The 82% Problem: Why Your Crew Network Is the Real Maritime Cyber Frontline
What the 2026 Marlink Intelligence Report reveals about where maritime cyber attacks actually start — and why segmentation is no longer optional.
The number that should reframe maritime cyber strategy
Ask most people where maritime cyber attacks begin, and they’ll point to OT systems, bridge equipment, or direct targeting of vessel infrastructure. The data tells a very different story.
According to Marlink’s Cyber Intelligence Report for Maritime 2026, 82% of security alerts across monitored maritime environments originate in crew networks. A further 17% come from network support zones. Business and corporate networks, LAN/client environments, OT/ICS systems, and administrative management each account for less than 1%.
In a full year of monitoring across a globally distributed fleet of vessels and offshore assets, the place where almost every incident begins is the network your crew uses to check email, stream video, and call home. This isn’t a marginal finding. It’s a fundamental shift in where maritime cyber defence needs to focus — and most of the industry hasn’t adjusted yet.
Why crew networks became the front line
Three structural changes have converged to make crew connectivity the dominant attack surface:
LEO removed the bandwidth ceiling
For decades, maritime satellite connectivity was expensive, slow, and heavily metered. That created natural limits on what crew could do online. With Low Earth Orbit systems — Starlink being the obvious example — vessels now have land-equivalent bandwidth. Crew use their devices exactly as they would at home: streaming, social media, personal cloud services, app downloads, video calls.
Personal device use is now universal
Smartphones, tablets, and personal laptops connect to onboard Wi-Fi as a matter of course. These devices sit entirely outside the vessel operator’s IT governance. They arrive onboard with whatever security posture the crew member maintains — which is often limited — and go ashore periodically, where they can be infected on any network and brought back onboard.
The maritime industry has rightly prioritised crew mental health and connectivity to family. Crew welfare connectivity is now a contractual and regulatory expectation. But the implementation has generally focused on providing the bandwidth, not on securing the environment in which that bandwidth is used. The result is a large, active, unmanaged network environment on every modern vessel, directly connected to onboard infrastructure. From an attacker’s perspective, it’s a dream entry point.
How the attacks actually work
The Marlink report is clear about the pattern. Maritime cyber incidents in 2025 were overwhelmingly characterised by:
- Credential harvesting and session abuse rather than traditional malware outbreaks
- Remote access irregularities and suspicious VPN patterns as common investigation triggers
- Living-off-the-land techniques using tools already present on the system
- Low-noise persistence — staying quiet, expanding privileges, avoiding detection
The Marlink report found no confirmed large-scale traditional malware outbreaks during the reporting period. The era of obvious worm-style attacks is essentially over. Today’s intrusions work by looking like legitimate user activity — a legitimate-looking login, from a legitimate-looking account, doing slightly unusual things. That’s a much harder problem, and one that perimeter-based security cannot solve.
A real case: the compromised personal device
The Marlink report includes a case study that illustrates the dynamic precisely. A private yacht experienced a cyber incident after a crew member returned from rotation with a personal device containing what appeared to be a legitimate application. Once the device connected to the onboard Wi-Fi network, the application began communicating with external servers and propagated malware to additional onboard systems.
The incident was detected through monitoring after alert activity spiked. By the time the source device was isolated, multiple other systems onboard were already affected and required remediation.
What went wrong
- The attacker didn’t breach any vessel defence directly — the device walked onboard in a duffel bag
- The compromise spread because the network wasn’t adequately segmented between crew and operational environments
- Detection happened after propagation, not before — which is typical, not exceptional
What would have helped
- VLAN separation preventing the device reaching anything beyond the crew network
- Anomaly detection alerting on unusual outbound traffic before propagation
- A personal device policy with onboarding checks for returning crew
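To make the "anomaly detection alerting on unusual outbound traffic before propagation" control concrete, here is an added example (not code from the Marlink report or from Tagsia.com) of a minimal behavioural detector run over crew-network flow records. The address plan, the flow records and the thresholds are all constructed for the example; in practice the records would come from the onboard firewall or flow exporter. It deliberately does not alarm on volume alone, because a crew member streaming video over LEO is normal, and instead looks at fan-out: how many onboard hosts a crew device touches, whether any of them sit outside the crew zone, and how many distinct external hosts it contacts.

```python
"""
Added example: behavioural detection over crew-network flow records.
Everything here (zones, hosts, thresholds) is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed onboard address plan (constructed). Anything outside these ranges
# is treated as external (internet via the satellite link).
ZONES = {
    "crew": ip_network("10.10.0.0/16"),
    "business": ip_network("10.20.0.0/16"),
    "ot": ip_network("10.30.0.0/16"),
}


@dataclass(frozen=True)
class Flow:
    src: str        # source address
    dst: str        # destination address
    dport: int      # destination port
    bytes_out: int  # bytes sent by src


def zone_of(addr: str) -> str:
    """Map an address to its onboard zone, or 'external' if it is off-ship."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


def detect(flows, fanout_threshold=10, external_threshold=20):
    """Return {crew_device: [reasons]} for crew devices whose traffic pattern
    looks like propagation or beaconing rather than ordinary personal use."""
    per_src = defaultdict(list)
    for f in flows:
        if zone_of(f.src) == "crew":
            per_src[f.src].append(f)

    findings = {}
    for src, fl in per_src.items():
        reasons = []
        internal_dsts = {f.dst for f in fl if zone_of(f.dst) != "external" and f.dst != src}
        external_dsts = {f.dst for f in fl if zone_of(f.dst) == "external"}

        # Any contact from the crew zone into business or OT is a segmentation
        # breach in its own right, regardless of volume.
        for zone in sorted({zone_of(d) for d in internal_dsts} - {"crew"}):
            reasons.append(f"crew device reached {zone} zone (segmentation breach)")
        # Many distinct onboard peers from one device is the shape of lateral spread.
        if len(internal_dsts) >= fanout_threshold:
            reasons.append(f"internal fan-out: {len(internal_dsts)} onboard hosts contacted")
        # Many distinct external hosts with small payloads is the shape of beaconing.
        if len(external_dsts) >= external_threshold:
            reasons.append(f"external fan-out: {len(external_dsts)} distinct external hosts")

        if reasons:
            findings[src] = reasons
    return findings


def _sample_flows():
    """Constructed sample: one ordinary phone and one suspicious returned laptop."""
    flows = []
    # Ordinary: a phone streaming video. Large volume, three CDN hosts, nothing onboard.
    for i in range(3):
        flows.append(Flow("10.10.5.23", f"203.0.113.{10 + i}", 443, 400_000_000))
    # Suspicious: a laptop probing SMB on eleven crew-zone peers and one business host...
    for i in range(11):
        flows.append(Flow("10.10.5.77", f"10.10.7.{1 + i}", 445, 2_000))
    flows.append(Flow("10.10.5.77", "10.20.1.5", 445, 2_000))
    # ...while contacting 25 distinct external hosts with tiny payloads.
    for i in range(25):
        flows.append(Flow("10.10.5.77", f"198.51.100.{1 + i}", 443, 500))
    return flows


SAMPLE_FLOWS = _sample_flows()

if __name__ == "__main__":
    for device, reasons in detect(SAMPLE_FLOWS).items():
        print(device)
        for r in reasons:
            print("  -", r)
```

Running it reports only the laptop at 10.10.5.77, with all three reasons; the streaming phone is not flagged despite moving far more data. On a properly segmented vessel the first reason can never fire, which is exactly why the audit of crew-to-business reachability is worth doing before tuning any detection thresholds.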
Why the <1% OT figure is misleading — and dangerous
Looking at the same data, an operator might see that OT/ICS environments accounted for less than 1% of alerts and conclude that OT systems are safe. The Marlink report warns explicitly against this interpretation.
Low detection rates in OT environments should not be interpreted as low risk — they reflect monitoring constraints and architectural complexity, not an absence of threats.
— Marlink Cyber Intelligence Report for Maritime 2026
Many OT systems weren’t designed to produce security telemetry. The sensors aren’t there. The logging isn’t there. The low detection rate measures what’s being seen, not what’s happening.
Attacks enter through crew networks → move laterally through poorly segmented business systems → reach operational environments where visibility drops to near zero. That’s not a reassuring pattern. It’s the definition of an exposure gap.
Segmentation is no longer a nice-to-have
The single most effective control against this attack pattern is proper network segmentation. Crew networks should not be able to reach business systems. Business systems should not be able to reach operational systems. Where connections are required — and some are — they should be controlled, monitored, and minimised to specific purposes.
This is exactly what IACS Unified Requirements E26 and E27 address for newbuild vessels contracted after 1 July 2024. E26 in particular requires network segregation as a core design principle — not an optional overlay. The regulation acknowledges what the operational data confirms: the integrity of OT systems depends on controlling what can reach them.
For pre-July-2024 tonnage, segmentation has to be retrofitted — often into architectures that weren’t designed for it. That’s harder, but it’s not optional. The 82% figure is the reason why.
Practical controls by role
ETOs and onboard IT
- Audit current network architecture: can a device on the crew Wi-Fi reach anything in the business or operational domains? If yes, that’s the problem
- Implement VLAN separation with firewall rules between crew, business, and operational networks
- Ensure crew network traffic is monitored for volumetric and behavioural anomalies
- Control or disable removable media paths between crew and operational systems
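The first ETO item above, and the segmentation principle stated earlier (crew must not reach business, business must not reach OT, and any required exception is explicit and minimal), can be checked mechanically rather than by reading firewall rules by eye. The following is an added example, not code from Tagsia.com or from any firewall vendor: it models a first-match rule set between zones, states the intended policy as a table, and reports every (source zone, destination zone, port) combination where the rules disagree with the policy. The zone names, rule sets, probe ports and the single business-to-OT exception on port 502 are all constructed for the example; a real audit would feed in the exported rule set of the onboard firewall and the vessel's documented exception list.

```python
"""
Added example: zone-level segmentation audit of a first-match firewall policy.
Rule sets, zones and the allowed exception are constructed for illustration.
"""
from collections import namedtuple

# port is an int or "any"; action is "allow" or "deny"; first match wins.
Rule = namedtuple("Rule", "src dst port action")

# Intended policy (constructed): for each zone pair, the set of ports that may
# be open. An empty set means no access at all. Pairs not listed are not audited.
POLICY = {
    ("crew", "business"): set(),
    ("crew", "ot"): set(),
    ("business", "ot"): {502},   # constructed exception: one historian/Modbus path
}

# Ports to probe for every audited pair; a mix of IT and OT services.
PROBE_PORTS = [22, 80, 443, 445, 502, 3389]


def matches(rule, src, dst, port):
    return ((rule.src in ("any", src)) and (rule.dst in ("any", dst))
            and (rule.port == "any" or rule.port == port))


def evaluate(rules, src, dst, port):
    """First matching rule decides; no match means deny (the assumed default)."""
    for rule in rules:
        if matches(rule, src, dst, port):
            return rule.action
    return "deny"


def audit(rules):
    """Return a list of (src, dst, port, observed, expected) mismatches."""
    violations = []
    for (src, dst), allowed_ports in POLICY.items():
        for port in PROBE_PORTS:
            expected = "allow" if port in allowed_ports else "deny"
            observed = evaluate(rules, src, dst, port)
            if observed != expected:
                violations.append((src, dst, port, observed, expected))
    return violations


# A common weak rule set: the crew "web browsing" rules use dst "any", so they
# also permit HTTP/HTTPS from crew devices to business and OT hosts.
WEAK_RULES = [
    Rule("crew", "any", 443, "allow"),
    Rule("crew", "any", 80, "allow"),
    Rule("crew", "internet", "any", "allow"),
    Rule("business", "ot", 502, "allow"),
    Rule("business", "internet", "any", "allow"),
]

# The corrected rule set: cross-zone denies are explicit and come first, and the
# only business-to-OT path is the single documented port.
HARDENED_RULES = [
    Rule("crew", "business", "any", "deny"),
    Rule("crew", "ot", "any", "deny"),
    Rule("crew", "internet", "any", "allow"),
    Rule("business", "ot", 502, "allow"),
    Rule("business", "ot", "any", "deny"),
    Rule("business", "internet", "any", "allow"),
]

if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"{label}: {len(audit(rules))} violation(s)")
        for v in audit(rules):
            print("  ", v)
```

Against the weak rule set the audit reports four violations (ports 80 and 443 from crew into both business and OT), which is exactly the gap the yacht case study turned on; against the hardened set it reports none, while the documented business-to-OT exception on 502 still passes. Keeping the policy table in version control alongside the rule export gives Technical Managers a fleet-wide standard that can be re-run at vetting or pre-delivery.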
Chief Engineers
- Identify every device with legitimate reasons to cross segmentation boundaries (engineer laptops, vendor equipment) — ensure those are the only authorised paths
- Verify that engine, navigation, and control systems are not accessible from crew network segments
- Maintain a current inventory of OT-connected devices and their patch status
DPAs and safety management
- Review SMS documentation for cyber risk coverage — specifically crew network segregation requirements
- Ensure incident response procedures include scenarios starting from crew network compromise
- Include personal device policy in cyber awareness training and verify it’s actually followed onboard
Technical Managers
- Establish fleet-wide segmentation standards — not per-vessel decisions made individually
- Include segmentation verification in vetting and pre-delivery inspections
- Review vendor access arrangements: how does vendor equipment connect, and what can it reach?
- Document segmentation architecture to support classification audits and Port State Control inspections
The strategic shift
The maritime industry has historically treated cyber security as something that happens to IT systems and extends, reluctantly, to OT. The 2025 data inverts that logic entirely.
The entry point is the crew network. The lateral movement happens through business systems. The ultimate exposure is the OT environment. If your cyber strategy still starts with OT and works outward, you’re defending the last line while the attacker walks through the front gate.
The strategy needs to start at the crew network and work inward — recognising that segmentation is the primary control, visibility is the secondary control, and OT-specific hardening is necessary but insufficient on its own.
If a compromised personal device connected to your crew Wi-Fi today, how far could it actually reach?
— The question every vessel operator should be able to answer
If the answer is “we’re not sure,” that’s where the work starts. If the answer is “further than we’d like,” that’s where the playbooks come in.
Where to go next
Tagsia.com maintains structured operational playbooks mapped directly to IACS UR E26 and E27 requirements, with specific coverage of network segmentation, access control, and the separation of crew, business, and operational domains.
If you’re assessing your current fleet’s segmentation posture, retrofitting legacy vessels, or building cyber-secure-by-design architecture into newbuild specifications, the playbooks give you section-by-section operational guidance — not generic compliance framing.
Explore the IACS UR E26 network segmentation playbooks →
Source: This briefing draws on findings from Marlink’s Cyber Intelligence Report for Maritime 2026. For the full report, visit marlink.com/solutions/cyber-security. Tagsia.com is an independent maritime OT cybersecurity platform and is not affiliated with Marlink.