January 19, 2017

Maritime Alert: USCG Clarifies Cyber Incident Reporting Requirements

The U.S. Coast Guard recently published CG-5P Policy Letter 08-16: “Reporting Suspicious Activity and Breaches of Security” (the “Policy Letter”).  The Policy Letter clarifies what type of cybersecurity events constitute suspicious activity (“SA”) and a breach of security (“BoS”) that must be reported to the National Response Center (NRC).

Currently, any operator of a vessel or facility with an approved Vessel Security Plan (VSP) or Facility Security Plan (FSP) is required to report to the NRC any activity that may result in a transportation security incident.  This includes any SA (observed behavior reasonably indicative of pre-operational planning related to terrorism or other criminal activity) or a BoS (incidents in which a security measure has been circumvented, eluded, or violated).

While cyber-related incidents may trigger SA or BoS reporting requirements, the Coast Guard recognizes that vessel and facility operators experience countless malicious but low-level cyber events that are addressed via standard anti-virus programs or network security protocols.  These routine threats do not need to be reported as SA or a BoS.

The Policy Letter provides guidance on the types of physical and cybersecurity related events that may trigger reporting requirements, and those that do not.  The following activities must be reported as either SA or a BoS:

Suspicious Activity (SA)

  • “Targeted” incidents, including large, sustained attacks on important cyber systems;
  • Spear phishing campaigns, a marked increase in network scanning, or other attacks may be considered SA if the volume, persistence, or sophistication of the attacks is out of the ordinary.

Breach of Security (BoS)

  • Intrusion into telecommunications equipment, computer, and networked systems linked to security plan functions (e.g., access control, cargo control, monitoring);
  • Unauthorized root or administrator access to security and industrial control systems;
  • Successful phishing attempts or malicious insider activity that could allow outside entities access to internal IT systems that are linked to the Marine Transportation System;
  • Instances of viruses, Trojan Horses, worms, zombies or other malicious software that have a widespread impact or adversely affect one or more on-site mission critical servers that are linked to security plan functions;
  • Any denial of service attacks that adversely affect or degrade access to critical services that are linked to security plan functions;
  • Physical events such as unfamiliar persons in restricted areas, individuals displaying unusual behavioral patterns, or discovery of potentially dangerous devices on or near the facility/vessel.

The following activities do not meet the reporting requirements as SA or a BoS:

  • Routine and “untargeted” cyber incidents such as spam, phishing attempts, persistent scanning of networks, and other nuisance events that do not breach a system’s defenses;
  • Breaches of telecommunications equipment, computer, and networked systems that clearly target business or administrative systems unrelated to safe and secure maritime operations.

Operators should report any SA or a BoS to the NRC at 1-800-424-8802.  For cyber incidents that do not involve physical effects (such as pollution or a physical breach of security), the Coast Guard allows parties to report the incident to the National Cybersecurity and Communications Integration Center (NCCIC) at (888) 282-0870.  Parties must inform the NCCIC that they are a Coast Guard regulated entity to ensure that federal reporting requirements are satisfied.

A copy of the Policy Letter is linked here.

Keesal, Young & Logan Maritime Law Group
Keesal, Young & Logan Cyber Risk Group

This information has been prepared by Keesal, Young & Logan for informational purposes only and is not legal advice. Transmission of the information is not intended to create, and receipt does not constitute, an attorney-client relationship between you and Keesal, Young & Logan. You should not act upon this information without seeking professional counsel.