Regulatory References Used
- International Maritime Organization: IMO Resolution MSC.428(98); IMO Guidelines MSC-FAL.1/Circ.3/Rev.3
- U.S. Coast Guard: NVIC 01-20 (Cyber Risk Management); Maritime Security Directives & CVC guidance
- International Association of Classification Societies: IACS Unified Requirements E26 & E27
1. Operational Technology (OT) Integrity
A. Physical Port Audit
Checklist item:
Blocking unused USB/Ethernet ports on bridge, ECR, CCR
Regulatory mapping:
- IMO: Protection measures against unauthorized access (Identify → Protect)
- USCG: Control of removable media & physical access to critical systems
- IACS E26: Protection of onboard equipment interfaces against misuse
Inspector logic:
“Can unauthorized devices be connected to safety-critical systems?”
B. Bridge Workstation Sanitization
Checklist item:
Navigation systems are used strictly for navigation
Regulatory mapping:
- IMO: Segregation of critical systems supporting safe operation
- USCG: IT/OT separation and the least-functionality principle
- IACS E27: Network zoning and functional separation
Inspector logic:
“Is the bridge workstation exposed to non-operational cyber risk?”
C. Remote Access Management
Checklist item:
Permit-to-Work and verification of disconnect
Regulatory mapping:
- IMO: Access control and lifecycle management
- USCG: Governance of vendor remote access paths
- IACS E27: Secure remote access with defined trust boundaries
Inspector logic:
“Who can access the system remotely, when, and how is that controlled?”
D. OT Change Control
Checklist item:
Logging, approval, and rollback capability for OT changes
Regulatory mapping:
- IMO: Detect & Recover capabilities within SMS
- USCG: Configuration management for critical systems
- IACS E26: Lifecycle cybersecurity of equipment
Inspector logic:
“Can you prove what changed, when, and why?”
2. The Human Element (Friction Reduction)
A. “Clean-Room” Charging
Checklist item:
Non-networked charging for personal devices
Regulatory mapping:
- IMO: Preventive controls against malware introduction
- USCG: Removable media and personal device risk
- IACS E26: Protection of equipment from external contamination
Inspector logic:
“How do you prevent accidental device introduction?”
B. Plain-Language Cyber SOPs
Checklist item:
Clear procedures usable under stress
Regulatory mapping:
- IMO: Cyber risk embedded in operational procedures
- USCG: Crew awareness & procedural readiness
- IACS E27: Operational response requirements
Inspector logic:
“Can the crew actually execute the procedure onboard?”
C. No-Blame Reporting
Checklist item:
Safe reporting of mis-clicks or near-misses
Regulatory mapping:
- IMO: Detect function and incident reporting
- USCG: Early detection and reporting culture
- IACS: Indirectly supports operational resilience
Inspector logic:
“Would the crew report a mistake immediately?”
D. Authority Clarity
Checklist item:
Defined authority to isolate systems
Regulatory mapping:
- IMO: Response & Recovery roles within SMS
- USCG: Command responsibility during cyber incidents
- IACS E27: Incident containment capability
Inspector logic:
“Who decides to pull the plug—and is that clear?”
3. Network Hygiene
A. Welfare vs. Work Isolation
Checklist item:
Crew Wi-Fi separated from admin/OT networks
Regulatory mapping:
- IMO: Protection of critical systems
- USCG: IT/OT and crew network segregation
- IACS E27: Mandatory network zoning
Inspector logic:
“Can a crew device reach a navigation system?”
B. Hardware Asset Inventory
Checklist item:
Complete visibility of connected devices
Regulatory mapping:
- IMO: Asset identification
- USCG: System inventory requirement
- IACS E26/E27: Equipment and system documentation
Inspector logic:
“Do you know what is connected right now?”
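Items 3A and 3B come down to one reconciliation: compare what the switches actually see against the approved hardware inventory, and flag anything unknown, anything sitting in the wrong zone (a crew device on the NAV segment), and anything in the inventory that is no longer seen. The script below is an added example, not part of this checklist; the inventory, the MAC-table export and the zone names NAV/ECR/CREW are constructed sample data.

```python
import re

# Constructed approved hardware inventory: MAC -> (description, zone it belongs in).
INVENTORY = {
    "00:1a:2b:3c:4d:01": ("ECDIS primary", "NAV"),
    "00:1a:2b:3c:4d:02": ("Radar display", "NAV"),
    "00:1a:2b:3c:4d:03": ("VDR", "NAV"),
    "00:1a:2b:3c:4d:10": ("Engine control HMI", "ECR"),
    "00:1a:2b:3c:4d:20": ("Crew Wi-Fi access point", "CREW"),
    "00:1a:2b:3c:4d:21": ("Crew welfare laptop", "CREW"),
}

# Constructed sample export from the switches: "<zone> <port> <mac> <ip>" per line.
OBSERVED = """\
NAV  Gi1/0/1 00:1a:2b:3c:4d:01 10.10.1.11
NAV  Gi1/0/2 00:1a:2b:3c:4d:02 10.10.1.12
NAV  Gi1/0/7 A4:C3:F0:11:22:33 10.10.1.57
NAV  Gi1/0/8 00:1a:2b:3c:4d:21 10.10.1.58
ECR  Gi2/0/1 00:1a:2b:3c:4d:10 10.20.1.11
CREW Gi3/0/1 00:1a:2b:3c:4d:20 10.30.1.2
"""

LINE = re.compile(r"^(\S+)\s+(\S+)\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\S+)$", re.I)

def parse_observed(text):
    """Parse the export into (zone, port, mac, ip) tuples; MACs are lower-cased."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:  # skip blank or malformed lines rather than failing the whole audit
            zone, port, mac, ip = m.groups()
            rows.append((zone, port, mac.lower(), ip))
    return rows

def reconcile(inventory, observed):
    """Answer the inspector's questions: what is connected, and is it where it belongs?"""
    findings, seen = [], set()
    for zone, port, mac, _ip in observed:
        seen.add(mac)
        entry = inventory.get(mac)
        if entry is None:
            findings.append(("UNKNOWN_DEVICE", zone, port, mac))  # not in inventory at all
        elif entry[1] != zone:
            findings.append(("WRONG_ZONE", zone, port, mac))      # e.g. crew device on NAV
    for mac, (_desc, zone) in inventory.items():
        if mac not in seen:
            findings.append(("NOT_SEEN", zone, None, mac))        # off, unplugged, or removed
    return findings

if __name__ == "__main__":
    for finding in reconcile(INVENTORY, parse_observed(OBSERVED)):
        print(*finding)
```

Run against a real export the same three finding types are what the inspector wants to see dated and signed: the unknown device on Gi1/0/7 and the crew laptop on the NAV segment are the answers to 3A, and the unseen VDR is the answer to 3B.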
C. Default Credential Elimination
Checklist item:
Removal of factory passwords
Regulatory mapping:
- IMO: Protective controls against unauthorized access
- USCG: Credential hygiene
- IACS E26: Secure configuration of equipment
Inspector logic:
“Are default credentials still in use?”
D. Remote Access Landing Zone
Checklist item:
Controlled termination point for remote access
Regulatory mapping:
- IMO: Network protection measures
- USCG: Secure remote access governance
- IACS E27: Secure architecture design
Inspector logic:
“Where does remote access actually land?”
4. Supply Chain & Maintenance
A. Third-Party Media Scanning
Checklist item:
Scanning of all external media
Regulatory mapping:
- IMO: Protection from external threats
- USCG: Removable media control
- IACS E26: Supply-chain cyber protection
Inspector logic:
“How do you manage third-party devices?”
B. Patch & Update Handover
Checklist item:
Logging updates in SMS
Regulatory mapping:
- IMO: Continuous risk management
- USCG: Vulnerability and patch management
- IACS E26: Lifecycle cybersecurity
Inspector logic:
“Can you prove systems are maintained?”
C. Vendor Account Expiry
Checklist item:
Automatic disabling of temporary access
Regulatory mapping:
- IMO: Access lifecycle control
- USCG: Least-privilege enforcement
- IACS E27: Secure access design
Inspector logic:
“Do vendor accounts persist after work?”
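Items 1C (Permit-to-Work and verification of disconnect) and 4C (vendor account expiry) can be evidenced with one audit: every temporary account carries its PTW end time, and the remote-access gateway's session log is checked against it. The script below is an added example and not part of this checklist; the account records, the session log and the field names (`ptw_end`, `enabled`) are constructed assumptions, and the "now" passed in is the time of the audit.

```python
from datetime import datetime, timezone

# Constructed sample: one record per temporary account raised for vendor work.
# 'ptw_end' is the Permit-to-Work expiry; 'enabled' is the account's current state.
ACCOUNTS = [
    {"user": "vendor-ecdis-01", "ptw_end": "2024-05-10T18:00:00Z", "enabled": False},
    {"user": "vendor-engine-02", "ptw_end": "2024-05-12T12:00:00Z", "enabled": True},
    {"user": "vendor-radar-03", "ptw_end": "2024-05-20T08:00:00Z", "enabled": True},
]

# Constructed sample: remote-access gateway sessions as (user, start, end);
# end is None when the gateway never recorded a disconnect.
SESSIONS = [
    ("vendor-ecdis-01", "2024-05-10T09:00:00Z", "2024-05-10T17:30:00Z"),
    ("vendor-engine-02", "2024-05-12T10:00:00Z", None),
    ("vendor-radar-03", "2024-05-13T07:00:00Z", "2024-05-13T11:00:00Z"),
    ("svc-unknown", "2024-05-14T02:00:00Z", "2024-05-14T02:20:00Z"),
]

def parse_ts(s):
    """Parse the UTC timestamps used in the sample records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit(accounts, sessions, now):
    """Return (finding, user) pairs answering 1C and 4C at time 'now'."""
    expiry = {a["user"]: parse_ts(a["ptw_end"]) for a in accounts}
    findings = []
    # 4C: a temporary account still enabled after its PTW window closed.
    for a in accounts:
        if a["enabled"] and now > expiry[a["user"]]:
            findings.append(("ACCOUNT_NOT_EXPIRED", a["user"]))
    # 1C: a session with no PTW behind it, or one that outlived its PTW
    # (an open session counts as running until 'now').
    for user, _start, end in sessions:
        limit = expiry.get(user)
        if limit is None:
            findings.append(("NO_PTW_FOR_USER", user))
            continue
        end_ts = now if end is None else parse_ts(end)
        if end_ts > limit:
            findings.append(("SESSION_PAST_PTW", user))
    return findings

def disable_list(accounts, now):
    """Accounts the nightly job should disable: enabled and past their PTW end."""
    return [a["user"] for a in accounts if a["enabled"] and now > parse_ts(a["ptw_end"])]

if __name__ == "__main__":
    audit_time = parse_ts("2024-05-15T00:00:00Z")
    for finding in audit(ACCOUNTS, SESSIONS, audit_time):
        print(*finding)
    print("disable:", disable_list(ACCOUNTS, audit_time))
```

The point of the `disable_list` step is that the answer to "Do vendor accounts persist after work?" should be produced by a scheduled job rather than by someone remembering to do it.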
5. Emergency Preparedness (Cyber-Seaworthiness)
A. Manual Override Readiness
Checklist item:
Practicing manual navigation and control
Regulatory mapping:
- IMO: Recovery and continuity of safe operation
- USCG: Operational resilience
- IACS E27: Degraded-mode operation
Inspector logic:
“Can the vessel sail safely without screens?”
B. Offline Backup Verification
Checklist item:
Encrypted, offline backups
Regulatory mapping:
- IMO: Recovery capability
- USCG: Backup and restoration expectations
- IACS E26: Secure recovery mechanisms
Inspector logic:
“Can you recover without the network?”
C. Integrated Cyber Drills
Checklist item:
Cyber scenarios embedded in safety drills
Regulatory mapping:
- IMO: Cyber risk within SMS drills
- USCG: Crew preparedness and response
- IACS E27: Incident response readiness
Inspector logic:
“Is cyber treated like fire or flooding?”
Final Thoughts:
From a regulatory perspective:
IMO asks: Is cyber risk managed as an operational safety risk?
USCG asks: Can you demonstrate control and response onboard?
IACS asks: Is cybersecurity engineered into the vessel and its systems?
This checklist aligns with all three—without turning cyber into a paperwork exercise.