Outpacing evolution of the cyber threat: ClassNK
Continuous updating is key in ensuring that the Cyber Security Management System for Ships maintains its effectiveness as a practical framework for managing, mitigating, and reducing cyber security risks, says ClassNK.
Physical strikes on commercial shipping in early 2026 highlight the clear and present dangers facing seafarers and seagoing assets, but the last year has also reinforced the global industry’s growing exposure to cyberattacks.
Maritime cybersecurity specialist Cydome reported a 150% increase in maritime OT cyber incidents last year, with 87% of incidents involving ransomware. Meanwhile, cybersecurity firm CrowdStrike points to global industries experiencing an 89% increase in attacks by AI-enabled adversaries, where the assault on systems is automatically repeated to maximize opportunities for success.
At the same time, GPS spoofing and jamming techniques are now tools used not only by smugglers, pirates and terrorists, but also by nation states in conflict.
With ships more connected and digitally integrated than ever, the priority is to ensure positioning information can be trusted and explained as the data source underpinning safety and regulatory requirements, sanctions-related due diligence, insurance response, and reputational risk - not just navigation.
The growing use of IoT-based tools and the advance of autonomous operations also make it vital to provide structured and proactive cybersecurity management that protects a ship’s entire attack surface, from onboard networks to navigation and engine control systems, and shore connectivity.
Continuity of protection, consistency of approach and vigilance remain key to upholding the principles of cybersecurity - to identify, protect, detect, respond and recover. In addition, though, the rapid spread and evolution of threats demands that all defenses are constantly refreshed.
The imperative is especially clear at a time when the global fleet is ageing. The latest figures from UNCTAD identify 112,500 vessels in the global fleet in January 2025. Weighted for gross tonnage, the average age of ships increased by 3.2% during 2024, to 12.6 years. By vessel number, the average was 22.2 years - 1.8% older than in 2024, across a global fleet which had already aged on average by three years between 2013 and 2023.
Some portion of these ageing ships will continue to prolong the life of OT systems which were not designed for the digital era, using legacy software that it may no longer be feasible to patch.
Indeed, while those managing older assets sometimes interpret the absence of calls for help as a sign all is well, the reality may be that crew face the extra burden of trying to keep obsolete systems working, systems which could not even detect a cyberattack, let alone respond to one.
Third-party certification that assesses shipowner cyber vulnerabilities and provides the formal process to deliver verified resilience has become increasingly critical for owners to ensure they have effective defenses against rising maritime cyber security threats.
In line with provisions for cyber risk assessment adopted by the IMO, ClassNK published comprehensive guidelines for cybersecurity certification in 2019 to mitigate cyber risks in both IT and OT, based on a combination of physical, technical and organizational controls. The layered approach demands clarity not only about what needs to be done, but also about who needs to do it.
The Society subsequently offered extensive guidance on the IACS unified requirements E26 and E27 on cyber resilience for ship systems and ships. Furthermore, it has developed the Cyber Security Management System for Ships (CSMS) as a practical framework for managing, mitigating, and reducing shipboard cyber security risks.
Continuously under review and subject to update, the CSMS process involves evaluating people and process controls, with certification based on an audit of a company’s cyber security policy, procedures and emergency response, and a full risk assessment of shipboard networks. CSMS certification verifies that management systems themselves are in place to ensure there is organizational readiness across the company, as well as onboard ship.
ClassNK’s Guidelines for Designing Cyber Security Onboard Ships focus on secure network building, but follow a multi-layered approach to cyber resilience that takes account of the phases of a ship’s life, from the ‘secure-by-design’ ship to secure operation and software development.
For newbuilds, the focus is on embedding security into the vessel’s DNA before it leaves the dock, by verifying secure network design and mitigating risks using engineering standards. In this case, ClassNK provides ‘CybR-G’ Notation, which indicates that the ship’s cyber security control measures have been verified from the design stage onwards, through document review, construction and testing, and on to delivery and the maintenance audit.
In operations, where the focus is on shipboard inventory and the network architecture, it is critical to verify that the documentation offered matches expectations. Making sure rogue devices are not connected and restricting USB use are widely accepted as best practice, but experience of shipboard network security also highlights that checking firewalls are properly configured and backup files are complete is vital.
IMO updated its Guidelines on Maritime Cyber Risk Management in 2024, but the speed at which technology is advancing and fast-changing geopolitical events make it critical that cyber security services used by shipping keep pace with evolving threats.
This year, ClassNK is redoubling its vigilance on updating its cyber certification to verify that any given client’s CSMS functions effectively across the organization and onboard ship. Here, recent events are reinforcing the critical nature of verifying the availability of the onboard IT/OT systems which contribute to ships’ safe navigation.
ClassNK’s cyber specialists are constantly analyzing the latest cyber security reports and working with external experts to adjust its advice on best practice for onboard cyber security as new threats emerge. It is also continuing to share practical research and regulatory insights that support real-world ship design and operation, and will soon update its ClassNK Security Series with a new set of Guidelines for Cyber Secure Marine Equipment.
Experience shows that cyber security isn’t just a code; it’s a culture. However, the right tools must also be in place to uphold cyber resilience and empower crew with the clear protocols they require to practice a cycle of continuous improvement.