The U.S. Coast Guard Cyber Command published its fourth annual Cyber Trends and Insights in the Marine Environment (CTIME) report, reaffirming its commitment to securing the Marine Transportation System (MTS) against evolving cyber threats. As operational technology (OT) and IT systems grow increasingly interconnected across the maritime domain, the risk of cyberattacks continues to rise. Adopting new technologies continues to drive operational efficiencies while also creating new vulnerabilities and attack vectors.

Through close collaboration with industry partners, the Coast Guard shares best practices and actionable insights to strengthen cyber resilience. The 2024 CTIME report builds on findings from engagements conducted throughout the year by Coast Guard Cyber Protection Teams (CPTs) and the Maritime Cyber Readiness Branch, offering a clear snapshot of current threats and vulnerabilities shaping the MTS landscape. The Coast Guard Cyber Command (CGCYBER) is committed to partnering with industry to address this evolving threat landscape and protect the MTS in cyberspace.

“We have generally observed an improving baseline cybersecurity posture across the MTS, with better password policies, growing adoption of multi-factor authentication, and better built-in tools to combat phishing,” Jason P. Tama, U.S. Coast Guard Commander, Coast Guard Cyber Command, wrote in the CTIME report. “However, we have also observed adversaries adjust their tactics to find new initial attack vectors, such as focusing on stolen credentials and exploitable public-facing vulnerabilities.” 

He added, “We have seen technological advancements in satellite networks enabling ships to always remain connected to their enterprise networks and improve their operational efficiency. Unfortunately, this constant connection has also enabled malware to rapidly spread from a company’s corporate network to their ships while underway.”

Last year, CGCYBER completed 42 missions alongside industry partners, gathering critical data that forms the foundation of this report. By cross-referencing mission findings with incident reports received by the Maritime Cyber Readiness Branch (MCRB), the report delivers a thorough analysis of the evolving cyber threat landscape in the maritime sector. In 2024, MCRB and local Coast Guard units responded to 36 reported cyber incidents, while requests for CPTs’ incident response support surged to unprecedented levels, underscoring the increasing complexity and frequency of cyber challenges facing the MTS.

The CTIME report highlights several key trends shaping the maritime cyber landscape. Supply chain risks and other vulnerabilities were identified in ship-to-shore cranes manufactured in China, raising concerns about potential foreign exploitation. The increasing connectivity and proliferation of networked technologies aboard vessels have introduced new cyber risks, expanding the digital attack surface within maritime operations. 

Additionally, there was a noticeable uptick in cyber incidents and Coast Guard Cyber Protection Team missions involving cloud-based systems and services, underscoring the growing reliance on and exposure to cloud infrastructure. While similar vulnerabilities were noted in previous CTIME reports, the overall baseline cybersecurity posture across the MTS has improved, reflecting continued progress in cyber resilience and defense readiness.

Supply-chain risks and cybersecurity vulnerabilities have been observed in ship-to-shore cranes manufactured in China. While the configuration and operational use of these cranes vary across facilities, the U.S. Coast Guard’s assessments have uncovered several recurring weaknesses. In response, the Coast Guard has outlined a series of best practices aimed at mitigating the most common and concerning vulnerabilities, underscoring the importance of proactive defense measures in critical maritime infrastructure.

The CTIME report noted that improved connectivity and the widespread use of networked technologies aboard vessels are introducing new cyber risks. With advances in satellite communications and tighter integration between ships and corporate enterprise networks, vessels are now more connected than ever before. While this connectivity offers operational efficiencies, it also exposes ships to threats that previously remained isolated from shore-based systems. Cyberattacks targeting a company’s enterprise network are increasingly likely to affect onboard IT systems, potentially disrupting core vessel operations.

The Coast Guard also noted a rise in cyber incidents and CPT missions involving cloud-based systems and services. As cloud computing becomes the norm within the MTS, many organizations continue to misinterpret their security responsibilities. A persistent misconception is that cloud service providers bear full responsibility for securing data and systems. In reality, companies still retain significant accountability, and failure to recognize this shared responsibility model has contributed to increased vulnerabilities and incidents.

Although many of the vulnerabilities observed in 2024 echo those found in previous CTIME reports, there has been a notable improvement in the overall cybersecurity posture across the MTS. The broader implementation of multi-factor authentication and stronger defenses against phishing attacks have played a key role in this progress. However, the Coast Guard emphasized that maintaining effective cybersecurity requires continuous vigilance, regular updates, and a long-term commitment to improving defenses across the maritime domain.

In 2024, CGCYBER carried out 24 rigorous assessment missions. During these exercises, CPTs simulate realistic cyberattacks using known tactics to test organizations’ defenses and expose potential business risks. Fifteen of these assessments targeted purely IT and business systems, while nine expanded their scope to include OT. 

Throughout OT assessments, the CTIME report noted that the CPTs found many of the vulnerabilities seen in IT environments. The most common issue was the use of default credentials, highlighting a critical need for stronger cyber hygiene in OT networks. Additionally, most OT systems relied on unsupported software and legacy hardware, often harboring known exploited vulnerabilities (KEVs), which significantly elevate risk.

More than half of the organizations with OT network segments held inaccurate assumptions about their network segmentation. Many believed their OT networks were isolated from the internet or unreachable from IT networks. However, assessments frequently proved otherwise, revealing exposure that went unrecognized. These misconceptions underscore the urgency for robust cybersecurity practices on OT networks, which are typically less monitored and far less isolated than owners assume.

In 2024, the CTIME report detailed the first ransomware incident involving shipboard networks in the encryption phase. Attackers gained initial access through a password-guessing attack targeting a VPN account with a common username and weak password. They then moved laterally, exploiting unpatched backup servers with remote code execution (RCE) vulnerabilities to escalate access, exfiltrate data, and deploy ransomware across the network.

As the affected vessels were logically connected to the corporate network, shipboard servers were also encrypted. A CPT was deployed to identify the attack path, provide hardening recommendations, and validate IT/OT segmentation onboard. Strong IT/OT segmentation prevented operational disruption of the vessels. The incident highlights the critical importance of proper IT/OT segmentation and a comprehensive cybersecurity strategy that safeguards all network segments.

In its conclusion, the CTIME report stated that the key findings were similar to previous years, but that baseline cybersecurity defenses have improved.

“This year, CGCYBER CPTs reported fewer cracked passwords, fewer clicks and collected credentials on phishing campaigns, and less detection of default credentials. This may indicate companies are becoming more resilient to phishing and other common cyber exploits,” it added. “However, businesses should continue to strengthen cybersecurity measures and regularly assess and update them to stay ahead of emerging threats.”

Last month, the U.S. Coast Guard’s Office of Commercial Vessel Compliance released the U.S. Port State Control Annual Report for 2024, summarizing the enforcement of international conventions on foreign vessels trading in U.S. ports. The report noted that cybersecurity remains a focus of current and evolving efforts for everyone who is part of and interacts with the MTS.
