelines, is a prime target for cyberattacks. A successful attack on this infrastructure could have consequential environmental consequences and disruptions to power generation facilities. Finally, the Gulf Coast plays a crucial role in national security, serving as a major entry point for goods and personnel. Cyberattacks that compromise port operations in this region could disrupt military deployments and vital supply chains globally.

The proposed USCG cyber rules are not without their challenges and limitations. Implementing new procedures and technologies is costly for companies, particularly smaller operators. However, the long-term benefits far outweigh the initial investment, and implementing these rules can also be seen as a competitive advantage over those companies who elect to not make them a priority.  Furthermore, the definition of "reportable cyber incident" and the specific reporting protocols will require further clarification to ensure a balance between providing valuable information and needlessly burdening companies with excessive reporting requirements.  The Securities and Exchange Commission have their own remote requirements for “material” cyber events but their criteria is different from the expectations of the USCG.

The public comment period for the proposed rules is ongoing.  This provides stakeholders in the Gulf Coast maritime industry with an opportunity to share their thoughts and voice their concerns and offer suggestions. Open dialogue between the USCG, industry leaders, and cybersecurity experts is essential for crafting effective regulations that are comprehensive, adaptable and achievable to effectively counter the ever-evolving cyber threat landscape.

The United State Coast Guard’s proposed cybersecurity regulations represent a significant step forward in protecting the Gulf Coast's vital maritime industry. By establishing minimum standards for cybersecurity practices, these rules will enhance the resilience of the region's infrastructure, safeguard its economic well-being, and contribute to national and international security. While challenges remain in implementation and refining these rules, active participation from stakeholders will help to ensure that these regulations effectively navigate the digital sea, charting a course towards a more secure future for the Gulf Coast.

About the Author

David Smith