
OT vs IT Security on Ships: Why an ECDIS Is Not Just Another Endpoint

The short answer

An ECDIS is operational technology (OT), not a corporate laptop. It prioritises availability and safety over data confidentiality, runs on legacy operating systems with decade-plus lifecycles, and cannot be patched, scanned or rebooted on an IT schedule because a failure at sea is a navigation safety event, not a data loss. Treating it as "just another endpoint" — pushing IT antivirus, agents and active scans onto it — is how vessels end up reverting to paper charts.

Who this applies to: All SOLAS vessels using ECDIS for primary navigation; ship managers, fleet IT/OT teams and DPAs across the UAE and wider GCC; newbuilds contracted on or after 1 July 2024.

Key takeaway

The CIA triad inverts at the bridge. In IT, confidentiality comes first. In OT, availability and safety come first — because a crashed ECDIS in fog is a grounding risk, not a data breach.

What actually makes an ECDIS "OT" and not "IT"?

The split between information technology and operational technology is not about where a box sits — it's about what happens when it fails. An OT system failure is not a data breach – it is a physical event. A compromised or crashed control system can cause equipment damage, environmental release, grid instability, or threats to human safety. An ECDIS sits squarely in that category: it informs how a watch officer steers, and on paperless-navigation vessels it is the primary chart.

The priority order is the clearest way to see the difference. OT prioritises availability, safety and reliability first, then integrity and confidentiality of digital data, whereas IT security focuses on confidentiality, integrity and availability of digital data, in that order. A leaked spreadsheet is an IT problem. An ECDIS that won't boot while you're transiting a TSS is a safety problem.

That distinction drives every control decision downstream — patching, scanning, monitoring, and incident response all behave differently on the bridge than on the office LAN.

  • IT (corporate): confidentiality first. Office network, email, crew Wi-Fi, business servers. Patched weekly/monthly, 3-5 year refresh, downtime tolerable in minutes to hours.
  • OT (bridge / engine): availability first. ECDIS, propulsion, steering, ballast, fire detection. Decade-plus lifecycles, legacy OS, patching needs a window the ship may not have.
  • The convergence risk: eroding air-gap. Shared networks, remote vendor access, chart-update paths. When IT and OT share a flat network, a crew USB can reach a navigation terminal.


Why can't you treat the ECDIS like a corporate laptop?

Because the standard IT toolkit can actively cause the failure you're trying to prevent. There are four constraints that don't apply to a laptop.

Patching. A security patch that requires a reboot is routine in IT. In OT, it can mean shutting down a power grid. On a ship, an ECDIS reboot mid-passage is not an option, and the software is updated through the manufacturer's type-approved process — not your Patch Tuesday.

Scanning. Active vulnerability scanning is normal on a corporate network and dangerous on OT. As the NIST OT security guide (SP 800-82 Rev. 3) warns, indiscriminate use of IT security practices in OT may cause availability and timing disruptions. A network scan that would be routine on your corporate LAN can crash a resource-constrained PLC or force it into fail-safe shutdown. The same logic applies to bridge equipment.

Lifecycle. Shipboard OT often stays in service for the 20-to-30-year life of the vessel itself, against a typical corporate IT refresh of 3 to 5 years. A bridge system installed at build in 2005 may still be running in 2030. This means vessels carry large populations of legacy equipment that cannot be patched, cannot run modern endpoint agents, and were designed before cybersecurity was an operational consideration. This is exactly why some ECDIS units have shipped on outdated, unsupported operating systems.

Consequence. The critical distinction is consequence. An IT breach costs you data and money. An OT breach can cost lives.

This isn't theoretical. In incidents collected in the BIMCO-led industry guidelines, the cause of one fleet's ECDIS failure was attributed to outdated operating systems; during a previous port call a manufacturer's technician performed a navigation software update, but the outdated operating systems were incapable of running the software and crashed. In another widely reported case, a new-build dry bulk ship was delayed from sailing for several days because its ECDIS was infected by a virus — and the ship was designed for paperless navigation and was not carrying paper charts.

How does malware actually get onto a bridge system?

Not usually through a sophisticated remote exploit. It comes through the same routine that keeps the charts current. ECDIS units are updated regularly via USB drives carrying chart data from hydrographic offices. An infected chart update drive bypasses the crew entirely as a threat vector because the update process is routine and trusted. Infections of ECDIS systems have in documented cases forced vessels to revert to paper charts, creating significant navigational risk.

The risk multiplies when networks aren't separated. Consumer malware does not discriminate between a personal laptop and an engine room terminal if they share a network. The risk is compounded on vessels where IT and OT networks are not properly segregated. A crew member moving films to a personal drive and a chart update on a service laptop can end up on the same flat network as navigation OT.

The threat picture is also shifting from opportunistic to targeted. According to a 2025 analysis by Cyble reported in Industrial Cyber, at least a dozen APT groups have targeted the maritime industry over the last year, including a South Asian group that hit maritime facilities in the UAE and elsewhere — and one alarming discovery was malware found directly on cargo ship systems, with one attack vector being USB-based initial infection. For Gulf operators, the regional naming there is the point: this is not somebody else's problem.

Watch out

Treat any device entering the bridge zone — including a "trusted" chart-update USB — as untrusted until scanned. Most documented ECDIS infections were not zero-days; they were removable media on a poorly segmented network.
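
One way to implement the "untrusted until scanned" gate on a dedicated checking station, as an added example (not code from this article or from any ECDIS vendor): every file on the drive is compared against a SHA-256 manifest obtained out-of-band. The manifest, the file names and the `RISKY` extension list are assumptions constructed for illustration, and a hash allowlist complements rather than replaces the chart format's own signature verification and a malware scan.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed list of file types with no place on a chart-update drive.
RISKY = {".exe", ".dll", ".scr", ".lnk", ".bat", ".ps1", ".inf"}

def sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_drive(root: Path, manifest: dict) -> dict:
    """Compare every file under root with a manifest {relative path: sha256}."""
    report = {"unexpected": [], "modified": [], "missing": [], "risky": []}
    seen = set()
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        seen.add(rel)
        if p.suffix.lower() in RISKY:
            report["risky"].append(rel)
        if rel not in manifest:
            report["unexpected"].append(rel)
        elif sha256(p) != manifest[rel]:
            report["modified"].append(rel)
    report["missing"] = sorted(set(manifest) - seen)
    return report

def release_ok(report: dict) -> bool:
    return not any(report.values())  # any finding keeps the drive off the bridge

def demo() -> dict:
    """Constructed drive: one good cell, one altered cell, one planted autorun.inf."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "ENC_ROOT").mkdir()
        (root / "ENC_ROOT" / "CELL_A.000").write_bytes(b"base cell")
        (root / "ENC_ROOT" / "CELL_B.000").write_bytes(b"altered")
        (root / "autorun.inf").write_text("[autorun]")
        digest = lambda b: hashlib.sha256(b).hexdigest()
        manifest = {"ENC_ROOT/CELL_A.000": digest(b"base cell"),
                    "ENC_ROOT/CELL_B.000": digest(b"as published"),
                    "ENC_ROOT/CATALOG.031": digest(b"catalog")}
        return audit_drive(root, manifest)
```

The drive is released to the bridge only when `release_ok` returns true; a missing file is treated as a finding because a partial update set is as suspect as an extra file.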

What do the regulations now require of OT specifically?

The rulebook has caught up with the OT/IT distinction. Three regimes matter for Gulf fleets, depending on flag and trade.

  1. 1 Jan 2021 (passed). IMO MSC.428(98): cyber risk in the SMS, verified at first annual DOC audit after this date
  2. 1 Jul 2024 (passed). IACS UR E26 & E27 mandatory for newbuilds contracted on/after this date
  3. 16 Jul 2025 (passed). USCG MTS cyber rule effective; incident reporting to NRC immediate
  4. 12 Jan 2026 (passed). USCG: annual personnel cyber training requirement (33 CFR 101.650)
  5. 16 Jul 2027 (upcoming). USCG: designate CySO, complete assessment, submit Cybersecurity Plan

IMO MSC.428(98) is the baseline for almost every vessel. The resolution encourages administrations to ensure that cyber risks are appropriately addressed in existing safety management systems (as defined in the ISM Code) no later than the first annual verification of the company's Document of Compliance after 1 January 2021. In practice that means companies need to assess risks arising from the use of IT and OT on board ships and establish appropriate safeguards against cyber incidents. Note IT and OT are named separately.

IACS UR E26 and E27 are the substantive OT requirements for newbuilds. UR E26 applies to ships as a whole, while UR E27 applies to on-board systems and equipment. The aim of these URs is to establish minimum requirements for the cyber resilience of newly built vessels. They became mandatory for vessels with design and build contracts signed after 1 July 2024. Crucially, E26 centres on OT and safety-essential systems, bringing IT into scope where it connects to or can affect them — covering their secure integration into the vessel's network across design, construction, commissioning, and the operational life of the ship. The asset inventory these rules demand includes PMS, ECDIS, propulsion controls, fire detection, cargo management, and any other safety-critical OT system.

USCG MTS rule applies if you trade to the US or operate US-flagged tonnage. On 16 July 2025, the USCG's final rule, Cybersecurity in the Marine Transportation System, codified at 33 CFR 101.600 et seq., went into effect — and as of that date all regulated entities are required to report certain cyber incidents to the National Response Center. The phased deadlines run further out: by 12 January 2026 all personnel must complete the specified training, and by 16 July 2027 owners and operators must designate the Cybersecurity Officer, conduct the Cybersecurity Assessment, and submit the Cybersecurity Plan for approval.

These dates move — the USCG itself solicited comment on a possible delay for US-flagged vessels. Verify the current schedule with your flag state and class before you plan around it. For a consolidated view of how these regimes stack for Gulf operators, see our 2026 maritime compliance guide.

| Regime | Applies to | OT scope | Key dates |
| --- | --- | --- | --- |
| IMO MSC.428(98) | Vessels under the ISM Code | Cyber risk for IT and OT in the SMS | From first DOC audit after 1 Jan 2021 |
| IACS UR E26/E27 | Newbuilds contracted on/after 1 Jul 2024 | Ship-level (E26) and per-system (E27) OT resilience | Mandatory 1 Jul 2024 |
| USCG MTS rule | US-flagged vessels, OCS & MTSA facilities | Plan, CySO, assessment, incident reporting | Effective 16 Jul 2025; phased to 2027 |

What does sound bridge-OT security actually look like?

The controls follow from the constraints. You secure ECDIS by reducing what can reach it, not by piling IT agents onto it.

1. Segregate

  • Separate IT and OT networks; keep the bridge/navigation zone off the general crew network
  • Put ECDIS on a dedicated, segregated, firewall-protected segment rather than open internet
  • If a secondary ECDIS exists, delay its update relative to the primary unit

2. Control inputs

  • Treat every USB and chart-update drive as untrusted; scan on dedicated hardware before use
  • Block or physically lock down USB ports for bridge teams; restrict to official update use
  • Verify digital signatures on incoming chart updates; consider automated secure delivery to remove USB from the loop

3. Harden and recover

  • Harden ECDIS at install; restrict functions to the navigation application only
  • Maintain verified clean configuration backups and a tested restore procedure
  • Keep paper or independent backup charts; never rely on a single paperless system

4. Govern

  • Inventory all OT assets with make, model, firmware and connectivity (IACS E26 expectation)
  • Write OT-specific incident response into the SMS; train crew to recognise a 'technical glitch' as a possible cyber event
  • Verify deadlines and applicability with flag state and class

On segregation and removable media specifically, the long-standing BIMCO guidance reported by Riviera is still the right baseline: ECDIS should not be connected to the internet but placed on a dedicated secure VLAN for automatic updates, or use a standalone, segregated and firewall-protected unit from ENC subscription providers. And where there is a secondary ECDIS there should be a delay between updates in case malware is embedded in a patch; ECDIS computers should be locked in a cabinet, USB ports blocked to bridge teams, and endpoint protection installed.
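
Segregation can be verified passively from flow records exported by a firewall or mirror port, without sending a single probe at bridge equipment. The following is an added example, not code from this article or from BIMCO: the zone addressing, the chart-update gateway at 10.10.1.10, the record format and the sample flows are all constructed assumptions.

```python
import ipaddress

# Assumed addressing plan (constructed for this example).
ZONES = {
    "bridge_ot": ipaddress.ip_network("10.10.1.0/24"),
    "business_it": ipaddress.ip_network("10.20.0.0/16"),
    "crew": ipaddress.ip_network("10.30.0.0/16"),
}
OT_ZONES = {"bridge_ot"}
# Approved conduits across the OT boundary: (src_zone, dst_ip, proto, dport).
# 10.10.1.10 is a hypothetical chart-update gateway in the bridge zone.
ALLOWED = {("business_it", "10.10.1.10", "tcp", 443)}

# Constructed flow records, one per connection initiator: src dst proto dport
SAMPLE_FLOWS = """\
10.30.4.17 10.10.1.21 tcp 445
10.20.0.5 10.10.1.10 tcp 443
10.10.1.21 10.10.1.22 udp 10110
10.10.1.21 203.0.113.50 tcp 80
10.30.4.17 198.51.100.9 tcp 443
""".splitlines()

def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"

def audit_flows(lines):
    """Return (reason, src, dst, proto, dport) for each unapproved flow crossing the OT boundary."""
    findings = []
    for line in lines:
        src, dst, proto, dport = line.split()
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz or not ({sz, dz} & OT_ZONES):
            continue  # stays inside one zone, or OT is not involved
        if (sz, dst, proto, int(dport)) in ALLOWED:
            continue  # documented conduit
        findings.append((f"{sz} -> {dz}", src, dst, proto, int(dport)))
    return findings

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print("VIOLATION", *finding)
```

On the sample data it reports the crew laptop reaching a bridge host and the bridge host reaching an external address, while the approved chart-update conduit and intra-bridge traffic pass.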

The recurring theme across documented incidents is mundane: a flat network, an unsupported OS, or an unscanned drive. None of those is fixed by a better antivirus signature. They're fixed by treating the ECDIS as what it is — a safety-critical OT system that demands a different mindset from the laptop on the chief officer's desk.

If you're mapping your fleet's bridge and engine-room OT against IACS E26/E27, the USCG rule, or your flag state's expectations, Solas Security can run an OT-aware gap assessment built around Gulf trade realities. Book a consultation.

Frequently asked

Is an ECDIS classed as IT or OT?

ECDIS is operational technology. It directly informs the physical navigation of the ship, draws live data from GPS, radar and AIS, and its priority is availability and safety rather than data confidentiality — the defining marker of OT.

Why can't we just run standard antivirus and patching on the ECDIS?

Standard IT tools can disrupt OT. Active vulnerability scans can crash resource-constrained systems, and patching often requires a reboot the ship cannot take mid-voyage. ECDIS updates must follow the manufacturer's type-approved process, not a corporate patch cycle.

What regulations cover ECDIS and shipboard OT security?

IMO MSC.428(98) requires cyber risk in the SMS from 2021; IACS UR E26 and E27 apply to newbuilds contracted on or after 1 July 2024; and the USCG MTS rule took effect on 16 July 2025 for US-flagged vessels and MTSA facilities. Confirm applicability with your flag state and class.

How does malware usually reach an ECDIS?

The most common route is removable media — USB drives used for chart updates or by crew and contractors. Connected, internet-facing chart update paths and poorly segmented bridge networks are growing vectors as vessels become less air-gapped.

What is the single most effective control for bridge OT?

Network segregation between IT and OT, combined with strict removable-media control. Most documented ECDIS incidents trace back to a flat network or an unscanned USB drive crossing into the bridge zone.

Written by Vishnu Karakkatt, CEO & Founder
