USCG: Guidance on reporting security incidents and cyber threats in maritime transportation

The United States Coast Guard issued Navigation and Vessel Inspection Circular No. 02-24 regarding reporting requirements for breaches of security, suspicious activity, transportation security incidents, and cyber incidents.

This circular was published on 21 February 2024.

Purpose:

The circular provides guidance on reporting requirements for Breaches of Security (BOS), Suspicious Activity (SA), Transportation Security Incidents (TSI), and Cyber Incidents. It aligns with regulations for Maritime Transportation Security Act (MTSA)-regulated entities and clarifies reporting obligations under Title 33 of the Code of Federal Regulations.

Disclaimer:

The circular offers clarity on existing requirements without imposing new obligations, allowing stakeholders flexibility to comply with legal requirements.

Background:

Under MTSA, regulated entities must report BOS, SA, and TSI. A recent Executive Order amended regulations, adding a definition for "cyber incident" and expanding reporting obligations to include cyber threats, creating an overlap with existing MTSA requirements.

Action:

Coast Guard entities, stakeholders, and MTSA-regulated entities are directed to use the guidance for reporting incidents. The guidance emphasizes immediate reporting to the National Response Center and the relevant authorities.

Environmental Impact:

The circular's policies fall under DHS's categorical exclusion A3, with no substantial environmental impact.

Records Management:

No additional records scheduling requirements are imposed, maintaining existing standards.

Forms/Reports:

No specific forms or reports are required.

Disclaimer:

The circular offers operational guidance and does not create legally binding requirements outside the U.S. Coast Guard.

Questions:

Any inquiries should be directed to the U.S. Coast Guard Office of Port and Facility Compliance.

Additionally, the circular includes an attachment outlining reporting guidance for MTS stakeholders and a glossary of terms.

MTS Stakeholder and MTSA-Regulated Entity Reporting Guidance

Discussion: The circular outlines reporting criteria for Breaches of Security (BOS), Suspicious Activity (SA), Transportation Security Incidents (TSI), and cyber incidents. It emphasizes that when in doubt, entities should report as per applicable regulations.

Cyber Incident Reporting:

  • Applies to MTS stakeholders.
  • Definition and criteria for reporting cyber incidents are provided, including examples and exclusions.
  • Emphasizes reporting incidents beyond routine events, especially those affecting confidentiality, integrity, availability, or operational technology.

Breach of Security (BOS) Reporting:

  • Applies to MTSA-regulated entities.
  • Definition and examples of BOS incidents provided, including unauthorized access and system intrusions.

Suspicious Activity (SA) Reporting:

  • Applies to MTSA-regulated entities.
  • Definition and examples of SA incidents provided, including unfamiliar persons in restricted areas and unusual behavioral patterns.

Transportation Security Incident (TSI) Reporting:

  • Applies to MTSA-regulated entities.
  • Definition and criteria for reporting TSI incidents provided, including significant impacts on life, environment, or transportation systems.

Reporting Procedures:

  • Procedures for reporting BOS, SA, TSI, and cyber incidents outlined, including contact information and required details.
  • Differentiates reporting procedures for various incidents based on regulations and potential impact.

Other Critical Infrastructure and Cyber Incident Resources:

  • Provides resources for additional reporting requirements and assistance, including contacts for cyber specialists and other agencies.
  • Encourages participation in local Area Maritime Security Committees (AMSC) for collaboration and information sharing.

Glossary of Terms

This glossary provides definitions of key terms related to cybersecurity and incident reporting within the maritime transportation sector. Here are the key points:

  1. Access: Refers to the ability to interact with or control a system.
  2. Cyber Incident: An event jeopardizing information integrity, confidentiality, or availability, or violating security policies.
  3. Cybersecurity: The protection of information and communication systems from damage or unauthorized use.
  4. Cyber System: Facilities, equipment, personnel, and procedures integrated to provide cyber services.
  5. Cyber Threat: Circumstances or events with the potential to harm organizational operations or assets through information systems.
  6. Industrial Control System (ICS): Information systems controlling industrial processes.
  7. Information System: Interconnected set of information resources sharing common functionality.
  8. Intrusion: Actions attempting to compromise system integrity, confidentiality, or availability.
  9. Intrusion Detection Systems (IDS): Security service monitoring and analyzing network or system events for unauthorized access attempts.
  10. Malicious Cyber Activity: Unauthorized activities seeking to compromise or impair information systems.
  11. Malware: Intentionally harmful hardware, firmware, or software.
  12. MTS Stakeholders: Vessels, harbors, ports, and waterfront facilities, including regulated entities.
  13. Network Defense: Programs and activities protecting computer networks and systems.
  14. Phishing: Deceptive methods to obtain sensitive personal information.
  15. Spear Phishing: Highly targeted phishing attacks customized for specific individuals.
  16. Suspicious Activity: Behavior indicating pre-operational planning related to terrorism or criminal activity.
  17. Threat: Event or condition with potential for asset loss or undesirable consequences.
  18. Trojan Horse: Software with hidden malicious functions.
  19. Unauthorized Access: Gaining access without permission.
  20. Virus: Self-replicating program that can damage or spread through a computer.
  21. Worm: Self-replicating program spreading through networks.
  22. Zombie: Program installed on a system to attack others.

For more information, please see the document below (available only to subscribers):

Reporting Breaches of Security, Suspicious Activity, Transportation Security Incidents, and Cyber Incidents