Maritime cyber security became an explicit ISM Code requirement on 1 January 2021 under IMO Resolution MSC.428(98). The shipping industry was historically dominated by operational technology (OT) — radar, ECDIS, AIS, automation systems — designed before cyber threats were a consideration. Increasing connectivity through VSAT broadband, ECDIS updates via internet, and crew use of personal devices has substantially expanded the attack surface on the modern vessel.
Unlike most maritime safety regimes, cyber security is genuinely cross-disciplinary: it requires cooperation between the master, deck officers who operate bridge systems, chief engineers who manage OT networks, and shore-side IT departments. The fundamental challenge is that OT equipment — much of it running legacy embedded operating systems — cannot be patched on the same schedule as office IT, yet is increasingly connected to systems that can be reached from outside the vessel.
In force 1 January 2021. Requires that approved Safety Management Systems address cyber risk, making cyber security an explicit ISM Code obligation for all SOLAS vessels.
The principal IMO guidance document, jointly produced by the Maritime Safety Committee and the Facilitation Committee. Sets out the five-function approach (Identify, Protect, Detect, Respond, Recover) aligned with NIST CSF.
Industry-leading practical guidance co-authored by BIMCO, INTERCARGO, INTERTANKO, ICS, OCIMF, and others. Covers risk assessment, network architecture, crew training, and incident response.
Added to the TMSA framework in 2017 specifically for tanker management. SIRE 2.0 vetting inspections assess Element 13 compliance as part of vessel inspections.
Classification societies issue cyber capability notations (e.g. DNV CYBER SECURE, ABS CyberSafety, LR ShipRight Cyber Enabled) for vessels that meet enhanced cyber resilience standards.
Documented incidents in the Black Sea and Mediterranean since 2017. Vessels reported false positions dozens of miles from their actual location; some cases attributed to deliberate state-level interference.
Bridge navigation systems often run embedded Windows operating systems that are no longer patched by the OEM. Exploitation can corrupt charts, disable logging, or allow unauthorised control.
Maersk NotPetya (2017, ~$300 m loss), CMA CGM (2020), ZIM (2020) are the highest-profile shipping ransomware incidents. Shore-side IT networks were entry points but port operations, voyage planning, and cargo booking systems were all affected.
Crew and office staff are targeted via shipowner email impersonation to divert payroll, authorise fraudulent wire transfers, or install credential-harvesting malware.
Satellite communications can be intercepted or subject to man-in-the-middle attacks. Unencrypted traffic over shared VSAT links exposes vessel data to third parties sharing the satellite beam.
Crew connecting personal smartphones or laptops to the operational technology (OT) network — or to a ship WiFi that is not properly segmented from OT — can introduce malware to navigation, automation, and cargo systems.
Electronic Navigational Chart (ENC) updates and software patches frequently arrive on USB media. Infected USB drives are one of the most common vectors for introducing malware to bridge and engine room systems.
Identify: Inventory all OT assets (ECDIS, VDR, AMS, AIS, GMDSS), IT assets (email, crew WiFi, VSAT routers), data flows, and third-party remote-access dependencies. Assign risk ratings.
Protect: Implement access control, keep software and firmware patched via authorised update services, train crew, and enforce network segmentation — OT (bridge and engine-room systems) must be isolated from IT (administrative and crew networks).
Detect: Enable system logging on all bridge and engine-room equipment. Apply anomaly detection where feasible. Use an Intrusion Detection System (IDS) on higher-risk vessels (tankers, passenger ships).
Respond: Maintain a documented incident response plan in the SMS. Define communication protocols: master notifies Company immediately; Company contacts class society; flag administration as required. Master retains operational authority during an incident.
Recover: Maintain off-network backups of critical system configurations and ENCs. Document business continuity procedures. Conduct a lessons-learned review after any incident or near-miss.
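An added example (not part of the original guidance) of the anomaly detection called for under the Detect function, applied to the false-position incidents described above: it parses NMEA 0183 RMC sentences from a GPS feed, discards any with a bad checksum, and flags fixes the vessel could not physically have reached. The 25-knot limit, the function names, and the sample sentences are assumptions constructed for illustration.

```python
import math
from datetime import datetime, timezone
from functools import reduce

def checksum(body):
    """NMEA 0183 checksum: XOR of all characters between '$' and '*'."""
    return reduce(lambda acc, ch: acc ^ ord(ch), body, 0)

def to_deg(value, hemi, n):
    """Convert (d)ddmm.mmm plus hemisphere letter to signed decimal degrees."""
    return (-1 if hemi in ("S", "W") else 1) * (int(value[:n]) + float(value[n:]) / 60)

def parse_rmc(sentence):
    """Return (utc_time, lat, lon) for a valid, checksum-clean RMC fix, else None."""
    body, _, cs = sentence.strip().lstrip("$").partition("*")
    f = body.split(",")
    try:
        if f[0][2:] != "RMC" or f[2] != "A" or int(cs, 16) != checksum(body):
            return None
        when = datetime.strptime(f[9] + f[1][:6], "%d%m%y%H%M%S")
        return when.replace(tzinfo=timezone.utc), to_deg(f[3], f[4], 2), to_deg(f[5], f[6], 3)
    except (ValueError, IndexError):
        return None

def dist_nm(a, b):
    """Great-circle (haversine) distance in nautical miles."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 3440.065 * math.asin(math.sqrt(h))

def flag_jumps(sentences, max_kn=25.0):  # 25 kn is an assumed vessel maximum
    """Return (time, distance_nm, implied_kn) for each fix the ship could not have reached."""
    alerts, prev = [], None
    for fix in filter(None, map(parse_rmc, sentences)):
        if prev and (hours := (fix[0] - prev[0]).total_seconds() / 3600) > 0:
            d = dist_nm(prev[1:], fix[1:])
            if d / hours > max_kn:
                alerts.append((fix[0], round(d, 1), round(d / hours)))
        prev = fix  # a displaced track is flagged at onset and again on return
    return alerts

def make_rmc(hhmmss, lat, lon):
    """Build a constructed sample sentence (not recorded data)."""
    body = f"GPRMC,{hhmmss},A,{lat},N,{lon},E,12.0,045.0,010124,,"
    return f"${body}*{checksum(body):02X}"

SAMPLE = [make_rmc("120000", "4430.000", "03730.000"),
          make_rmc("120100", "4430.140", "03730.200"),
          make_rmc("120200", "4455.000", "03755.000"),  # constructed ~30 nm jump
          make_rmc("120300", "4455.140", "03755.200")]
```

An alert from `flag_jumps(SAMPLE)` is a prompt to cross-check position against radar, visual bearings, and depth soundings, not proof of spoofing on its own.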
When a cyber incident is suspected — unusual system behaviour, ransomware notice, GPS anomaly — the master should immediately notify the Company via an alternative communications channel (not the potentially compromised system). The Company notifies the relevant class society and, where the incident involves a SOLAS-relevant system, the flag administration. Evidence must be preserved: do not power down affected equipment without guidance from the Company's cyber incident response team, as volatile memory may contain critical forensic information.
Ships must be capable of proceeding safely using backup and paper-based navigation during a cyber incident. Officers should be familiar with manual chartwork, paper nautical publications, and the vessel's backup navigation equipment as required by STCW.
IMO's Maritime Safety Committee is actively considering dedicated cyber-related amendments to STCW as part of the 2026 comprehensive review. Proposals include mandatory cyber security competence elements for OOWs and chief engineers, and a new module on crew awareness. Classification societies are also advancing harmonised cyber notation standards; the IACS UR E26 and E27 unified requirements on cyber resilience entered into force for new builds contracted from 1 January 2024.