What IT and OT Mean on a Vessel
Every modern commercial vessel operates two fundamentally different categories of digital systems. Understanding the distinction between them is the starting point for any meaningful cyber security program, because the threats, vulnerabilities, and consequences are entirely different for each.
Information Technology - IT
IT systems on a vessel handle data. They are the systems that crew and shore-based staff use for communication, administration, and business operations. On a typical vessel, IT systems include:
- Crew WiFi and internet access - Personal browsing, messaging, and entertainment for crew during off-duty hours
- Email and messaging - Communication between vessel and shore office, port agents, charterers, and suppliers
- Business systems - Planned maintenance systems, procurement software, payroll, and administrative applications
- Satellite communication terminals - VSAT, Fleet Broadband, or cellular connections providing WAN connectivity
- Office workstations - Computers used for administrative tasks, documentation, and reporting
IT systems on a vessel face the same threats as any corporate IT environment - phishing, malware, ransomware, data theft, and unauthorized access. The key difference is that vessel IT operates over expensive, bandwidth-constrained satellite links with limited shore-based support. A ransomware infection that might take an office IT team an afternoon to remediate could leave a vessel without email and business systems for days while at sea.
Operational Technology - OT
OT systems control physical processes. They are the systems that keep the vessel navigating safely, the engines running, and safety equipment functioning. On a typical vessel, OT systems include:
- ECDIS - Electronic Chart Display and Information System, the primary navigation tool on most modern vessels
- Engine management systems - Monitoring and control of main engines, generators, fuel systems, and propulsion
- Ballast water management - Automated ballast water treatment and transfer systems
- GMDSS - Global Maritime Distress and Safety System, including EPIRB, SART, and DSC radio equipment
- VDR - Voyage Data Recorder, capturing bridge audio, radar imagery, AIS data, and navigation parameters
- Dynamic positioning - Automated station-keeping systems on offshore vessels and specialized ships
- Cargo management - Loading computers, tank gauging systems, and cargo monitoring equipment
- Alarm and monitoring systems - Bridge and engine room alarm systems, fire detection, and safety monitoring
The critical distinction is that a compromise of OT systems can have physical consequences. An IT breach might expose data or disrupt communication. An OT breach could affect navigation accuracy, engine performance, stability calculations, or safety system functionality. The stakes are fundamentally different.
Why Maritime OT Systems Are Increasingly Vulnerable
For decades, maritime OT systems were effectively air-gapped - physically isolated from external networks and running proprietary protocols that were difficult to attack. That era is over. Several converging trends have dramatically increased the attack surface of vessel OT systems.
Connectivity for remote monitoring
Ship owners and managers increasingly want real-time access to vessel performance data from shore. Engine manufacturers offer remote diagnostics. Classification societies accept electronic survey data. Charter parties may require automated reporting. All of this requires OT systems to send data through the vessel's network to shore-based servers, creating pathways that did not exist before.
Shared network infrastructure
On many vessels, IT and OT systems share the same physical network infrastructure - switches, routers, and cabling. While logical segmentation (VLANs) may separate the traffic, misconfigured switches, flat network architectures, or "temporary" connections that become permanent mean that the boundary between IT and OT is often weaker than operators believe. A compromised crew laptop on the WiFi network may be only a misconfigured firewall rule away from the ECDIS terminal.
Standard operating systems
Modern maritime OT systems increasingly run on standard operating systems - primarily Windows. ECDIS terminals, engine monitoring displays, and loading computers often run Windows 7, Windows 10, or Windows-based embedded systems. These systems are vulnerable to the same malware, exploits, and vulnerabilities that affect any Windows computer. The difference is that patching a bridge workstation is far more complex than patching an office PC - updates must be type-approved, tested, and applied during maintenance windows that may be months apart.
USB-based updates
Many OT systems receive software updates and data transfers via USB devices. Chart updates for ECDIS, software patches for engine management systems, and configuration changes are routinely delivered on USB drives. If those drives are not scanned before use - or if they are prepared on compromised shore-based computers - they become a direct path for malware into safety-critical systems.
Real Incidents - What Has Actually Happened
Maritime OT/IT security is not a theoretical concern. Real incidents have demonstrated the consequences of inadequate protection.
NotPetya and Maersk - 2017
The NotPetya attack in June 2017 was not targeted at shipping, but Maersk was one of its most prominent victims. The malware entered through a Ukrainian tax software update and spread across Maersk's global network within hours. The impact was devastating: 49,000 laptops, over 1,000 applications, and the company's entire booking system were taken offline. Maersk estimated the total cost at $250-300 million. Port terminals were forced to process cargo manually. Vessels could not load or unload. The incident demonstrated how quickly a cyber event on shore-side IT systems could cascade into operational disruption across an entire fleet.
Ransomware targeting port systems
Multiple port facilities have been hit by ransomware attacks that disrupted terminal operations. The Port of San Diego in 2018, the Port of Barcelona in 2018, and South Africa's Transnet in 2021 all experienced ransomware incidents that affected port management systems, cargo tracking, and terminal operations. While these were primarily IT attacks on shore-based systems, they demonstrated the maritime sector's vulnerability and the operational consequences of system unavailability.
Navigation system compromises
There have been documented cases of ECDIS systems infected with malware, navigation displays showing incorrect data due to GPS spoofing, and vessel networks compromised through infected chart update USB drives. While many of these incidents did not result in casualties, they demonstrated viable attack paths against safety-critical navigation systems. In one reported case, a new-build vessel was delayed from delivery because its navigation systems were found to be infected with malware before the vessel left the shipyard.
Network Segmentation - The Foundation of Maritime Cyber Security
Network segmentation is the single most important technical control for maritime cyber security. The principle is straightforward: IT systems, OT systems, and crew/guest networks should be separated so that a compromise in one zone cannot spread to the others.
In practice, this means maintaining at least three distinct network zones on the vessel:
- OT zone (Bridge/Engine) - Navigation systems, engine management, safety systems, and other operational technology. This zone should have the most restrictive access controls and the least connectivity to external networks.
- IT zone (Business) - Administrative workstations, email, planned maintenance systems, and business applications. This zone needs internet connectivity but should be isolated from OT systems.
- Crew/Guest zone - Personal devices, crew WiFi, entertainment systems. This zone should be completely isolated from both OT and business IT systems.
Segmentation must be enforced at the network level with properly configured firewalls, VLANs, and access control lists. Critical OT systems should not be accessible from the crew WiFi network under any circumstances. Data flows between zones - such as performance data from engines to shore-based monitoring - should pass through controlled, monitored gateways with strict protocol-level filtering.
USCG 33 CFR 101.650(d) specifically requires network security measures including segmentation. Classification societies offering cyber security notations assess network architecture as a key component of their evaluations. This is not optional for compliant vessels.
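The zone model above can be checked mechanically against what actually crosses the vessel network. The following is an added example, not code from the original page or from NCoDE Command: it assumes a constructed address plan (one /24 per VLAN), a hypothetical OT data gateway at 10.10.0.254, and router flow records in a simple `key=value` form; the sample flow lines are constructed for illustration. The only OT-to-shore path it permits is the gateway, matching the "controlled, monitored gateways" requirement.

```python
"""Segmentation policy check over constructed flow records.

Zones follow the three-zone model from the text (OT, IT, CREW) plus a WAN
pseudo-zone for the satellite link. Each record is treated as a connection
initiation, so direction matters: CREW may reach WAN, but never OT.
"""
import ipaddress

# Constructed address plan (assumption: one /24 per VLAN). Not from the page.
ZONE_NETS = {
    "OT":   ipaddress.ip_network("10.10.0.0/24"),   # bridge / engine VLAN
    "IT":   ipaddress.ip_network("10.20.0.0/24"),   # business VLAN
    "CREW": ipaddress.ip_network("10.30.0.0/24"),   # crew WiFi VLAN
}
# Hypothetical OT data gateway: the only OT host permitted to talk to shore.
GATEWAY = ipaddress.ip_address("10.10.0.254")

# Permitted initiation directions: source zone -> allowed destination zones.
# OT -> WAN is not listed here; it is allowed only from GATEWAY (see check_flow).
POLICY = {
    "OT":   {"OT"},
    "IT":   {"IT", "WAN"},
    "CREW": {"CREW", "WAN"},
    "WAN":  set(),   # nothing initiated from shore may enter unsolicited
}


def zone_of(ip_str):
    """Map an address to its zone; anything outside the vessel VLANs is WAN."""
    ip = ipaddress.ip_address(ip_str)
    for name, net in ZONE_NETS.items():
        if ip in net:
            return name
    return "WAN"


def parse_flow(line):
    """Parse a 'src=... dst=... proto=... dport=...' record into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def check_flow(line):
    """Return None if the flow is permitted, else a violation description."""
    f = parse_flow(line)
    src, dst = f["src"], f["dst"]
    sz, dz = zone_of(src), zone_of(dst)
    if dz in POLICY[sz]:
        return None
    # Explicit exception: the OT gateway may push performance data to shore.
    if sz == "OT" and dz == "WAN" and ipaddress.ip_address(src) == GATEWAY:
        return None
    return (f"{sz}->{dz} not permitted: {src} -> {dst}:"
            f"{f.get('dport', '?')}/{f.get('proto', '?')}")


def audit(lines):
    """Evaluate every record and return the list of violations."""
    return [v for v in (check_flow(line) for line in lines) if v]


# Constructed sample records, in the order a router might log them.
SAMPLE_FLOWS = [
    "src=10.30.0.17 dst=203.0.113.10 proto=tcp dport=443",   # crew laptop -> internet: ok
    "src=10.30.0.17 dst=10.10.0.5 proto=tcp dport=445",      # crew laptop -> ECDIS: violation
    "src=10.10.0.254 dst=203.0.113.50 proto=tcp dport=443",  # OT gateway -> shore: ok
    "src=10.10.0.20 dst=203.0.113.50 proto=tcp dport=443",   # engine HMI direct -> shore: violation
    "src=10.20.0.8 dst=10.10.0.5 proto=tcp dport=3389",      # business PC -> ECDIS: violation
]

if __name__ == "__main__":
    for violation in audit(SAMPLE_FLOWS):
        print("ALERT:", violation)
```

The policy is a deny-by-default matrix: anything not listed is a violation, which is the posture the text asks for when it says OT must not be reachable from crew WiFi "under any circumstances". A real deployment would replace the constructed address plan with the vessel's actual VLAN assignments from the systems inventory.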
How to Inventory and Classify OT vs IT Assets
You cannot protect what you do not know you have. A comprehensive systems inventory is the foundation of both OT and IT security on a vessel. Many operators are surprised by what they find when they conduct a thorough inventory - forgotten test systems, legacy equipment still connected to the network, and undocumented connections between zones.
An effective maritime systems inventory should capture:
- System identification - Make, model, serial number, and location on the vessel
- Classification - Whether the system is IT or OT, and which vessel zone it belongs to (Bridge, Engine Room, IT Room, Accommodation)
- Operating system - Version number and patch level, including end-of-life status
- Network connectivity - IP address, VLAN assignment, and what other systems or zones it can communicate with
- Update mechanism - How software updates are delivered (network, USB, vendor service visit) and how frequently they are applied
- Criticality - Whether the system is safety-critical, operationally important, or administrative
- Owner - Who is responsible for maintaining and securing the system
This inventory should be reviewed and updated at least annually, and whenever systems are added, removed, or modified. It forms the basis of your risk assessment, vulnerability management, and incident response planning.
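The inventory fields listed above are only useful if someone reviews them against the risks the page describes: end-of-life operating systems on safety-critical equipment, OT systems reachable from the accommodation (crew) zone, USB-delivered updates, and records that have gone stale or were never completed. The following added example (not code from the page or from NCoDE Command) runs such a review over a constructed inventory; the record layout, field names, and the four sample systems are assumptions made for illustration.

```python
"""Review a vessel systems inventory for the gaps the text warns about."""
from datetime import date

# Fields every record must carry (constructed schema, not the page's own).
REQUIRED = ("id", "make", "model", "type", "zone", "os", "os_eol",
            "update_mechanism", "criticality", "owner", "last_reviewed")
CREW_ZONE = "Accommodation"   # the page's name for the crew/guest area
REVIEW_INTERVAL_DAYS = 365    # "reviewed and updated at least annually"

# Constructed sample inventory. Vendor names are placeholders.
INVENTORY = [
    {"id": "ECDIS-1", "make": "VendorA", "model": "NavX", "type": "OT",
     "zone": "Bridge", "os": "Windows 7", "os_eol": True,
     "update_mechanism": "USB", "criticality": "safety-critical",
     "owner": "2/O", "last_reviewed": "2025-01-15",
     "reachable_from": ["Bridge"]},
    {"id": "ENG-HMI-1", "make": "VendorB", "model": "EngView", "type": "OT",
     "zone": "Engine Room", "os": "Windows 10 IoT", "os_eol": False,
     "update_mechanism": "vendor service visit", "criticality": "safety-critical",
     "owner": "C/E", "last_reviewed": "2025-02-10",
     "reachable_from": ["Engine Room", "Accommodation"]},   # crew zone can reach it
    {"id": "PMS-WS-1", "make": "VendorC", "model": "Office PC", "type": "IT",
     "zone": "IT Room", "os": "Windows 10", "os_eol": False,
     "update_mechanism": "network", "criticality": "operationally important",
     "owner": "Master", "last_reviewed": "2025-04-02",
     "reachable_from": ["IT Room"]},
    {"id": "TEST-SRV-1", "make": "VendorC", "model": "Rack server", "type": "IT",
     "zone": "IT Room", "os": "Windows Server 2012", "os_eol": True,
     "update_mechanism": "", "criticality": "administrative",
     "owner": "", "last_reviewed": "2023-11-20",         # forgotten test system
     "reachable_from": ["IT Room"]},
]


def review(inventory, today):
    """Return (system id, finding code, message) for every issue found."""
    findings = []
    for rec in inventory:
        sid = rec.get("id", "?")
        # 1. Incomplete records: a blank owner or update path is itself a risk.
        missing = [k for k in REQUIRED if rec.get(k) in (None, "")]
        if missing:
            findings.append((sid, "incomplete",
                             "missing fields: " + ", ".join(missing)))
        # 2. End-of-life OS on safety-critical equipment.
        if rec.get("os_eol") and rec.get("criticality") == "safety-critical":
            findings.append((sid, "eol-os",
                             f"end-of-life OS '{rec.get('os')}' on safety-critical system"))
        # 3. OT system reachable from the crew/guest zone.
        if rec.get("type") == "OT" and CREW_ZONE in rec.get("reachable_from", []):
            findings.append((sid, "crew-reachable",
                             f"OT system reachable from {CREW_ZONE} zone"))
        # 4. USB-delivered updates on safety-critical systems need media scanning.
        if (rec.get("update_mechanism", "").upper() == "USB"
                and rec.get("criticality") == "safety-critical"):
            findings.append((sid, "usb-update",
                             "updates arrive on USB media; confirm scanning before use"))
        # 5. Annual review overdue.
        if rec.get("last_reviewed"):
            age = (today - date.fromisoformat(rec["last_reviewed"])).days
            if age > REVIEW_INTERVAL_DAYS:
                findings.append((sid, "review-overdue",
                                 f"last reviewed {age} days ago"))
    return findings


if __name__ == "__main__":
    for sid, code, msg in review(INVENTORY, date.today()):
        print(f"{sid:12} {code:16} {msg}")
```

Each finding maps to a sentence in the text, so the output reads directly into a risk register: the EOL and crew-reachable findings are the "forgotten test systems" and "undocumented connections between zones" the page says operators are surprised by, and the review-overdue check enforces the annual cycle.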
How NCoDE Command Manages OT and IT Security
NCoDE Command provides purpose-built tools for managing the unique challenge of securing both OT and IT systems on a vessel.
Systems Inventory by zone
The Systems Inventory module maintains a complete register of all onboard systems, categorised by zone - Bridge, Engine, IT, and Safety. Each system record captures the information needed for effective security management: make, model, operating system, network zone, update mechanism, and criticality classification. The inventory is linked to the Risk Register, so vulnerability discoveries can be immediately cross-referenced against deployed systems.
Wazuh integration for vulnerability scanning
NCoDE Command integrates with Wazuh, an open-source security platform deployed directly on vessel endpoints. Wazuh agents running on IT and compatible OT systems provide continuous vulnerability scanning, file integrity monitoring, rootkit detection, and Security Configuration Assessment against CIS benchmarks. Security events from across the vessel are collected and displayed on the CyberSecurity dashboard, giving the CySO real-time visibility into the security posture of both IT and OT systems.
Network segmentation monitoring
Through direct integration with Peplink maritime routers, NCoDE Command monitors network segmentation between IT, OT, and crew zones. The system detects and alerts on cross-zone traffic that violates segmentation policies. Firewall rules are documented and version-controlled. WAN connectivity status, bandwidth allocation, and content filtering policies are visible from the dashboard, providing the network security evidence that USCG examiners and classification society auditors require.
Patch lifecycle management
The Patch Lifecycle module tracks software updates from identification through testing, approval, deployment, and verification - for both IT and OT systems. Known Exploited Vulnerabilities from the CISA KEV catalogue are cross-referenced against the vessel's systems inventory to prioritise critical patches. For OT systems where patching is constrained by type-approval requirements and maintenance windows, the system tracks compensating controls until patches can be applied.
Fleet-wide visibility
For fleet managers and DPAs, NCoDE Command provides consolidated visibility across all vessels. System inventories, vulnerability status, segmentation compliance, and patch levels can be compared across the fleet. This makes it possible to identify systemic vulnerabilities - such as a specific ECDIS model running end-of-life software across multiple vessels - and prioritise remediation at the fleet level.