Technical Information - Text Version -
Displays the text (first approx. 2,000 characters) of ClassNK Technical Information.
For details, please click Tec No. and refer to the PDF file.
Application of Cyber Risk Management to U.S. vessels, foreign flagged vessels that call on ports in the U.S., and MODUs.
The Vessel Cyber Risk Management Work Instruction (CVC-WI-027(1)) was issued by the U.S. Coast Guard on 27 October 2020.
According to this WI, the USCG expects that all companies with U.S. vessels, foreign flagged vessels that call on ports in the U.S., and MODUs. should ensure cyber risk management is appropriately addressed in their SMS.
If objective evidence is identified indicating that the foreign flagged vessels that call on ports in the U.S., and MODUs. failed to implement its SMS with respect to cyber risk management, the following actions should be directed by the PSCO:
1 If cyber risk management has not been incorporated into the vessel's SMS by the company's first annual verification of the DOC after 1 January 2021, a deficiency should be issued with action code 30 - Ship Detained.
2 When objective evidence indicates that the vessel failed to implement its SMS with respect to cyber risk management, a deficiency for both the operational deficiency and an ISM deficiency should be issued with an action code 17 - Rectify Prior to Departure or an action code 30 - Ship Detained depending on its seriousness.
The specific procedures are that the PSCO should confirm the basic cyber hygiene of the vessel under inspection, and if it is determined that there is a concern, can proceed to SMS-based further inspections (called "expanded exam")
The USCG has revised the "Vessel Cyber Risk Management Work Instruction (CVC-WI-027)" and issued its third version (CVC-WI-027(3)) on 1 September 2023.
The updated version (version 3), while the basic requirements from the USCG have not been changed, does clarify the criteria, where the PSCO should be concerned about the basic cyber hygiene of the vessel under inspection. For example, if the session lock function is not activated after 30 minutes elapsed with no activities for a business PC on the bridge - that can give a fair reason for the PSCO to request an expanded exam.
(To be continued)