Ransomware Looms Large: Shipping Industry Faces Urgent Cybersecurity Wake-Up Call

Michael DeVolld, Senior Director of Maritime Cybersecurity at ABS Consulting, isn’t mincing words: ransomware is still the biggest cyber threat to global shipping, and the industry needs to wake up to the reality that digital transformation has expanded the attack surface, not shrunk it. “Whether we are looking at this challenge through an operational or organizational safety lens, cyber risk is a critical business risk. An incident will impact everyone,” DeVolld warns. And he’s not just talking about data breaches—he’s talking about real-time disruptions to navigation, propulsion, and cargo handling systems.

The problem isn’t just that digital ships are more connected; it’s that attackers are getting smarter about exploiting those connections. “If an attacker slipped through weak remote access or an unpatched workstation, they could push legitimate-looking commands straight to safety-critical equipment and change a vessel’s behavior in real time should all other safety and human oversight processes fail,” DeVolld cautions. That’s not hyperbole—that’s a scenario that could ground a vessel, delay cargo, or even put lives at risk.

The industry isn’t blind to the threat. New regulations are tightening the screws on cybersecurity compliance. The U.S. Coast Guard’s final rule, set to take effect in July 2025, will require U.S.-flagged vessels and regulated facilities to implement cybersecurity plans, designate officers, and establish detection and response procedures. Meanwhile, the European Union’s updated NIS2 Directive is strengthening supply chain security and tightening reporting timelines. But regulations alone won’t stop ransomware attacks—they’re just the baseline.

DeVolld stresses that cyber risk must be treated like any other safety-of-navigation hazard. That means implementing IACS E26/E27 requirements, applying IEC 62443 controls, enforcing multi-factor authentication, and maintaining rigorous patching. But it also means something more fundamental: role-based training. ABS Consulting has launched programs to train Facility Security Officers, Vessel Security Officers, and other personnel on threats, incident response, and regulatory requirements. “The goal we all share is to protect the industry as a whole, and especially to safeguard the world’s largest supply chain,” DeVolld says.

This isn’t just about compliance—it’s about resilience. The shipping industry runs on tight schedules and thin margins. A cyber incident isn’t just a business disruption; it’s a safety hazard. And as DeVolld makes clear, the only way to stay ahead of the threat is to treat cybersecurity as a shared responsibility, with everyone from the bridge to the boardroom playing their part. The question now is whether the industry will act fast enough to keep pace with the evolving threat.
