Is maritime cyber security mandatory?

Yes. IMO Resolution MSC.428(98) requires cyber risk management to be addressed in the Safety Management System no later than the first annual verification of the company’s Document of Compliance after 1 January 2021. IACS UR E26 and E27 apply to new ships contracted for construction on or after 1 July 2024. In the United States, the US Coast Guard’s final rule “Cybersecurity in the Marine Transportation System” was published on 17 January 2025 and became effective on 16 July 2025.

What are IACS UR E26 and E27?

IACS UR E26 covers cyber resilience requirements for ships, including system integrity, network segmentation, and incident response capabilities. UR E27 addresses cyber resilience of onboard systems and equipment, setting requirements for equipment manufacturers and system integrators.

What are the biggest cyber threats to ships?

Critical threats include ransomware (e.g., the Maersk NotPetya attack cost approximately USD 300 million), phishing targeting crew and shore staff, GPS/AIS spoofing, unauthorized access to operational technology (OT) systems like ECDIS and engine controls, and supply chain vulnerabilities through third-party software.

What OT systems on ships are vulnerable to cyber attacks?

Critical OT systems at risk include ECDIS (navigation), AIS (vessel tracking), GPS (positioning), GMDSS (communications), engine control systems, cargo management systems, and ballast water treatment controls. These systems are increasingly interconnected, expanding the attack surface.

What is the NIST framework for maritime cyber security?

The NIST Cybersecurity Framework provides five core functions applied to maritime: Identify (asset and risk inventory), Protect (access controls and network segmentation), Detect (monitoring and anomaly detection), Respond (incident response procedures), and Recover (system restoration and lessons learned).

Back to Solutions

Maritime Cyber
Security

Powered by CyberSmart Smart CyberSecurity. Since January 2021, IMO Resolution MSC.428(98) has required cyber risk management to be addressed within ships' Safety Management Systems. Maritime cyber compliance now also intersects with IACS UR E26 and E27 for new ships contracted for construction on or after 1 July 2024, and with the US Coast Guard's final rule “Cybersecurity in the Marine Transportation System”, published on 17 January 2025 and effective from 16 July 2025.

IMO MSC.428(98)IACS UR E26–E27USCG Final Rule Effective 16 Jul 2025

Why Maritime Cyber Security Matters

Modern vessels rely on interconnected digital systems for navigation, communication, cargo management, and engine control. Operational Technology (OT) systems such as ECDIS, AIS, GPS receivers, GMDSS, and engine automation are increasingly networked—creating attack surfaces that didn't exist a decade ago. The convergence of IT and OT on board means a cyber incident can directly impact vessel safety and operations.

IMO's MSC-FAL.1/Circ.3/Rev.2 provides updated guidelines on maritime cyber risk management, recommending alignment with the NIST Cybersecurity Framework's five functions: Identify, Protect, Detect, Respond, and Recover. The ISM Code now requires cyber risks to be incorporated into the SMS, verified at DOC audits by flag state or recognized organizations.

IMO MSC.428(98): Cyber risk management mandatory in SMS since January 2021

IACS UR E26: Ship-level cyber resilience for newbuilds contracted from July 2024

IACS UR E27: Equipment-level cyber resilience for system integrators and manufacturers

NIST Framework: Identify, Protect, Detect, Respond, Recover applied to maritime context

Class society cyber notations available from DNV, Lloyd's Register, and Bureau Veritas

OT vs IT Systems at Risk

ECDIS (OT)

Chart display manipulation, position offset errors

AIS Transponder (OT)

Identity spoofing, position falsification

GPS / GNSS (OT)

Signal spoofing, jamming, position errors

GMDSS (OT)

Distress system compromise, communication loss

Engine Control (OT)

Propulsion manipulation, safety system bypass

Cargo Management (IT/OT)

Loading computer errors, stability risks

Notable Maritime Cyber Incidents

These high-profile incidents demonstrate the real-world impact of cyber attacks on maritime operations and the critical importance of proactive cyber resilience.

2017

Maersk – NotPetya

NotPetya ransomware shut down Maersk's global operations for two weeks, affecting 76 ports and causing an estimated $300M in losses.

2020

IMO Website Attack

The International Maritime Organization's website and internal systems were taken offline by a sophisticated cyber attack targeting critical infrastructure.

2023

DNV ShipManager

DNV's ShipManager software platform was hit by a ransomware attack, affecting fleet management operations for approximately 1,000 vessels worldwide.

Common Attack Vectors

Understanding the primary threat vectors targeting maritime systems is the first step toward building effective defences and training crew to recognize risks.

Phishing & Social Engineering

Targeted emails impersonating port authorities, charterers, or classification societies to harvest credentials or deploy malware.

USB & Removable Media

Infected USB drives introduced to shipboard systems during port calls, service engineer visits, or crew changes.

Ransomware

Encryption of critical shipboard or shore-based systems, demanding payment to restore operations and data access.

GPS Spoofing

Broadcast of false GPS signals to manipulate vessel position data, potentially causing navigation errors or enabling smuggling.

AIS Manipulation

Spoofing or jamming of AIS transponders to create ghost vessels, hide vessel movements, or cause confusion in traffic management.

NIST Cybersecurity Framework – Maritime Application

IMO guidelines recommend aligning maritime cyber risk management with the NIST Cybersecurity Framework. We apply all five functions across vessel and shore operations.

