CYBER SECURITY Archives

psc-officers-verifing-ecdis-patched-on-board-a-vessel-1-1200x800.png

Urgent Update: Enforcement Now Active

As of June 1, 2025, the IMO’s SN.1/Circ.901 is fully enforced, with:

23 ships detained globally for non-compliance (per Equasis data)
Top deficiencies:
1. Unpatched Furuno FEA-2100 systems (62%)
2. Missing hardware security modules (HSMs) (28%)
3. Incomplete crew training records (10%)

Key Requirements Under Scrutiny

1. Mandatory Patches for Critical Vulnerabilities

System	Patch Version	Risk if Unpatched
Furuno FEA-2100	v4.2.1 (2025-05)	GPS spoofing attacks
Transas Navi-Sailor 4000	v3.8.3	Chart tampering
JRC JAN-9200	v2.6.0	Ransomware infiltration

2. Hardware Security Modules (HSMs) Now Mandatory

Approved Models:
- Thales payShield 9000 ($3,800/ship)
- Utimaco CryptoServer CP5 (IMO-certified)
Deadline: Installed before next annual survey

3. Crew Training Documentation

New 2025 Standard: Minimum 4 hours/year of cyber drills
Acceptable Proof:
- IMO-model course 1.45 certificates
- VR training logs from Marlins

Recent Enforcement Actions

Case Study: MV Atlantic Dawn Detention (June 15, 2025)

Location: Singapore Port
Deficiency: Unpatched JRC ECDIS (v2.4.0)
Consequences:
- 48-hour detention ($12,000/day fee)
- Class suspension until compliance

Lesson: PSC checks now include automated version scans of ECDIS firmware.

Compliance Checklist for June 2025

Verify Your System

ECDIS Menu → Help → About → Check version

Submit Proof to Flag State
- Template: IMO Compliance Declaration Form
Prepare for PSC Inspections
- Required documents:
  - Patch installation logs
  - HSM purchase invoices
  - Crew training records

Industry Impact

Insurance Changes (June 2025):

Lloyd’s Market Association: 15% premium surcharge for ships without HSMs
North P&I Club: Cyber claims denied if ECDIS unpatched

Quote from BIMCO:

“Over 40% of ships needed last-minute upgrades in Q2 2025 – don’t risk detentions.”

📌 Key Resources

IMO SN.1/Circ.901 (2025 Revised)
Free Cyber Compliance Webinar (June 28, 2025)

The International Maritime Organization (IMO) has issued updated guidelines to enhance cybersecurity in the maritime sector, urging shipping companies and ports to integrate cyber risk management into their Safety Management Systems (SMS). This move comes amid rising cyber threats targeting critical shipping infrastructure, including GPS spoofing, ransomware attacks, and operational disruptions.

Why the New IMO Cyber Risk Management Guidelines Matter

Cyber threats pose a growing risk to ships, ports, and supply chains. Recent incidents—such as the 2023 ransomware attack on a major European port and GPS jamming in conflict zones—highlight the urgent need for robust cybersecurity measures.

The IMO’s latest guidance reinforces Resolution MSC.428(98), which mandates that cyber risks be addressed in compliance with the International Safety Management (ISM) Code. Companies must now ensure that:

Cyber risks are identified and mitigated in SMS documentation.
Crew members receive regular cybersecurity training.
Critical systems (navigation, propulsion, cargo ops) are protected from cyber intrusions.

Key Updates in the IMO’s Cyber Risk Guidelines

Risk Assessment – Companies must conduct regular cyber risk evaluations, including threat modeling for onboard and shore-based systems.
Incident Response Plans – Ships should have clear protocols for responding to cyber incidents (e.g., data breaches, system failures).
Third-Party Vendor Risks – Increased scrutiny on software providers, satellite communications, and port IT systems.
Training & Awareness – Crew and shore staff must be trained to recognize phishing, social engineering, and malware threats.

🔗 Download Official IMO Cyber Risk Management Documents

IMO MSC-FAL.1/Circ.3 (2023) – Revised Guidelines on Maritime Cyber Risk Management (PDF)
IMO Resolution MSC.428(98) – Cyber Risk Management in SMS (PDF)
IMO’s Cyber Risk Management Webpage (Additional Resources)

Industry Reactions & Compliance Deadlines

Classification societies (DNV, ABS, LR) have updated their SMS audit checklists to include cyber risk compliance.
The U.S. Coast Guard (USCG) and European Maritime Safety Agency (EMSA) have aligned their advisories with IMO standards.
Deadline: While the guidelines are non-mandatory, the IMO strongly recommends implementation by 2025 to align with ISM Code audits.

