New Rules Will Jolt Maritime Cybersecurity Market Amid Geopolitical Anxiety
A Coast Guard rule imposing standards on operational technology systems in ports and larger U.S.-flagged commercial vessels is poised to supercharge the maritime cybersecurity market – a boon granted by concern that shipping is a weak target for a world roiled by mounting geopolitical tensions.
See Also: AI Impersonation Is the New Arms Race-Is Your Workforce Ready?
The new rule imposes broad requirements on maritime operators, who have until July 2027 to appoint a cybersecurity officer, conduct a cybersecurity assessment and draw up a cybersecurity plan for every vessel or facility covered. They’ve been required since July last year to report any cyber incidents to the Coast Guard’s National Response Center. Vessel staff should have received mandatory cybersecurity training by last January.
“We’ve already had customers approach us and say, ‘Hey, we have this coming up, can you help us interpret what this is telling us to do? Can you tell us what we’re missing?'” said Elan Alvey, associate principal industrial consultant for Dragos, an OT cybersecurity vendor. “They’re asking the right questions,” he told ISMG.
The new rules will help cybersecurity professionals in shipping companies make a business case for the resources they need, said Michael DeVolld, senior director of maritime cybersecurity at ABS Consulting.
New compliance requirements were an “opportunity to argue for the budget they need to do the security that they already know they need,” he said.
But, he added, the sector needs additional guidance from the Coast Guard on definitions and best practices. “The whole industry is waiting for the Coast Guard to put out their policy on what a good pen testing looks like. … They haven’t put out what they expect to see for the risk assessment. They haven’t shown people what a good cybersecurity plan looks like,” he said.
The Coast Guard has estimated the total cost of the new maritime transportation system rule to average $134.5 million a year or $1.2 billion total over 10 years, taking account of currency depreciation.
According to Valor Consultancy, a market intelligence firm, the entire global market for cybersecurity services in the maritime sector was just $186 Million in 2024, meaning as the costs of the new rule emerge, they are likely to drive substantial growth.
Growth in the maritime cybersecurity market for cybersecurity services, although substantial, will still have limits such as the determination of large shipping companies not to outsource their security operation centers. Pressured by costs, “many ship owners opt for more cost-effective, self-managed security solutions,” Valor concluded.
An in-house approach can work for shipping, said DeVolld, because of the need for compliance with the new rule to reflect operational relevance as well. The rule requires the cybersecurity officer to have operational expertise, and “it’s easier to take a maritime person that understands the industry, understands the operations and train them on the cyber piece, than to take a cyber person who’s never set foot on a vessel or in one of these facilities, and try to get them to understand how maritime operates,” DeVolld said.
Sandro Delucia, director of commercial maritime products at connectivity vendor Speedcast, said that smaller shipping lines may have little choice to outsource. There’s an “extensive variance between the Maersk’s of this world, and even smaller commercial fleets,” he said. Not every firm covered by the Coast Guard regulation is a multi-billion, multinational with its fingers in multi-modal transport systems. Smaller firms typically have a small IT team running a managed IT environment, with no dedicated cybersecurity resources. “These are already quite burdensome, stressful environments and now with new cybersecurity requirements that they have to deal with,” he said and it isn’t clear they’d be able to manage that in-house.
Questions Over Enforcement
The new rules align with global standards imposed by the International Maritime Organization, and the Coast Guard has promised an aggressive campaign of cyber standards enforcement against foreign-flagged vessels, in addition to its role ensuring compliance by U.S. operators.
But almost 15,000 vessels and facilities will be covered by the new regulations, and a big question for industry is whether the Coast Guard has the capability to meaningfully enforce them, one retired senior national security official told ISMG.
“I don’t know that they have the manpower for that,” the retired official said.
Although the agency received a largest ever funding injection – nearly $25 billion – in the Trump administration’s massive spending bill last year, it has, in common with other government agencies, wrestled with recruiting and training sufficient numbers of properly-qualified cyber specialists, according to a government audit last year.
The Coast Guard, the oldest continuously existing U.S. military service, is a part of the Department of Homeland Security, which has been shut down as a result of a congressional stand-off over funding. The service’s public affairs office was unable to respond by press time to ISMG’s questions.
But the service, which has long enforced safety and physical security rules on the nation’s shipping and ports, has been preparing for its cyber role for years, said retired Rear Adm. John Mauger, who held many senior cyber and enforcement roles at the Coast Guard prior to his retirement in 2024.
The agency has been appointing civilian cybersecurity specialists to advise its captains of port, who are responsible for enforcement on the ground, and building up a handful of skilled cyber protection teams in regional centers, said Mauger, now a consultant in the private sector.
“There will be a layered approach to compliance. There are personnel in the field who have a basic understanding. … They can call back and get additional technical support from their national and regional cyber protection teams,” he explained.
“There is a process in place already,” said ABS consultant DeVolld, also a former Coastie, “Every vessel, every facility, already gets these routine inspections on an annual basis,” he said, suggesting the Coast Guard would “tag on the cyber piece” to these already existing inspections.
The Coast Guard Auxiliary, a volunteer force, allows the Coast Guard to “leverage talent from the National Security Agency, from major cybersecurity providers, from individuals who desire to give back to their nation,” Mauger said. Although they are not allowed to participate directly in compliance activities, auxiliaries could offer technical advice to the captain of the port and conduct training for Coast Guard service members and industry.
But at the end of the day, Mauger acknowledged, the new rule “like any regulatory system, relies heavily on ensuring that the owners and operators are the ones that are responsible for their security.”
From Espionage to Sabotage
The maritime sector threat is no longer hypothetical. Global shipping giant Maersk was notoriously one of the biggest victims of the Not Petya cyber plague in 2017, which originated as a Russian intelligence cyberattack against Ukrainian businesses. Ransomware gangs have increasingly targeted vessel operators the same way they target everyone else – indiscriminately.
Reports from cybersecurity vendors in the maritime industry, perhaps unsurprisingly, record dramatic rises in the frequency and severity of cyberattacks in the sector. South Korean maritime cybersecurity vendor CYTUR said in February that cyberattacks on its customers last year more than doubled, from 408 to 828, the vast majority DDoS or ransomware attacks, apparently from crime groups.
In 2024, Eset reported on a targeted campaign by a China-aligned cyberespionage threat actor it tracks as Mustang Panda, that used USB sticks to get malware onto air-gapped or segmented shipboard systems, so it could spy on vessels navigation and cargo data.
The stakes rose dramatically at the end of last year, when French authorities arrested a Lithuanian seaman who was crewed aboard an Italian-owned passenger ferry. Prosecutors said the malware he introduced to the ferry’s bridge workstation could have allowed an attacker to “take control” of the vessel, adding they were investigating the case as a bid “by an organized group to attack an automated data-processing system, with the aim of serving the interests of a foreign power.”
Assessments by the Coast Guard found that U.S. facilities and vessels were extremely vulnerable, said DeVolld.
And that prospect is alarming because of the degree to which the U.S. military would rely on civilian port infrastructure to move troops and materiel into the Asia-Pacific theatre in the event of a military conflict with China, the retired senior national security official said
“Can you imagine the damage you could do, if you could get control of a half dozen container ships” and smash them into piers at a U.S. port like Long Beach?”
