Cyber Proofing

 

With the Coast Guard's final cybersecurity rule in effect as of July 16, 2025 and the training mandate due January 12, 2026, the marine transportation system is being pushed to treat cyber risk as an operational reality.

Two voices, one from a maritime technology company and one from a safety-and-risk leader, point to the same answer: If the industry wants resilience, it must move beyond checklists toward engineered controls, measurable hygiene and contracts that create accountability.

SECURITY OPERATIONS CENTERS

Now a part of DNV, Singapore-based CyberOwl is focused on a stubborn problem for shipowners: the practical visibility of onboard operational technology.

"One of the toughest challenges in cybersecurity for shipping is how to simplify gaining visibility of both connected and presumably unconnected operating technology (OT) systems," says CEO Daniel Ng. "As part of DNV, collaboration with OEMs has become significantly more meaningful."

The aim is to push some responsibility upstream so security data is logged, passed and delivered consistently from design through operation. That reduces fragile retrofit needs and gives owners a clearer evidentiary trail.

Ng argues that fear of a security operations center (SOC) often comes from enterprise pricing that does not fit maritime economics. "Putting in place a SOC service does not have to be as hard or expensive as people imagine," he says, if costs are predictable on a per-vessel/per-day basis.

He recommends a minimum viable capability where a complete SOC is not feasible. Configure alerts for a few safety-critical use cases with onboard equipment, focusing on network bridging (creating a direct path between two otherwise separated networks at the data-link level, making them act as one) and remote access. Keep a "zero-hour" (when a new threat first appears) incident response arrangement so a maritime-experienced team can deploy quickly.

He cautions that this stopgap usually costs more over time than a right-sized SOC that shuts incidents down early and steadily improves hygiene.

ATTACK VECTORS

The attack picture is blunt.

"Unfortunately, the top vector is still USB," Ng notes. "This represents 75 percent of all the malware incidents we saw during 2024. That trend continues in 2025 so far." Physical USB locks do not fix the problem. He calls them "a poorly understood control that is clearly not working" because crews can unlock them and warns that inspecting for them encourages security theater and distracts from controls that lower risk.

Remote access as an ingress route is also rising "from four percent of the incidents we saw in 2023 to 13 percent in 2024," a byproduct of digitalization and supply chain exposure.

The practical prescription remains simple and effective: Segment critical systems and implement USB controls that work in practice rather than appearance.

DETECTING THREATS & BUILDING DEFENSES

CyberOwl's answer to the so-called "evidence problem" is to make proof easy to produce.

The company's OT Security Manager mines maintenance documents and spreadsheets to build a defensible inventory to roughly sixty to seventy percent accuracy without installing software onboard. Crews then verify the remainder through targeted walkthroughs or scans while AI flags inconsistencies. Medulla, CyberOwl's cybersecurity monitoring platform, then turns that baseline into a hygiene scorecard mapped to IMO guidance, IACS E26 and E27 and NIST so crews can produce a ready-to-show evidence pack in minutes.

Ng also urges the industry to look upstream at how E26 (which sets minimum requirements for the cyber resilience of ships) plays out in practice. He concludes that while E26 is imperfect, it's a reasonable step.

The issue is where implementation begins, at the shipyard. Many newbuilds come from yards where cybersecurity receives less attention, and that mindset flows to owners who must operate and maintain the result. He cautions that some yards simplify for convenience by pushing a single template for network architecture, securing class approval and then telling owners it's the only way to safeguard a ship. That approach hinders fleetwide harmonization and locks in design choices that may not serve the operator.

Procurement is where behavior changes fast.

"We're seeing an increasing number of charterparty contracts demanding minimum-level cybersecurity, particularly in the oil and gas segments," Ng says. He wants OEM supply-and-service contracts to spell out responsibilities, liabilities and incident support for safety-critical systems where owners lack direct control over vendor equipment, such as black boxes.

FROM RULES TO READINESS

Michael DeVolld, Senior Director for Maritime Cybersecurity at ABS Consulting, says cyber connects when it lives in daily work: "Cyber resonates best when integrated into the policies and procedures crews already use, not treated as something separate."

He points to tabletop exercises alongside fire or spill drills and real-world cases where cyber events disrupted navigation, cargo operations and port logistics. "At the end of the day, cyber connects best when framed in the same terms crews already live by – safety, reliability and continuity."

He widens the lens to the economy: "Too often, cyber is seen as an IT issue, not a supply chain crisis. The Suez Canal blockage is a telling parallel. It wasn't a cyber incident, but one ship that caused billions in losses and cascading congestion. A cyberattack could create the same disruption, only faster and across multiple ports or vessel classes. The knock-on effects – demurrage, delayed cargo, missed contracts and even inflation – can scale quickly. Insurance exclusions are growing, leaving operators more exposed than they realize. The risk is not just corporate, it's systemic. The sooner we recognize cyber as an economic stability issue, the better prepared we'll be."

Training is both the near-term test and the long-term project.

"I see a split in how operators approach the 2026 training deadline," DeVolld says. "Some are leaning in early, working with the Coast Guard and experienced consultants to understand the intent and tailor training to operations. Others assume their corporate off-the-shelf training will check the box, and that could result in a major gap. Generic programs often do not prepare crews, facility operators or contractors for the realities of maritime systems."

His fix is to embed role-based practice in the safety culture that crews already live by and to scale sensibly for smaller firms: "Cybersecurity should be taught from the beginning, built into maritime academies, woven into STCW training and treated as core professional knowledge."

On the technology side, he wants higher-quality software and systems from shipyards, vendors and integrators through secure coding, rigorous testing and disciplined integration so vulnerabilities are engineered out before they reach operations: "AI can support defense by detecting anomalies faster and making sense of complex systems, but it's not mature enough to be a foundation. Every new product seems AI-driven, yet AI cannot replace the basics – governance, configuration, skilled people and tested plans."

He also warns: "Phishing campaigns are more sophisticated. Deepfakes and disinformation are eroding trust, and reconnaissance tools are mapping targets with alarming speed. Combine that with risks of model manipulation and reduced human oversight, and vulnerabilities multiply. AI should be a tool to augment human operators, not a substitute for the fundamentals that make systems resilient."

Vendors are part of daily operations, so procurement must carry weight.

ABS Consulting recommends writing clear cyber expectations into contracts and service levels, covering how remote access is authorized and logged, the timelines for fixes, and incident support. Modernization should be deliberate on ship and shore with critical networks separated, remote access tightened, failover paths tested and coordination with authorities exercised before inspections or incidents.

EMBEDDED RESILIENCE

Maritime cybersecurity will mature when evidence replaces theater, design anticipates operations and people practice until response feels routine.

From bridge to berth, the playbook is simple: Measure what matters, contract for accountability, modernize deliberately and train for the job you actually do. Do that, and resilience becomes embedded in daily work everywhere.