Identify

Asset inventory, risk assessment, supply chain mapping for all IT and OT systems

Protect

Access controls, network segmentation, crew training, data security measures

Detect

Continuous monitoring, anomaly detection, intrusion detection systems

Respond

Incident response plans, communications protocols, impact mitigation

Recover

System restoration, backup procedures, lessons learned integration

Our Cyber Security Solutions

We provide end-to-end maritime cyber security services covering regulatory compliance, technical hardening, incident preparedness, and crew awareness training.

Cyber Risk Assessment & Gap Analysis (Smart CyberSecurity)

Comprehensive evaluation of your vessel and shore-based cyber posture against IMO, IACS, and NIST frameworks using Smart CyberSecurity to identify vulnerabilities and prioritize remediation.

IT and OT system inventory & mapping
Vulnerability scanning & penetration testing
Risk register development & prioritization
Compliance gap analysis against IMO MSC.428

IMO MSC.428 SMS Integration

Integration of cyber risk management into your Safety Management System as required by IMO resolution MSC.428(98), ensuring compliance at your next DOC audit.

Cyber risk policy development
SMS procedure updates for cyber threats
Roles and responsibilities definition
DOC audit preparation & support

IACS UR E26/E27 Implementation

Full support for newbuild and retrofit compliance with IACS Unified Requirements for ship-level and equipment-level cyber resilience.

UR E26 ship-level resilience planning
UR E27 equipment supplier assessment
Cyber resilience verification support
Classification society liaison & approval

OT/IT Network Security & Segmentation

Design and implementation of network architecture that properly segregates operational technology from IT systems, protecting critical navigation and engine controls.

Network topology review & redesign
IT/OT segmentation implementation
Firewall and access control setup
ECDIS, AIS & engine system hardening

Incident Response Planning & Drills (Smart CyberSecurity)

Development of maritime-specific cyber incident response plans with Smart CyberSecurity threat monitoring, regular tabletop exercises, and drills to ensure crew and shore staff readiness.

Incident response plan development
Communication & escalation protocols
Tabletop exercises & scenario drills
Post-incident review & lessons learned

Crew Cyber Awareness Training

Tailored training programs for seafarers and shore-based personnel covering maritime-specific cyber threats, safe practices, and incident reporting procedures.

Phishing awareness & simulation
Safe USB and device handling
Password management & MFA adoption
Incident recognition & reporting

Reference Links (Official)

IMO — maritime cyber riskimo.org

IACS — UR E26 and E27 press releaseiacs.org.uk

US Federal Register — Cybersecurity in the Marine Transportation Systemfederalregister.gov

FAQ

Frequently Asked Questions

Common questions about our Maritime Cyber Security services and compliance requirements.

: Yes. IMO Resolution MSC.428(98) requires cyber risk management to be addressed in the Safety Management System no later than the first annual verification of the company’s Document of Compliance after 1 January 2021. IACS UR E26 and E27 apply to new ships contracted for construction on or after 1 July 2024. In the United States, the US Coast Guard’s final rule “Cybersecurity in the Marine Transportation System” was published on 17 January 2025 and became effective on 16 July 2025.

Ready to Strengthen Your Cyber Resilience?

With IMO MSC.428 enforcement at every DOC audit and IACS UR E26/E27 now in effect for newbuilds, proactive cyber risk management protects your operations, crew, and compliance standing.

Get Cyber Assessment All Solutions

Maritime Cyber
Security

Why Maritime Cyber Security Matters

OT vs IT Systems at Risk

Notable Maritime Cyber Incidents

Maersk – NotPetya

IMO Website Attack

DNV ShipManager

Common Attack Vectors

Phishing & Social Engineering

USB & Removable Media

Ransomware

GPS Spoofing

AIS Manipulation

NIST Cybersecurity Framework – Maritime Application

Identify

Protect

Detect

Respond

Recover

Our Cyber Security Solutions

Cyber Risk Assessment & Gap Analysis (Smart CyberSecurity)

IMO MSC.428 SMS Integration

IACS UR E26/E27 Implementation

OT/IT Network Security & Segmentation

Incident Response Planning & Drills (Smart CyberSecurity)

Crew Cyber Awareness Training

Reference Links (Official)

Frequently Asked Questions

Related Solutions

Communication

CyberSmart AI

Flag State Inspection

Ready to Strengthen Your Cyber Resilience?

Maritime CyberSecurity

Why Maritime Cyber Security Matters

OT vs IT Systems at Risk

Notable Maritime Cyber Incidents

Maersk &ndash; NotPetya

IMO Website Attack

DNV ShipManager

Common Attack Vectors

Phishing & Social Engineering

USB & Removable Media

Ransomware

GPS Spoofing

AIS Manipulation

NIST Cybersecurity Framework – Maritime Application

Identify

Protect

Detect

Respond

Recover

Our Cyber Security Solutions

Cyber Risk Assessment & Gap Analysis (Smart CyberSecurity)

IMO MSC.428 SMS Integration

IACS UR E26/E27 Implementation

OT/IT Network Security & Segmentation

Incident Response Planning & Drills (Smart CyberSecurity)

Crew Cyber Awareness Training

Reference Links (Official)

Frequently Asked Questions

Related Solutions

Communication

CyberSmart AI

Flag State Inspection

Ready to Strengthen Your Cyber Resilience?

Maritime Cyber
Security

Maersk – NotPetya