Governance & Risk Management,
Operational Technology (OT),
Regulation
New Rules Will Jolt Maritime Cybersecurity Market Amid Geopolitical Anxiety
A new rule recently established by the U.S. Coast Guard mandates robust standards for operational technology systems utilized in ports and larger U.S.-flagged commercial vessels. This initiative is expected to invigorate the maritime cybersecurity market, a sector increasingly viewed as vulnerable due to rising geopolitical tensions.
Under the new regulations, maritime operators have until July 2027 to appoint a dedicated cybersecurity officer, conduct thorough cybersecurity assessments, and establish comprehensive cybersecurity plans for each vessel or facility under their operations. Since last July, these operators have been obligated to report any cybersecurity incidents to the Coast Guard’s National Response Center. Additionally, it was required that vessel staff receive mandatory cybersecurity training by January of this year.
Companies within the sector are already reaching out for assistance in navigating these requirements. Elan Alvey, an associate principal industrial consultant at Dragos, a vendor specializing in operational technology cybersecurity, mentioned that many clients are turning to them for interpretation and insight into the new requirements. “They’re asking the right questions,” Alvey noted, signifying a proactive approach from industry professionals aiming to fulfill these mandates effectively.
The newly enforced guidelines provide an avenue for cybersecurity professionals within shipping companies to advocate for the necessary resources to enhance their security measures. Michael DeVolld, senior director of maritime cybersecurity at ABS Consulting, emphasized that the compliance requirements present an opportunity for maritime entities to secure budgets for security initiatives that have long been recognized as essential but often underfunded.
Despite this positive shift, there remains an urgent need for additional clarity from the Coast Guard regarding definitions and best practices for compliance. As DeVolld pointed out, the industry is eagerly anticipating specific guidance from the Coast Guard that elucidates expectations regarding penetration testing and risk assessment methodologies, as well as templates for effective cybersecurity plans.
The Coast Guard has projected that the average annual cost for enforcing this maritime transportation system rule could reach approximately $134.5 million, amounting to an estimated $1.2 billion over a decade when considering factors like currency depreciation. In a stark contrast, the entire global cybersecurity services market for maritime operations was recorded at a mere $186 million in 2024, suggesting that the newly introduced rules could catalyze substantial growth in this sector.
Nevertheless, the prospect for growth may be tempered by the reluctance of larger shipping companies to fully outsource their security operations, prompted by cost considerations. Valor Consultancy found that many ship owners tend to prefer more cost-effective, self-managed security solutions instead. The approach of managing security in-house can be advantageous due to the new regulatory requirement that the appointed cybersecurity officer possesses operational expertise. DeVolld remarked that it’s often easier to train maritime personnel on cybersecurity than it is to train cybersecurity professionals in maritime operations.
Conversely, smaller shipping lines might not have the luxury of managing cybersecurity in-house and may have to resort to outsourcing their security operations. Sandro Delucia, director of commercial maritime products at Speedcast, highlighted the disparities between larger organizations, like Maersk, and smaller commercial fleets that often have limited IT resources. With the pressing demands of complying with new cybersecurity regulations, these smaller firms may find it challenging to manage cybersecurity efforts internally.
Questions Over Enforcement
These new regulations align with international standards set forth by the International Maritime Organization. The Coast Guard has pledged an aggressive enforcement campaign against foreign-flagged vessels while also ensuring compliance within U.S. operators. Nevertheless, a significant concern exists regarding the feasibility of enforcing these rules across approximately 15,000 vessels and facilities. A retired senior national security official expressed skepticism about whether the Coast Guard possesses the necessary manpower to enforce these regulations meaningfully.
Despite receiving a historical funding boost of nearly $25 billion during the Trump administration to enhance its capabilities, the Coast Guard, much like other governmental bodies, faces challenges in recruiting and training qualified cybersecurity specialists, as noted in a government audit.
The Coast Guard’s role has evolved, with preparations underway for its enhanced cybersecurity responsibilities over the years. Retired Rear Adm. John Mauger, formerly of the Coast Guard, revealed that civilian cybersecurity specialists are being appointed to advise port captains, and regional cyber protection teams are being developed to provide crucial support in enforcement efforts.
There is already a framework in place for compliance. DeVolld pointed out that inspections are conducted on every vessel and facility annually, which can now incorporate cybersecurity evaluations. Additionally, the Coast Guard Auxiliary, comprised of volunteers, enables the agency to leverage expertise from individuals with substantial cybersecurity backgrounds to support training and advisory roles for Coast Guard personnel and industry stakeholders.
However, ultimately, the responsibility for cybersecurity lies with the owners and operators of vessels and facilities. Mauger emphasized that trust in the operators to manage their security will be crucial to the enforcement of these new regulations.
From Espionage to Sabotage
The threats to the maritime sector are no longer abstract. The global shipping giant Maersk infamously fell victim to the Not Petya cyberattack in 2017, which began as an intelligence operation targeting Ukrainian businesses. Furthermore, ransomware groups have indiscriminately begun targeting vessel operators, further complicating the security landscape.
Reports indicate a rapid escalation in both the frequency and seriousness of cyberattacks within the maritime sector. South Korean maritime cybersecurity firm CYTUR revealed that the number of cyber incidents it recorded more than doubled from the previous year. Many of these incidents have been attributed to Distributed Denial of Service (DDoS) attacks and ransomware, indicating a troubling trend within the industry.
In 2024, Eset reported on a targeted campaign by a China-linked cyberespionage group that infiltrated shipboard systems using USB devices, indicating the growing sophistication of cyber threats against maritime operations. The implications of these attacks are profound; the recent arrest of a Lithuanian seaman in France, who allegedly introduced malware that could potentially compromise a passenger ferry’s navigational systems, underscores the urgent need for stringent cybersecurity measures.
As cybersecurity assessments conducted by the Coast Guard have indicated, vulnerabilities within U.S. vessels and facilities are significant challenges. This concern becomes particularly pressing considering how vital civilian port infrastructure is for U.S. military operations, especially in scenarios where rapid deployment of troops and supplies to the Asia-Pacific region may become necessary. A retired national security official underlined the potential havoc that could ensue if control over even a handful of container ships were maliciously directed towards major U.S. ports.