Role-based training a priority to combat maritime cyber risks

Image: ABS Consulting

Maritime operations run on tight schedules and thin margins, and as ships, terminals and supply chains connect systems for visibility and efficiency, attackers gain paths to entry. Cyber risk has become an operational reliability and safety concern, not just an IT issue.

“Whether we are looking at this challenge through an operational or organizational safety lens, cyber risk is a critical business risk. An incident will impact everyone,” says Michael DeVolld, senior director of maritime cybersecurity at ABS Consulting.

Primary threat: ransomware

“While it’s true that digital ships feature more sophisticated and secure technologies, the cyber risk has not changed: ransomware continues to pose a major threat,” explains DeVolld. He describes ransomware as taking down an organization’s computer systems, impacting its entire operational and financial networks, until a ransom is paid, pointing to recent disruptions across busy ports in North America, Australia, Europe and Japan.

The expanding attack surface

According to DeVolld, the push to integrate IT and operational technology (OT) for analytics and predictive maintenance has expanded the attack surface. With the industry increasingly reliant on digital systems, he warned, “there’s an increased risk of external cyber threats.”

Foundational controls still close the biggest gaps, says DeVolld, adding that patching and updating software, limiting network access and implementing multi-factor authentication are foundational cybersecurity measures that would go a long way toward safeguarding systems.

Underreporting and the new U.S. Coast Guard rules

Citing observations from the U.S. Coast Guard (USCG), DeVolld notes that while the number of reported ransomware attacks is down, the cost is up. The operative word, he stresses, is reported.

“Not all incidents are reported, which is a key issue since regulators and the private sector need to communicate and collaborate to tackle this threat together,” he says. “The goal we all share is to protect the industry as a whole, and especially to safeguard the world’s largest supply chain.”

Could an attacker steer a ship?

DeVolld answers that this is plausible but not likely due to the safety systems and human procedures built into commercial maritime operations. Even so, he cautions that modern ships tie navigation, propulsion, dynamic-positioning, ballast automation and cargo-handling into the same digital backbone that shoreside personnel can reach for analytics and remote support.

If an attacker slipped through weak remote access or an unpatched workstation, “they could push legitimate-looking commands straight to safety-critical equipment and change a vessel’s behavior in real time should all other safety and human oversight processes fail,” he says.

The answer is to treat cyber risk exactly like any other safety-of-navigation hazard, DeVolld says, by implementing International Association of Classification Societies Unified Requirements (IACS UR) E26/E27 and International Electrotechnical Commission (IEC) 62443 controls and segmentation, enforcing multi-factor authentication on remote access, maintaining rigorous patching and continuously monitoring OT traffic.

Ports, vendors and the wider supply chain

Network-connected OT in port facilities and shore-side are being targeted, DeVolld confirms, explaining that many environments still rely on outdated software and protocols and insufficient access controls. Breaches can disrupt global trade flows, delay cargo deliveries and damage relationships with customers and partners, with consequences that “extend far beyond immediate operational impacts.

Europe’s chokepoints multiply impact

DeVolld highlights high-volume corridors where a single node outage can cascade. The English Channel and Dover Strait funnel North–South Atlantic traffic. The Strait of Gibraltar is a narrow neck for Asia, the Americas and Northern Europe flows. Northwest gateway ports, like Rotterdam, Antwerp-Bruges and Hamburg, move a large share of containerized imports as well as refined products, liquefied natural gas (LNG) and chemicals. “Even a 24-hour cyber stoppage at Rotterdam’s Maasvlakte terminals would strand tens of thousands of twenty-foot equivalent units (TEU),” he says,

Each node couples dense physical traffic with complex, network-connected terminal operations, so resilience should be treated as a shared critical-infrastructure obligation, supported by OT hardening, drills and transparent information-sharing under the EU’s Network and Information Systems Security Directive 2.0 (NIS2). Vessel traffic service (VTS) centers are also key dependencies in these corridors, he notes.

Regulations are raising the baseline

“Regulatory frameworks set a baseline and targets for where we need to go on the cybersecurity journey,” says DeVolld. Objective, third-party safety focused organizations like ABS and its affiliated company, ABS Consulting, add to that by bringing forward standards interpretation, guidance and compliance support to:

• Protect life, property and the environment; and
• Support the maritime community in operating safely, reliably, efficiently and in compliance with applicable regulations and standards.

DeVolld’s maritime cybersecurity team helps clients understand how to navigate global maritime regulations.

The International Maritime Organization’s (IMO) Resolution MSC.428(98) mandates cyber risk management in the Safety Management System (SMS) for cargo ships 500 gross tonnage (GT) and above. In the European Union (EU), NIS2 tightens incident reporting timelines and strengthens supply-chain security, requiring measures from cryptography and multi-factor authentication to incident handling and business continuity.

In the United States, the USCG’s final rule (effective July 16, 2025) establishes minimum cybersecurity requirements for US-flagged vessels, Outer Continental Shelf (OCS) facilities, and facilities regulated under the Maritime Transportation Security Act (MTSA), mandating cybersecurity plans, designated officers and structured detection, response and recovery.

Training for MTSA-regulated facilities

To support the USCG’s updated MTSA requirements, ABS Consulting offers role-based MTSA compliance training for facility security officers, vessel security officers, operational managers and IT/OT personnel.

Tracks cover the current threat landscape, MTSA-aligned implementation and controls, and incident categories and reporting under 33 CFR, with practical exercises. Courses are available online or on site and include role-specific certificates to support audit readiness.”