With maritime operations becoming more reliant upon automated systems, cyber risk is an increasing concern within the Marine Transportation System (MTS).  Work Instruction CVC-WI-027 provides guidance on how the U.S. Coast Guard will assess the cyber risk on vessels to minimize risk to the MTS.

The USCG recognizes that not all towing companies and towing vessels are alike.  If utilized, a safety management system (SMS) provides a towing company with the ability to tailor a structured system to address evolving cybersecurity vulnerabilities unique to a company and its vessels.  A SMS established under the ISM Code is required to address cyber risks.  Section D.1.h.3.t of CVC-WI-004 - U.S. Flag Interpretations on the ISM Code addresses emergency preparedness specifically states, "At a minimum the following risks should be evaluated and appropriate procedures established to respond: Piracy/Terrorism/Cyber Attacks".  As such, ISM companies, either subject to the ISM Code or voluntarily complying, are required to implement procedures addressing cyber-attacks. In accordance with CVC-WI-027, companies have until their 2021 DOC audit to demonstrate implementation of the requirement. CVC-WI-027 also provides guidance on how to asses cyber risk management onboard non-SMS U.S. vessels.

Regulatory Cites:

33 CFR 104.305(d)(2)(v) and (vi)

Additional Guidance:

CVC-WI-004 - U.S. Flag Interpretations on the ISM Code
CVC-WI-027 - Vessel Cyber Risk Management Work Instruction

MTSA applicability for towing vessels is based on the MTSA status of barges being towed.  The ISPS Code applies to vessels on international voyages. Because MTSA includes ISPS requirements, compliance with MTSA satisfies ISPS requirements for U.S. vessels on an international voyage.  

MTSA is applicable to all towing vessels greater than 26 feet in length engaged in towing a barge or barges subject to 46 CFR subchapters D or O.  MTSA is also applicable to towing vessels that engage in towing a barge or barges that carry certain dangerous cargo in bulk that are subject to 46 CFR subchapter I.  The above MTSA applicability does not apply to a towing vessel that temporarily assists another vessel engaged in towing a barge or barges, shifts a barge or barges at a facility or within a fleeting facility, assists sections of a tow through a lock, or provides emergency assistance.  

Towing vessels subject to MTSA must be operated in accordance with their approved Vessel Security Plan (VSP) or Alternate Security Program (ASP) at all time.  The VSP or ASP may include variable security measures to cover towing operations that don’t involve barges subject to MTSA. Security plan approval is valid for five years from the date of approval.  VSPs and ASPs must have an initial verification upon plan approval, and verification once in five years by the Coast Guard.  

Regulatory Cites:

33 CFR 160.204 Exemptions and exceptions
33 CFR 104.105 Applicability – towing vessels
33 CFR 104.120 Compliance documentation
33 CFR 104.410 Submission requirements

Additional Guidance:

NVIC 4-03 Guidance for verification of vessel security plans