Coast Guard's New Cybersecurity Rules

The US Coast Guard's first-ever mandatory cybersecurity framework for ports, vessels, and offshore facilities has taken effect, ending two decades of voluntary compliance and putting operators on a countdown with a 2027 deadline. The regulations affect any US-flagged vessel or maritime facility subject to the Maritime Transportation Security Act of 2002 and require that they develop and maintain a cybersecurity plan, designate a Cybersecurity Officer (CySO), conduct annual assessments, and train any information- and operational-technology workers on their cybersecurity duties.[1]

The regulations resemble those of other industries, such as the National Electric Reliability Council's Critical Infrastructure Protection (NERC-CIP) plan, which has improved cybersecurity across the power-generation and distribution ecosystem, says Elan Alvey, principal industrial consultant at Dragos, an industrial cybersecurity provider. "Regulation has helped; it's not the fix for everything, because threat groups are pretty sneaky," he says. "But it gets rid of a lot of the low-hanging fruit that your opportunists, hackers, your ransomware folks, will see and say, 'Oh, it's open. Let's go [attack] it.'"

The cybersecurity regulations come as the maritime transportation industry has suffered some major cyberattacks, including the NotPetya attack that halted shipping by AP Moller-Maersk and global positioning system attacks that caused ships to run aground. International standards already require similar cybersecurity measures for transoceanic shipping and foreign-flagged vessels. Other oil-and-gas producing nations, such as Norway, have made decisive moves to strengthen the cybersecurity of ships and offshore facilities.

See: https://redskyalliance.org/xindustry/notpetya-us-law

In 2025, the US Coast Guard expanded the requirements of the Maritime Transportation Security Act of 2002 to include mandatory reporting of cybersecurity incidents starting in July 2025, followed by cybersecurity training for all IT and OT workers on their roles and responsibilities under the law by January of this year. The rule mirrors how the post-9/11 MTSA reshaped physical port security, signaling that Washington aims to shore up maritime cybersecurity, Dragos's Alvey stated in an analysis.

The next deadline is in July, when every US-flagged vessel or Outer Continental Shelf (OCS) facility must have completed a cybersecurity assessment and created a cybersecurity plan that enforces segmentation between IT and OT networks.

Jim McKee, CEO of Red Sky Alliance Corp., stated, "We have been offering an inexpensive cyber threat notification and mitigation service named RedXray. RedXray can be easily deployed for any domain in the world to protect ships, ports, and infrastructure."

See: https://www.redskyalliance.com/redxray

The underlying principles of the MTSA are that ships, oil rigs, and other maritime facilities must enforce security measures and require their suppliers and vendors to do the same. Companies should expect similar requirements to expand to other industries, if they are not already in place, says Trey Ford, chief strategy and trust officer at Bugcrowd, a crowdsourced cybersecurity firm. "Large industrial suppliers should treat this as the leading indicator for what is coming across every regulated sector and start building accountability into their program design now, before the deadline forces it," he says. "The ICS/SCADA universe should pay attention; I trust regulators will be looking in their direction soon."

Among the most significant changes wrought by the new regulations is that every US-flagged vessel, facility, or Outer Continental Shelf (OCS) facility must designate a CySO to take responsibility for the cybersecurity of both the IT and OT infrastructure, mirroring existing roles under the MTSA, such as the facility security officer.

The scope of duties for the CySO is different from that of a traditional chief information security officer, says Dragos's Alvey. "The CISO is [about] your technical, everyday IT information," he says. "To me, the cybersecurity officer is more of a regulatory officer, because they're in charge of ensuring that not only are you following the regulations, but if there were incidents or anything that's reportable, they're also in charge of that."

The final stage of the MTSA cybersecurity rollout, which must be completed by 16 July 2027, is the most challenging: network segmentation. Even land-based companies struggle to meet that cybersecurity goal. In a 2025 survey, networking giant Cisco found that 94% of organizations encountered segmentation problems due to the complexity of their environments, limited visibility, and difficulty identifying legitimate information flows.

Unfortunately, there is no simple solution, Amer Akhter, senior director of product management for Cisco, stated in his review of the survey results. "There's no 'box' or single product that one can purchase. Nor is there a single approach that can be modeled as a best practice for every use case," he said. "Instead, organizations are having to rely on multiple segmentation methods. Unfortunately, this lack of clarity can add complexity to an already complex situation. The result? Many, too many, segmentation projects fail."

Dragos's Alvey notes that companies are expected to complete network segmentation within roughly a year and a half, a timeline he views as tight given the multiple prerequisite steps involved (asset inventory, architectural design, etc.), and one likely to prompt pushback from regulated entities. "Just because you're compliant, doesn't mean you're secure," he says.

That is where the MTSA cybersecurity requirements can help prepare facilities and companies, Bugcrowd's Ford says. Beyond the defenses, training, and new roles, the requirements focus on what happens during an incident. Network segmentation helps slow down lateral movement by attackers; regular assessments can detect where defenses or visibility have failed; and requiring secure design from the start means the organization is moving toward a destination. That's a lesson that every company should take to heart, Ford says. "The MTSA gets one foundational thing right that most enterprise programs still resist: the assumption of failure," he says. "It treats the question as not whether a system can be compromised, but whether you will know before an adversary acts on it."


This article is shared at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information (CTI) via a notification/Tier I analysis service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please contact the office directly at 1-844-492-7225 or feedback@redskyalliance.com


[1] https://www.darkreading.com/cybersecurity-operations/coast-guards-cybersecurity-rules-lessons-cisos
