Cybersecurity for Cargo Fleet Operations

Onboard Visibility, Endpoint Protection, and Regulatory Compliance

Background

Cargo vessels are some of the most complex operational environments in terms of the technology installed on board. Over the lifetime of a ship, systems are added, replaced, and upgraded by different vendors — navigation equipment from one manufacturer, propulsion controls from another, CCTV surveillance from a third, and communication systems from yet another. Each vendor installs their equipment, configures their networks, and provides their own remote maintenance access.

The result is an environment where no single person has a complete understanding of every system on board. There is no unified inventory of all computers, controllers, and network devices. There is no clear map of how these systems communicate with each other. And there is no consistent record of what software is running, what version it is, or whether it contains known vulnerabilities.

For decades, this was accepted as normal. Cybersecurity at sea was not a regulatory requirement, and the perceived risk was low. That has fundamentally changed with the introduction of IACS Unified Requirements UR E26 and UR E27, which are mandatory for all ships contracted for construction on or after 1 July 2024. Shipping companies must now demonstrate comprehensive cybersecurity controls — and that starts with knowing what is on board.

Vessel Profile

  • Cargo vessel fleet with multiple ships operating internationally
  • Diverse onboard systems from numerous equipment vendors accumulated over years of operation
  • CCTV monitoring servers critical for vessel security and port compliance
  • Multiple remote access paths for vendor maintenance of specialist equipment
  • No dedicated cybersecurity capability on board or ashore for OT systems
  • Requirement to comply with IACS UR E26 and UR E27 for newbuilds and increasingly for existing fleet

The Challenge

A cybersecurity assessment of the vessel environment revealed challenges common across the cargo shipping industry:

  • No unified asset inventory — equipment from multiple vendors had been installed over years with no central record of all systems, their configurations, or their network connections. Each vendor knew their own systems but nobody had a complete picture of the vessel as a whole
  • Multi-vendor complexity — different systems used different operating systems, different network configurations, and different remote access methods. Integrating these into a coherent security posture had never been attempted
  • Critical systems unprotected — CCTV monitoring servers, essential for vessel security and port authority compliance, ran on Windows computers with no endpoint protection, no application control, and no monitoring of changes or access
  • Remote access without oversight — equipment vendors connected remotely to their systems for maintenance and diagnostics. These sessions were not monitored, not logged, and not restricted to approved operations
  • No continuous monitoring — vessel operators had no real-time awareness of what was happening on the onboard network. Anomalous connections, unauthorised changes, or new devices appearing would go undetected
  • Regulatory pressure — IACS UR E26 requires documented asset inventories, network architecture, and security zone definitions. UR E27 requires vendors to demonstrate the cyber resilience of their equipment. Compliance requires technical capabilities that did not exist on the vessels

The Solution — First Watch On Board

First Watch is deployed on board as a compact, virtualised solution that works within the constraints of vessel infrastructure.

Deployment Architecture

The onboard installation consists of:

  • First Watch Controller and PLC Guard as a single virtual machine — deployed on the vessel's existing KVM virtualisation infrastructure, eliminating the need for additional hardware
  • PLC Guard operating in IDS (monitoring) mode — connected to a monitoring VLAN to observe all network traffic on the vessel's operational networks
  • ControlGuard agent on the CCTV monitoring server — providing endpoint protection for the most critical Windows-based system on board

This architecture is deliberately lightweight. It uses existing onboard compute resources, requires minimal network changes, and can be deployed remotely with support from the vessel's IT integrator.

