Transportation

Hunting for security improvements in Maritime Critical Infrastructure

August 5, 2025
10 min read

The United States Coast Guard (USCG) is the leading government agency tasked with securing the Marine Transportation System (MTS).

Consisting of 95,000 miles of coastline, 361 ports and more than 25,000 miles of waterways, this logistical network enables the movement of people and goods to, from, and on the water, forming a maritime supply chain that is the backbone of U.S. trade with the world.

As a nationwide system, marine transportation supports more than 30 million jobs and contributes over $5 trillion in economic activity annually, making it a major part of the critical Transportation Systems Sector.

In January this year, the Coast Guard updated maritime security regulations by establishing minimum cybersecurity requirements for U.S.-flagged vessels, Outer Continental Shelf facilities, and facilities subject to the Maritime Transportation Security Act of 2002.

Dubbed the 'Final Rule', these requirements took effect on 16 July 2025. The training requirements must be met within six months of that date, while the Cybersecurity Plan must be submitted to USCG for approval within 24 months. Other requirements include:

  • Training for all personnel on threat detection, reporting and OT security
  • Additional training for key personnel on IR and new threats
  • All staff must be trained within 30 days of starting work, and this must be repeated annually
  • A Cybersecurity Officer (CySO) must be appointed
  • A Cybersecurity Assessment must be conducted within 24 months and then annually
  • At least two cybersecurity drills must also be conducted every year

Understanding the maritime cyber security challenge

Given the range of threats the sector faces across land-based ports and support facilities, sea-faring vessels and offshore platforms in the oil and gas industry, Coast Guard Cyber Command (CGCYBER) was established in 2013 to address key concerns.

What started as a 50-person unit has now grown significantly under the Coast Guard's Office of Cyber Forces, part of U.S. Cyber Command, with Cyber Protection Teams conducting external, internal and OT security assessments and publishing a 'Top 12 Mitigations' list in their TLP:CLEAR report on the sector.

USCG and the Cybersecurity and Infrastructure Security Agency (CISA) also conduct proactive threat hunting assessments to help regulated entities understand their risk exposure, and have just released the findings from one such assessment at a maritime organisation so that defenders in other organisations can identify similar weaknesses.

Whilst the proactive threat hunting team did not identify any evidence of malicious cyber activity, they did identify key cybersecurity risks:

  • Insufficient logging
  • Insecurely stored credentials
  • Shared local administrator (admin) credentials across many workstations
  • Unrestricted remote access for local admin accounts
  • Insufficient network segmentation configuration between IT and operational technology (OT) assets
  • Several device misconfigurations, including on production servers
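Two of these findings, shared local administrator credentials and unrestricted remote access for local admin accounts, become visible in logon telemetry once logging is adequate. The Python script below is an added example, not code from the CISA/USCG report: it runs over a constructed set of Windows Security event 4624 (successful logon) records, with made-up host names, account names and IP addresses, flags remote logons (logon types 3 and 10) by local administrator accounts, and then groups them by source address to surface one source reaching many hosts with the same local account, the pattern a shared local admin password enables.

```python
"""Detect remote use of local administrator accounts in Windows logon events.

Added example: the events below are constructed, not taken from the CISA/USCG
threat-hunt report. Each record mimics the fields of a Windows Security event
4624 (successful logon), flattened into a dict with the reporting host added.
"""
from collections import defaultdict

# Windows logon types that imply access from another machine.
REMOTE_LOGON_TYPES = {3: "Network", 10: "RemoteInteractive"}

# Local administrator account names to watch (assumption: the built-in
# Administrator plus a vendor-created local admin seen across workstations).
LOCAL_ADMIN_ACCOUNTS = {"administrator", "svc_localadmin"}

# Constructed sample of events. TargetDomainName equal to the host name means
# the account is local to that machine (SAM account) rather than a domain account.
SAMPLE_EVENTS = [
    {"host": "WKS-01", "EventID": 4624, "LogonType": 10, "TargetUserName": "Administrator",
     "TargetDomainName": "WKS-01", "IpAddress": "10.1.5.23"},
    {"host": "WKS-02", "EventID": 4624, "LogonType": 3, "TargetUserName": "Administrator",
     "TargetDomainName": "WKS-02", "IpAddress": "10.1.5.23"},
    {"host": "WKS-03", "EventID": 4624, "LogonType": 3, "TargetUserName": "Administrator",
     "TargetDomainName": "WKS-03", "IpAddress": "10.1.5.23"},
    # Console logon (type 2) by the local admin: not remote, so not flagged.
    {"host": "WKS-01", "EventID": 4624, "LogonType": 2, "TargetUserName": "Administrator",
     "TargetDomainName": "WKS-01", "IpAddress": "127.0.0.1"},
    # Domain user over RDP: remote, but a domain account, so not flagged here.
    {"host": "WKS-04", "EventID": 4624, "LogonType": 10, "TargetUserName": "jsmith",
     "TargetDomainName": "CORP", "IpAddress": "10.1.5.40"},
    {"host": "SRV-OT-01", "EventID": 4624, "LogonType": 3, "TargetUserName": "svc_localadmin",
     "TargetDomainName": "SRV-OT-01", "IpAddress": "10.1.5.23"},
    # Logoff event (4634): ignored, only successful logons are of interest.
    {"host": "WKS-02", "EventID": 4634, "LogonType": 3, "TargetUserName": "Administrator",
     "TargetDomainName": "WKS-02", "IpAddress": "10.1.5.23"},
]


def is_local_account(event):
    """A logon whose account domain is the host itself is a local (SAM) account."""
    return event["TargetDomainName"].upper() == event["host"].upper()


def remote_local_admin_logons(events):
    """Return 4624 events where a local admin account logged on over the network or RDP."""
    hits = []
    for ev in events:
        if ev["EventID"] != 4624:
            continue
        if ev["LogonType"] not in REMOTE_LOGON_TYPES:
            continue
        if not is_local_account(ev):
            continue
        if ev["TargetUserName"].lower() in LOCAL_ADMIN_ACCOUNTS:
            hits.append(ev)
    return hits


def lateral_movement_sources(events, min_hosts=2):
    """Map source IP -> sorted hosts it reached with a local admin account.

    A single source reaching several hosts with a local account of the same
    name is the classic signature of a shared local administrator password
    being used for lateral movement. Only sources that reached at least
    ``min_hosts`` distinct hosts are returned.
    """
    reach = defaultdict(set)
    for ev in remote_local_admin_logons(events):
        reach[ev["IpAddress"]].add(ev["host"])
    return {ip: sorted(hosts) for ip, hosts in reach.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for ev in remote_local_admin_logons(SAMPLE_EVENTS):
        print(f"{ev['host']}: {ev['TargetUserName']} via "
              f"{REMOTE_LOGON_TYPES[ev['LogonType']]} from {ev['IpAddress']}")
    for ip, hosts in lateral_movement_sources(SAMPLE_EVENTS).items():
        print(f"{ip} reached {len(hosts)} hosts with local admin credentials: {', '.join(hosts)}")
```

On the constructed data the single source 10.1.5.23 reaches four hosts with local administrator accounts, which is exactly the signal that a shared local admin password and unrestricted remote access for that account produce together. The same logic applies to events exported from a SIEM, provided event 4624 is actually being collected, which is why the report lists insufficient logging as a finding in its own right.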

Mitigating maritime security threats

The recommendations range from high-level programme measures to specific technical fixes:

  • Implement Unique Credentials and Access Control Measures for Administrator Accounts
  • Securely Store and Manage Credentials
  • Establish Network Segmentation Between IT and OT Environments
  • Prevent Unauthorized Access via Port 21
  • Establish Secure Bastion Hosts for OT Network Access
  • Implement Comprehensive Logging, Log Retention, and Analysis
  • Securely Configure HTTPS Bindings and Local SQL Server Connection String
  • Enforce Strong Password Policies
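The technical items in this list can be checked against a host inventory before an assessor arrives. The Python audit below is an added example, not tooling from the report or from USCG/CISA. It runs over a constructed inventory (host names, NT hashes, ports, IIS bindings, the connection string and the policy values are all made up) and flags the same classes of weakness: a local Administrator NT hash shared by several hosts, FTP listening on tcp/21, an HTTPS binding with no certificate, a SQL Server connection string carrying a plaintext password for the sa account without encryption, and a password policy below an assumed 14-character floor.

```python
"""Audit a constructed host inventory for the misconfigurations behind the
CISA/USCG recommendations: shared local admin credentials, FTP on port 21,
HTTPS bindings, the local SQL Server connection string and password policy.

Added example. The inventory, hashes and thresholds are constructed for
illustration, not values from the report. Each record holds the NT hash of the
host's local Administrator account (as a credential audit tool would collect
it), listening TCP ports, IIS bindings, the local SQL Server connection string
and the effective local password policy.
"""
from collections import defaultdict

MIN_PASSWORD_LENGTH = 14  # assumption: the policy floor this audit enforces

SAMPLE_INVENTORY = [
    {"host": "WKS-01", "local_admin_nt_hash": "8846f7eaee8fb117ad06bdd830b7586c",
     "listening_tcp": [135, 445, 3389], "iis_bindings": [], "sql_connection_string": None,
     "password_policy": {"min_length": 8, "complexity": False}},
    {"host": "WKS-02", "local_admin_nt_hash": "8846f7eaee8fb117ad06bdd830b7586c",
     "listening_tcp": [135, 445, 3389], "iis_bindings": [], "sql_connection_string": None,
     "password_policy": {"min_length": 8, "complexity": False}},
    {"host": "WKS-03", "local_admin_nt_hash": "8846f7eaee8fb117ad06bdd830b7586c",
     "listening_tcp": [135, 445], "iis_bindings": [], "sql_connection_string": None,
     "password_policy": {"min_length": 14, "complexity": True}},
    {"host": "SRV-OT-01", "local_admin_nt_hash": "0f1e2d3c4b5a69788796a5b4c3d2e1f0",
     "listening_tcp": [21, 80, 443, 1433],
     "iis_bindings": [{"protocol": "http", "port": 80},
                      {"protocol": "https", "port": 443, "certificate": None}],
     "sql_connection_string": "Server=localhost;Database=Historian;User Id=sa;"
                              "Password=Summer2024!;Encrypt=False;",
     "password_policy": {"min_length": 14, "complexity": True}},
]


def parse_connection_string(conn):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    pairs = (p.split("=", 1) for p in conn.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}


def shared_local_admin_hashes(inventory):
    """Group hosts by local admin NT hash; a hash on 2+ hosts means a shared password."""
    by_hash = defaultdict(list)
    for h in inventory:
        by_hash[h["local_admin_nt_hash"]].append(h["host"])
    return {k: v for k, v in by_hash.items() if len(v) > 1}


def audit_host(h):
    """Return the list of finding strings for one host record."""
    findings = []
    if 21 in h["listening_tcp"]:
        findings.append("FTP (tcp/21) listening: cleartext credentials and file transfer")
    protocols = {b["protocol"] for b in h["iis_bindings"]}
    if "http" in protocols and "https" not in protocols:
        findings.append("IIS site served over HTTP only")
    for b in h["iis_bindings"]:
        if b["protocol"] == "https" and not b.get("certificate"):
            findings.append(f"HTTPS binding on port {b['port']} has no certificate bound")
    if h["sql_connection_string"]:
        cs = parse_connection_string(h["sql_connection_string"])
        if "password" in cs or "pwd" in cs:
            findings.append("SQL connection string embeds a plaintext password")
        if cs.get("user id", cs.get("uid", "")).lower() == "sa":
            findings.append("SQL connection string uses the sa account")
        if cs.get("encrypt", "false").lower() not in ("true", "yes", "mandatory"):
            findings.append("SQL connection string does not require encryption")
    pol = h["password_policy"]
    if pol["min_length"] < MIN_PASSWORD_LENGTH or not pol["complexity"]:
        findings.append("Password policy below floor "
                        f"(min_length={pol['min_length']}, complexity={pol['complexity']})")
    return findings


def audit(inventory):
    """Return {host: [findings]} for the inventory, including shared-hash findings."""
    report = {h["host"]: audit_host(h) for h in inventory}
    for nt_hash, hosts in shared_local_admin_hashes(inventory).items():
        for host in hosts:
            report[host].append(f"Local admin NT hash shared with {len(hosts) - 1} other host(s)")
    return report


if __name__ == "__main__":
    for host, findings in audit(SAMPLE_INVENTORY).items():
        for f in findings:
            print(f"{host}: {f}")
```

In a real environment the NT hashes would come from a LAPS or credential-audit export and the port, IIS and SQL Server details from the hosts themselves; the checks stay the same. The shared-hash check is the one worth running first, since a single local administrator password reused across workstations turns any one compromised host into access to all of them.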

The report closes with the standard CISA recommendation that organisations validate their security controls against the MITRE ATT&CK techniques it references, rather than assuming a control works because it is deployed.

Whilst the contents of the report will not surprise security practitioners engaged in other critical industries, the willingness of CISA and USCG to share their insights from these assessments is a positive step to help the sector mature its current security posture.

As the Final Rule comes into force over 2026 and 2027, Overcyte will be reporting on the evolution of maritime cybersecurity and regulations impacting other transportation operators in the United States and beyond.
