NIS2 for the maritime sector

Ship management systems, dynamic positioning (DP) systems, load computers and port management systems fall under NIS2 and IMO MSC-FAL.1/Circ.3 guidelines. OT cybersecurity here is a fleet-wide issue.

In scope

OT systems that fall under NIS2

IAS (Integrated Automation Systems, Kongsberg, Wärtsilä)
DP systems (Kongsberg K-Pos, Marine Technologies)
ECDIS and navigation OT
Load computers and stability monitoring
Port infrastructure: crane controllers, lock systems
GMDSS communication systems

Sector risks

What NIS2 means for your OT

DP system vulnerability

Dynamic positioning systems are safety-critical. Cyber attacks on GNSS input or thruster control have immediate physical effects on the vessel.

Satellite connections as attack path

VSAT and 4G/5G connections at sea are broad attack vectors. Ship networks are rarely segmented. ECDIS and CCTV are often on the same network.

Port infrastructure and IACS

IACS UR E26 (ship systems) and E27 (ship equipment) are mandatory for newbuilds. NIS2 additionally requires port operators and shipping companies to be able to demonstrate their measures.

Our approach

Three steps to NIS2 compliance

01 Ship network segmentation

Navigation OT (ECDIS, DP, IAS) is separated from the IT network (VSAT, crew Wi-Fi, CCTV) by a hardware firewall, in line with IMO MSC-FAL.1/Circ.3.

02 Secure remote access on board

A ship-based jump server handles maintenance access by the OEM and the shipping company, with session logging, MFA and time limits, even at low bandwidth over VSAT.

03 IACS UR E26/E27 alignment

A gap analysis against IACS Unified Requirements E26/E27 and the NIS2 Article 21 requirements, producing a single evidence package for flag state and regulator.

Also relevant

Machine refit in Maritime & offshore

OT security and machine refit often go hand in hand. A refit to a modern PLC also improves your NIS2 posture.

Start your NIS2 assessment for Maritime & offshore

A gap analysis starts with a technical intake specific to your sector and OT landscape.