Reference · IACS E26/E27 · IMO · IEC 62443

Maritime OT cybersecurity glossary.

Plain-English definitions for every technical term used in maritime OT cyber security — from CSDD and CBS to ZTNA and SuC. Written for ETOs, DPAs, fleet managers, and anyone who has ever stopped reading a playbook to Google an acronym.

A
Access Control List (ACL)
Network · E26

A set of rules on a firewall or managed switch that defines which network traffic is permitted to pass between zones. An ACL typically specifies source IP, destination IP, protocol, and port. In maritime OT, ACLs form the “conduits” between security zones — every allowed communication flow must be explicitly listed. The default rule must be Deny All.

Automatic Identification System (AIS)
OT System

A shipboard transponder system that broadcasts vessel identity, position, course, and speed to other ships and shore stations. AIS is a Category II CBS under E26 and is a known attack vector — AIS spoofing can broadcast false position data. AIS receivers must be isolated from systems that could affect navigation decisions.

Alarm Monitoring System (AMS)
OT System · E26

A centralised system that aggregates alarms from machinery, safety, and navigation systems across the vessel. The AMS is typically a Category II or III CBS — failure or compromise could mask critical equipment alarms. AMS systems must be included in the CBS inventory and protected within the appropriate security zone.

E26 §4.1 · Asset Inventory →
Asset Inventory
E26 · E27 · IMO

A documented register of all Computer Based Systems (CBS) onboard a vessel, including hardware, software, firmware versions, IP addresses, physical locations, and communication interfaces. The asset inventory is the first mandatory deliverable under IACS UR E26 §4.1.1 and IMO MSC-FAL.1/Circ.3. It is sometimes called the “CBS Register” or “Equipment List.”

Attack Surface
OT · IT

The total number of entry points through which an attacker could attempt to access a system — including open network ports, running services, physical interfaces (USB, RJ45), wireless radios, and user accounts. Reducing the attack surface is a core principle of OT hardening: every unnecessary port, service, and account that is disabled removes a potential attack vector.

B
BIMCO Cyber Security Guidelines (BIMCO v4/v5)
Industry Standard

Industry guidelines published by the Baltic and International Maritime Council (BIMCO) in collaboration with other shipping associations. Version 4 is the current edition; version 5 is expected. Referenced by P&I clubs and vetting systems (TMSA, SIRE). Not legally mandatory but widely used as the industry baseline for fleet cyber security programmes. Aligns with the NIST Cybersecurity Framework and IMO MSC-FAL.1/Circ.3.

Blackout and Recovery Test
OT · E26

A commissioning and periodic trial that simulates total loss of main electrical power to verify that critical systems restart in the correct sequence and security controls (firewalls, IDS, authentication systems) remain operational during and after the power transition. Required under E26 as part of cyber resilience testing.

Break-Glass Access
E26 · E27

An emergency access procedure that bypasses normal authentication controls when the primary access mechanism fails — for example, if the authentication server is offline or an MFA token is lost at sea. Break-glass credentials are stored in a physically sealed envelope and must be changed immediately after use. Every break-glass event must be logged.

C
Computer Based System (CBS)
E26 · E27

The fundamental unit of scope in IACS UR E26 and E27. A CBS is any programmable electronic system used in ship operations — including PLCs, HMIs, ECDIS, PMS, AMS, and network equipment. Every CBS must be listed in the asset inventory, assigned a criticality category, and placed within a security zone. The total set of CBS in scope defines the vessel’s cyber security boundary.

E26 §1.3 · Asset Inventory →
Conduit
E26 · Network

In the IACS/IEC 62443 framework, a conduit is the controlled communication path between two security zones. Every data flow crossing a zone boundary must pass through a conduit — typically implemented as a firewall rule set (ACL). If no conduit is defined between two zones, no traffic should flow between them. Conduits must be documented in the Zones and Conduits Diagram.

Cyber Security Design Description (CSDD)
E26 · Document

The primary technical document submitted to the Class society for E26 approval. The CSDD defines the vessel’s “trust boundary” — which CBS are in scope, how they are grouped into zones, what conduits exist between zones, and which systems have been excluded with documented justification. The CSDD is required by E26 §5.1.1 and must be submitted before vessel delivery.

E26 §5.1.1 · CSDD & Exclusion →
Company Security Officer (CSO)
Role · IMO

The shore-based officer designated by the company responsible for the security of the vessel under the ISPS Code. In the context of cyber security, the CSO is typically the primary contact for reporting cyber incidents to shore. Under IMO MSC-FAL.1/Circ.3, the CSO is responsible for ensuring the company’s SMS includes cyber risk management.

Criticality Category II / III (Cat II / Cat III)
E26 · E27

The classification system used in IACS UR E22 and referenced in E26 to assign risk levels to CBS. Category III systems are those whose failure could lead to loss of life, loss of the vessel, or serious environmental damage (e.g. propulsion, steering, fire detection). Category II systems are important but not immediately safety-critical (e.g. CCTV, cargo management). Category III systems require the highest level of protection and must be in isolated zones.

E22 · E26 §4.1 · Criticality Mapping →
D
Data Diode
Network · E26

A hardware device that enforces one-way data flow between two networks. Data can only travel in one direction — typically from the OT network to the monitoring network — making it physically impossible for any traffic to enter the OT environment from outside. Data diodes provide the strongest possible zone boundary for critical systems and are referenced in E26 §4.2.3 for mission-critical zones.

E26 §4.2.3 · Data Diodes →
Deny All (Default Deny)
Network · E26

The security principle that all network traffic is blocked by default, and only explicitly approved communication flows are permitted. The opposite of “Allow All.” In maritime OT, every firewall and ACL must implement Deny All as the final rule, with only the documented conduit traffic permitted above it. This is a mandatory principle under E26 and IEC 62443.
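
The ACL, Conduit and Deny All entries describe one mechanism from three angles; the following added example (not part of the glossary or any vendor product) puts them together: zones hold address ranges, each documented conduit is an explicit allow rule, the last rule is Deny All, and a small lint flags rule sets that break that pattern. Zone names, address ranges, conduit ids and ports are constructed assumptions.

```python
"""Zone/conduit ACL evaluation with Default Deny (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Three-zone model from the glossary, with constructed address ranges.
ZONES = {
    "Zone1-OT":   ipaddress.ip_network("10.10.0.0/16"),
    "Zone2-IT":   ipaddress.ip_network("10.20.0.0/16"),
    "Zone3-iDMZ": ipaddress.ip_network("10.30.0.0/16"),
}

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" | "deny"
    src: str               # zone name or "any"
    dst: str
    proto: str             # "tcp" | "udp" | "any"
    port: Optional[int]    # destination port; None = any
    conduit_id: str = ""   # reference to the Zones and Conduits Diagram

# Documented conduits first, then the mandatory final Deny All (constructed).
RULESET = [
    Rule("allow", "Zone1-OT",   "Zone3-iDMZ", "udp", 514, "C-01 syslog to iDMZ collector"),
    Rule("allow", "Zone3-iDMZ", "Zone1-OT",   "tcp", 502, "C-02 brokered Modbus to PLC"),
    Rule("allow", "Zone2-IT",   "Zone3-iDMZ", "tcp", 443, "C-03 IT to iDMZ proxy"),
    Rule("deny",  "any", "any", "any", None, "DENY ALL"),
]

def zone_of(ip: str) -> Optional[str]:
    """Zone containing the address, or None for a host outside every zone."""
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), None)

def _match(field: str, value: Optional[str]) -> bool:
    return field == "any" or field == value

def evaluate(rules, src_ip, dst_ip, proto, port):
    """First-match evaluation. Returns (action, conduit_id).
    A host in no zone can only ever match 'any' rules, so it reaches Deny All."""
    s, d = zone_of(src_ip), zone_of(dst_ip)
    for r in rules:
        if (_match(r.src, s) and _match(r.dst, d) and _match(r.proto, proto)
                and (r.port is None or r.port == port)):
            return r.action, r.conduit_id
    # Nothing matched: without an explicit terminal deny the decision would
    # fall through to the device default, which is the failure mode to avoid.
    return "deny", "IMPLICIT (no matching rule)"

def check_ruleset(rules):
    """Lint for Deny All compliance. Returns a list of problems (empty = OK)."""
    problems = []
    if not rules or rules[-1].action != "deny" or rules[-1].src != "any" or rules[-1].dst != "any":
        problems.append("final rule is not an explicit Deny All")
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        if r.src == "any" or r.dst == "any" or r.port is None:
            problems.append(f"rule {i} ({r.conduit_id or 'unnamed'}) allows an undocumented conduit")
        elif r.src == r.dst:
            problems.append(f"rule {i} allows intra-zone traffic through a conduit rule")
    return problems

if __name__ == "__main__":
    flows = [("10.10.2.5", "10.30.0.10", "udp", 514),   # PLC syslog to collector: allow
             ("10.20.0.7", "10.10.2.5", "tcp", 502),    # IT host straight to PLC: deny
             ("10.30.0.10", "10.10.2.5", "tcp", 502),   # brokered from iDMZ: allow
             ("192.168.1.9", "10.10.2.5", "tcp", 502)]  # host in no zone: deny
    for f in flows:
        print(f, "->", evaluate(RULESET, *f))
    print("lint:", check_ruleset(RULESET) or "OK")
    print("lint (bad):", check_ruleset([Rule("allow", "any", "any", "any", None)]))
```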

Demilitarised Zone (DMZ / iDMZ)
Network · E26

A network zone that acts as a buffer between two zones of different trust levels — typically between the OT network and the IT/satellite network. In maritime OT, the Industrial DMZ (iDMZ) is specifically designed to terminate all conduits so that no direct routing path exists between OT and IT. All traffic must be proxied or brokered through the iDMZ. Also called a “neutral zone” or “security air-lock.”

E26 §4.2.3 · iDMZ Deployment →
Document of Compliance (DOC)
IMO · Document

The certificate issued to a shipping company confirming that their Safety Management System (SMS) has been verified against the ISM Code. The DOC is held by the company (not the vessel). IMO Resolution MSC.428(98) requires that cyber risk management be incorporated into the SMS by the first annual DOC verification after 1 January 2021 — making the annual DOC audit the enforcement mechanism for IMO cyber compliance.

Designated Person Ashore (DPA)
Role · IMO

The shore-based manager with direct access to the highest level of management, responsible for ensuring the safe operation of each ship and providing a link between the company and those on board. Under the ISM Code, the DPA is responsible for the SMS. In practice, the DPA often has ultimate accountability for cyber risk management implementation across the fleet.

Deep Packet Inspection (DPI)
Network

A firewall capability that examines the content of network packets — not just their headers — to detect malicious payloads, protocol violations, or unauthorised commands. In maritime OT, DPI firewalls can enforce protocol whitelisting (e.g. allowing only valid NMEA sentences or Modbus read commands) and block any unexpected protocol behaviour even within an approved conduit.

E
Electronic Chart Display and Information System (ECDIS)
OT System · E26

The primary navigation system on the bridge of modern vessels, displaying the vessel’s position on electronic charts. ECDIS is a Category III CBS — compromise could directly affect safe navigation. ECDIS systems are a frequent target because they run Windows operating systems, require regular chart updates (introducing removable media risk), and are often connected to the IT network for update delivery.

E26 Cat III · OS Hardening →
Engine Control Room (ECR)
OT

The centralised control point for machinery systems — propulsion, power generation, and auxiliary equipment. The ECR contains the highest concentration of Category III CBS on most vessels. Physical access to the ECR must be restricted and logged under E26 §4.4 secure space requirements. ECR workstations are primary targets for credential theft and malware installation via USB.

Endpoint Detection and Response (EDR)
Security Tool · E27

A security tool that monitors endpoint devices (workstations, servers) for malicious behaviour in real time and provides response capabilities — blocking, isolating, or alerting. In maritime OT, standard EDR agents can destabilise control system workstations. Application whitelisting-based EDR tools designed for OT environments are preferred over traditional antivirus or IT-oriented EDR solutions.

E27 §4.3.2 · Anti-Malware →
Electro-Technical Officer (ETO)
Role

The officer onboard responsible for all electrical, electronic, and IT systems. Under IACS UR E26 and E27, the ETO is the primary implementer of cyber security controls — maintaining the asset inventory, managing access credentials, applying patches, executing incident response procedures, and managing OEM service access. TAGSIA’s playbooks are written specifically so that the ETO can execute them without shore-side support.

F
Factory Acceptance Test (FAT)
E26 · E27

A formal test conducted at the manufacturer’s facility before a system is shipped to the shipyard, verifying that the CBS meets its specified requirements — including cyber security capabilities under E27. For E26/E27 newbuilds, FATs must include verification of security capabilities. The ETO or lead inspector signs off on FAT results, which form part of the Class submission documentation.

E27 §3.1 · Audit Templates →
Firmware
OT · E27

Low-level software embedded in hardware devices — PLCs, sensors, network switches, and controllers. Firmware updates are one of the highest-risk activities in maritime OT because a failed update can render a critical system inoperative. Under E26/E27, firmware versions must be documented in the asset inventory, updates must be OEM-approved and tested before deployment, and a rollback procedure must exist.

G
Golden Image
E26 · E27

A verified, pre-configured, and hardened master copy of an operating system or application installation for a specific CBS. In a ransomware scenario, the golden image allows the ETO to wipe a compromised system and restore it to a known-good state in under 30 minutes — without internet access or shore-side support. Golden images must be stored offline and verified periodically.

H
Hardening
OT · E27

The process of reducing a system’s attack surface by disabling unnecessary services, closing unused ports, removing default accounts, and applying security configurations. In maritime OT, hardening must be done carefully — disabling a service that an OEM’s monitoring tool relies on can cause operational problems. Hardening actions must be documented and tested before deployment.

E27 §4.3.1 · OS Hardening →
Human Machine Interface (HMI)
OT System · E26

A touchscreen or desktop workstation that provides the operator interface to a control system — showing system status, alarms, and allowing parameter adjustments. HMIs are a primary attack target in maritime OT because they run Windows, are regularly accessed by crew and service engineers, have USB ports, and are connected to PLCs. Hardening an HMI is one of the most impactful single security actions on a vessel.

I
International Association of Classification Societies (IACS)
E26 · E27

The organisation whose 12 member Class societies (DNV, LR, BV, ABS, ClassNK, RINA, and others) collectively set the technical standards for ship classification. IACS Unified Requirements (URs) become mandatory for all member societies. UR E26 and UR E27 are the two IACS cyber security standards that apply to vessels contracted from 1 July 2024.

Industrial DMZ (iDMZ)
Network · E26

A specialised network zone placed between the OT network and the IT/satellite network that terminates all conduits — ensuring zero direct routing path between OT and IT. The iDMZ acts as a “security air-lock”: data must be proxied or brokered through the iDMZ, preventing any direct attack path from the IT side to OT systems. Required for defence-in-depth under E26 §4.2.3.

E26 §4.2.3 · iDMZ Deployment →
Intrusion Detection / Prevention System (IDS / IPS)
Network · E26

A network device or software that monitors traffic for known attack signatures or anomalous behaviour. An IDS alerts on suspicious activity; an IPS actively blocks it. In maritime OT, passive IDS (detection only) is preferred over active IPS because an IPS that incorrectly blocks legitimate PLC traffic could cause a safety incident. IDS alerts must be reviewed by the ETO and correlated with the traffic baseline.

E26 §4.3 · IDS/IPS →
International Maritime Organization (IMO)
IMO

The United Nations agency responsible for the safety and security of international shipping. IMO Resolution MSC.428(98) — adopted 2017 — mandated that cyber risk management be incorporated into ships’ Safety Management Systems by January 2021. IMO does not enforce directly; enforcement is through flag state administrations and Port State Control.

ISM Code (ISM)
IMO

The International Safety Management Code — an IMO standard requiring shipping companies to implement a Safety Management System (SMS) for the safe operation of ships. The ISM Code applies to most commercial vessels under SOLAS. IMO cyber requirements flow through the ISM Code — the requirement to address cyber risk in the SMS is enforced via annual ISM audits and Port State Control.

M
Multi-Factor Authentication (MFA)
E26 · E27

An authentication method requiring two or more verification factors — typically something you know (password), something you have (hardware token), or something you are (biometric). E26 §4.2.3 mandates MFA for all remote access to OT systems from untrusted networks. Maritime MFA implementation must account for offline scenarios (no internet, satellite outage) — hardware tokens (FIDO2, TOTP) are preferred over SMS-based solutions.

E26 §4.2.3 · MFA Implementation →
Management of Change (MoC)
E26 · Process

A formal procedure for controlling and documenting changes to hardware, software, or configuration of CBS. Under E26 §5.3.1, every change must be assessed for impact on the vessel’s cyber security profile before implementation. The MoC process ensures the asset inventory and CSDD remain accurate throughout the vessel’s operational life. All changes require approval and a tested rollback plan.

E26 §5.3.1 · MoC Form →
Modbus
Protocol

A serial communication protocol widely used in maritime OT to communicate between PLCs, sensors, and HMIs. Modbus has no built-in authentication or encryption — any device on the network can send commands. Modbus TCP (over Ethernet) is particularly risky as it extends the attack surface from a serial cable to the full IP network. Firewall rules must restrict Modbus traffic to authorised devices only.
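
The DPI entry above mentions allowing only Modbus read commands through an approved conduit, and the Modbus entry explains why that matters (no authentication, any device can send commands). This added example, written for the glossary and not taken from any firewall product, parses the Modbus TCP MBAP header and function code and passes only the four read-only public function codes between an authorised client/server pair. The IP addresses and frames are constructed sample traffic.

```python
"""Protocol-level (DPI) filter for a Modbus TCP conduit (added example)."""
import struct
from dataclasses import dataclass
from typing import Optional

# Modbus public function codes that only read data and change no state.
READ_ONLY_FUNCTIONS = {
    0x01: "Read Coils",
    0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers",
    0x04: "Read Input Registers",
}

# Conduit rule: which clients (HMIs) may poll which Modbus servers (PLCs).
# Constructed sample addresses, not from any real vessel.
ALLOWED_CLIENTS = {
    ("10.10.1.20", "10.10.2.5"),   # ECR HMI -> engine PLC
    ("10.10.1.21", "10.10.2.5"),   # second HMI -> engine PLC
}

@dataclass
class Verdict:
    allow: bool
    reason: str
    function_code: Optional[int] = None

def parse_mbap(frame: bytes):
    """Return (transaction_id, protocol_id, length, unit_id, function_code)
    from a Modbus TCP application data unit, or raise ValueError."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (expected 0)")
    # 'length' counts unit id + PDU, so it must equal the bytes after byte 6.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return tid, pid, length, unit, frame[7]

def inspect(src_ip: str, dst_ip: str, frame: bytes) -> Verdict:
    """DPI decision for one Modbus TCP request crossing the conduit.
    Order matters: the conduit check runs before any parsing, so an
    undocumented host is dropped even if its frame is well formed."""
    if (src_ip, dst_ip) not in ALLOWED_CLIENTS:
        return Verdict(False, f"no conduit from {src_ip} to {dst_ip}")
    try:
        _, _, _, _, fc = parse_mbap(frame)
    except ValueError as exc:
        return Verdict(False, f"malformed Modbus frame: {exc}")
    if fc & 0x80:
        return Verdict(False, "exception response seen in request direction", fc)
    if fc in READ_ONLY_FUNCTIONS:
        return Verdict(True, READ_ONLY_FUNCTIONS[fc], fc)
    return Verdict(False, f"function code 0x{fc:02x} not in read-only whitelist", fc)

def build_request(fc: int, addr: int, value: int, unit: int = 1, tid: int = 1) -> bytes:
    """Build a minimal Modbus TCP request (constructed test traffic).
    'value' is the quantity for reads or the data word for single writes."""
    pdu = struct.pack(">BHH", fc, addr, value)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

if __name__ == "__main__":
    samples = [
        ("10.10.1.20", "10.10.2.5", build_request(0x03, 0x0000, 10)),  # read registers
        ("10.10.1.20", "10.10.2.5", build_request(0x06, 0x0010, 1)),   # write register
        ("10.10.3.9",  "10.10.2.5", build_request(0x03, 0x0000, 10)),  # undocumented host
        ("10.10.1.20", "10.10.2.5", b"\x00\x01\x00\x00"),              # truncated frame
    ]
    for src, dst, frame in samples:
        v = inspect(src, dst, frame)
        print(f"{src} -> {dst} {'ALLOW' if v.allow else 'DROP '} {v.reason}")
```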

N
NIST Cybersecurity Framework (NIST CSF)
E26 · IMO

A framework developed by the US National Institute of Standards and Technology organising cyber security activities into five functions: Identify, Protect, Detect, Respond, and Recover. IACS UR E26, IMO MSC-FAL.1/Circ.3, and BIMCO Guidelines all align with this five-function structure. TAGSIA’s five playbook phases map directly onto the NIST CSF.

NMEA 0183 / NMEA 2000 (NMEA)
Protocol

Communication standards used by navigation equipment on vessels. NMEA 0183 is a serial protocol for point-to-point navigation data (GPS, AIS, depth, wind). NMEA 2000 is a bus-based network standard for multiple devices. Neither protocol has built-in security. NMEA data injection attacks can feed false position, heading, or environmental data to bridge systems. Firewall rules must validate NMEA traffic sources.

Network Time Protocol (NTP)
E26 · E27

A protocol for synchronising clocks across networked devices. In maritime OT, NTP synchronisation is essential for audit log integrity — if devices have different clocks, security events cannot be correlated during incident investigation. E26 §4.4 and E27 §4.3 require that all CBS maintain synchronised time. The trusted NTP source must be internal to the vessel to avoid dependence on the satellite link.

E26 §4.4 · NTP Management →
O
Original Equipment Manufacturer (OEM)
E27 · Role

The manufacturer of a shipboard system or component. Under IACS UR E27, OEMs must demonstrate that their equipment meets defined security capabilities before it can be installed on an E26 vessel. OEM remote access for maintenance is one of the highest cyber risk vectors — access must be session-based, logged, authorised per visit, and terminated when the session ends.

Operational Technology (OT)
OT

Hardware and software that monitors and controls physical processes — as opposed to IT, which processes information. In maritime, OT includes propulsion control, power management, steering, navigation, and cargo systems. OT security differs fundamentally from IT security: availability is paramount, patching is complex, systems cannot be rebooted during operations, and standard IT security tools can cause physical harm if they disrupt a control system.

P
Programmable Logic Controller (PLC)
OT System · E26

An industrial computer used to automate machinery processes — controlling pumps, valves, compressors, and other equipment based on sensor inputs and programmed logic. PLCs are Category III CBS on most vessels. Many PLCs have no authentication and run proprietary protocols (Modbus, PROFIBUS, DNP3) that predate modern security practices. PLC firmware modification is one of the most serious attack types (similar to the Stuxnet attack on industrial systems).

Power Management System (PMS)
OT System · E26

The control system managing electrical power generation and distribution across the vessel — controlling generators, load sharing, blackout prevention, and power restoration. PMS is a Category III CBS: compromise or disruption could cause a blackout, loss of propulsion, or uncontrolled load shedding. PMS systems must be isolated in the highest-security zone with strict conduit controls.

E26 Cat III · UPS & Power →
Port State Control (PSC)
IMO

The authority of a port state to inspect foreign vessels in its ports to verify compliance with international regulations. PSC officers from MOU regimes (Paris MOU, Tokyo MOU, etc.) can inspect vessels for compliance with SOLAS, ISM Code, and MARPOL. Failure to demonstrate cyber risk management in the SMS is an ISM deficiency that can result in detention. PSC cyber inspections are increasing in frequency.

R
Role-Based Access Control (RBAC)
E27 · E26

An access control model where permissions are assigned to roles rather than to individual users. Users are assigned to roles, inheriting only the permissions needed for their job function. Under E27 §4.2.1, every CBS must implement RBAC with least privilege enforcement — no user should have more access than required for their specific tasks. An ETO should have different permissions from an operator or an OEM service engineer.

E27 §4.2.1 · RBAC Matrix →
Rogue Device
E26 · Network

Any hardware device that appears on the OT network without authorisation — a laptop plugged into a switch, an undocumented wireless access point, or a service engineer’s device that was not removed after a maintenance visit. Rogue devices represent one of the most common real-world attack vectors in maritime OT. The detection system must compare live network devices against the golden asset inventory and alert on any unrecognised device.
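
The comparison the Rogue Device entry calls for, as an added example (not code from the glossary or from any detection product): a live view of the network is matched against the golden asset inventory by MAC address, and anything unregistered, moved to another port or IP, or missing is reported. The inventory rows, MAC addresses, IPs and switch port names are constructed; real registers carry more columns (firmware, zone, criticality) than shown here.

```python
"""Rogue device check: live network view vs. golden asset inventory (added example)."""
import csv
import io
import re
from dataclasses import dataclass

# Golden asset inventory (constructed sample rows).
INVENTORY_CSV = """\
asset_id,name,mac,ip,switch_port,zone
CBS-001,Engine PLC,00:1B:1B:12:34:56,10.10.2.5,Gi1/0/1,Zone1
CBS-002,ECR HMI,00:50:56:AA:10:20,10.10.1.20,Gi1/0/5,Zone1
CBS-003,PMS Controller,00:1B:1B:77:88:99,10.10.2.6,Gi1/0/2,Zone1
"""

# Live view (constructed): what the switch MAC table and ARP entries report now.
# MAC formats deliberately differ, as they do across switch and OS outputs.
LIVE_DEVICES = [
    {"mac": "001b.1b12.3456",    "ip": "10.10.2.5",  "port": "Gi1/0/1"},  # PLC, as registered
    {"mac": "00-50-56-AA-10-20", "ip": "10.10.1.20", "port": "Gi1/0/7"},  # HMI on another port
    {"mac": "3C:22:FB:01:02:03", "ip": "10.10.1.99", "port": "Gi1/0/9"},  # not in inventory
]

def normalise_mac(mac: str) -> str:
    """Canonicalise aa:bb:.. / aa-bb-.. / aabb.ccdd.eeff to lowercase colon form,
    so the same device is recognised however the source prints it."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def load_inventory(text: str) -> dict:
    """Index the register by canonical MAC."""
    return {normalise_mac(r["mac"]): r for r in csv.DictReader(io.StringIO(text))}

@dataclass
class Finding:
    severity: str   # "rogue" | "moved" | "missing"
    mac: str
    detail: str

def check(inventory: dict, live: list) -> list:
    """Compare live devices with the register and return findings."""
    findings, seen = [], set()
    for dev in live:
        mac = normalise_mac(dev["mac"])
        seen.add(mac)
        known = inventory.get(mac)
        if known is None:
            findings.append(Finding("rogue", mac,
                f"unregistered device at {dev['ip']} on {dev['port']}"))
            continue
        if dev["ip"] != known["ip"] or dev["port"] != known["switch_port"]:
            findings.append(Finding("moved", mac,
                f"{known['name']} registered at {known['ip']}/{known['switch_port']}, "
                f"seen at {dev['ip']}/{dev['port']}"))
    # Registered but absent: offline, or unplugged to free a port for something else.
    for mac, row in inventory.items():
        if mac not in seen:
            findings.append(Finding("missing", mac, f"{row['name']} not seen on network"))
    return findings

if __name__ == "__main__":
    for f in check(load_inventory(INVENTORY_CSV), LIVE_DEVICES):
        print(f"[{f.severity.upper():7}] {f.mac} {f.detail}")
```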

S
Satellite Communications (SATCOM / VSAT)
OT · E26

The vessel’s primary internet and communication connection to shore. SATCOM is the highest-risk entry point for external threats — it connects the vessel to the internet and is the path through which OEM remote access, chart updates, and email are delivered. The SATCOM terminal must be placed in the iDMZ with no direct routing to the OT network. SATCOM links must be logged and monitored.

Security Zone
E26 · Network

A logical or physical grouping of CBS with similar security requirements, isolated from other groups by firewall-enforced conduits. In maritime OT, the standard three-zone model consists of Zone 1 (mission-critical OT: propulsion, navigation), Zone 2 (ship operations/business IT: admin, cargo, crew), and Zone 3 (remote access/DMZ: SATCOM, OEM connections). All CBS must be assigned to a zone.

Safety Management System (SMS)
IMO · Document

The documented management system required by the ISM Code, covering all aspects of the safe operation of ships — including emergency procedures, maintenance, training, and reporting. Under IMO MSC.428(98), cyber risk management must be incorporated into the SMS. For most companies, this means adding a cyber annex covering the five NIST functions (Identify, Protect, Detect, Respond, Recover).

Security Operations Centre (SOC)
IT/Shore

A centralised shore-based team monitoring security events from vessels and responding to incidents. In maritime OT, SOC coverage is limited by satellite bandwidth and latency — a SOC cannot respond in real time to a shipboard incident. The ETO must be able to execute the first 15 minutes of incident response autonomously. SOC involvement typically begins after initial containment.

SOLAS
IMO

The International Convention for the Safety of Life at Sea — the primary international treaty governing maritime safety. Most commercial vessels on international voyages are subject to SOLAS. The ISM Code (and therefore the IMO cyber security requirement) is mandated under SOLAS Chapter IX. IACS UR E26 and E27 apply to vessels under SOLAS that are contracted after 1 July 2024.

System Under Consideration (SuC)
E26 · E27

The term used by DNV and some other Class societies to describe the defined scope of a cyber security assessment — equivalent to the CBS boundary in E26/E27. The SuC defines what is “inside” the security assessment and what is “outside.” For E26 compliance, the SuC is documented in the CSDD. For E27, the SuC is defined in the system scope submission to Class.

Syslog
E26 · Network

A standard protocol for transmitting log messages from network devices (firewalls, switches, workstations) to a centralised log server. In maritime OT, centralised syslog is essential because individual devices have limited storage — a firewall may overwrite logs after 500 entries. A syslog server aggregates all events into a tamper-resistant audit trail sufficient for post-incident forensics and Class evidence.

E26 §4.3 · Syslog Setup →
T
Traffic Baseline
E26 · Network

A documented record of the normal communication patterns on the OT network — which devices talk to which, which protocols are used, and the typical volume and timing of traffic. The baseline is established during a 72-hour observation window and is used to create firewall rules (conduits) and configure anomaly detection alerts. Any deviation from the baseline is a potential indicator of compromise.

U
Uninterruptible Power Supply (UPS)
OT · E26

A battery backup system that keeps critical equipment powered during main power transitions. In maritime OT, the cyber security infrastructure (firewalls, IDS, managed switches, authentication servers) must remain operational during a blackout to maintain protection. A hard reboot of a security device can corrupt its database and leave the vessel blind. Security infrastructure must be on UPS-protected circuits.

USB / Removable Media Control (USB)
E26 · E27

Policies and technical controls governing the use of USB drives and other removable media on OT systems. USB ports are called the “digital gangway” — the primary physical malware delivery vector on vessels. Controls include port disabling (hardware or software), media scanning before connection, authorisation-only access via a formal USB control procedure, and logging of all media use. E26 §5.3 requires documented removable media controls.

E26 §5.3 · USB Protection →
V
Virtual Local Area Network (VLAN)
Network · E26

A logical network segment created on a managed switch using 802.1Q tagging — separating traffic without requiring separate physical cabling. VLANs are the primary tool for implementing zone isolation on existing vessels where new physical cabling is impractical. A VLAN alone is not sufficient security — a managed switch and a firewall are required to enforce the ACL between VLANs and prevent lateral movement.

Virtual Private Network (VPN)
Network · E26

An encrypted tunnel for remote access over the internet. Traditional “always-on” VPNs are high-risk in maritime OT because they create a permanent connection from the internet directly into the vessel’s network. E26 §4.2.3 requires that remote access be session-based — not always-on. ZTNA (Zero Trust Network Access) is the preferred replacement for VPN in maritime OT.

W
Wireless Security (Wi-Fi / Bluetooth)
E26 · Network

Controls governing the use of wireless communication on OT systems. Wi-Fi and Bluetooth extend the attack surface beyond physical ports — an attacker within range can attempt to connect without physical access to the vessel. E26 §4.1 requires that all wireless OT conduits use industry-standard encryption and that no bridge between wireless and wired OT networks is permitted without firewall enforcement.

Z
Zones and Conduits Diagram
E26 · Document

A mandatory technical drawing submitted to Class as part of the CSDD, showing all security zones on the vessel, all CBS within each zone, and all conduits (data flows) between zones with their enforcement mechanism (firewall, ACL, data diode). The Zones and Conduits Diagram is the primary reference document for a Class surveyor inspecting an E26 vessel.

Zero Trust Network Access (ZTNA)
Network · E26

A security model for remote access that grants access only to specific resources on a per-session, per-user, per-device basis — rather than placing a remote user “inside” the network as a VPN does. ZTNA is the gold standard for OEM remote access in maritime OT: the vendor is granted access only to the specific system they need, for the duration of the session, with full session logging. No persistent tunnel exists between sessions.

E26 §4.2.3 · ZTNA and iDMZ →

Now put it into practice

Every term in this glossary links to the playbook that implements it. The full library is free to access.