How Shipping Companies Should Prepare

Conduct a cybersecurity gap analysis (compare current SMS vs. IMO guidelines).
Train seafarers & IT staff on cyber hygiene (e.g., strong passwords, suspicious email detection).
Secure OT (Operational Technology) systems (ECDIS, AIS, engine control networks).
Partner with cybersecurity firms specializing in maritime threats (e.g., NAVTOR, CyberKeel).

📌 Additional Resources

NIST Cybersecurity Framework for Ships (U.S. National Institute of Standards and Technology)
BIMCO Cybersecurity Guidelines (Best Practices for Shipowners)

To: All Ship Owners, Operators, Masters, and Navigating Officers

1. Background

Recent reports indicate an increased risk of GPS signal interference or jamming in the vicinity of the Strait of Hormuz. Vessels operating in this region should remain vigilant and prepare for potential disruptions to Global Navigation Satellite Systems (GNSS), including GPS.

2. Recommended Actions

In the event of suspected or confirmed GPS jamming, vessels are strongly advised to employ alternative navigation techniques to ensure safe passage. The following measures should be considered:

A. Non-GPS Navigation Methods

Celestial Navigation: Use sextant observations for celestial fixes.
Radar Navigation: Cross-check positions using radar bearings and ranges.
Dead Reckoning (DR): Maintain accurate logs of course and speed for position estimation.
Inertial Navigation Systems (INS): Rely on gyrocompass and inertial sensors if available.
Visual & Terrestrial Aids: Verify positions using lighthouses, buoys, and landmarks.

B. Operational Precautions

Cross-Verify Positions: Use multiple independent methods to confirm location.
Monitor AIS/ECDIS Discrepancies: Be aware that these systems may be compromised without GPS.
Report Incidents: Notify nearby vessels, port authorities, and maritime agencies (e.g., UKHO, IMB) of suspected jamming.

3. Contingency Planning

Ensure bridge officers are trained in manual navigation.
Conduct GPS-denial drills.
Carry updated paper charts as a mandatory backup.

4. Additional Resources

IMO Guidelines (MSC.1/Circ.1572)
UKHO Maritime Security Chart Q6099

5. Contact Information

For urgent assistance or further guidance, contact:

SHIP IP LTD
📞 Tel: (+359) 24929284
📧 Email: sales@shipip.com
🌐 Website: www.shipip.com

Iran’s parliament has approved a measure to close the Strait of Hormuz pending Supreme Council review, a move that could impact roughly 20% of the world’s oil supply . Such a closure, if executed, could drive oil prices above $100/barrel and severely disrupt global trade reuters.com+5washingtonpost.com+5news.com.au+5. However, analysts caution Iran lacks the capability—and legal grounds—to fully block the strait en.wikipedia.org+9washingtonpost.com+9nypost.com+9.

Safety/Shipping Impact:

Urgent need for rerouting strategies and safety contingency plans
Spike in tanker freight rates and maritime risk premiums
Increased vigilance required by insurers and P&I clubs

📣 Final Note

SHIP IP advises all clients operating in or near the Gulf region to review safety management systems, coordinate with naval authorities, and ensure crew readiness under high-risk conditions.

📧 For custom routing or safety consultancy, contact: support@shipip.com

Region: Strait of Hormuz / Gulf of Oman

🔍 Incident Overview

In the past 72 hours, multiple vessels in the Strait of Hormuz have reported severe GPS interference, resulting in erratic navigational behavior. This culminated in a serious incident involving the oil tanker Front Eagle, which collided with the vessel ADALYNN, leading to an onboard fire and minor spill.

The collision was reportedly linked to spoofed GPS signals that misled the Front Eagle’s navigational systems, causing a sudden course deviation. Emergency response units contained the fire, and all crew were evacuated safely. The collision and spill area have triggered an environmental monitoring operation.

🛰️ What Is GPS Spoofing?

GPS spoofing is the deliberate broadcast of false GPS signals, causing a vessel to believe it is in a different location than it truly is. This can result in:

Incorrect autopilot routing
Navigation into restricted waters
Increased collision risk

This interference has been confirmed by data from commercial satellite tracking and reported widely by global shipping operators.

