Digital outages are inevitable for any business. A chief executive of a marine transportation company asked this great question: “How do we keep our business, our vessels, and our people going and safe in the event of a general IT or cyber outage?” It’s a superb question that is centering for any business which is serious about being competitive, profitable, and safe in this time of increasing technology integration and interdependence.
On the waterfront, what makes maritime cybersecurity special is the varying blend of Information Technology (IT), Operational Technology (OT), Industrial Control Systems (ICS), and the Internet of Things (IoT) across cargo handling facilities and a wide variety of vessel types. For example, physical cargo handling systems or marine engines with remote access over the internet allow vendors, owners, and operators to reach machinery or voyage data, and even to perform remote maintenance and control functions. This is more prevalent with new monitoring technologies. A cyber-related outage of these systems can have physical effects, and that is the safety risk if it is not understood and managed. It calls for proactive risk management, with plans and precautions in place, no different from the long list of other risks we are already vigilant to and manage. The great thing is that the maritime professionals on board and in the business are already in place to be the first responders and make the appropriate decisions.
Maritime Transportation Security Act (MTSA)-regulated PVA members are now faced with the new U.S. Coast Guard maritime cybersecurity compliance requirements following the final 33 CFR 101 Subpart F rulemaking of July 2025, with a final implementation deadline of July 2027. Among the list of requirements is reporting cyber-related incidents. For many, this seemingly broad-brush stroke of requirements could be intimidating, while some requirements may be simpler to contend with than you think. You as the owner and operator know your business better than anyone, and what’s most important is for you to understand what your cyber risk exposures are and how you and your business will act in the time of an outage. If you know this, you can exceed the requirements of the regulations because you can draw upon the inspiration of protecting your business and operations, versus operating strictly to a compliance mindset.
In taking a step back from the tone of the regulation, any business (of any cyber maturity) should consider the following actions that are cost-effective (some are no-cost): perform a cyber resilience review (CRR), review your incident response plan (IRP), conduct a cybersecurity tabletop exercise (TTX), conduct an inventory of assets, such as OT, and perform training.
Consider a Cyber Resilience Review
The CRR is a lightweight guided self-assessment of a business’s cybersecurity program. Its purpose is to understand the current state of cybersecurity management for the services and associated assets that are critical to the company’s business at that point in time, and how the business manages risk both in normal times and in times of crisis. The CRR focuses on good practices of protection and sustainment within key areas that typically contribute to the overall cyber resilience of a business. “The CRR measures essential cybersecurity capabilities and behaviors to provide meaningful indicators of an organization’s operational resilience during normal operations and during times of operational stress,” per the Cybersecurity and Infrastructure Security Agency (CISA). The output of a CRR is an understanding of the gaps in security against the key controls, and recommendations on next steps for continuous improvement of the cybersecurity program. The CRR costs nothing if performed by the business itself or through CISA; it can also be facilitated by an outside cybersecurity service provider. CISA publishes a CRR fact sheet describing the assessment.
Review Your Incident Response Plan (IRP)
Do you have a plan and procedures to respond as a business in the event of a cyber-related outage? If not, there are a wide variety of templates you can download to get started. If you have one, is it up to date? How many in your organization know about it and have you exercised the plan? Do you have sufficient primary and alternate roles and points of contact?
An IRP review serves to identify gaps and areas for improvement in the plan. Simply put, it states what your business defines as an “incident,” how you respond, and actions taken internally and externally—such as reporting. These processes are executive decisions that can have significant implications. However, it’s a process that is tailored, applicable, and scalable to any size business. All PVA member companies should have an IRP and train to it.
Perform a Cybersecurity Tabletop Exercise (TTX)
In maritime we perform drills and exercises as a routine, and a cybersecurity TTX is no different: bring the business’s and/or vessel’s personnel and other stakeholders together as a cross-functional team to exercise against plausible scenarios, learn, and improve. A common cybersecurity TTX is to exercise the IRP against scenarios such as a corporate ransomware attack or an OT outage on a vessel. The key points of focus are the assignment of key roles to the right personnel, the team’s knowledge of whom to communicate with, what and when to report, and the actions detailed in the IRP. The TTX can be performed at no cost too, or can be facilitated by an outside provider. The outcome is learning how the business’s key personnel work together under its policies and procedures, with open dialog and learning to support continuous improvement and preparation.
OT Asset Inventory
You may or may not realize that the marine diesel engine on your vessel may have equipment that can communicate ashore to your office and to the original equipment manufacturer (OEM). Without cybersecurity, those with unauthorized access to your network can see that engine too, just like any other unprotected device on the Internet. To determine whether the cybersecurity provisions relating to OT apply to your business, be sure to know what you have below decks and in the wheelhouse. Does your equipment have software? Is it accessible from the internet, either directly or when a vendor boards your vessel to make updates with their own device? If yes, you have to account for the cybersecurity of that equipment. A simple inventory of what you have is the first step to knowing what to protect, and what should not be allowed.
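As an added illustration (not from the article or from True North), the short Python script below turns the two questions above into a structured inventory: each item records whether it runs software and by which paths it could be reached from outside the vessel, and the report flags what falls in scope. The equipment records and field names are constructed sample data, not a real vessel.

```python
"""Added example: a minimal OT asset inventory applying the article's two
questions (has software? reachable from outside?) to each item.
All records below are constructed sample data."""
from dataclasses import dataclass


@dataclass
class OTAsset:
    name: str                    # equipment as the crew knows it
    location: str                # "engine room", "wheelhouse", ...
    has_software: bool           # runs software/firmware that can be updated
    internet_direct: bool        # reachable over satcom/cellular/shore link
    vendor_device_access: bool   # a vendor plugs a laptop or dongle in for updates
    oem_remote_monitoring: bool = False  # OEM telematics/monitoring fitted


def exposure_paths(asset):
    """List the ways this asset could be reached from outside the vessel."""
    paths = []
    if asset.internet_direct:
        paths.append("direct internet")
    if asset.oem_remote_monitoring:
        paths.append("OEM remote monitoring")
    if asset.vendor_device_access:
        paths.append("vendor service device")
    return paths


def in_cyber_scope(asset):
    """The article's test: has software AND some path reaches it from outside."""
    return asset.has_software and bool(exposure_paths(asset))


def inventory_report(assets):
    """Every asset stays in the inventory; each is marked in/out of scope."""
    return {a.name: {"location": a.location,
                     "in_scope": in_cyber_scope(a),
                     "exposure": exposure_paths(a)} for a in assets}


SAMPLE_INVENTORY = [  # constructed sample data
    OTAsset("Main engine ECU", "engine room", True, False, True, True),
    OTAsset("ECDIS", "wheelhouse", True, True, True),
    OTAsset("Bilge alarm panel", "engine room", True, False, False),
    OTAsset("Manual fuel transfer valve", "engine room", False, False, False),
]

if __name__ == "__main__":
    for name, row in inventory_report(SAMPLE_INVENTORY).items():
        flag = "PROTECT" if row["in_scope"] else "record only"
        print(f"{name} ({row['location']}): {flag}; paths: {row['exposure']}")
```

Items that have software but no outside path (the bilge alarm panel here) stay in the inventory so a later change, such as a new monitoring link, is caught on the next review.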
Finally, be vigilant when repowering your vessels. There may be OEM equipment installed for monitoring, data collection, and maintenance functions. Ask the vendor the questions, and be sure the deployment is performed in accordance with International Electrotechnical Commission (IEC) 62443, the international standard for cybersecurity of control systems and OT, which is available from the IEC. Consider consulting an independent marine engineer and cybersecurity professionals for due diligence when working with the OEM.
Conduct Training
The market is flooded with affordable and practical cybersecurity training, including phishing campaigns, all designed to provide awareness and to address the minimum requirements of the Coast Guard regulation. Additionally, in-house developed training is required for key roles and responsibilities, and for specifics relating to OT. No matter how you choose to train your personnel, be sure to communicate what you want them to know in the time of an outage: how will we operate, who is in charge, and what is my role?
Conclusion
Regulation is uninspiring, but it was put in place to protect our nation’s maritime critical infrastructure and our people. PVA member businesses may be small in comparison to the large port facilities and internationally trading fleets of vessels, but we all share the channels and waterfronts. Protecting your business from unauthorized access from cyberspace is protecting your clients’ experience with you. This is where cybersecurity is an essential part of your value chain, and not a cost center.
True North, a new associate member of PVA, is a maritime cybersecurity managed security services provider with the mission of keeping the working waterfront moving by defending clients against cyber threat through assessments, operations, and advisory. Learn more here: truenorthusa.net.

Owner & Partner, True North Group LLC
Alex is a master mariner and a state maritime pilot in Massachusetts with 32 years of maritime operations experience. He has been working in maritime cybersecurity since 2013. He earned a B.S. in Marine Transportation from the Massachusetts Maritime Academy and an M.A. in Defense and Strategic Studies with a concentration in Information Operations and Cybersecurity from the U.S. Naval War College.
