Urgent Maritime Cybersecurity Warning: U.S. Final Rule Signals Alarm on Weak Resilience

The maritime industry, a backbone of global trade supporting $5.4 trillion in annual U.S. economic activity, faces an escalating wave of cyber threats that could cripple ports, vessels, and supply chains. Recognizing this growing danger, the U.S. Coast Guard published a landmark final rule on January 17, 2025, establishing mandatory minimum cybersecurity requirements for U.S.-flagged vessels, Outer Continental Shelf (OCS) facilities, and facilities subject to the Maritime Transportation Security Act (MTSA). Set to take effect on July 16, 2025, these regulations aim to create baseline standards for cyber resilience and resistance to cyberattacks. But the need to “create baseline requirements” raises a critical question: What level of cyber resilience exists in the maritime sector today? The answer, based on recent incidents and audits, reveals a troubling vulnerability that demands urgent action.

The U.S. Coast Guard’s Final Rule: A Response to Rising Threats

The Coast Guard’s final rule, published in the Federal Register, introduces comprehensive cybersecurity mandates to address current and emerging threats in the Marine Transportation System (MTS). Key requirements include:

• Cybersecurity Plans: Owners and operators must develop and maintain plans outlining roles, responsibilities, and strategies to manage cyber risks.

• Cybersecurity Officer (CySO): Entities must designate a qualified officer to oversee compliance, audits, training, and incident response.

• Security Measures: Plans must include account security, device security, data encryption, network segmentation, and supply chain risk management.

• Incident Reporting: Significant cyber incidents must be reported to the National Response Center, FBI, and Cybersecurity and Infrastructure Security Agency (CISA).

• Drills and Audits: Regular exercises and annual audits ensure ongoing preparedness.

The rule responds to a surge in cyberattacks, with 31% of maritime professionals reporting at least one incident in 2024, nearly double the rate of the previous five years. Notable incidents include the August 2024 ransomware attack on the Port of Seattle, which caused cargo delays and a data breach affecting 90,000 individuals, and a 2023 attack on the Port of Nagoya, Japan, that disrupted operations for three days. These attacks highlight the sector’s vulnerability, particularly to operational technology (OT) systems governing navigation, propulsion, and cargo handling, which often run on outdated software.

Current Cyber Resilience: A Troubling Picture

The Coast Guard’s need to establish baseline requirements underscores a stark reality: the maritime sector’s current cyber resilience is woefully inadequate. A July 2024 Department of Homeland Security (DHS) Inspector General audit found that the Coast Guard lacks sufficient cyber expertise, capacity, and credibility to effectively partner with private-sector port operators. A February 2025 Government Accountability Office (GAO) report further revealed that the Coast Guard cannot accurately track cybersecurity incidents due to incomplete data in its Marine Information for Safety and Law Enforcement (MISLE) system, hindering timely responses.

Smaller operators, in particular, face significant challenges. Many lack the resources to implement robust cybersecurity measures, and the absence of mandatory standards until now has led some to underestimate the threat. The reliance on Chinese-manufactured ship-to-shore cranes, which dominate 80% of U.S. strategic ports, adds another layer of risk. These cranes, potentially controllable remotely, are vulnerable to exploitation by state-sponsored actors like China’s Volt Typhoon, raising concerns about supply chain disruptions.

The 2018 MTSA amendments required operators to address cybersecurity risks, but specific regulations were not issued until January 2025, leaving a gap in enforceable standards. Voluntary guidance, such as the Coast Guard’s 2021 Cyber Strategic Outlook and 2023 risk assessment model, has been insufficient to drive widespread adoption. Posts on X reflect industry frustration, with users noting that compliance costs—estimated at $80 million annually—could strain smaller firms, yet inaction risks catastrophic incidents like vessel immobilizations or navigational failures.

Why the Sector Is Vulnerable

The maritime sector’s vulnerability stems from its increasing reliance on interconnected digital systems. Modern vessels and ports depend on IT and OT systems for navigation, cargo management, and safety, but many lack modern cybersecurity protections. Geopolitical tensions, particularly with China, Iran, and Russia, drive state-sponsored attacks targeting trade and infrastructure, as seen in hybrid warfare tactics combining cyber and physical disruptions. The growing use of autonomous vessels introduces new risks, with unsecured software potentially allowing attackers to seize control.

Supply chain risks are equally pressing. The 2024 DNV report highlighted that supply chain cyberattacks, exploiting third-party vendors, are a growing threat. The Coast Guard’s Maritime Security Directives 105-4 and 105-5, issued in 2024, mandate risk management for Chinese-manufactured cranes, but broader supply chain vulnerabilities persist. The lack of domestic crane manufacturing, with no U.S.-made ship-to-shore cranes produced in 30 years, exacerbates dependence on foreign technology.

The Path to Resilience

The Coast Guard’s final rule marks a critical step toward bolstering cyber resilience, aligning with the National Institute of Standards and Technology (NIST) Cybersecurity Framework and CISA’s Cross-Sector Performance Goals. However, its success hinges on implementation. The Coast Guard is soliciting comments by March 18, 2025, on a potential 2-to-5-year delay for U.S.-flagged vessels, acknowledging the compliance burden. Industry experts recommend immediate steps:

• Conduct Risk Assessments: Identify vulnerabilities in IT and OT systems.

• Train Personnel: Equip crews to recognize phishing, ransomware, and other threats.

• Adopt Automation: Tools like Nozomi Networks’ platform can enhance asset visibility and threat detection.

• Strengthen Supply Chains: Vet third-party vendors and reduce reliance on foreign technology.

The Biden administration’s February 2024 Executive Order and $20 billion investment in domestic crane production signal long-term commitment, but short-term gaps remain. International efforts, such as the International Maritime Organization’s (IMO) Resolution MSC.428(98), complement U.S. actions, urging global cybersecurity standards.

Conclusion

The U.S. Coast Guard’s final rule is a wake-up call for a maritime sector with alarmingly low cyber resilience. Current vulnerabilities, exposed by recent attacks and inadequate oversight, threaten global trade and national security. While the rule establishes essential baselines, the question of existing resilience reveals a sector playing catch-up against sophisticated threats. As compliance looms, operators must act swiftly to fortify their defenses, leveraging training, technology, and regulatory support to safeguard the MTS. The Schweers’ use of USDA crop insurance in New Mexico reflects a similar reliance on proactive risk management—a model the maritime industry must emulate to navigate this digital storm.