The US Coast Guard’s first-ever mandatory cybersecurity framework for ports, vessels, and offshore facilities has taken effect, ending two decades of voluntary compliance and putting operators on a countdown with a 2027 deadline.
The regulations affect any US-flagged vessel or maritime facility subject to the Maritime Transportation Security Act of 2002 and require that they develop and maintain a cybersecurity plan, designate a cybersecurity officer (CySO), conduct annual assessments, and train any information- and operational-technology workers on their cybersecurity duties.
The regulations resemble the requirements for other industries, such as the National Electric Reliability Council’s Critical Infrastructure Protection (NERC-CIP) plan, which has improved cybersecurity across the power-generation and distribution ecosystem, says Elan Alvey, principal industrial consultant at Dragos, an industrial cybersecurity provider.
“Regulation has helped — it’s not the fix for everything, because threat groups are pretty sneaky,” he says. “But, it gets rid of a lot of the low-hanging fruit that your opportunists, hackers, your ransomware folks, will see and say, ‘Oh, it’s open. Let’s go [attack] it.’”
The cybersecurity regulations come as the maritime transportation industry has suffered some major cyberattacks, including the NotPetya attack that halted shipping by AP Moller-Maersk and global positioning system attacks that caused ships to run aground. International standards already require similar cybersecurity measures for transoceanic shipping and foreign-flagged vessels. Other oil-and-gas producing nations, such as Norway, have made decisive moves to strengthen the cybersecurity of ships and offshore facilities.
In 2025, the US Coast Guard expanded the requirements of the Maritime Transportation Security Act of 2002 to include mandatory reporting of cybersecurity incidents starting in July 2025, followed by cybersecurity training for all IT and OT workers on their roles and responsibilities under the law by January of this year. The rule mirrors how the post-9/11 MTSA reshaped physical port security, signaling that Washington aims to shore up maritime cybersecurity, Dragos’s Alvey stated in an analysis.
The next deadline is in July, when every US-flagged vessel or outer-continental shelf (OCS) facility — think oil rigs — needs to have completed a cybersecurity assessment and created a cybersecurity plan that enforces segmentation between IT and OT networks.
A New Role: CySO
The underlying principle of the MTSA is that ships, oil rigs, and other maritime facilities must enforce security and require that their suppliers and vendors do the same. Companies should expect similar requirements to expand to other industries, if they are not already in place, says Trey Ford, chief strategy and trust officer at Bugcrowd, a crowdsourced cybersecurity firm.
“Large industrial suppliers should treat this as the leading indicator for what is coming across every regulated sector and start building accountability into their program design now, before the deadline forces it,” he says. “The ICS/SCADA universe should pay attention — I trust regulators will be looking their direction soon.”
Among the most significant changes wrought by the new regulations is that every US-flagged vessel, facility, or outer continental shelf (OCS) facility must designate a cybersecurity officer (CySO) to take responsibility for the cybersecurity of both the IT and OT infrastructure, mirroring existing roles under the MTSA, such as the facility security officer.
The scope of duties for the CySO is different than for a traditional chief information security officer, says Dragos’s Alvey.
“The CISO is [about] your technical, everyday IT information,” he says. “To me, the cybersecurity officer is more of a regulatory officer, because they’re in charge of ensuring that not only are you following the regulations, but if there were incidents or anything that’s reportable, they’re also in charge of that.”
Biggest Challenge Dead Ahead
The final stage of the MTSA cybersecurity rollout, which must be completed by July 16, 2027, is the most challenging: network segmentation. Even land-based companies have trouble meeting that cybersecurity goal. In a 2025 survey, networking giant Cisco found that 94% of organizations encountered problems with segmentation due to the complexity of their environments, a lack of visibility, and difficulty identifying legitimate information flows.
Unfortunately, there is no simple solution, Amer Akhter, senior director of product management for Cisco, stated in his review of the survey results.
“There’s no ‘box’ or single product that one can purchase. Nor is there a single approach that can be modeled as a best practice for every use case,” he said. “Instead, organizations are having to rely on multiple segmentation methods. Unfortunately, this lack of clarity can add complexity to an already complex situation. The result? Many, too many, segmentation projects fail.”
Dragos’s Alvey notes that companies are expected to complete network segmentation within roughly a year and a half, a timeline he views as tight given the multiple prerequisite steps involved (asset inventory, architectural design, etc.), and one likely to prompt pushback from regulated entities.
“Just because you’re compliant, doesn’t mean you’re secure,” he says.
And that is where the MTSA cybersecurity requirements can help prepare facilities and companies, Bugcrowd’s Ford says. Beyond the defenses, the training, and the new roles, the requirements focus on what happens when there is an incident. Network segmentation helps slow down lateral movement by attackers, regular assessments can detect where defenses or visibility have failed, and requiring secure design from the start means that the organization is moving toward a destination.
That’s a lesson that every company should take to heart, Ford says.
“The MTSA gets one foundational thing right that most enterprise programs still resist: the assumption of failure,” he says. “It treats the question as not whether a system can be compromised, but whether you will know before an adversary acts on it.”

