Ransomware still top maritime cyber threat, ABS analyst says

(SPRING, Texas) — Maritime operations run on tight schedules and thin margins, and as ships, terminals and supply chains connect systems for visibility and efficiency, attackers gain paths to entry. Cyber risk has become an operational reliability and safety concern, not just an information technology (IT) issue.

“Whether we are looking at this challenge through an operational or organizational safety lens, cyber risk is a critical business risk. An incident will impact everyone,” said Michael DeVolld, senior director of maritime cybersecurity at ABS Consulting.

The primary threat: Ransomware

“While it’s true that digital ships feature more sophisticated and secure technologies, the cyber risk has not changed: ransomware continues to pose a major threat,” DeVolld said. He described ransomware as taking down an organization’s computer systems, impacting its entire operational and financial networks, until a ransom is paid, pointing to recent disruptions across busy ports in North America, Australia, Europe and Japan.

The expanding attack surface

According to DeVolld, the push to integrate IT and operational technology (OT) for analytics and predictive maintenance has expanded the attack surface. With the industry increasingly reliant on digital systems, he warned, “there’s an increased risk of external cyber threats.”

Foundational controls still close the biggest gaps, DeVolld said, adding that patching and updating software, limiting network access and implementing multi-factor authentication are foundational cybersecurity measures that would go a long way toward safeguarding systems.

Underreporting and the new U.S. Coast Guard rules

Citing observations from the U.S. Coast Guard, DeVolld noted that while the number of reported ransomware attacks is down, the cost is up. The operative word, he stressed, is reported.

“Not all incidents are reported, which is a key issue since regulators and the private sector need to communicate and collaborate to tackle this threat together,” he said. “The goal we all share is to protect the industry as a whole, and especially to safeguard the world’s largest supply chain.”

Could an attacker steer a ship?

DeVolld answered that this is plausible but not likely due to the safety systems and human procedures built into commercial maritime operations. Even so, he cautioned that modern ships tie navigation, propulsion, dynamic positioning, ballast automation and cargo-handling into the same digital backbone that shoreside personnel can reach for analytics and remote support.

If an attacker slipped through weak remote access or an unpatched workstation, “they could push legitimate-looking commands straight to safety-critical equipment and change a vessel’s behavior in real time should all other safety and human oversight processes fail,” he said.

The answer is to treat cyber risk exactly like any other safety-of-navigation hazard, DeVolld said, by implementing International Association of Classification Societies unified requirements (IACS UR) E26/E27 and International Electrotechnical Commission (IEC) 62443 controls and segmentation, enforcing multi-factor authentication on remote access, maintaining rigorous patching and continuously monitoring OT traffic.

Ports, vendors and the wider supply chain

Network-connected OT in port facilities and shoreside is being targeted, DeVolld confirmed, explaining that many environments still rely on outdated software and protocols and insufficient access controls. Breaches can disrupt global trade flows, delay cargo deliveries and damage relationships with customers and partners, with consequences that “extend far beyond immediate operational impacts.”

Europe’s chokepoints multiply impact

DeVolld highlighted high-volume corridors where a single node outage can cascade. The English Channel and Dover Strait funnel north-south Atlantic traffic. The Strait of Gibraltar is a narrow neck for Asia, Americas and Northern Europe flows. Northwest gateway ports, like Rotterdam, Antwerp-Bruges and Hamburg, move a large share of containerized imports as well as refined products, liquefied natural gas (LNG) and chemicals. “Even a 24-hour cyber stoppage at Rotterdam’s Maasvlakte terminals would strand tens of thousands of twenty-foot equivalent units (TEUs),” he said.

Each node couples dense physical traffic with complex, network-connected terminal operations, so resilience should be treated as a shared critical-infrastructure obligation, supported by OT hardening, drills and transparent information-sharing under the European Union’s Network and Information Systems Security Directive 2.0 (NIS2). Vessel traffic service (VTS) centers are also key dependencies in these corridors, he noted.

Regulations are raising the baseline

“Regulatory frameworks set a baseline and targets for where we need to go on the cybersecurity journey,” DeVolld said. Objective, third-party safety-focused organizations like ABS and its affiliated company, ABS Consulting, add to that by bringing forward standards interpretation, guidance and compliance support to protect life, property and the environment, and support the maritime community in operating safely, reliably, efficiently and in compliance with applicable regulations and standards.

DeVolld’s maritime cybersecurity team helps clients understand how to navigate global maritime regulations.

The International Maritime Organization’s (IMO) Resolution MSC.428(98) mandates cyber-risk management in the safety management system (SMS) for cargo ships 500 gross tonnage (GT) and above. In the European Union (EU), NIS2 tightens incident-reporting timelines and strengthens supply-chain security, requiring measures from cryptography and multi-factor authentication to incident handling and business continuity.

In the United States, the Coast Guard’s final rule (effective July 16, 2025) establishes minimum cybersecurity requirements for U.S.-flagged vessels, Outer Continental Shelf (OCS) facilities, and facilities regulated under the Maritime Transportation Security Act (MTSA), mandating cybersecurity plans, designated officers and structured detection, response and recovery.

Training for MTSA-regulated facilities

To support the Coast Guard’s updated MTSA requirements, ABS Consulting offers role-based MTSA compliance training for facility security officers, vessel security officers, operational managers and IT/OT personnel.

Tracks cover the current threat landscape, MTSA-aligned implementation and controls, and incident categories and reporting under 33 CFR, with practical exercises. Courses are available online or on site and include role-specific certificates to support audit readiness.

– ABS Consulting

By Professional Mariner Staff