Maritime Cybersecurity Awareness Training — the complete crew program aligned to IMO MSC-FAL.1/Circ.3, IACS UR E26 (training), and USCG 33 CFR Part 101.
EST. 2–3 HRS · 8 MODULES · 3 APPLIED GAMES · CERTIFICATE ON COMPLETION
Maritime cybersecurity has moved from voluntary guidance to enforceable international law. This section explains the regulatory framework that governs every vessel you serve on.
In June 2017, the NotPetya ransomware attack crippled A.P. Møller-Maersk, the world's largest container shipping company. The attack spread from a single infected update server to 45,000 PCs and 4,000 servers across 130 countries in minutes. Terminals worldwide shut down. Vessels could not receive loading instructions.
COSCO Shipping, the world's third-largest container line, suffered a ransomware attack that knocked out its email and telephone systems in the Americas. The attack spread through the internal network before being contained.
| Regulation | Scope | Key Requirement |
|---|---|---|
| IMO MSC.428(98) | All ISM-certified vessels | Cyber risk management integrated into SMS by Jan 2021 |
| IMO MSC-FAL.1/Circ.3 | All commercial vessels | Guidelines on maritime cyber risk management — includes crew training |
| IACS UR E26 | Newbuilds from 2024 | Cyber resilience requirements for onboard systems and equipment |
| IACS UR E27 | Newbuilds from 2024 | Cyber resilience requirements for on-board systems — network segmentation |
| USCG 33 CFR §101 | US-flagged vessels & MTSA facilities | First mandatory US maritime cyber rules — Cybersecurity Plan required |
| ISM Code | All ISM-certified vessels | Cyber incidents are safety incidents. Crew responsibilities documented in SMS |
Modern vessels are floating networks. Understanding what can be attacked — and how — is the foundation of every defensive behaviour this course teaches.
Business and crew systems: email, internet, crew Wi-Fi, CCTV, access control, passenger entertainment. Disruption causes operational and financial impact.
Safety-critical systems: ECDIS navigation, AIS, GPS, engine management, propulsion, dynamic positioning, steering. Disruption endangers lives and the vessel.
The most common entry point. Attackers craft emails impersonating port authorities, classification societies, VSAT providers, or ship management companies. Spear phishing targets specific crew by name and role.
A USB drive introduced at a port call, left aboard by a contractor, or found on the vessel can deliver malware directly to isolated OT networks that have no internet connection and are otherwise unreachable.
Satellite communication terminals are exposed to the internet and frequently run outdated firmware. Attackers have exploited VSAT terminals to pivot into vessel networks, intercept cargo data, and deploy ransomware.
State and criminal actors broadcast false GPS signals to make vessels appear in wrong locations, disrupt dynamic positioning, or deceive maritime authorities. AIS data can be spoofed to fake vessel positions and identities.
Ransomware encrypts vessel systems and demands payment for decryption keys. In maritime environments, this can lock navigation systems, disable engine monitoring, and halt cargo operations during critical port calls.
Disgruntled crew, contractors with excessive access, or crew members targeted for recruitment by criminal groups. Maritime vessels are high-value targets — cargo manifests, charter schedules, and owner details are commercially valuable intelligence.
In 2017, over 20 vessels in the Black Sea simultaneously reported GPS anomalies placing them 32km inland at Gelendzhik Airport. The incident was one of the first confirmed large-scale maritime GPS spoofing events. Vessels relying solely on GPS for navigation would have made incorrect course corrections based on false position data.
Phishing is the leading cause of maritime cyber incidents. It works because it targets human behaviour — not software — and because maritime communications involve many external parties whose emails and calls can be convincingly spoofed.
Mass emails impersonating legitimate organisations — port authorities, classification societies, VSAT providers, flag states. Volume-based — sent to thousands of addresses hoping some will click.
Targeted emails using real names, vessel names, and role-specific content. The attacker has researched you — your LinkedIn profile, your vessel's port calls, your management company. Far more convincing than generic phishing.
Phone calls impersonating IT support, flag state officials, classification society surveyors, or VSAT support teams. Uses urgency and authority to pressure crew into revealing credentials or granting access.
SMS messages and WhatsApp/Signal messages with malicious links. Crew are accustomed to sharing vessel information via messaging apps — attackers exploit this familiarity.
AI tools allow attackers to generate perfectly-worded, grammatically flawless phishing emails in any language, mimicking real people's writing styles. The traditional red flag of "bad grammar" no longer applies. AI deepfake voice and video calls can impersonate real officers and owners.
