New USCG cybersecurity rules raise stakes for operators

As marine vessels become more modernized, they also become vulnerable to cyberattacks. Ransomware continues to pose a major threat, impacting a vessel’s entire operational network until a ransom is paid.

According to Michael DeVolld, senior director, maritime cybersecurity, ABS Consulting and head of the ABS Cyber Center of Excellence, modern ships tie navigation, propulsion, dynamic-positioning, ballast automation and cargo-handling into the same digital backbone that shoreside personnel can reach for analytics and remote support. 

“If an attacker slips through a poorly segmented remote-access link or an unpatched shoreside workstation, they could push legitimate-looking commands straight to safety-critical equipment and change a vessel’s behavior in real time should all other safety and human oversight processes fail,” DeVolld says. 

The cornerstone of maritime cybersecurity regulation remains the International Maritime Organization’s (IMO) Resolution MSC.428(98), which mandates that all cargo ships of 500 gross tonnage or more integrate cybersecurity risk management into their Safety Management Systems (SMS). 

In the United States, the USCG has implemented the most comprehensive maritime cybersecurity regulations to date. USCG’s final rule, effective July 16, 2025, establishes minimum cybersecurity requirements for U.S.-flagged vessels, Outer Continental Shelf facilities, and facilities subject to the Maritime Transportation Security Act (MTSA). 

To mitigate these risks, the USCG regulation requires that all staff members participate in training. Specifically, the new requirements mandate the development and maintenance of comprehensive cybersecurity plans, designation of dedicated cybersecurity officers and implementation of structured procedures for detecting, responding to and recovering from cybersecurity incidents. Compliance is not optional—a failure to implement the required training could lead to penalties or a halt to operations.

“This regulatory move represents a paradigm shift in how cybersecurity is approached within the marine transportation system—as a matter of national security,” DeVolld says.

Ports, terminals, vessel operators and other critical infrastructure stakeholders must take proactive steps to comply with these regulations. January 12, 2026, is the training deadline, so operators should begin planning immediately. According to DeVolld, all employees must complete cybersecurity training. New hires accessing information technology (IT) or operational technology (OT) systems must complete training within five days of system access, followed by annual refresher training.

July 16, 2027, is the full compliance deadline, requiring companies to submit written designation of a cybersecurity officer, conduct comprehensive cybersecurity assessments within 24 months of the rule’s effective date and submit cybersecurity plans to the USCG for approval within the same timeframe.

“Between expanding attack surfaces and increasingly sophisticated threats, the stakes have never been higher,” DeVolld says. “It is essential for the maritime industry to not only understand its cyber risk but also translate knowledge into decisive action that protects lives, operations and assets.”

Maura Keller