Cybersecurity for ships

Photo: A 26th Marine Expeditionary Unit (MEU) Maritime Raid Force Marine engages simulated.

A modern ship is a complicated system using digitization and automation. Several assets prone to cybersecurity attacks are located on a ship: operational technology OT-networks, information technology IT-networks, radio frequency RF-communication systems, systems for navigation and machinery. Most of these systems are connected together and in many cases to the Internet. This brings a risk of malicious attack to the ship’s networks and systems. Additionally, the personnel accessing systems on board may form a risk by itself.

The situation of basic guidelines for implementing cybersecurity for ships has become much better when Code of Practice: Cyber Security for Ships was published 2017 by the Institution of Engineering and Technology. This important guideline declares the basic management framework to lower the probability of cyberattacks against different types of ships.

Figure: Evolution of the management framework towards Cybersecurity for ships.

The most recent components in the evolution of the management framework of cybersecurity for ships are the CyberSecurity Assessment CSA and CyberSecurity Plan CSP. A new Cybersecurity Officer CySO has task to develop, review periodically and maintain both CSA and CSP.

Figure: Cybersecurity Assessment CSA-process for ships

The Cyber Security Assessment CSA is based on a risk management approach. The cyber security risks are prioritized to mitigate the vulnerabilities in cost-effective ways. In the CSA process, the ship assets, the ship business processes, the ship risks and security controls needed are identified. The review of the CSA should be done frequently according rapidly changing cybersecurity situation.

A comprehensive approach for developing the Cybersecurity Plan CSP is also important to cover all the areas of cybersecurity. The CSP should cover all the policies, processes coming from the policies and procedures to give more detailed directions to cybersecurity. The CyberSecurity Plan CSP should be based on the CyberSecurity Assessment CSA and it covers the three security levels of the ISPS Code, which are minimum appropriate, appropriate additional and specific protective security measures.

For example, here are some of very minimum contents of a Cyber Security Plan CSP for ships to cover:

  • responsibilities
  • approving connections to ship systems
  • changes to system operations
  • access and control to communications and navigation systems
  • access and control to IT and OT systems
  • access and control to electronic monitoring systems
  • protection of data concerning cargo and stores
  • response to threats, breaches and cybersecurity incidents
  • auditing of cybersecurity controls
  • links to assisting organizations
  • awareness, training and drills required by personnel

Building upon these aspects, we can expect to improve the security of the ship, its crew, passengers and cargo.


Code of Practice: Cyber Security for Ships. 2017. London, UK: Institution of Engineering and Technology.

Kohnke, A., Shoemaker, D. & Sigler, K. 2016. The Complete Guide to Cybersecurity Risks and Controls. Boca Raton, FL: CRC Press.

Pin It on Pinterest