Are maritime hackers pushing at an open door?

Applying IACS regulations to newbuildings but not to existing ships creates an opportunity for malign operators, writes Tore Morten Olsen, President, Maritime, Marlink

At a time when armed gangs are attacking ships navigating in the Red Sea and the Black Sea is effectively a war zone, it may seem an exaggeration to assert that hacking is arguably the biggest current threat to business continuity in maritime.

However, the maritime industry’s transformation from a niche business, isolated by low bandwidth and bespoke applications, to a high value target with political and economic significance, has brought it unwelcome attention.

Of course, counter-measures exist and a combination of regulatory guidance and industry standards has helped balance the odds, but this is a game that is still weighted in favour of the attackers rather than the defenders.

There is a broad spread between the leaders, the followers and the laggards and it is among this last group where the concern should be highest.

Until recently, the latter have relied on anti-virus software and a lot of crossed fingers, but with the odds moving in favour of the hackers, a combination of proactive protection and regulation is coming into play.

Compliance with cyber security regulations is still a new experience for most shipping companies. This began with the IMO 2021 additions to the ISM Code, which were in reality a guide to best practice rather than a regulatory baseline. The TMSA and SIRE standards call for higher burdens of proof, but these are market sector-specific.

The US Coast Guard is set to introduce regional measures and IMO has cyber on its agenda for future regulation but in the meantime, the newest rules on the block are the IACS Unified Requirements E26 and E27.

UR E26, which provides mandatory cyber security baselines for newbuildings, and its companion regulation E27 for shipboard systems are arguably the first examples of tangible standards for cyber security, but even so they represent only a relatively low bar in terms of compliance requirements.

Their application to newbuildings alone poses an important question: why would owners apply cyber protection regulations only to these vessels, if they have one or two year-old assets of similar value on the water, presumably with similar risk profiles?

Of course, bodies including Class Societies offer notations and guidance for existing ships, but the concern will always be that items which are not mandatory do not get prioritised.

Why are they not protecting their existing assets to the same extent or higher? Asset values will be similar, cargo risk the same or higher, and the balance sheet and business continuity impact from a successful attack would be the same or greater.

As the old Andorran goat herder’s saying has it: “A man with two houses doesn’t leave one unlocked to protect the other.”

By applying the IACS minimum standards only to newbuildings and not to their existing ships, owners are taking on additional risk rather than reducing their risk profile overall.

The ability of Houthi rebels to target ships they believe are directly linked to their enemies illustrates the ease of accessing data on fleet ownership and deployment. There are fewer and fewer places to hide.

The pressure to apply similar measures to existing ships is likely to grow, with charterers and insurers best placed to exert pressure on vessel owners to ensure that compliance is consistent across the fleet.

In reality, they will have to go further. The provisions within the IACS URs are not without their critics, who fear that box-ticking rather than positive action is driving compliance. This overlooks the reality that obtaining consensus within IACS, like many similar organisations, is about compromise.

The growing pressure for cyber security enables shipping companies to meet the baseline standards and frees them to go further, adopting more rigorous approaches in terms of technology, training, procedures and awareness.

The evidence from tried and tested industry standards is that they can embed cyber risk awareness within the supply chain and make it a condition of doing business.

Owners will have to face the uncomfortable truth that to retain their status as reputable, investable operators, they will need to implement an in-depth cyber audit across their fleets, using UR E26 as a starting point, but not an end point.

Tore Morten Olsen 

President, Maritime, Marlink

This article was published on 23.04.2025 by Ship Technology
