FOGHORN FOCUS

On the waterfront, what makes maritime cybersecurity special is the varying blend of Information Technology (IT), Operational Technology (OT), Industrial Control Systems (ICS), and the Internet of Things (IoT) across cargo handling facilities and a wide variety of vessel types. For example, physical cargo handling systems or marine engines with remote access over the internet allow vendors, owners, and operators to have access to machinery or voyage data, and even perform remote maintenance and control functions. This is more prevalent with new monitoring technologies. A cyber-related outage of these systems can have physical effects, which is the safety risk if it is not understood and managed. This requires proactive risk management to have plans and precautions in place, no different from the long list of other risks we are already vigilant to and manage. The great thing is the maritime professionals on board and in the business are in place to be the first responders and make the appropriate decisions.

Maritime Transportation Security Act (MTSA)-regulated PVA members are now faced with the new U.S. Coast Guard maritime cybersecurity compliance requirements following the final 33 CFR 101 Subpart F rulemaking of July 2025, with a final implementation deadline of July 2027. Among the list of requirements is reporting cyber-related incidents. For many, this seemingly broad-brush stroke of requirements could be intimidating, while some requirements may be simpler to contend with than you think. You as the owner and operator know your business better than anyone, and what's most important is for you to understand what your cyber risk exposures are and how you and your business will act in the time of an outage. If you know this, you can exceed the requirements of the regulations because you can draw upon the inspiration of protecting your business and operations, versus operating strictly to a compliance mindset.

In taking a step back from the tone of the regulation, any business (of any cyber maturity) should consider the following actions that are cost-effective (some are no-cost): perform a cyber resilience review (CRR), review your incident response plan (IRP), conduct a cybersecurity tabletop exercise (TTX), conduct an inventory of assets, such as OT, and perform training.

CONSIDER A CYBER RESILIENCE REVIEW

The CRR is a lightweight guided self-assessment of a business cybersecurity program. The purpose is to understand the current state of cybersecurity management of services and associated assets that are critical for a company's business at that point in time, and the ability to understand how your business manages risk in normal times and in times of crisis. The CRR focuses on good practices of protection and sustainment within key areas that typically contribute to the overall cyber resilience of a business. The CRR measures essential cybersecurity capabilities and behaviors to provide meaningful indicators of an organization's operational resilience during normal operations and during times of operational stress, per the Cybersecurity and Infrastructure Security Agency (CISA). The output of a CRR is understanding the gaps in security against the key controls, and recommendations on next steps for continuous improvement of the cybersecurity program. The CRR costs nothing if performed by the business itself or through CISA. The CRR can also be facilitated by an outside cybersecurity service provider. Click here for the CISA CRR fact sheet.

REVIEW YOUR INCIDENT RESPONSE PLAN (IRP)

Do you have a plan and procedures to respond as a business in the event of a cyber-related outage? If not, there are a wide variety of templates you can download to get started. If you have one, is it up to date? How many in your organization know about it and have you exercised