Attackers compromise or spoof the email account of a captain, owner, or manager to request urgent wire transfers or crew data. Responsible for hundreds of millions in maritime financial losses annually.
"Your account will be suspended in 24 hours." "Act before departure." "URGENT — action required today." Attackers create time pressure to prevent you from thinking carefully.
classnk-portal-online.net instead of classnk.or.jp. port-rotterdam-auth.com instead of portofrotterdam.com. One character, one extra word, one different TLD — always deliberate, always deceptive.
No legitimate IT system, management company, port authority, or classification society will ever ask for your password via email or phone. No legitimate owner or captain will request emergency wire transfers without a phone call to a known number.
Particularly: .exe, .zip, .iso files. "Chart updates," "firmware," "invoice," or "tracking links" you did not request. Hover over links before clicking — check the actual URL.
A port agent hands you a USB saying "here's the updated sailing orders from the management company." The file could contain malware that activates when plugged into any vessel computer.
Crew post vessel positions, guest photos, equipment images, and departure schedules on social media. Attackers use this intelligence to craft highly convincing spear phishing attacks — or worse, to plan physical security intrusions.
A vendor arrives at the gangway asking to connect a laptop to the vessel network for a "firmware update." They appear professional. They have a business card. Verify every external access request through your management company before allowing any physical access to vessel systems.
You will receive 6 emails — some are phishing attacks, some are legitimate. Classify each correctly before the timer runs out.
Not every cyber attack comes through email. Physical access to vessel systems — through USB drives, planted hardware, unverified contractors, or unauthorised visitors — is one of the most dangerous and underestimated threat vectors in maritime environments. Unlike network attacks, physical attacks bypass every firewall and software defence aboard.
Stuxnet — the most sophisticated piece of malware ever publicly documented — infected the air-gapped Iranian nuclear facility at Natanz via a single USB drive. The facility had no internet connection. It did not matter. A USB drive, introduced by an insider or left where it would be found, crossed the air gap and destroyed centrifuges. The same technique has been adapted for maritime targets: OT systems with no internet connection are fully vulnerable to USB-delivered malware.
An unauthorised person follows an authorised crew member through a secured door, access control reader, or gangway checkpoint without presenting their own credentials. Challenge anyone who cannot present valid identification entering any restricted space — bridge, engine room, comms room, or data centre. The social cost of challenging someone is negligible. The cost of a breach is not.
A convincing uniform, a professional-looking ID, and a plausible story about a "firmware update" or "routine maintenance" are all an attacker needs to gain physical access to vessel systems. Verify every contractor through the ship manager or management company directly — using their known contact details, not numbers provided by the contractor. No verification, no access. No exceptions.
Visitors photographing bridge or engine room equipment are not always curious — they may be conducting reconnaissance. Bridge photos can reveal network port layouts, manufacturer labels, software version numbers, and physical topology that an attacker can use to plan a targeted intrusion. Enforce your vessel's photography policy in all restricted spaces.
Network switches, routers, USB hubs, and other IT hardware delivered to the vessel can be pre-compromised during transit — a technique known as "supply chain interdiction." All IT hardware must be ordered through approved procurement channels, delivered to a verified address, and inspected before installation. Never accept IT equipment from unofficial sources or at the gangway.
Passwords, vessel schedules, passenger manifests, and navigation plans visible on screen in common areas — or in sight of windows on the bridge — can be captured by an attacker without touching any vessel system. Apply screen privacy filters on bridge terminals. Lock unattended screens. Be aware of who has sightlines to sensitive displays in port.
Personal devices aboard vessels are simultaneously one of the most significant cyber risks and one of the most difficult to control. Every smartphone, tablet, and laptop that comes aboard is a potential entry point into vessel systems — and a potential source of intelligence for attackers. Understanding the boundaries is essential for every crew member.
Modern vessels run multiple segregated networks — management/bridge, crew Wi-Fi, guest Wi-Fi, and OT systems. This segregation is a deliberate security architecture. When you connect your personal device to the crew Wi-Fi, you are joining a network that shares physical infrastructure with the vessel's operational systems. Any malware on your device can attempt to reach those systems. This is why crew Wi-Fi is the only network any personal device should ever touch.
Posting your current location, next port of call, departure time, or ETA tells a potential attacker exactly where the vessel and its passengers will be and when. Pirates, kidnappers, and cargo thieves actively monitor social media for this intelligence. Your vessel's schedule is confidential operational information.
Photos from the bridge or engine room showing navigation equipment, comms systems, radar displays, or network infrastructure give an attacker a detailed view of vessel systems — manufacturer names, software versions, physical layout. This intelligence is used to craft targeted attacks against specific equipment.
