The U.S. Coast Guard once again takes the lead on maritime cybersecurity issues
The U.S. Coast Guard (USCG) is frequently involved in initiatives related to maritime cybersecurity. It was recently seen responding to a vessel affected by a cyber incident and also reporting on the impact of the Ryuk ransomware on a U.S. maritime operator. In its security bulletins, it also regularly addresses cyber threats in the maritime environment.
In a new circular, available here, the U.S. Coast Guard proposes updated guidance for addressing cyber threats affecting facilities and vessels under their authority.
This circular, known as Navigation and Vessel Inspection Circular (NVIC) 01-20, titled “Guidelines for addressing cyber risks at Maritime Transportation Security Act (MTSA) regulated facilities”, represents a step forward, particularly in anticipation of the implementation of IMO cybersecurity requirements starting January 1, 2021. Even the wording “Inspection Circular” signals that some recommendations may soon become mandatory.
Entities concerned must notably assess and document vulnerabilities in their information systems within a document called a Facility Security Assessment (FSA) and address them through an action plan described in a Facility Security Plan (FSP).
The USCG specifies that these guidelines are intended only to clarify existing regulations. They do not modify current rules and do not introduce new regulatory requirements. Facility managers and operators remain free to implement stricter frameworks, such as those recommended by NIST, provided they meet their regulatory obligations. The Coast Guard explicitly encourages the use of NIST standards, particularly the Framework for Improving Critical Infrastructure Cybersecurity and NIST Special Publication 800-82.
In fact, MTSA requirements already impose numerous obligations, recalled in the document (notably parts 105 and 106 of Title 33 of the CFR). The circular provides general cybersecurity guidance and confirms the Coast Guard’s authority to conduct compliance inspections and approve both FSAs and FSPs. Nevertheless, identifying, evaluating, and managing cyber risks remains the responsibility of facility operators and managers.
The USCG also emphasizes the maritime sector's increasing reliance on information systems. These systems support communications, engineering, cargo management, environmental monitoring, access control, and passenger or cargo verification. Security and safety mechanisms, such as fire detection and perimeter surveillance, also depend on digital systems. While these technologies significantly improve efficiency and reliability, they also introduce new vulnerabilities and risks. Malicious exploitation, misuse, or simple failure of these cyber-physical systems could lead to injuries or fatalities, environmental damage, or disruption of critical national activities.
Among the key points highlighted in the circular is personnel training. Responsible entities must explain how cybersecurity is incorporated into staff training programs, policies, and procedures. Exercises (see CFR 33 §105.220 and §106.225) must also be organized to test the cyber-related elements of the FSP, for example through scenarios combining cybersecurity and physical security incidents.
Other notable aspects mentioned in the circular include:
- mandatory documentation of system update procedures and regression testing;
- security measures for access control systems (see CFR 33 §105.255 and CFR 33 §106.260);
- defensive measures such as antivirus monitoring, real-time intrusion detection, monitoring of host and server logs, IT/OT network segmentation, backup procedures, and network mapping.