ABS Consulting’s Michael DeVolld warns that ransomware remains the biggest cyber threat to global shipping, as regulations tighten and operational technology becomes a prime target. Role-based training and stronger collaboration are key to resilience.
As shipping becomes more connected, the threat of cyber disruption grows. Maritime companies are integrating digital systems to improve visibility and efficiency, but attackers are finding more ways in. For an industry that runs on tight schedules and thin margins, cyber risk is now a matter of safety as much as business continuity.
“Whether we are looking at this challenge through an operational or organizational safety lens, cyber risk is a critical business risk. An incident will impact everyone,” said Michael DeVolld, Senior Director of Maritime Cybersecurity at ABS Consulting.
According to DeVolld, ransomware remains the primary threat. “While it’s true that digital ships feature more sophisticated and secure technologies, the cyber risk has not changed: ransomware continues to pose a major threat,” he said, pointing to recent disruptions across major ports in North America, Europe, Australia and Japan.
The growing integration between information technology and operational technology has widened the attack surface. Systems that control navigation, propulsion and cargo handling are increasingly connected to shoreside networks. “If an attacker slipped through weak remote access or an unpatched workstation, they could push legitimate-looking commands straight to safety-critical equipment and change a vessel’s behavior in real time should all other safety and human oversight processes fail,” DeVolld cautioned.
He urged the industry to treat cyber risk like any other safety-of-navigation hazard. That means implementing International Association of Classification Societies (IACS) /E27 requirements, applying International Electrotechnical Commission (IEC) 62443 controls, enforcing multi-factor authentication and maintaining rigorous patching.
New regulations are also raising the cybersecurity baseline. The U.S. Coast Guard’s final rule, effective July 2025, will require U.S.-flagged vessels and regulated facilities to implement cybersecurity plans, designate officers and establish detection and response procedures. In the European Union, the updated NIS2 Directive tightens reporting timelines and strengthens supply chain security.
To support compliance, ABS Consulting has launched role-based training programs for Facility Security Officers, Vessel Security Officers and other personnel. The courses cover threats, incident response and regulatory requirements under the Maritime Transportation Security Act.
“The goal we all share is to protect the industry as a whole, and especially to safeguard the world’s largest supply chain,” DeVolld said.
