Why Maritime Cyber Risk Assessment Matters Now

Maritime cyber risk assessment is no longer optional. Maritime cyber attacks increased 103% in 2025, with GPS spoofing now affecting over 40,000 vessels daily and the average attack costing $550,000. Three major regulatory frameworks now require vessel operators to conduct formal assessments of their cyber risk exposure, document the results, and demonstrate active mitigation. If your vessel trades internationally, you are almost certainly subject to at least one of these requirements - and likely all three.

The IMO's MSC-FAL.1/Circ.3 guidelines required cyber risk to be incorporated into Safety Management Systems from January 2021. The USCG's 33 CFR 101 Subpart F mandates a formal cyber risk assessment as part of vessel security plans, with enforcement already underway. And the EU's NIS2 Directive classifies maritime transport operators as essential entities, requiring comprehensive risk management measures including cyber risk assessment.

Despite these requirements, many vessel operators still treat cyber risk assessment as a paperwork exercise - a box to tick during the annual ISM audit. That approach creates real exposure. A proper maritime cyber risk assessment is a practical tool that identifies where your vessel is vulnerable, prioritises the threats that matter most, and guides your spending toward controls that actually reduce risk.

Who Needs a Maritime Cyber Risk Assessment

The short answer is almost every commercial vessel operator. The specific requirements vary by jurisdiction and flag state, but the convergence of international regulation means very few operators can avoid this obligation.

Even if your vessel does not fall neatly into one of these categories, P&I clubs and charterers are increasingly requesting evidence of cyber risk assessment as a condition of insurance coverage or charter party agreements.

The Risk Register - Likelihood Times Impact

At the heart of any maritime cyber risk assessment is the risk register. This is not a complex document - it is a structured list of identified cyber risks, each scored by two factors: how likely the risk is to occur, and how severe the impact would be if it did.

The standard approach uses a 5x5 matrix. Likelihood is scored from 1 (rare) to 5 (almost certain). Impact is scored from 1 (negligible) to 5 (catastrophic). Multiplying these gives a risk score between 1 and 25, which places each risk into a severity category - typically low (1-4), medium (5-9), high (10-15), or critical (16-25).

What makes this maritime-specific

A generic IT risk assessment will miss the threats that matter most on a vessel. Maritime cyber risk assessment must account for the unique operating environment: systems that cannot be patched at sea, satellite connectivity that limits monitoring capability, crew rotation that disrupts security continuity, and operational technology that was never designed to be networked.

Your risk register should categorise risks by system zone. Bridge systems, engine room systems, IT infrastructure, and safety systems each have different threat profiles, different impact severities, and different mitigation options. A ransomware infection on a crew entertainment system is a nuisance. The same malware reaching an ECDIS terminal is a safety event.
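The scoring and zoning described above, worked through as an added example (this is illustrative code written for this page, not part of the article or of any product it mentions). The severity bands are the article's own (low 1-4, medium 5-9, high 10-15, critical 16-25); the zone labels, the sample risks and the assumption that an implemented control is credited as a fixed reduction in likelihood or impact are constructed for the example.

```python
from dataclasses import dataclass, field

# Severity bands as the article defines them: score = likelihood x impact on a 5x5 matrix.
SEVERITY_BANDS = ((4, "low"), (9, "medium"), (15, "high"), (25, "critical"))


def severity(score: int) -> str:
    """Map a 1..25 risk score to its severity band."""
    if not 1 <= score <= 25:
        raise ValueError(f"risk score out of range: {score}")
    for upper, name in SEVERITY_BANDS:
        if score <= upper:
            return name


@dataclass
class Mitigation:
    name: str
    implemented: bool
    likelihood_reduction: int = 0   # points this control removes from likelihood (assumed model)
    impact_reduction: int = 0       # points this control removes from impact (assumed model)


@dataclass
class Risk:
    title: str
    zone: str            # hypothetical zone labels: bridge, engine_room, it, safety
    likelihood: int      # 1 rare .. 5 almost certain
    impact: int          # 1 negligible .. 5 catastrophic
    mitigations: list = field(default_factory=list)

    def __post_init__(self):
        for v in (self.likelihood, self.impact):
            if not 1 <= v <= 5:
                raise ValueError("likelihood and impact must be scored 1..5")

    def residual(self) -> tuple:
        """Likelihood and impact after implemented mitigations are credited (floor of 1)."""
        lik, imp = self.likelihood, self.impact
        for m in self.mitigations:
            if m.implemented:
                lik = max(1, lik - m.likelihood_reduction)
                imp = max(1, imp - m.impact_reduction)
        return lik, imp

    def score(self) -> int:
        lik, imp = self.residual()
        return lik * imp


def prioritised(register: list) -> list:
    """Register rows sorted highest residual score first: (title, zone, score, severity)."""
    rows = [(r.title, r.zone, r.score(), severity(r.score())) for r in register]
    return sorted(rows, key=lambda row: row[2], reverse=True)


def worst_by_zone(register: list) -> dict:
    """Highest residual score in each system zone, for a per-zone view of the register."""
    worst = {}
    for r in register:
        worst[r.zone] = max(worst.get(r.zone, 0), r.score())
    return worst


def sample_register() -> list:
    """Constructed example entries; the scores are illustrative, not a real vessel's assessment."""
    isolation = Mitigation("ECDIS on isolated bridge segment, USB ports locked", True,
                           likelihood_reduction=2)
    return [
        Risk("Ransomware on crew entertainment PC", "it", likelihood=4, impact=2),
        Risk("Ransomware reaching ECDIS terminal", "bridge", likelihood=3, impact=5,
             mitigations=[isolation]),
        Risk("GPS spoofing during port approach", "bridge", likelihood=4, impact=4),
        Risk("Malware via technician USB on engine monitoring", "engine_room", likelihood=3, impact=4),
    ]


if __name__ == "__main__":
    for title, zone, score, band in prioritised(sample_register()):
        print(f"{score:>2} {band:<8} {zone:<12} {title}")
```

Note how the two ransomware entries carry the same threat but land in different bands because of zone-specific impact: the crew PC scores 8 (medium), while the ECDIS entry is an inherent 15 (high) and only drops to 5 (medium) because the isolation control is marked as implemented. Flip that control back to `implemented=False` and the score returns to 15, which is the audit trail behaviour the later sections describe.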

Assessing OT vs IT Systems

One of the most common mistakes in maritime cyber risk assessment is treating all systems the same. Operational Technology and Information Technology have fundamentally different risk profiles, and your assessment must reflect that distinction.

IT systems on a vessel

IT systems include crew WiFi networks, email systems, administrative computers, satellite communication terminals, and business management applications. These systems are familiar - they use standard operating systems, connect to the internet, and face the same threats as shore-based IT infrastructure. Phishing emails, malware downloads, and weak passwords are the primary attack vectors.

OT systems on a vessel

OT systems include the Electronic Chart Display and Information System (ECDIS), engine management and monitoring systems, ballast water management systems, Global Maritime Distress and Safety System (GMDSS), Voyage Data Recorders (VDR), and dynamic positioning systems. These systems control physical processes. A compromise does not just lose data - it can affect vessel navigation, stability, or safety.

OT systems are increasingly networked, often sharing infrastructure with IT systems for data transfer, remote diagnostics, or shore-based monitoring. This connectivity creates attack paths that did not exist a decade ago. Your risk assessment must identify every connection point between IT and OT networks and evaluate the controls in place at each boundary.
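One way to make the "identify every IT/OT connection point" step concrete, as an added example (not the article's or any vendor's code): model the onboard systems and their links, list the links that cross the IT/OT boundary, and then walk the uncontrolled links to see which OT systems are reachable from each IT system. The inventory, link list and control labels below are constructed; treating any named boundary device as effective is an assumption for the example, and in an actual assessment the rule set of each firewall would itself be reviewed.

```python
from collections import deque

# Constructed inventory: system -> zone. Only the IT/OT split matters for the boundary check.
SYSTEMS = {
    "crew_wifi": "IT",
    "vsat_router": "IT",
    "admin_pc": "IT",
    "ecdis": "OT",
    "engine_monitor": "OT",
    "engine_control": "OT",
    "ballast_plc": "OT",
}

# Constructed links: (a, b, boundary_control). None means a flat, uncontrolled connection.
LINKS = [
    ("crew_wifi", "vsat_router", None),
    ("admin_pc", "vsat_router", None),
    ("vsat_router", "ecdis", "firewall"),        # chart updates over a filtered path
    ("vsat_router", "engine_monitor", None),     # remote diagnostics, no boundary device
    ("engine_monitor", "engine_control", None),
    ("engine_control", "ballast_plc", "data_diode"),
]


def it_ot_crossings(systems, links):
    """Every link whose endpoints sit in different zones, with whatever control sits on it."""
    return [(a, b, ctl) for a, b, ctl in links if systems[a] != systems[b]]


def uncontrolled_crossings(systems, links):
    """IT/OT crossings with no boundary control at all: the first finding for the register."""
    return [(a, b) for a, b, ctl in it_ot_crossings(systems, links) if ctl is None]


def _adjacency(links):
    adj = {}
    for a, b, ctl in links:
        if ctl is None:                 # only uncontrolled links propagate reach
            adj.setdefault(a, set()).add(b)
            adj.setdefault(b, set()).add(a)
    return adj


def ot_reachable_without_control(systems, links, start):
    """OT systems reachable from `start` over uncontrolled links only (breadth-first walk)."""
    adj = _adjacency(links)
    seen, queue, hits = {start}, deque([start]), set()
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt in seen:
                continue
            seen.add(nxt)
            if systems[nxt] == "OT":
                hits.add(nxt)
            queue.append(nxt)
    return sorted(hits)


def exposure_report(systems, links):
    """For each IT system, the OT systems reachable from it with no boundary control in the way."""
    return {s: ot_reachable_without_control(systems, links, s)
            for s, zone in systems.items() if zone == "IT"}


if __name__ == "__main__":
    print("IT/OT crossings:", it_ot_crossings(SYSTEMS, LINKS))
    print("uncontrolled:", uncontrolled_crossings(SYSTEMS, LINKS))
    for system, reach in exposure_report(SYSTEMS, LINKS).items():
        print(f"{system:<14} -> {reach}")
```

In this constructed layout the single uncontrolled crossing (the remote-diagnostics link into engine monitoring) is what exposes engine control to every IT system, while ECDIS stays unreachable behind the firewall and the ballast PLC behind the diode. Each entry in the exposure report maps directly to a risk register line and a mitigation to track.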

Common Maritime-Specific Cyber Threats

A credible maritime cyber risk assessment must address the threats that are specific to or amplified in the maritime environment. Generic corporate threat lists are not sufficient.

GPS spoofing and jamming

GPS spoofing involves transmitting false GPS signals to deceive a vessel's navigation systems. This can cause position errors that affect route planning, collision avoidance, and port approach. GPS jamming - simply blocking the signal - is even more common and can occur near conflict zones, contested waters, or during deliberate interference operations. Your risk assessment should evaluate how your vessel would detect and respond to GPS anomalies.
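The detection question the paragraph raises, worked as an added example (not code from the article): a plausibility check over consecutive GPS fixes that flags a position jump no ship could make in the elapsed time (a spoofing indicator) and a collapse in satellite count or dilution of precision (a jamming indicator). The fix format, the 30-knot ceiling and the sample track are constructed; a real bridge implementation would compare against the vessel's own maximum speed and cross-check against dead reckoning and radar.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_NM = 3440.065


@dataclass
class Fix:
    t: float        # seconds since start of the log
    lat: float      # degrees
    lon: float      # degrees
    sats: int       # satellites used in the solution
    hdop: float     # horizontal dilution of precision


def distance_nm(a: Fix, b: Fix) -> float:
    """Great-circle distance between two fixes (haversine), in nautical miles."""
    phi1, phi2 = math.radians(a.lat), math.radians(b.lat)
    dphi = phi2 - phi1
    dlam = math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(h))


def implied_speed_kn(a: Fix, b: Fix) -> float:
    """Speed the vessel would need to move from fix a to fix b in the elapsed time."""
    hours = (b.t - a.t) / 3600.0
    return distance_nm(a, b) / hours if hours > 0 else float("inf")


def analyse(fixes, max_speed_kn=30.0, min_sats=4, max_hdop=5.0):
    """Return (index, kind, detail) alerts for fixes a real ship could not have produced."""
    alerts = []
    for i in range(1, len(fixes)):
        prev, cur = fixes[i - 1], fixes[i]
        spd = implied_speed_kn(prev, cur)
        if spd > max_speed_kn:
            alerts.append((i, "implausible_speed", f"{spd:.0f} kn implied between fixes"))
        if cur.sats < min_sats or cur.hdop > max_hdop:
            alerts.append((i, "degraded_signal", f"sats={cur.sats} hdop={cur.hdop}"))
    return alerts


# Constructed sample: steady northbound track at about 14 kn, then a jump of roughly 30 nm in
# one minute (spoofing-like), then a fix with only two satellites and poor HDOP (jamming-like).
SAMPLE_FIXES = [
    Fix(0,   51.000, 1.000, 9, 0.9),
    Fix(60,  51.004, 1.000, 9, 0.9),
    Fix(120, 51.008, 1.000, 9, 0.9),
    Fix(180, 51.500, 1.000, 9, 0.9),
    Fix(240, 51.504, 1.000, 2, 20.0),
]


if __name__ == "__main__":
    for idx, kind, detail in analyse(SAMPLE_FIXES):
        print(f"fix {idx}: {kind}: {detail}")
```

A check like this belongs in the risk register as an existing or planned detective control against the GPS spoofing and jamming entries; the response side (switching to backup navigation, notifying the OOW) is procedural and is what the assessment should document alongside it.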

AIS manipulation

The Automatic Identification System broadcasts vessel identity, position, course, and speed. AIS data can be spoofed to create phantom vessels, hide real vessel positions, or trigger false collision alerts. While AIS manipulation is more commonly associated with state actors and sanctions evasion, it represents a real threat to situational awareness on the bridge.

Ransomware on bridge and engine systems

Ransomware remains the most likely cyber incident for most vessel operators. The maritime sector has seen numerous ransomware attacks, from the NotPetya incident that cost Maersk an estimated $300 million to targeted attacks on port management systems. Bridge systems running outdated Windows installations are particularly vulnerable, especially when they share network connectivity with crew systems or receive updates via USB drives from untrusted sources.

Compromised ECDIS

ECDIS terminals run on standard computing hardware, typically with Windows operating systems, and require regular chart updates that are often delivered via USB or network transfer. A compromised ECDIS could display incorrect chart data, suppress hazard warnings, or fail entirely during a critical navigation phase. Your risk assessment should evaluate the update process, network isolation, and backup navigation procedures for ECDIS systems.
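The update-process control the paragraph asks you to evaluate, shown as an added example (not the article's code and not any chart provider's actual distribution format): before an update delivered on removable media is applied, verify an authenticated manifest and then check that the media contains exactly the listed files with matching hashes, rejecting anything extra. The file names, file contents and the shared manifest key are constructed for the example; a real deployment would use a key provisioned on the terminal, or a signature from the chart provider, rather than a literal in code.

```python
import hashlib
import hmac
import json

# Constructed shared secret for the example only; not a real key.
MANIFEST_KEY = b"constructed-demo-key-not-for-real-use"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict, key: bytes):
    """Manifest = JSON of {name: sha256}, plus an HMAC tag over the manifest bytes."""
    manifest = json.dumps({name: sha256_hex(data) for name, data in sorted(files.items())},
                          sort_keys=True).encode()
    tag = hmac.new(key, manifest, hashlib.sha256).hexdigest()
    return manifest, tag


def verify_update(files: dict, manifest: bytes, tag: str, key: bytes):
    """Accept the update only if the manifest is authentic and the media matches it exactly."""
    expected = hmac.new(key, manifest, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, ["manifest HMAC mismatch: manifest altered or not from the expected source"]
    listed = json.loads(manifest)
    problems = []
    for name, digest in listed.items():
        if name not in files:
            problems.append(f"missing file: {name}")
        elif sha256_hex(files[name]) != digest:
            problems.append(f"hash mismatch: {name}")
    for name in files:
        if name not in listed:          # anything not in the manifest must not reach the terminal
            problems.append(f"unexpected file on media: {name}")
    return not problems, problems


def sample_media() -> dict:
    """Constructed stand-in for the contents of an update USB stick."""
    return {
        "CELL_A.000": b"<constructed chart cell bytes>",
        "RELEASE.TXT": b"constructed release notes",
    }


if __name__ == "__main__":
    media = sample_media()
    manifest, tag = build_manifest(media, MANIFEST_KEY)
    print(verify_update(media, manifest, tag, MANIFEST_KEY))
    media["AUTORUN.INF"] = b"<constructed unexpected file>"
    print(verify_update(media, manifest, tag, MANIFEST_KEY))
```

The order of checks matters: the manifest is authenticated first, so a tampered manifest cannot vouch for tampered files, and unexpected files are rejected even when every listed file is intact, which is the case a USB-borne infection would present.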

Social engineering targeting crew

Crew members are frequently targeted through phishing emails, fake WiFi networks in port, and social engineering via personal devices. The high turnover rate on many vessels means that security awareness varies significantly across crew rotations. USB devices brought aboard by crew or service technicians remain one of the most common vectors for introducing malware to vessel systems.

Building Your Risk Register - Practical Steps

A maritime cyber risk assessment does not need to be overwhelming. Follow a structured process and focus on the risks that are most relevant to your vessel type and trading pattern.

How NCoDE Command Makes Risk Assessment Manageable

NCoDE Command includes a purpose-built Risk Register module designed specifically for maritime cyber risk assessment. Rather than managing risk in spreadsheets that quickly become outdated, the Risk Register provides a structured, auditable, and continuously maintained assessment of your vessel's cyber risk posture.

The built-in 5x5 severity scoring matrix aligns with IMO, USCG, and classification society expectations. Each risk entry captures the threat description, affected systems, likelihood score, impact score, existing controls, planned mitigations, assigned owner, and target completion date. Risk scores are calculated automatically and risks are colour-coded by severity for immediate visibility.

Mitigation tracking links each risk to specific actions and monitors their completion status. When a mitigation is implemented, the risk score is automatically recalculated to reflect the improved posture. This creates a documented trail showing how your risk profile has improved over time - exactly the kind of evidence that auditors and inspectors want to see.

The Systems Inventory module feeds directly into risk assessment by providing a complete, categorised register of all onboard systems by zone. When a new vulnerability is discovered in a specific system type, you can immediately identify which vessels in your fleet are affected and update their risk scores accordingly.

For fleet managers and DPAs overseeing multiple vessels, NCoDE Command provides a consolidated view of risk across the fleet, highlighting vessels with elevated risk scores and overdue mitigations. This visibility is essential for prioritising resources and demonstrating due diligence to flag state administrators and P&I underwriters.