Overview

The U.S. Coast Guard has made it clear: cybersecurity is now part of every Coast Guard–regulated security plan. Facilities and vessels operating under the Maritime Transportation Security Act (MTSA) must evaluate cyber vulnerabilities, include cyber measures in their Facility or Vessel Security Plans (FSP/VSP), train personnel, and conduct cyber-related drills.

With cyber incidents increasing across the maritime industry, these requirements are no longer theoretical—they’re operational realities.

Below is a breakdown of what the Coast Guard expects, what companies must implement, and how crews can quickly recognize cyber threats that could impact operations, equipment, and safety.

The Coast Guard’s Cybersecurity Requirements for MTSA-Regulated Companies

The Coast Guard has issued multiple MTSA advisories stating that cyber vulnerabilities fall under the same regulatory authority as physical security vulnerabilities. Any system that affects navigation, cargo handling, access control, communications, or vessel/terminal operations must be protected.

Cyber Vulnerabilities Must Be Part of Your FSA/VSA

Companies must evaluate cyber risk across:

• GPS, AIS, ECDIS, and navigation systems

• PLCs, winches, cranes, hoists, and other control systems

• Terminal dispatch and logistics platforms

• Access control systems like badges, gates, and CCTV

• Maintenance, tracking, and fleet management software

• Communication networks, servers, and operational databases

If the system can move a vessel, lift a load, open a gate, or trigger an alarm, it is considered a security-critical asset.

Cybersecurity Measures Must Be Incorporated Into Security Plans

MTSA security plans must now include:

• Policies for network protection and system access

• USB and removable media controls

• Rules for personal devices

• Procedures for reporting cyber incidents

• Physical security for server and control rooms

• Segregation of operational systems and crew Wi-Fi

• Cyber incident response steps and documentation procedures

If it impacts your operation, it must be documented in your plan.

Cybersecurity Training Is Now a Requirement

Personnel covered under MTSA must receive cybersecurity training that enables them to:

• Recognize cyber threats

• Identify suspicious system behavior

• Follow reporting protocols

• Avoid actions that destroy evidence (like shutting down machines)

• Understand their role in cyber incident response

Training must be consistent, documented, and aligned with your security plan.

Cyber Drills and Exercises Must Include Cyber Scenarios

Under MTSA:

• Quarterly drills must include cyber-related elements

• Annual full-scale exercises must incorporate a cyber event

Examples include:

• Ransomware affecting dispatch

• Suspicious foreign login attempts

• GPS/AIS spoofing

• Unauthorized access to operational systems

• Malware disrupting crane or PLC controls

If your drills don’t include cyber, they no longer meet Coast Guard expectations.

Recognizing Cyber Threats: A Quick Guide for Your Crews

Crews can identify early cyber incidents by watching for:

• GPS or AIS showing the wrong position

• Control systems (cranes, winches, engines) lagging or behaving unpredictably

• Files encrypted, renamed, or disappearing

• Pop-ups requesting passwords or payment

• Unknown USB devices plugged into computers

• Antivirus suddenly disabled

• New programs or icons no one installed

• Logins during off-hours or from foreign IP addresses

• Large uploads to unfamiliar cloud services

These are warning signs that require immediate reporting.

What Your Team Should Do if They Suspect a Cyber Incident

Do NOT:

• Shut down the computer

• Delete files

• Attempt to “fix” the issue

• Plug in personal devices

Do:

• Disconnect the device from the network (not from power)

• Take photos or screenshots of what they see

• Notify the Security Officer, Dispatch, or IT immediately

• Document the event in your existing safety/security system

Correct reporting protects your operation and preserves vital evidence.

What This Means for Our Industry

For terminals, shipyards, and vessel operators, cybersecurity requirements affect:

• Security audits

• Crew training schedules

• Annual MTSA exercises

• Gate, access, and control system management

• Dispatch and operational continuity

• Vessel compliance during Coast Guard inspections

Cyber incidents can directly interrupt operations, impact credentialing, delay vessel movements, and compromise safety-sensitive equipment.

Proactive planning—not reactive troubleshooting—is the key to staying compliant.

TBS Safety works with companies across the U.S. to integrate these cybersecurity elements directly into their existing systems, helping teams remain compliant without slowing operations.

Frequently Asked Questions About Cybersecurity Requirements

Do MTSA-regulated vessels and facilities have to include cybersecurity in their security plans?

Yes. The Coast Guard requires cyber vulnerabilities to be assessed and addressed in every FSP/VSP.

Do companies have to conduct cyber-related drills?

Yes. Cyber scenarios must be included in quarterly drills and annual exercises.

Who must receive cybersecurity training?

Personnel with access to operational systems or responsibilities under the security plan must be trained in cyber awareness and reporting.

Does the Coast Guard require documentation of cyber incidents?

Yes. Cyber incidents must be reported and documented using the same processes as physical security events.

Do operational systems like cranes, engines, and PLCs count as “cyber assets”?

Yes. Any system that can affect operations, equipment movement, or access control is considered cyber-relevant.

Why This Matters for Maritime & Industrial Companies

Cyber incidents aren’t just IT issues—they are operational safety issues capable of:

• Shutting down terminals

• Disrupting navigation

• Damaging equipment

• Delaying cargo

• Impacting Subchapter M and MTSA compliance

• Affecting audits and inspections

• Stalling vessel movements

Companies must be able to demonstrate compliance during Coast Guard inspections and audits.