USCG publish guidance to their vessel inspectors regarding Cyber Security
Monday, November 2nd, 2020 in: News
The US Coast Guard (USCG) has issued guidance to inspectors on how to enforce the IMO Cyber Risk Management Guidelines that come into force on 1st January 2021 for all ships trading to the United States. The Guidance CVC-WI-027(1) can be found here.
What you need to know…
- Every flag state is in scope
- Serious deficiencies will require fixing and an external audit within 90 days or risk detention
- Minor deficiencies will need an internal audit within 90 days and the deficiencies to be fixed prior to departure
- Inspections will only cover networked systems directly relevant to vessel safety
- Where faults have occurred in systems critical for vessel safety, the inspector/Port State Control Officer is mandated to investigate whether the cause was ‘cyber-related’ and, if so, whether the right procedures were followed prior to that fault occurring.
- If the inspector believes there are clear grounds for an expanded inspection, and clear evidence is gathered of poor implementation of the cyber risk management element of the SMS, further deficiencies may be issued.
- The US Coast Guard document focuses on safety and security. Environmental protection remains in scope, but appears de-emphasised.
This instruction has real teeth. Owners should ensure that every ship has clear documentation, standards and processes in place so that the Marine Inspector (“MI”)/Port State Control Officer (“PSCO”) has confidence in their approach to cybersecurity risk management. Even the smallest failure in a critical system requires urgent and professional remediation. If you arrive in a US port with a malfunctioning critical system, you will be required to fix it there and then, be audited, and be able to reassure the PSCO on your next visit that the issue has been rectified. If you cannot do this, your vessel will be detained. As the saying goes, you have been warned.