When boarding vessels for inspection, USCG Officers (MI/PSCO – Marine Inspectors (MIs) and Port State Control Officers (PSCOs)) will check for signs indicating poor cyber performance. Some indicative items are as follows:
If observations are not directly linked to statutory requirements or are not technical or operational-related deficiencies, MI/PSCO will not have clear grounds to conduct a more detailed inspection. However, these vulnerabilities should be discussed directly with the Master. In addition, these discussions shall be annotated in the inspection narrative and documented with a deficiency for data analysis.
During the course of a normal inspection/examination, the MI/PSCO should evaluate whether or not a cybersecurity event occurred due to failure in a system required for the safe navigation or operation of the vessel. If clear grounds are established, the MI/PSCO should conduct a more detailed inspection consistent with the applicable guidance for a foreign or U.S. vessel. Based on objective evidence, the MI/PSCO may discover and issue deficiencies based on the portion of the SMS that is not being effectively implemented with respect to cyber risk management.
For U.S. vessels: MIs should follow the guidance in USCG Oversight of Safety Management Systems on U.S. Flag Vessels, which sets forth guidance for assessing the effectiveness of a company’s SMS on U.S. flag vessels.
For non-U.S.-flagged vessels: If cyber risk management has not been incorporated into the vessel’s SMS, a deficiency should be issued with action code 30 – Ship Detained, with the requirement of an external audit within 3 months or prior to returning to a U.S. port after sailing foreign.
If objective evidence indicates that the vessel failed to implement its SMS with respect to cyber risk management, then the PSCO should issue a deficiency for both the operational deficiency and an ISM deficiency with action code 17 – Rectify Prior to Departure and require the vessel to conduct an internal audit, focused on the vessel’s cyber risk management, within 3 months or prior to returning to a U.S. port.
If objective evidence indicates there is a serious failure that directly resulted in a cybersecurity incident impacting ship operations (e.g. diminished vessel safety/security, or posed increased risk to the environment), the PSCO should issue a deficiency for both the operational deficiency and an ISM deficiency with action code 30 – Ship Detained with the requirement of an external audit within 3 months or prior to returning to a U.S. port.