🔒 Recommended Actions for Ship Operators

To safeguard vessels navigating the Persian Gulf, especially around the Strait of Hormuz, the following best practices are strongly advised:

1. Use Redundant Navigation Methods

Cross-check GPS with radar, visual bearings, and inertial navigation systems (INS)
Update crews on dead reckoning and manual plotting skills

2. Autopilot Safety Protocols

Disable autopilot in high-risk areas and steer manually
Increase bridge watch vigilance and apply voyage data recorder (VDR) reviews

3. Situational Awareness

Monitor NAVTEX, IMO GISIS, and UKMTO alerts for real-time guidance
Use AIS overlays and satellite services (like GNS Watch) to detect spoofing anomalies

4. Cybersecurity Drills

Simulate spoofing/jamming scenarios during bridge team drills
Test GPS signal validation via ECDIS-integrated tools where available

5. Report and Record

Immediately report GPS disruptions to UKMTO and MARLO Bahrain
Log incident time, false coordinates, and corrective actions in the vessel logbook

🌍 Broader Implications

The incident highlights a growing maritime cybersecurity and navigational safety threat in geopolitically sensitive regions. Shipping companies, charterers, and P&I clubs are closely monitoring risk levels, and rerouting is under consideration for some operators.

A formal investigation has been launched. The IMO is also reviewing the use of multi-layered navigation systems to prevent future spoofing-induced accidents.

📣 Stay Informed

SHIP IP encourages all ship operators and safety officers to update their navigational safety manuals and conduct crew refresher training in light of these developments.

For support or customized fleet guidance, contact us via:
📧 support@shipip.com | 🌐 www.shipip.com

The maritime sector has recently faced significant cybersecurity challenges, highlighting the critical need for robust digital defenses.

Notable Cybersecurity Incidents:

Ukrainian Railways Cyber Attack: On March 23, 2025, Ukrainian state railways, Ukrzaliznytsia, experienced a large-scale cyber attack affecting its online freight services. This disruption forced a temporary switch to paper-based operations, underscoring vulnerabilities in transportation infrastructure. Reuters
North Sea Oil Tanker Collision: In early March, a collision between the container ship Solong and the U.S. tanker Stena Immaculate off the coast of Yorkshire raised concerns about potential cyber interference. Investigations are ongoing to determine if cybersecurity failures contributed to the incident. The Sun

Regulatory Developments:

RINA’s Enhanced Cybersecurity Rules: The Italian classification society RINA announced amendments to its “Rules for Classification of Ships,” effective July 1, 2024. These changes aim to bolster the cyber resilience of ship systems, incorporating new requirements for system certification and emphasizing software and hardware change management. Marine Regulations
U.S. Coast Guard’s Final Rule on Maritime Cybersecurity: On January 17, 2025, the U.S. Coast Guard published a final rule to enhance cybersecurity within the Marine Transportation System. Effective July 16, 2025, the rule mandates comprehensive cybersecurity assessments, the development of response plans, and the appointment of cybersecurity officers for applicable vessels and facilities. MarineLink

Implications for Shipowners:

These incidents and regulatory updates underscore the escalating cyber threats in the maritime industry and the imperative for shipowners to implement robust cybersecurity measures. Ensuring compliance with evolving regulations and proactively enhancing cyber defenses are crucial steps in safeguarding assets and maintaining operational integrity.

The maritime industry is experiencing significant advancements in cybersecurity to address emerging threats and comply with new regulations.

IACS Unified Requirements E26 and E27 Now Mandatory

As of January 1, 2024, the International Association of Classification Societies’ (IACS) Unified Requirements E26 and E27 have become mandatory for classed ships and offshore installations contracted for construction. These requirements focus on enhancing the cyber resilience of ships and onboard systems, ensuring they can withstand and recover from cyber threats. Marine Regulations+3SHIP IP LTD+3Maritime Informed+3Marine Regulations+1SHIP IP LTD+1

RINA Updates Classification Rules for Enhanced Cybersecurity

The classification society RINA has amended Part C of its “Rules for Classification of Ships,” effective July 1, 2024. These amendments aim to bolster the cyber resilience and security of ship systems and equipment, incorporating IACS UR E26 and E27 standards to safeguard against cyber threats. BIMCO+3Marine Regulations+3Maritime Informed+3

