USB Management Policy Onboard: Regulatory Drivers, Risks & Best Practices

In today’s threat landscape, cyberattacks in shipping are often opportunistic. Malicious actors aren’t necessarily targeting a specific company—they’re looking for exploitable vulnerabilities across the maritime sector. One of the most overlooked yet dangerous vectors is the use of USB devices onboard vessels.

USB sticks are still widely used for routine tasks: updating ECDIS charts, transferring logs, or running diagnostics. But these seemingly harmless devices can serve as entry points for malware, compromising both IT and OT systems. When infected, they can silently disable critical systems or cause disruptions that are misdiagnosed as hardware failure.

Regulatory Framework: IMO, IACS & Maritime Codes

Effective USB management is now a core component of maritime cybersecurity governance. Regulatory bodies such as the International Maritime Organization (IMO) and the International Association of Classification Societies (IACS) have set clear expectations for how ship operators should manage cyber risk—including risks introduced through removable media.

“Connectivity enhancements will add a lot of risks in terms of cybersecurity… so we need to be ready. The future of the maritime industry is to have less crew onboard and more technology. That means more systems directly connected—either to the office or to the public Internet.”
Dr. Michalis Michaloliakos
Head of ICT & CyberSecurity, TMS Group

Industry Regulations and Guidelines

  • IMO Guidelines (MSC-FAL.1/Circ.3): Mandate that cyber risk be embedded into the ISM Code, including continuous risk assessment, contingency planning, and improvement of defenses.
  • IACS Unified Requirements (UR E26 & E27): Focus on securing IT/OT architecture, applying access control policies, and managing removable media use.
  • ISM & ISPS Code Alignment: Though they don’t mention USBs explicitly, these codes support integrating USB controls within broader safety and security frameworks.

Why USBs Remain a Threat

The 2024 Industrial Cybersecurity USB Threat Report shows that 52% of all threats originating from USB devices had the potential to cause significant disruption to OT systems. Furthermore, 1 in 5 threats was specifically designed to exploit air-gapped environments—a common setup onboard vessels. These statistics reinforce that USB-based attacks are not only active but increasingly targeted and sophisticated.

  • Infection of OT Systems: Many OT environments run outdated or unpatchable software, making them vulnerable to malware introduced via USB.
  • Misdiagnosed Failures: Malware symptoms often mimic equipment malfunctions, leading to unnecessary hardware replacements and missed cyber threats.
  • Uncontrolled Use: Personal or unauthorized USBs are frequently used onboard without proper scanning or logging, increasing the risk of accidental breaches.

In addition to traditional malware, a growing wave of advanced USB-based techniques poses new challenges:

  • Keystroke Injection Attacks (e.g., Rubber Ducky): These devices emulate keyboard input to execute scripted commands upon insertion, allowing attackers to bypass user awareness and perform automated exploits.
  • Firmware Reprogramming (BadUSB): Attackers modify USB firmware to perform unauthorized actions, such as executing malicious code, logging keystrokes, or posing as trusted devices.
  • USB Drop Attacks: Infected USBs are intentionally left in public places, relying on human curiosity to trigger malware execution when inserted into onboard systems.

Popular USB Malware Variants to Watch in 2025

  • SOGU Malware: Delivered via USB flash drives, used to extract sensitive data and linked to TEMP.Hex, a China-based espionage actor.
  • SNOWYDRIVE: Targets oil and gas organizations in Asia, installs backdoors for remote access and lateral movement.
  • WispRider: Capable of spreading via USB across air-gapped networks, disguised as legitimate executable files, and tied to the Mustang Panda threat group.

Policy Components: Building a Secure USB Management Framework

A robust USB policy must go beyond restrictions—it needs a layered approach that includes hardware control, software protection, and human behavior. This chapter outlines the essential elements to structure a policy that is both technically sound and operationally feasible.

Device Control & Access Restrictions

  • Allow USB usage only on approved systems.
  • Enforce the use of company-issued, encrypted USBs.
  • Implement endpoint protection platforms (e.g., DeviceLock, Symantec DLP) for USB control.

Malware Scanning & Quarantine Procedures

  • Use standalone scanning terminals for all USBs.
  • Quarantine and scan files before transferring between IT and OT networks.
  • Log all USB activity for auditing purposes.

Crew and Third-Party Training

  • Train crew and vendors on proper USB usage.
  • Emphasize OT vulnerability and the potential operational impact of malware.

Incident Detection & Response

  • Integrate USB alerts into onboard SIEM or logging systems.
  • Create USB-specific response playbooks as part of your broader incident response plan.
  • Coordinate with Class, Flag, and OEM vendors in case of suspected infection.
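
One way to implement the "log all USB activity" and "integrate USB alerts into onboard SIEM" items above, as an added example (not code from this article or from any vendor product). It reads Linux kernel USB messages and flags storage mounted on a non-approved host, drives that are not company-issued, and unlisted keyboards (the keystroke-injection case). Host names, device IDs, allowlists and the log lines are constructed assumptions.

```python
import json, re

# Assumed policy data (constructed for this example, not from the article).
ISSUED_DRIVES = {("0781", "5583", "4C53000123456789")}   # (vid, pid, serial)
STORAGE_HOSTS = {"scan-kiosk"}                           # hosts allowed to mount storage
KNOWN_KEYBOARDS = {("046d", "c31c")}                     # (vid, pid) of fitted keyboards

FOUND = re.compile(r"usb (\S+): New USB device found, idVendor=(\w{4}), idProduct=(\w{4})")
SERIAL = re.compile(r"usb (\S+): SerialNumber: (\S+)")
STORAGE = re.compile(r"usb-storage (\S+?):[\d.]+: USB Mass Storage device detected")
KEYBOARD = re.compile(r"hid-generic \w{4}:(\w{4}):(\w{4})\.\w+: .*USB HID v[\d.]+ Keyboard")

def alert(ts, host, rule, vid, pid, serial=None):
    return {"time": ts, "host": host, "rule": rule, "device": f"{vid}:{pid}", "serial": serial}

def audit(lines):
    """Return one alert dict per policy violation seen in Linux kernel log lines."""
    devices, alerts = {}, []              # devices: (host, port) -> [vid, pid, serial]
    for line in lines:
        ts, host, msg = line.split(" ", 2)
        if m := FOUND.search(msg):
            devices[(host, m[1])] = [m[2].lower(), m[3].lower(), None]
        elif (m := SERIAL.search(msg)) and (host, m[1]) in devices:
            devices[(host, m[1])][2] = m[2]
        elif m := STORAGE.search(msg):    # a mass-storage interface was bound
            vid, pid, serial = devices.get((host, m[1]), [None, None, None])
            if host not in STORAGE_HOSTS:
                alerts.append(alert(ts, host, "storage on non-approved host", vid, pid, serial))
            elif (vid, pid, serial) not in ISSUED_DRIVES:
                alerts.append(alert(ts, host, "drive not company-issued", vid, pid, serial))
        elif (m := KEYBOARD.search(msg)) and (m[1].lower(), m[2].lower()) not in KNOWN_KEYBOARDS:
            alerts.append(alert(ts, host, "unlisted keyboard", m[1].lower(), m[2].lower()))
    return alerts

SAMPLE_LOG = """\
2025-03-03T10:15:02 scan-kiosk kernel: usb 1-2: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
2025-03-03T10:15:02 scan-kiosk kernel: usb 1-2: SerialNumber: 4C53000123456789
2025-03-03T10:15:03 scan-kiosk kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
2025-03-03T11:40:10 scan-kiosk kernel: usb 1-3: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
2025-03-03T11:40:11 scan-kiosk kernel: usb-storage 1-3:1.0: USB Mass Storage device detected
2025-03-03T12:05:40 engine-hmi kernel: usb 2-1: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
2025-03-03T12:05:40 engine-hmi kernel: usb 2-1: SerialNumber: 4C53000123456789
2025-03-03T12:05:41 engine-hmi kernel: usb-storage 2-1:1.0: USB Mass Storage device detected
2025-03-03T13:20:00 engine-hmi kernel: hid-generic 0003:FEED:0001.0004: input,hidraw1: USB HID v1.11 Keyboard [Generic Keyboard] on usb-0000:00:14.0-3/input0
""".splitlines()                          # constructed sample: timestamp, host, kernel message

if __name__ == "__main__":
    for a in audit(SAMPLE_LOG):
        print(json.dumps(a))              # one JSON object per line for a log forwarder
```

The first three sample lines (an issued drive on the scanning terminal) produce no alert; the remaining lines produce one alert each for the three rules.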

Compliance and Vendor Enforcement

  • Include USB policies in contracts and SLAs.
  • Require compliance from technicians, contractors, and service engineers.

Implementation and Enforcement Onboard

USB management must also integrate with the vessel’s broader cybersecurity and compliance infrastructure. MarPoint’s UNI Virtualization Server, for example, addresses several persistent pain points for maritime IT teams—such as lack of visibility into file transfers, challenges with enforcing standard operating procedures, and difficulty in isolating security breaches across distributed fleet networks. Solutions like UNI help centralize USB policy enforcement while enabling real-time monitoring and integration with classification society cybersecurity audits.

Even the most comprehensive policy can fall short without proper execution. This section focuses on how to implement USB controls onboard using existing infrastructure, and how to enforce rules without disrupting day-to-day operations.

  • Deploy centralized policy management using shipboard routers and endpoint tools.
  • Use solutions like MarPoint’s EVO3 Router to apply dynamic policies per connection type (Starlink, VSAT, 5G).
  • Perform regular USB audits and simulate potential breach scenarios as part of cyber drills.

Monitoring and Continuous Improvement

Cybersecurity is not static. As threats evolve, so must your policies. This chapter outlines how to keep your USB management framework effective through continuous monitoring, data-driven review cycles, and regular system audits.

  • Review policy effectiveness quarterly with support from shoreside IT.
  • Leverage data from onboard firewalls and web filtering platforms.
  • Report anomalies to internal cybersecurity stakeholders and update controls accordingly.

Real-World Incidents: Lessons from the Field

Understanding past incidents reinforces the need for strong USB policies. The maritime industry has already seen the consequences of poorly controlled removable media:

  • 2023 Malware Attacks on Greek, Dutch, and Norwegian Vessels: As reported by CyberOwl, multiple malware infections were discovered across vessels from these nations. Investigations revealed that USB devices were the primary infection vector—malware was unknowingly introduced by vendors and third-party service providers using compromised USB sticks. The infections led to degraded OT performance, impacted critical operations, and triggered unnecessary equipment replacements due to misdiagnosed faults. These cases also exposed gaps in USB usage logging and scanning procedures onboard.

This example serves as a reminder that malware introduced through USBs often evades detection until damage is done. Prevention, scanning, and monitoring are essential defenses.

Final Thoughts:

USB management is not just a technical issue—it’s a strategic imperative. By aligning with IMO and IACS standards, implementing robust controls, and training crew, shipping companies can drastically reduce the risk posed by removable media.

Cybersecurity at sea begins with strong fundamentals. A well-governed USB policy ensures safe data transfers, protects OT infrastructure, and supports uninterrupted operations—turning a common vulnerability into a controlled asset.
