Recognizing the growing cyber threats from adversaries targeting the U.S. Marine Transportation System, the U.S. Coast Guard (USCG) will increase Port State Control (PSC) inspections focused on signs of poor cybersecurity practices, especially those affecting International Safety Management (ISM) Code compliance on foreign-flagged vessels. This heightened scrutiny could lead to deficiencies requiring correction, vessel detention, denial of entry, or actions by the Captain of the Port (COTP) to regulate vessel movement. These measures aim to protect and defend U.S. ports, waterways, and shipping interests while maintaining maritime dominance.
Understanding how maritime security evolved in the early 2000s helps contextualize current cybersecurity efforts. When the Maritime Transportation Security Act (MTSA) was enacted in 2002, it primarily aimed to enhance physical security at U.S. ports and maritime infrastructure through measures such as restricted-area controls, surveillance, access checks, personnel ID verification, and cargo screening to deter threats like terrorism. It also incorporated administrative components such as security plans, vulnerability assessments, and port-wide security committees. Originally, MTSA was a national response to 9/11, assuming threats were physical, visible, and geographically confined. Although today’s maritime risks extend beyond physical boundaries, the layered defense principles established by MTSA continue to shape how the industry approaches cybersecurity and adapts to the evolving attack surface.
- Immediately upon the effective date of July 16, 2025, all reportable cyber incidents must be reported to the National Response Center.
- By January 12, 2026, and annually thereafter, all personnel must complete the training specified in 33 CFR 101.650.
- By July 16, 2027, owners and operators must designate the Cybersecurity Officer, conduct the Cybersecurity Assessment, and submit the Cybersecurity Plan for approval.
Maritime operations are increasingly susceptible to cyber incidents that can cause loss of system availability, operational disruption, or safety hazards. Broadly, a cyber incident is an occurrence that negatively impacts the confidentiality, integrity, or availability of information, an information system, or any operational technology in the environment. More specifically, it includes a breach that creates a safety concern, disrupts cargo operations, grants unauthorized access to shipboard or other critical computer systems, or results in the loss of confidential data.
Key cyber incidents that have affected the Maritime Transportation System (MTS) include:
- Ransomware/Malware
  - 2017: The NotPetya attack on A.P. Moller-Maersk caused approximately $300 million in losses by disabling critical IT systems used for cargo tracking, terminal operations, and logistics. Maersk ultimately had to halt port operations worldwide and rebuild its entire infrastructure, as the malware wiped over 40,000 PCs and 4,000 servers.
- Global Positioning System (GPS) and Global Navigation Satellite System (GNSS) Attacks
  - 2025: The container ship MSC Antonia ran aground in the Red Sea, south of Jeddah Port, after a GPS spoofing incident made the vessel appear to be hundreds of miles south of its actual location. The cargo was delayed for several days while the vessel was freed from shallow water.
- Supply Chain Attacks
  - 2023-2024: Vendors and/or service providers introduced Remote Access Trojan (RAT) malware into shipping companies operating vessels in Greece, Norway, and the Netherlands. It is believed that third parties carried the malware onto ship systems on removable media (USB devices) used during routine service activities. This gave an advanced persistent threat (APT) group an initial presence that spread across onboard systems and enabled remote access. At the time of discovery, the deployment was still at an early stage and the attackers had not achieved full operational control. Although there were indications that machinery monitoring systems and navigation functions may have been affected, the intrusion was limited because the threat group had not yet established a solid foothold.
The Cybersecurity Officer (CySO) is designated by the owner or operator of the U.S.-flagged vessel, facility, or Outer Continental Shelf facility, in line with existing MTSA roles such as the Facility Security Officer. The role is filled internally, not by the government or the Coast Guard.
The qualifications for the CySO role are robust. The individual must have knowledge of both cybersecurity and maritime operations, must be able to guide and enforce cybersecurity best practices, conduct audits, monitor systems, and provide training, and must understand maritime environments, operations, and operating conditions.
Some of the main responsibilities of CySOs are ensuring the Cybersecurity Assessment is completed and followed, the development and implementation of the Cybersecurity Plan, execution of the Cybersecurity Incident Response Plan (CSIRP), and cybersecurity training of personnel.
The Coast Guard provides definitions for a U.S.-flagged vessel, an Outer Continental Shelf (OCS) facility, and a facility that determine who is covered by the regulation.
Three requirements stand out as uncommon for a purely technical cybersecurity role, and reflect the maritime security origins of this framework:
- General vessel, facility, or OCS facility operations and conditions: The CySO must understand the physical and operational environment they are protecting, not just the IT/OT systems within it. This is rare in standard cybersecurity compliance and reflects the convergence of physical and cyber risk in maritime contexts.
- Handling of Sensitive Security Information (SSI) and security-related communications: SSI is a federally designated category of protected information unique to transportation security (TSA/Coast Guard frameworks). Managing and protecting SSI goes well beyond the typical data classification requirements seen in most cyber compliance regimes.
- Recognizing characteristics and behavioral patterns of persons likely to threaten security: This is a traditional physical security and counterterrorism competency, borrowed directly from vessel and facility security officer training. It is virtually unheard of as a cybersecurity officer qualification and signals that this role bridges both the human/behavioral threat landscape and the digital one.
Together, these three requirements make the CySO role distinctly maritime and homeland security-influenced, not a standard enterprise CISO or cybersecurity compliance function.
To meet the regulation, vessel and facility operators must formally document and maintain a comprehensive set of minimum cybersecurity measures in their Cybersecurity Plans. These measures span all major security domains:
- Account security measures
- Device security measures
- Data security measures
- Cybersecurity training for personnel
- Risk management
- Routine system maintenance
- Supply chain
- Resilience
- Network segmentation
- Physical safeguards
In practice, operators must document how they implement baseline controls, such as secure account management, hardware and software inventories, cybersecurity awareness training, and vulnerability assessments. These measures must be kept active, verifiable, and accessible for Coast Guard review. The regulation requires not just the existence of these protections but also their consistent documentation, application, periodic validation, and integration into a continuous cybersecurity management program. This program should cover daily operations, as well as preparation for and response to cyber incidents.
At Dragos, we regularly collaborate with regulatory agencies and provide input on their requirements. Our team includes subject-matter experts (SMEs) who worked at utilities while regulations were being implemented. We also perform an annual assessment across critical infrastructure sectors to identify emerging trends, and our findings indicate that regulated industries are generally better protected. We cannot definitively attribute this to regulatory compliance, but the Dragos blog SANS State of OT Security 2025: What the Data Tells Us shows that Oil and Gas (O&G) and NERC/CIP-regulated companies reported notably lower financial losses and safety impacts while experiencing incident rates comparable to others in the same sector.
In another example, companies regulated by NERC/CIP consistently outperform those in other industries across the tracked categories. Although Dragos has not fully correlated regulation with the reported findings, there is some evidence that regulations do have an impact.
Interestingly, the USCG and the Transportation Security Administration (TSA) both fall under the Department of Homeland Security (DHS), but the MTSA regulation is more in-depth than the TSA’s. In this blogger’s opinion, the MTSA is more like the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC/CIP). Specifically, the MTSA imposes more requirements on selected Cybersecurity Officers and on the auditing of ports and maritime infrastructure than the TSA’s Security Directives.
Three of the biggest issues Dragos finds customers running into while implementing massive projects, whether that’s a new regulation, a control system overhaul, or a major security program, are: cost, trained workforce, and the sheer number of moving parts. This writer has yet to meet a customer who doesn’t need more money or a bigger team.
That reality is exactly why Dragos approaches regulations like the new MTSA through a crawl, walk, run framework. The idea is straightforward: rather than trying to solve everything at once and running headfirst into all three of those obstacles simultaneously, you build capability progressively.
Crawl is about establishing awareness and foundational understanding, knowing what you have and what the regulation is asking before you start making decisions.
Walk is where you begin structured implementation, turning that awareness into documented processes, architectural decisions, and assigned accountability.
Run is where the program matures, where controls are tested under real conditions, gaps are actively closed, and compliance becomes operational discipline rather than a project with a deadline.
No organization gets to run without crawling first. The framework isn’t a shortcut; it’s a sequencing strategy that makes a complex regulation manageable without efforts stalling on cost, staffing, or scope. Below is an example of what you can expect in future blogs, but we’ll go deeper and include lessons learned and practical examples.
A Closer, But Not Full, Look at Network Segmentation
Network segmentation is a logical starting point because it underpins nearly every other requirement in the regulation, and the core concept applies equally to vessel and facility environments. It is also one of the areas where the gap between how a network was originally designed and how it operates today is typically the widest.
Crawl: At this stage, the goal is simple: understand what you actually have. Most environments drift over time—systems get added, vendors plug in remotely, and undocumented connections accumulate. The crawl phase is about establishing a truthful picture of your current network posture so you can see where assumptions differ from reality. That gap is often where the highest risk lives.
Walk: Once you know what you’re working with, you can begin making intentional architectural decisions. This means defining what should communicate, what shouldn’t, and where controls need to exist. The walk phase shifts you from inherited, organically grown networks to purpose‑built designs that reflect a deliberate security posture.
Run: In the run phase, design becomes discipline. Segmentation and other controls are validated under real conditions to ensure boundaries hold when it matters most. The focus moves from drawing lines on diagrams to confirming that they function as intended, can detect deviations, and support continuous operations.
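As an added example (not Coast Guard guidance or Dragos code), the following Python script performs the crawl-to-run comparison described above on constructed data: a documented zone map and list of permitted conduits stand in for the design, and a handful of observed flow records stand in for reality. It reports inter-zone traffic the design does not permit and devices that fall in no documented zone, which are exactly the gaps the crawl phase is meant to surface. All zone names, address ranges, ports, and flow lines are assumptions made for illustration.

```python
"""Segmentation reality check: compare observed traffic with the intended zone design.

Added illustrative example, not Coast Guard guidance or Dragos code. Every
zone, address range, port and flow record below is constructed sample data.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Crawl: the documented picture of the network. Zone names and ranges are assumptions.
ZONES = {
    "bridge_nav":    ip_network("10.10.1.0/24"),    # ECDIS, radar, GNSS receivers
    "engine_ot":     ip_network("10.10.2.0/24"),    # machinery monitoring / alarm systems
    "crew_it":       ip_network("10.20.0.0/16"),    # business and crew workstations
    "remote_vendor": ip_network("203.0.113.0/24"),  # vendor jump hosts (RFC 5737 doc range)
}

# Walk: the intended conduits. (source zone, destination zone) -> permitted destination ports.
# Any inter-zone pair not listed here, or listed with an empty set, is not allowed.
POLICY = {
    ("remote_vendor", "engine_ot"): {22},   # vendor maintenance over SSH only
    ("engine_ot", "crew_it"):       {443},  # historian export to the shore-reporting app
    ("crew_it", "bridge_nav"):      set(),  # explicitly nothing from crew IT to navigation
}

# Constructed flow log: "timestamp src_ip dst_ip dst_port" per line, e.g. from a passive tap.
SAMPLE_FLOW_LOG = """\
2025-09-01T08:00:01Z 10.20.5.17   10.10.1.4   445
2025-09-01T08:00:05Z 203.0.113.9  10.10.2.30  22
2025-09-01T08:01:12Z 203.0.113.9  10.10.2.30  3389
2025-09-01T08:02:40Z 10.10.2.30   10.20.1.2   443
2025-09-01T08:03:09Z 192.168.77.5 10.10.1.4   80
2025-09-01T08:03:10Z 10.10.1.4    10.10.1.5   10110
"""


def parse_flow_log(text):
    """Parse flow lines into (src, dst, port) tuples, skipping blank or malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, src, dst, port = parts
        flows.append((src, dst, int(port)))
    return flows


def zone_of(ip):
    """Return the documented zone containing ip, or None if no zone claims it."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def check_flows(flows):
    """Run: classify each observed flow against the design.

    allowed    - intra-zone traffic, or inter-zone traffic on a permitted port
    violations - inter-zone traffic the policy does not permit (design vs. reality gap)
    unknown    - at least one endpoint lies outside every documented zone (inventory gap)
    """
    result = {"allowed": [], "violations": [], "unknown": []}
    for src, dst, port in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone is None or dst_zone is None:
            result["unknown"].append((src, dst, port))
        elif src_zone == dst_zone or port in POLICY.get((src_zone, dst_zone), set()):
            result["allowed"].append((src, dst, port))
        else:
            result["violations"].append((src, dst, port, src_zone, dst_zone))
    return result


def violations_by_conduit(result):
    """Aggregate violations into {(src_zone, dst_zone): sorted ports} for the architecture review."""
    summary = defaultdict(set)
    for _src, _dst, port, src_zone, dst_zone in result["violations"]:
        summary[(src_zone, dst_zone)].add(port)
    return {pair: sorted(ports) for pair, ports in summary.items()}


if __name__ == "__main__":
    report = check_flows(parse_flow_log(SAMPLE_FLOW_LOG))
    for pair, ports in violations_by_conduit(report).items():
        print(f"VIOLATION {pair[0]} -> {pair[1]} on ports {ports}")
    for src, dst, port in report["unknown"]:
        print(f"UNKNOWN device in flow {src} -> {dst}:{port}; add it to the inventory or remove it")
```

On the sample data the script flags SMB from a crew workstation to an ECDIS host and RDP from the vendor range to a machinery monitor as violations, and an address in no documented zone as an inventory gap. In practice the flow records would come from a span port or passive monitoring sensor rather than a string, and the policy table would be the documented conduit list from the Cybersecurity Plan; the point is that the same comparison can be re-run continuously so that drift shows up as a finding rather than as a surprise during an inspection.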
This series will break down each of these stages across key MTSA requirements, offering practical guidance and lessons learned without overcomplicating the journey.
The most alarming insight from the MTSA is that our sea-based assets are not just vulnerable to ransomware; they are prime targets for nation-state threat groups and insiders with malicious intent. While the MTSA requirements are a decent starting point, relying on compliance alone leaves critical gaps in your defenses. If you want to truly understand your vulnerabilities and fortify your environment, contact the Dragos Sales team today to request a comprehensive review by our experts.