BIMCO Releases Updated Cybersecurity Guidelines

In November 2024, BIMCO, in collaboration with various maritime associations and cybersecurity firms, released version 5 of the “Guidelines on Cyber Security On Board Ships.” This update emphasizes the need for regular cybersecurity risk assessments in response to evolving cyber threats and changes in shipboard systems. BIMCO

T.E.N. and DNV Collaborate on Cyber Secure Notation

Tsakos Energy Navigation Ltd (T.E.N.) has partnered with DNV to achieve the Cyber Secure Essential notation for their newly contracted shuttle tankers. Scheduled for completion in 2025, these vessels will comply with IACS Unified Requirements E26 and E27, positioning T.E.N. ahead of mandatory implementation dates. Marine Regulations+3Maritime Informed+3SHIP IP LTD+3

Global Flag States Implement Cybersecurity Regulations

Flag states worldwide are integrating cybersecurity regulations in line with IMO standards. For instance, the United States mandates that vessels develop and maintain a Cybersecurity Plan and designate a Cybersecurity Officer by July 16, 2025. Similarly, other nations have set implementation deadlines and enforcement practices to enhance maritime cybersecurity. apnews.com+4Ship Universe+4SHIP IP LTD+4

These developments underscore the maritime industry’s commitment to strengthening cybersecurity measures, ensuring compliance with international standards, and safeguarding critical infrastructure against evolving cyber threats.

The U.S. Coast Guard is set to publish this week its final rule covering maritime security regulations by establishing minimum cybersecurity requirements for U.S.-flagged vessels, outer continental shelf facilities, and facilities subject to the Maritime Transportation Security Act of 2002 regulations. This final rule addresses current and emerging cybersecurity threats in the marine transportation system by adding minimum cybersecurity requirements to help detect risks and respond to and recover from cybersecurity incidents.

In a final rule scheduled for publication in the Federal Register, the Department of Homeland Security through the Coast Guard aims to enhance cybersecurity within the marine transportation system. The proposal includes mandates to create and uphold a Cybersecurity Plan, appoint a Cybersecurity Officer, and implement various strategies to ensure cybersecurity is maintained. Additionally, the Coast Guard is inviting feedback on a possible extension for the implementation timelines for U.S.-flagged vessels.

The final rule aims to protect the marine transportation system from cybersecurity threats by establishing minimum cybersecurity requirements. These requirements are designed to detect, respond to, and recover from risks that could lead to transportation security incidents (TSIs). The rule specifically targets risks arising from the increased interconnectivity and digitalization of the marine transportation system, addressing current and emerging cybersecurity threats to maritime security.

The Coast Guard noted that with this final rule, it has to finalize the requirements that were proposed in the notice of proposed rulemaking (NPRM), ‘Cybersecurity in the Marine Transportation System,’ published last February 22. The agency also responded to the public comments that we received to the NPRM and made several clarifications regarding the regulatory framework.

The Cybersecurity Plan must include seven account security measures for owners or operators of a U.S.-flagged vessel, facility, or outer continental shelf facility enabling of automatic account lockout after repeated failed login attempts on all password protected IT systems; changing default passwords (or implementing other compensating security controls if unfeasible) before using any IT or operational technology (OT) systems; and maintaining a minimum password strength on IT and OT systems technically capable of password protection.

It also covers implementing multi-factor authentication on password-protected IT and remotely accessible OT systems; applying the principle of least privilege to administrator or otherwise privileged accounts on both IT and OT systems; maintaining separate user credentials on critical IT and OT systems; and removing or revoking user credentials when a user leaves the organization.

The U.S. Coast Guard outlined that the Cybersecurity Plan also must include four device security measure requirements. They are developing and maintain a list of any hardware, firmware, and software approved by the owner or operator that may be installed on IT or OT systems; ensure that applications running executable code are disabled by default on critical IT and OT systems; maintain an accurate inventory of network-connected systems including those critical IT and OT systems; and develop and document the network map and OT device configuration information.

Additionally, the Cybersecurity Plan must include two data security measure requirements that ensure that logs are securely captured, stored, and protected and accessible only to privileged users, and deploy effective encryption to maintain confidentiality of sensitive data and integrity of IT and OT traffic when technically feasible.

The U.S. Coast Guard prescribed that owners or operators of U.S.-flagged vessels, facilities or outer continental shelf facilities must also prepare and document a Cyber Incident Response Plan that outlines instructions on how to respond to a cyber incident and identifies key roles, responsibilities, and decision-makers amongst personnel.

