The Coast Guard's Marine Transportation System cybersecurity rule (33 CFR) requires MTSA-regulated facilities and vessels to conduct cybersecurity exercises under an approved Cybersecurity Plan. CyberICS delivers 300+ ready-to-run OT/ICS scenarios, AI-generated After Action Reports, and audit-ready evidence — so your Cybersecurity Officer can demonstrate exercise completion to the Captain of the Port.
The MTS cybersecurity rule applies to MTSA-regulated facilities, vessels, and OCS facilities that must maintain and exercise a Coast Guard-approved Cybersecurity Plan. Tabletop exercises satisfy the plan's annual exercise obligation.
Container terminals, bulk facilities, and port operators subject to MTSA must maintain a Cybersecurity Plan and exercise its incident-response, OT-isolation, and reporting procedures for terminal operating systems, cranes, gates, and reefer monitoring.
MTSA-regulated vessels and Outer Continental Shelf facilities must address the vessel-shore interface — navigation data integrity, remote engineering access, and shipboard OT — under the approved Cybersecurity Plan and Coast Guard reporting duties.
The designated Cybersecurity Officer and Facility Security Officer must exercise their authorities — activation criteria, OT shutdown decisions, NRC notification, and COTP / Area Maritime Security Committee coordination — with the personnel who would execute them.
The Cybersecurity Plan's exercise, reporting, OT-protection, and coordination duties are the ones most directly addressed by tabletop exercises. Both the annual exercise and the annual plan review are tracked as live clocks.
| Standard | Title | Key Requirement Addressed | CyberICS Capability | Relevance |
|---|---|---|---|---|
| 33 CFR — CS Plan | Cybersecurity Plan — Incident Response | Maintain and exercise incident-response procedures under the Coast Guard-approved Cybersecurity Plan, including reportable-incident determination. | Live session mode, scenario-driven exercise flow, timestamped responses, AI AAR documenting the plan-activation record for the annual exercise. | Direct |
| Annual Exercise | Annual Cybersecurity Exercise | Conduct cybersecurity exercises at least annually per the approved plan (with more frequent drills on the plan's schedule). | A formal, evaluated exercise on plan objectives with named personnel; the AAR becomes the annual exercise record supporting the plan review. | Direct |
| NRC Reporting | Coast Guard / NRC Incident Reporting | Report reportable cyber incidents to the National Response Center and the cognizant Captain of the Port. | In-exercise reporting-decision timestamps in the compliance log; drip micro-drills reinforce NRC/COTP notification thresholds. | Direct |
| Plan Review | Cybersecurity Plan Review / Audit | Annual review/audit of the Cybersecurity Plan, informed by exercise findings. | AAR findings and the remediation tracker feed plan amendments; readiness trend surfaces recurring gaps for the annual review. | Supporting |
| OT Measures | Terminal & Vessel OT Protection | Protect terminal operating systems, cranes, gates, and vessel OT; define safe-state and isolation procedures. | Crane, TOS, and vessel-shore scenarios exercise safety-first shutdown decisions, OT isolation, and return-to-service verification. | Scenario |
| AMSC Coord. | COTP & Area Maritime Security Coordination | Coordinate cyber-physical incidents through the COTP and Area Maritime Security Committee at the applicable MARSEC level. | Capstone coordinated cyber-physical scenarios exercise unified command, AMSC coordination, and MARSEC-level decisioning with the COTP. | Scenario |
Three platform capabilities work together to satisfy the Cybersecurity Plan's annual-exercise and documentation duties.
Live Session mode provides a structured, real-time exercise environment. Participants join by code, respond to scenario steps, and all activity is timestamped — creating an auditable exercise record.
CyberICS's AI engine generates a structured AAR immediately after each exercise — documenting gaps identified, recommended corrective actions, and framework alignment.
The Compliance Dashboard generates per-framework evidence packages — a multi-page audit PDF covering exercise log, controls mapping, gap analysis, remediation timeline, and formal attestation page.
Six high-fidelity maritime and port scenarios are immediately available, sequenced from foundational to advanced. Each exercises Cybersecurity Plan procedures across your OT, terminal operations, and executive teams.
The TOS is encrypted an hour before vessel operations; gate lanes and crane queues are dead. Tests NRC/COTP reporting, manual vessel-work decisions, and landside backlog management.
An STS crane executes an uncommanded movement; its PLC shows firmware nobody installed. Tests safety-first shutdown decisions, OEM coordination, and return-to-service verification.
Arriving vessels report GPS jumps and AIS ghosts in the channel. Tests pilot/VTS/COTP coordination and determining whether the facility network is the interference source.
A planned, evaluated exercise on the plan's objectives — Cybersecurity Officer authorities, OT isolation for cranes/gates/reefer, and NRC reporting. Deviations become plan-review findings.
Containers are released against manipulated manifest data over days. Tests CBP/carrier coordination, access-path hunting in shared port systems, and shipment-verification decisions.
Gate systems fail open across terminals while a drone closes the anchorage — possibly coordinated. Tests unified command, AMSC coordination, and MARSEC-level decisions with the COTP.
Plus 59 additional scenarios across Energy, Oil & Gas, Manufacturing, Water, Rail, and more. Browse the full library →
Every CyberICS exercise automatically generates four categories of compliance evidence that map directly to Cybersecurity Plan documentation requirements.
AI-generated structured PDF with gap analysis, corrective actions, and framework references. Ready within minutes of exercise completion.
Multi-page per-framework audit PDF: exercise log, controls mapping, gap analysis, remediation timeline, and signed attestation page.
Timestamped record of all participant responses, host actions, and step progression. Demonstrates real exercise activity to auditors.
Gaps identified in the exercise are automatically pushed to ServiceNow or Jira as remediation tickets — creating a documented corrective action trail.
CyberICS exercise evidence maps to multiple frameworks simultaneously. One exercise program — complete regulatory coverage.
Start free with a 14-day trial — no credit card required. Or talk to our maritime sector team about Cybersecurity Plan exercise programs across your terminals and vessels.
Also explore: TSA Directives Toolkit · NIST SP 800-82 Toolkit · IEC 62443 Toolkit