Posting guest names, photographs of VIPs, or details about who is aboard — even indirectly ("had an amazing charter this week") — violates guest privacy and can enable targeted attacks against high-value individuals. Charter guest privacy is both a legal obligation and a security requirement.
LinkedIn profiles, Facebook posts, and Instagram accounts that reveal your rank, vessel name, management company, and regular ports are a complete spear phishing dossier. Attackers use this information to craft targeted emails that reference your real role, real vessel, and real management company — making them extremely convincing.
You have been assigned to conduct a security sweep of two vessel spaces. Identify every cyber threat before the timer runs out.
Weak or shared credentials are the single most commonly exploited vulnerability in maritime cyber incidents. An attacker who has your password has your access — to navigation systems, vessel management software, email, financial systems, and anything else your credentials unlock. Credential security is not an IT concern. It is every crew member's personal responsibility.
A shared account (e.g., "bridge@vessel.com" used by multiple officers) means no individual is accountable for actions taken under that credential. When an incident occurs, investigators cannot determine which person took which action. Shared accounts also mean that when one person leaves the vessel, the credential cannot be cleanly revoked — it must be changed for everyone. Individual accounts are mandatory.
The most common scenario: a senior officer or urgent deadline creates pressure to share credentials "just this once." Once shared, a password has been compromised — you no longer know who has it, where it has been entered, or whether it has been captured by malware. Refuse every request regardless of seniority or urgency. There is always an alternative: IT can grant temporary access through proper channels.
Multi-factor authentication requires two or more verification factors to access a system: something you know (password), something you have (phone or hardware token), or something you are (fingerprint or face). Even if an attacker has your exact password — through phishing, a data breach, or a keylogger — they cannot log in without your second factor. Enable MFA on every system that supports it: email, ship management software, VSAT portals, fleet management systems, and crew portals. MFA is the single most effective defence against credential-based attacks.
Artificial intelligence has fundamentally changed what is possible for attackers. Defences that worked two years ago — checking for bad grammar, recognising suspicious email formats, trusting voice calls from known numbers — are no longer reliable. Understanding the AI threat landscape is now a core competency for maritime crew at every level.
AI voice cloning tools can replicate any person's voice from as little as three seconds of publicly available audio — a YouTube interview, a social media video, a company presentation. Criminals use cloned voices to impersonate vessel owners, company directors, and senior officers in phone calls requesting emergency wire transfers or sensitive information. In 2024, a Hong Kong finance worker transferred $25 million after a deepfake video call appeared to show the company's CFO.
Video calls can now be manipulated in real time — replacing the caller's face and voice with a convincing digital clone of a known person. A video call that visually and audibly resembles your vessel owner, your captain, or your company director is no longer inherently trustworthy. For any high-value request arriving via video call, verify through a separate communication channel before taking action.
Modern AI tools generate thousands of personalised, grammatically perfect phishing emails per hour — in any language, mimicking the writing style of specific known contacts, referencing real vessel names and real management companies. The traditional indicator of poor grammar no longer applies. AI-generated phishing is indistinguishable from genuine communications by appearance alone. The only reliable test is verifying through a known-good separate channel.
Data breach databases containing billions of username/password combinations are freely available on the dark web. AI-powered tools test these combinations against maritime management portals, VSAT systems, fleet management software, and email accounts automatically and at massive scale. If you reuse a password from any other service that has ever been breached, every account sharing that password is compromised.
AI tools can scan vessel-facing internet infrastructure — VSAT terminals, remote access portals, AIS reporting systems — and identify exploitable vulnerabilities faster and more comprehensively than human researchers. Vessels that are slow to patch known vulnerabilities in internet-facing equipment are increasingly exposed to AI-assisted automated exploitation.
For any high-value request — financial transfer, credential provision, system access — verify through a completely separate channel. End the call. Call back on a known, pre-saved number. Never use numbers provided in the request itself.
Pre-agree a verification code word with vessel owners and management company contacts for use in high-stakes communications. A deepfake cannot know a privately agreed code word that has never been published anywhere.
MFA defeats credential stuffing completely — even if an attacker has your exact password from a breach database, they cannot log in without your second factor. Enable it on every system that supports it.
AI-assisted attacks use extreme urgency to bypass rational thinking. "Transfer immediately — we are in breach." "I need access now — emergency." Real emergencies do not require you to bypass security procedures. Urgency is a manipulation technique.