Furthermore, owners or operators must also designate a Cybersecurity Officer (CySO) who must ensure that U.S.-flagged vessel, facility, or outer continental shelf facility personnel implement the Cybersecurity Plan and the Cyber Incident Response Plan. The CySO must also ensure that the Cybersecurity Plan is up-to-date and undergoes an annual audit. The CySO must also arrange for cybersecurity inspections, ensure that personnel have adequate cybersecurity training, record and report cybersecurity incidents to the owner or operator, and take steps to mitigate them.

The Coast Guard estimates that this final rule creates costs for industry and government of about US$1.2 billion total and $138.7 million annualized, discounted at 2 percent (2022 dollars). This increased estimate from the NPRM is primarily driven by increases to our estimates of costs related to cybersecurity drills, exercises, and penetration testing. Cost estimates are also increased due to updated affected population data.

The final rule also notes that its benefits include reduced risk and mitigation of cyber incidents to protect impacted entities and downstream economic participants, and improved protection of marine transportation system business operations to build consumer trust and promote increased commerce in the U.S. economy. Additional benefits include improved minimum standards of cybersecurity to protect the marine transportation system, which is vital to the nation’s economy and national security, and to avoid supply chain disruptions.

The U.S. Coast Guard also requires owners and operators of U.S.-flagged vessels, facilities, and outer continental shelf facilities to segment their IT and OT networks, and log and monitor connections between them. Based on information from CGCYBER, CG-CVC, and NMSAC, network segmentation can be particularly difficult in the marine transportation system, largely due to the age of infrastructure in the affected population of U.S.- flagged vessels, facilities, and outer continental shelf facilities. The older the infrastructure, the more challenging network segmentation may be.

The document also laid down that it will require owners and operators of U.S.-flagged vessels, facilities, and outer continental shelf facilities to limit physical access to IT and OT equipment; secure, monitor, and log all personnel access; and establish procedures for granting access on a by-exception basis.

Last July, the DHS’ Office of Inspector General (OIG) published a final report identifying that the U.S. Coast Guard has made progress in enhancing the cyber posture of the marine transportation system by establishing maritime cybersecurity teams over the past two years, in line with statutory requirements. Based on its findings, the report proposes four recommendations to improve the Coast Guard’s cyber readiness and precautions to secure the U.S. supply chain. The DHS has concurred with four recommendations.

Source : Industrial Cyber

As Industry 4.0 continues to redefine operations, the lines between Information Technology (IT) and Operational Technology (OT) systems are increasingly blurred. Marine terminals now face unique cybersecurity risks to both types of systems, each requiring tailored defenses.

IT Systems: Protecting Data and Networks

IT systems manage critical business data and communication infrastructure. Cybersecurity risks for IT systems include malware, phishing attacks, and data breaches. Employing strong network security protocols, regular software updates, and staff training are essential for safeguarding sensitive data.

OT Systems: Securing Operational Processes

OT systems, which control equipment and automation at marine terminals, face distinct risks. These include attacks on Industrial Control Systems (ICS) and vulnerabilities in legacy systems. Protecting OT involves ensuring real-time monitoring, regular upgrades, and physical security to prevent unauthorized access.

Best Practices for Marine Terminals:

For IT systems: Implement multi-factor authentication, regularly update software, and train employees to spot phishing attempts.
For OT systems: Maintain an inventory of all assets, update outdated systems, and ensure secure remote access.

With both IT and OT systems now interconnected, a unified approach to cybersecurity is crucial. Protecting these systems is not just about safeguarding data but also ensuring the continued safe operation of critical infrastructure.

Modern commercial ports are a critical infrastructure which is highly dependent on information systems. The security of a port thus relies on the integrity of both physical and cyber assets. Despite evidence that ports are becoming targets for hackers, whose attacks can affect both cyber and physical assets and halt operations, too many ports have inadequate cybersecurity. Physical threats, incidents, and accidents to the physical assets (e.g., terminals, gates, buildings) of the maritime infrastructures or cyber threats and attacks to the cyber assets (e.g., Port Community Systems, navigation systems) can jeopardise the maritime operations, disrupt supply chains and destroy international trade and commerce.

https://rusieurope.eu/wp-content/uploads/2024/02/cybersecurity-in-maritime-critical-infrastructure-crimson-report-english.pdf

Older Posts