Regulatory Mapping: Vessel-Level Cyber-Hygiene Checklist

Why Crew-Centric Digital Experience Is a Priority at Sea

Regulatory References Used

  • International Maritime Organization
    IMO Resolution MSC.428(98)
    IMO Guidelines MSC-FAL.1/Circ.3/Rev.3
  • U.S. Coast Guard
    NVIC 01-20 (Cyber Risk Management)
    Maritime Security Directives & CVC guidance
  • International Association of Classification Societies
    IACS Unified Requirements E26 & E27

1. Operational Technology (OT) Integrity

A. Physical Port Audit

Checklist item:
Blocking unused USB/Ethernet ports on bridge, ECR, CCR

Regulatory mapping:

  • IMO: Protection measures against unauthorized access (Identify → Protect)
  • USCG: Control of removable media & physical access to critical systems
  • IACS E26: Protection of onboard equipment interfaces against misuse

Inspector logic:
“Can unauthorized devices be connected to safety-critical systems?”

B. Bridge Workstation Sanitization

Checklist item:
Navigation systems are used strictly for navigation

Regulatory mapping:

  • IMO: Segregation of critical systems supporting safe operation
  • USCG: IT/OT separation and the least-functionality principle
  • IACS E27: Network zoning and functional separation

Inspector logic:
“Is the bridge workstation exposed to non-operational cyber risk?”

C. Remote Access Management

Checklist item:
Permit-to-Work and verification of disconnect

Regulatory mapping:

  • IMO: Access control and lifecycle management
  • USCG: Governance of vendor remote access paths
  • IACS E27: Secure remote access with defined trust boundaries

Inspector logic:
“Who can access the system remotely, when, and how is that controlled?”

D. OT Change Control

Checklist item:
Logging, approval, and rollback capability for OT changes

Regulatory mapping:

  • IMO: Detect & Recover capabilities within SMS
  • USCG: Configuration management for critical systems
  • IACS E26: Lifecycle cybersecurity of equipment

Inspector logic:
“Can you prove what changed, when, and why?”

2. The Human Element (Friction Reduction)

A. “Clean-Room” Charging

Checklist item:
Non-networked charging for personal devices

Regulatory mapping:

  • IMO: Preventive controls against malware introduction
  • USCG: Removable media and personal device risk
  • IACS E26: Protection of equipment from external contamination

Inspector logic:
“How do you prevent accidental device introduction?”

B. Plain-Language Cyber SOPs

Checklist item:
Clear procedures usable under stress

Regulatory mapping:

  • IMO: Cyber risk embedded in operational procedures
  • USCG: Crew awareness & procedural readiness
  • IACS E27: Operational response requirements

Inspector logic:
“Can the crew actually execute the procedure onboard?”

C. No-Blame Reporting

Checklist item:
Safe reporting of mis-clicks or near-misses

Regulatory mapping:

  • IMO: Detect function and incident reporting
  • USCG: Early detection and reporting culture
  • IACS: Indirectly supports operational resilience

Inspector logic:
“Would the crew report a mistake immediately?”

D. Authority Clarity

Checklist item:
Defined authority to isolate systems

Regulatory mapping:

  • IMO: Response & Recovery roles within SMS
  • USCG: Command responsibility during cyber incidents
  • IACS E27: Incident containment capability

Inspector logic:
“Who decides to pull the plug—and is that clear?”

3. Network Hygiene

A. Welfare vs. Work Isolation

Checklist item:
Crew Wi-Fi separated from admin/OT networks

Regulatory mapping:

  • IMO: Protection of critical systems
  • USCG: IT/OT and crew network segregation
  • IACS E27: Mandatory network zoning

Inspector logic:
“Can a crew device reach a navigation system?”

B. Hardware Asset Inventory

Checklist item:
Complete visibility of connected devices

Regulatory mapping:

  • IMO: Asset identification
  • USCG: System inventory requirement
  • IACS E26/E27: Equipment and system documentation

Inspector logic:
“Do you know what is connected right now?”

C. Default Credential Elimination

Checklist item:
Removal of factory passwords

Regulatory mapping:

  • IMO: Protective controls against unauthorized access
  • USCG: Credential hygiene
  • IACS E26: Secure configuration of equipment

Inspector logic:
“Are default credentials still in use?”

D. Remote Access Landing Zone

Checklist item:
Controlled termination point for remote access

Regulatory mapping:

  • IMO: Network protection measures
  • USCG: Secure remote access governance
  • IACS E27: Secure architecture design

Inspector logic:
“Where does remote access actually land?”

4. Supply Chain & Maintenance

A. Third-Party Media Scanning

Checklist item:
Scanning of all external media

Regulatory mapping:

  • IMO: Protection from external threats
  • USCG: Removable media control
  • IACS E26: Supply-chain cyber protection

Inspector logic:
“How do you manage third-party devices?”

B. Patch & Update Handover

Checklist item:
Logging updates in SMS

Regulatory mapping:

  • IMO: Continuous risk management
  • USCG: Vulnerability and patch management
  • IACS E26: Lifecycle cybersecurity

Inspector logic:
“Can you prove systems are maintained?”

C. Vendor Account Expiry

Checklist item:
Automatic disabling of temporary access

Regulatory mapping:

  • IMO: Access lifecycle control
  • USCG: Least-privilege enforcement
  • IACS E27: Secure access design

Inspector logic:
“Do vendor accounts persist after work?”

5. Emergency Preparedness (Cyber-Seaworthiness)

A. Manual Override Readiness

Checklist item:
Practicing manual navigation and control

Regulatory mapping:

  • IMO: Recovery and continuity of safe operation
  • USCG: Operational resilience
  • IACS E27: Degraded-mode operation

Inspector logic:
“Can the vessel sail safely without screens?”

B. Offline Backup Verification

Checklist item:
Encrypted, offline backups

Regulatory mapping:

  • IMO: Recovery capability
  • USCG: Backup and restoration expectations
  • IACS E26: Secure recovery mechanisms

Inspector logic:
“Can you recover without the network?”

C. Integrated Cyber Drills

Checklist item:
Cyber scenarios embedded in safety drills

Regulatory mapping:

  • IMO: Cyber risk within SMS drills
  • USCG: Crew preparedness and response
  • IACS E27: Incident response readiness

Inspector logic:
“Is cyber treated like fire or flooding?”

Final Thoughts

From a regulatory perspective:

  • IMO asks: Is cyber risk managed as an operational safety risk?
  • USCG asks: Can you demonstrate control and response onboard?
  • IACS asks: Is cybersecurity engineered into the vessel and its systems?

This checklist aligns with all three—without turning cyber into a paperwork exercise.