A finance worker at a multinational company received instructions via email to conduct a secret transaction. Suspicious, they joined a video call that appeared to show the company's CFO and other colleagues — all real-looking, all speaking. Convinced by the video call, the worker transferred $25.6 million USD across 15 transactions. Every person on the call was a deepfake. The real CFO had no knowledge of the transaction.
Early reporting and correct first actions can prevent a containable incident from becoming a catastrophic one. Every crew member has a role in the vessel's cyber incident response — regardless of technical background.
A pop-up demanding Bitcoin or cryptocurrency to unlock vessel systems. A countdown timer. Files that can't be opened. Your first action is isolation — not payment, not restart.
Mouse moving on its own. Applications opening without your input. An active remote desktop session you did not initiate. Someone is in the system right now. Disconnect from the network — do not shut down.
High bandwidth utilisation at unusual hours (03:00–05:00 is a classic exfiltration window). Network equipment showing unexpected LED patterns. Systems unusually slow for no reason. Document and escalate.
GPS position contradicting radar, soundings, and visual bearings. ECDIS showing unexpected course deviations. AIS contacts behaving unusually. Switch to independent navigation systems immediately and alert the captain.
Stop what you're doing. Disconnect the affected device from the network (unplug cable, turn off Wi-Fi) — only if safe to do so without affecting vessel safety or navigation.
Shutting down destroys volatile memory evidence critical to incident investigation. Leave the device powered on but disconnected. Do not click anything else.
Tell the OOW or captain immediately — in person, not via the potentially compromised system. State: what you saw, what you clicked, what time it happened.
Time, system affected, what was displayed, what actions were taken before and after discovery. This log is essential for forensic investigation and regulatory reporting.
Complete documented cyber awareness training. Follow vessel cyber procedures. Report suspicious activity to OOW. Never share access credentials.
Ensure all supervised crew complete training. Act as first point of contact for incident reports. Enforce BYOD and USB policies. Document all cyber incidents in the vessel log.
Maintain the Cybersecurity Plan. Ensure IMO and USCG reporting obligations are met. Co-ordinate with flag state and classification society post-incident. Conduct annual cyber risk assessments.
You are the watch officer. 5 real incidents are unfolding. Make the correct command decision under time pressure.
Not every attack is aimed at the vessel. A growing share is aimed at you — your wages, your identity, your next contract, and the months you spend far from home. These scams cost seafarers real money every year, and a compromised crew member is often the first step toward a compromised vessel.
An email — appearing to come from you — asks the crewing or accounts office to "update my bank details for this month's wages." The new account belongs to the attacker. One redirected pay run can cost a full month's salary. Crewing offices are the real target; you are the impersonated identity.
A too-good contract on a "premium" vessel, then a request for an advance fee — visa processing, medical, "seafarer registration" — or for your passport, CDC, and certificate scans. The money disappears; the documents are sold or used for identity theft. Legitimate manning agents never charge the seafarer to be placed.
A friendly stranger on social media or a dating app builds trust over weeks, then introduces a "guaranteed" crypto or forex platform. Early small withdrawals work, encouraging larger deposits — then the account locks. Seafarers with savings and long isolated rotations are deliberately targeted.
A message claiming a relative is in hospital or in trouble, needing money wired urgently — or a "captain"/"superintendent" messaging from a personal number asking you to buy gift cards or move funds quietly. Urgency plus secrecy plus an unusual payment method is the signature of a scam.
A manning agent received an email from a chief engineer's lookalike address asking to change his salary account before the month-end run. The wording matched his style; the signature was copied from a genuine earlier email. Wages went out before anyone called him. He was at sea, unaware, until payday. The fix that would have stopped it: a single verification call to a known number before changing any payment detail.
Any request to send money, buy gift cards, or change bank details — stop and confirm by calling the person on a number you already had, not one in the message. Urgency is the pressure; verification is the defence.
Treat your passport, CDC, and certificates like your bank card. Never pay a recruiter to be placed, and never send document scans to an unverified agent or a contract that arrived out of nowhere.
No legitimate investment is guaranteed, and no genuine friend you've only met online needs you on a specific trading platform. The ability to withdraw a small amount early is the bait, not proof.
Report attempts to the captain or DPA even when no vessel system is involved. A scammer who has your credentials, identity, or trust is a foothold into the vessel. Reporting protects the next crew member too.
Answer all 25 questions drawn from all 9 modules. You need 80% (20/25) to pass and receive your completion certificate.
You have successfully completed the DeckSecure Maritime Cybersecurity Awareness training, aligned to IMO MSC-FAL.1/Circ.3 and the ISM Code.