Asset Discovery and Inventory

From the moment PLC Guard begins monitoring network traffic, the platform automatically discovers and catalogues every device communicating on the monitored networks:

  • Complete device inventory — every computer, controller, camera, switch, and networked device is identified with its IP address, MAC address, vendor, and communication patterns
  • Software inventory — for Windows-based systems with ControlGuard installed, a detailed inventory of all installed software, versions, and installation dates is maintained
  • Vulnerability matching — known software vulnerabilities from public databases are automatically matched against the software inventory, highlighting exposure on each system
  • Living documentation — unlike a one-off survey, the inventory updates continuously. New devices appearing on the network are detected immediately. Changes to existing systems are tracked over time

This provides the comprehensive asset register that IACS UR E26 requires — maintained automatically rather than through manual surveys that become outdated the moment they are completed.

CCTV Server Protection

The CCTV monitoring server is often the most exposed Windows system on a vessel. It runs continuously, connects to camera networks across the ship, and is essential for both security operations and port compliance. ControlGuard protects it through:

  • Application whitelisting — only approved software is permitted to execute on the server. Ransomware, malware, and unauthorised applications are blocked before they can run
  • Change detection — any modification to installed software, system configuration, or running services is detected and reported
  • Access monitoring — logins, privilege escalations, and remote access sessions to the CCTV server are logged with full attribution

Network Traffic Monitoring

PLC Guard in IDS mode provides continuous visibility into vessel network communications:

  • Traffic analysis — all communications on monitored VLANs are observed, classified, and logged
  • Anomaly detection — unexpected communication patterns, new connections, or unusual traffic volumes trigger alarms
  • Vendor session visibility — when equipment vendors connect remotely for maintenance, the platform records the session and the traffic it generates

Centralised Fleet Visibility

For fleet operators managing multiple vessels, the platform supports remote access to onboard Controllers — allowing shore-based teams to monitor the cybersecurity status of each vessel from a central location. Alarms from onboard systems can be forwarded to shore-side monitoring, providing fleet-wide awareness without requiring cybersecurity expertise on every ship.


IACS UR E26 and UR E27 Compliance

The IACS unified requirements represent the most significant regulatory change for maritime cybersecurity. First Watch directly supports compliance with both requirements:

UR E26 — Cyber Resilience of Ships

  • Asset inventory — automated discovery and continuous maintenance of the complete onboard asset register
  • Network architecture documentation — visibility into communication flows and network topology
  • Security zones — understanding of which systems communicate across zone boundaries
  • Monitoring and detection — continuous network monitoring with alarm generation for security events
  • Incident response support — time-stamped, attributed event logs that support investigation

UR E27 — Cyber Resilience of On-board Systems and Equipment

  • Software inventory and vulnerability assessment — detailed records of installed software and known vulnerabilities for each protected system
  • Change detection — continuous tracking of hardware, software, and configuration changes
  • Access control evidence — documented records of who accessed which systems and what actions were taken

The platform generates this evidence continuously and automatically, providing classification societies and flag state inspectors with current, verifiable documentation rather than static reports that may not reflect the actual state of the vessel.


Benefits

For Fleet Operators

  • First complete asset inventory — for many vessels, this is the first time anyone has a comprehensive view of every system on board
  • Regulatory compliance foundation — the technical capabilities required by UR E26 and UR E27 are delivered as a platform, not a consulting exercise
  • Multi-vendor visibility — a single view across all vendor systems, regardless of manufacturer or vintage
  • Remote fleet monitoring — shore-based teams can monitor vessel cybersecurity status without boarding

For Vessel Operations

  • Zero disruption to vessel operations — monitoring is passive, and endpoint protection is transparent to operators
  • Lightweight deployment — runs as a virtual machine on existing infrastructure with minimal network changes
  • CCTV protection — the most critical onboard Windows system is secured with application whitelisting and continuous monitoring
  • Vendor accountability — every remote maintenance session is logged and attributed

Bringing cybersecurity to cargo vessels is no longer optional — it is a regulatory requirement and an operational necessity. First Watch provides shipping companies with the visibility, protection, and compliance evidence they need to meet IACS requirements and protect their vessels from cyber threats that are increasingly targeting the maritime sector.

For more information or to discuss a deployment for your fleet, please contact us.