Maritime cyber security is one of the fastest-growing specialist roles in the shipping industry. Since IMO Resolution MSC.428(98) made cyber risk management mandatory in ship Safety Management Systems from 2021, demand for professionals who combine maritime operational experience with cyber security expertise has grown substantially — and it is expected to grow further as IACS Unified Requirements E26 and E27 (mandatory from July 2024 for new builds) drive class society and flag-state compliance requirements. Experienced deck and engine officers — particularly Chief Mates, Chief Engineers, and Electro-Technical Officers (ETOs) — are well-positioned to transition into maritime cyber roles, bringing the operational technology (OT) systems knowledge that pure IT cyber specialists lack. STCW sets the international floor for the underlying Certificate of Competency (CoC); maritime cyber is an emerging area where class society and industry frameworks are developing faster than flag-state regulation. See the surveyor and auditor careers page for related ashore transition paths, and the career pathways reference.
Yes, since 2021. IMO Resolution MSC.428(98) requires that cyber risk management be incorporated into a ship's Safety Management System (SMS) under the ISM Code no later than the first annual verification of the company's Document of Compliance (DOC) after 1 January 2021. This means ship operators must identify cyber risks, document mitigation measures, and demonstrate compliance during ISM audits. The Resolution does not prescribe specific technical standards, but references IMO MSC-FAL.1/Circ.3 (Guidelines on Maritime Cyber Risk Management) and industry frameworks including the BIMCO Cyber Security Workbook and OCIMF Cyber Security Framework.
IACS Unified Requirements E26 (Cyber Resilience of Ships) and E27 (Cyber Resilience of On-Board Systems and Equipment) are mandatory requirements from the International Association of Classification Societies (IACS) that apply to vessels contracted for construction on or after 1 July 2024. E26 sets ship-level requirements for cyber resilience across five domains: identify, protect, detect, respond, and recover. E27 sets equipment-level cyber requirements that marine equipment manufacturers must meet. Together, they are the most detailed mandatory technical framework for maritime cyber security to date and are expected to drive significant demand for maritime cyber expertise.
For most roles in maritime cyber — including shipboard cyber officer, fleet cyber manager, and class society cyber consultant — a combination of maritime operational experience plus a recognised cyber security qualification is the expected profile. Widely recognised certifications include: CISSP (Certified Information Systems Security Professional), CISM (Certified Information Security Manager), CISA (Certified Information Systems Auditor), and CompTIA Security+. The maritime-specific overlay — ISM Code, STCW, IACS UR E26/E27, OT (operational technology) systems — is typically gained from seagoing experience. No dedicated IMO STCW standard yet exists for maritime cyber officers, but class societies and BIMCO are developing competency frameworks.
IT (Information Technology) systems on ships include administrative networks, crew welfare internet, company intranet, voyage management systems, and email servers. OT (Operational Technology) systems include navigation systems (ECDIS, AIS, GPS, radar), propulsion control, GMDSS, dynamic positioning, cargo monitoring and control systems, and engine-room automation. OT cyber attacks are of greater safety significance because they can directly affect vessel navigation, propulsion, or cargo safety. Maritime cyber specialists must understand both domains — and the interfaces between them — as the integration of IT and OT networks on modern vessels creates significant cross-contamination risk.
Several class societies offer voluntary cyber notation schemes: DNV CyberSecure (Level 1 and Level 2, with Level 2 requiring third-party penetration testing), Lloyd's Register ShipRight Cyber (notation applied at new build or retrofit), Bureau Veritas Cyber Resilience notation, and ABS CyberSafety. While these notations are currently voluntary (they go beyond the mandatory IACS UR E26/E27 requirements), some charterers, cargo owners, and insurers are beginning to include cyber notation in their vetting criteria — similar to how SIRE vetting has operated in the tanker sector. For maritime cyber specialists, familiarity with the class society cyber frameworks is essential.
Flag-state caveat: STCW sets the international floor for the underlying seagoing CoC. Maritime cyber security requirements are currently governed primarily by IMO resolutions, IACS unified requirements, and class society frameworks — not by STCW. Individual flag states are developing national implementations at different speeds. Always verify current requirements with the issuing flag-state administration and the relevant class society.
This page is for information only and does not constitute legal or professional advice. Cyber regulations are evolving rapidly — verify with the relevant authorities before acting.