NIS2 for the maritime sector
Ship management systems, dynamic positioning (DP) systems, load computers and port management systems fall under NIS2 and IMO MSC-FAL.1/Circ.3 guidelines. OT cybersecurity here is a fleet-wide issue.
OT systems that fall under NIS2
What NIS2 means for your OT
DP system vulnerability
Dynamic positioning systems are safety-critical. Cyber attacks on GNSS input or thruster control have immediate physical effects on the vessel.
Satellite connections as attack path
VSAT and 4G/5G connections at sea are broad attack vectors. Ship networks are rarely segmented. ECDIS and CCTV are often on the same network.
Port infrastructure and IACS
IACS UR E26 (ship systems) and E27 (ship equipment) are mandatory for newbuilds. NIS2 adds demonstrability requirements for port operators and shipping companies.
Three steps to NIS2 compliance
Ship network segmentation
Separation of navigation OT (ECDIS, DP, IAS) from the IT network (VSAT, crew wifi, CCTV) via a hardware firewall. In line with IMO MSC-FAL.1/Circ.3.
Secure remote access on board
Ship-based jump server for maintenance by OEM and shipping company. Session logging, MFA and time limits, even at low bandwidth via VSAT.
IACS UR E26/E27 alignment
Gap analysis based on IACS Unified Requirements E26/E27 and the NIS2 Article 21 requirements, resulting in a combined evidence package for flag state and regulator.
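As an added illustration (not part of the original page or of any vendor tooling), the sketch below checks exported flow records against the segmentation and jump-server rules described in the steps above, which is the kind of repeatable evidence a gap analysis can attach. The subnets, the jump server address, the sample flows and the function names are all constructed assumptions.

```python
import ipaddress

# Constructed zone plan (assumption): replace with the vessel's documented subnets.
ZONES = {
    "nav_ot": ["10.10.1.0/24"],  # ECDIS, DP, IAS
    "it": ["10.20.0.0/16"],      # VSAT, crew wifi, CCTV
    "dmz": ["10.30.0.0/28"],     # ship-based jump server
}
JUMP_SERVER = "10.30.0.5"        # constructed address

# Constructed flow records (src, dst, dst_port), e.g. from a firewall or switch export.
FLOWS = [
    ("10.10.1.11", "10.10.1.20", 502),    # ECDIS -> IAS, inside navigation OT
    ("10.20.5.40", "10.30.0.5", 443),     # OEM session over VSAT -> jump server
    ("10.30.0.5", "10.10.1.30", 3389),    # jump server -> DP operator station
    ("10.20.9.77", "10.10.1.11", 445),    # crew wifi client -> ECDIS
    ("10.10.1.30", "10.20.0.1", 53),      # DP station -> VSAT router
    ("192.168.88.2", "10.10.1.20", 502),  # source in no documented zone
]

def zone_of(ip):
    """Return the zone name for an address, or None if it is undocumented."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return zone
    return None

def audit(flows):
    """List flows that cross the navigation OT boundary outside the jump-server path."""
    findings = []
    for src, dst, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz is None or dz is None:
            reason = "endpoint outside documented zones"
        elif sz == dz or "nav_ot" not in (sz, dz):
            continue  # same zone, or IT <-> DMZ traffic that never touches OT
        elif src == JUMP_SERVER and dz == "nav_ot":
            continue  # the one sanctioned path into navigation OT
        else:
            reason = f"{sz} -> {dz} crosses the OT boundary without the jump server"
        findings.append((src, dst, port, reason))
    return findings

if __name__ == "__main__":
    for finding in audit(FLOWS):
        print(finding)
```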
OT security and machine refit often go hand in hand. A refit to a modern PLC also improves your NIS2 posture.
Start your NIS2 assessment for Maritime & offshore
A gap analysis starts with a technical intake specific to your sector and OT landscape.