Maritime cyber security

IMO MSC.428(98) cyber-risk management requirements + the practical defensive posture every modern bridge + ECR needs. Phishing, ransomware, ECDIS spoofing, OT/IT segregation.

What it is

The defensive posture against cyber threats targeting the IT (information technology) + OT (operational technology) systems on a modern vessel. IMO MSC.428(98) (2017) requires cyber-risk management in the ship's Safety Management System (SMS) from 1 January 2021. Insurance + flag-state inspections now check it.

Why it matters

Ransomware against shore-side maritime IT (Maersk 2017, COSCO 2018, MSC 2020) has cost the industry billions. Vessel-side attacks on ECDIS + GNSS are less common but increasing in frequency. Crew phishing + USB-based malware are the most common attack vectors.

Where it stands in 2026

Universal requirement under MSC.428(98) — every vessel's SMS must address cyber. ISO/IEC 27001 + IACS UR E26 + E27 are emerging baselines. Insurance + class-society audits routinely check cyber posture.

Training implications

Crew-level cyber-awareness training (phishing, USB hygiene, password practice).
Specialist training for the designated cyber-security officer (often the Master or DPA in smaller fleets, dedicated CISO at major operators).
Bridge + ECR officers on detecting GNSS spoofing + ECDIS chart-update anomalies.

Safety risks

Ransomware lockout of ECDIS, BNWAS, cargo-control systems.
GNSS spoofing (already documented in Black Sea + South China Sea regions).
USB-based malware via shore-supplied media.
Phishing-driven credential theft (shore-side payroll + crew systems).

Career angles

Maritime cyber roles are a new shore-side career path — see /careers/maritime-cyber.
Senior officers + DPAs taking on cyber-security officer responsibilities as a career broadening.
ETOs with cyber training valued on modern bridges + cargo-control systems.

Common misunderstandings

'Cyber is the IT department's problem.' IMO + insurance now make it a Master + DPA responsibility.
'OT systems are isolated and safe.' Increasing integration with IT + remote access means OT exposure is growing.
'GNSS spoofing is rare.' Documented in major shipping lanes — bridge officers should know the symptoms + cross-check procedures.

Primary sources

High confidence

Last verified 13 days ago

What it is

Training implications

Crew-level cyber-awareness training (phishing, USB hygiene, password practice).

Specialist training for the designated cyber-security officer (often the Master or DPA in smaller fleets, dedicated CISO at major operators).

Bridge + ECR officers on detecting GNSS spoofing + ECDIS chart-update anomalies.

Common misunderstandings

'Cyber is the IT department's problem.' IMO + insurance now make it a Master + DPA responsibility.

'OT systems are isolated and safe.' Increasing integration with IT + remote access means OT exposure is growing.

'GNSS spoofing is rare.' Documented in major shipping lanes — bridge officers should know the symptoms + cross-check procedures.

High confidence

Last verified 13 days ago

Maritime cyber security

What it is

Why it matters

Where it stands in 2026

Training implications

Safety risks

Career angles

Common misunderstandings

Related

Primary sources

Maritime cyber security

What it is

Why it matters

Where it stands in 2026

Training implications

Safety risks

Career angles

Common misunderstandings

Related

Primary sources