If you’re the master or owner of a commercially registered (charter) yacht of 500 GT or more in or visiting a U.S. port, the United States Coast Guard (USCG) may want to see your papers. The USCG announced recently that it would start enforcing the universal requirement for a cybersecurity plan as of January 1, 2021, for all commercial yachts and ships over 500 GT visiting U.S. ports, regardless of flag. This makes the U.S. the first to announce that it’ll get serious about cybersecurity within its waters. Although the International Maritime Organization (IMO) enacted, in July 2017, the requirement that a formal cybersecurity plan be included in a yacht’s International Safety Management (ISM) Code, effective from January 1, 2021, enforcement responsibilities were a bit cloudy and were being left to flag states.
The IMO Resolution, MSC.428(98), calls for documents and training regarding cybersecurity protection to be in place “no later than” the date of the first annual Document of Compliance (DOC) check after the beginning of 2021, wording that led some in the industry to believe that enforcement would be implemented slowly. However, the USCG has said that it and a designated Captain of the Port have the authority to “spot check” vessels and will begin to screen for cybersecurity protocols on January 1, 2021.
A yacht’s captain may be asked questions about the yacht’s cybersecurity risk management and will need to show evidence that IMO 2021 regulations are being followed as part of the yacht’s safety plan. The officer may ask whether bridge systems or communications have behaved unusually and, if so, what the crew did about it. If the investigating officer hears no plan, and the crew cannot produce a written plan as part of their ISM, the USCG can enforce penalties up to detainment of the yacht for non-compliance. Lesser penalties include being barred from returning to that port until the deficiency is addressed and compliance assured, or a requirement that the problem be resolved before the vessel departs.
The USCG created its own cybersecurity strategy in 2015, in advance of the IMO requirement, based on increasing issues with what INTERPOL calls the fastest growing area of crime. While much of the USCG effort is directed at keeping commercial shipping and ports operating smoothly, as part of the federal Department of Homeland Security, the USCG also needs to make sure vessels don’t bring harm to the ports they visit through compromised information technology or operational technology.
This column is taken from the February 2021 issue of Dockwalk.