For years, maritime cyber security has been a perimeter problem: firewalls at the edge, antivirus on endpoints, a locked-down satcom link. That model no longer holds. Recent threat intelligence from across the sector points to the same conclusion. Maritime cyber incidents are now overwhelmingly identity-centric and persistence-driven. Attackers are no longer forcing their way in. They are logging in, using valid credentials harvested through phishing, shared accounts, or poorly governed remote access.
More than 80% of alert activity in monitored maritime environments is concentrated in crew network zones. Identity, not the network edge, is now the primary attack surface at sea.
To unpack what this means for fleet IT managers, CISOs, and shipowners, we spoke to Geir Inge Jensen, Chief Information Security Officer at Dualog and ISO committee member for Ships and Marine Technology standardisation.
In 2025, stolen logins drove more maritime cyber attacks than malware. Is that what you’re seeing?
Broadly, yes. The shape of the threat has changed. Endpoints are better protected than five years ago, email filtering has matured, and most fleets now have some monitoring on operational systems. Identity hasn’t kept pace, so that’s where attackers have moved.
Most incidents we investigate don’t start with an exploit or a piece of malware. They start with valid credentials used by the wrong person. A reused password, a vendor account that should have been disabled six months ago, a shared “admin” login nobody can attribute to a specific human. Once an attacker has those, very little of the traditional defensive stack triggers. Nothing technically wrong is happening. Someone is just logging in.
The maritime twist is that ships have historically had weaker identity hygiene than the corporate networks ashore. Shared accounts on bridge systems, generic vendor logins, no MFA, no central directory.
Crew networks account for the majority of alert activity across monitored fleets. Why are they such a persistent weak point?
A few things compound. With LEO, crew networks at sea now look like hotel WiFi onshore: full internet, streaming, personal banking, messaging apps. Consumer-grade threats reach crew at the same rate they reach anyone ashore.
Segmentation is often weak. Even where crew and operational networks are separated logically, a compromised personal device is a foothold inside the vessel’s edge.
And crew rotate. New people join every few weeks, often using personal devices the shipowner has no visibility into. Awareness fades, credentials get reused. This isn’t a crew failure. Seafarers have a hard job. The right response is design, not blame.
Learn how to protect crew accounts with secure identities
IMO, IACS E26/E27, NIS2, USCG/MTSA, and insurance pressure all point the same way. How should companies prioritise?
The good news is they converge more than they diverge. Read side by side, they all want the same things: governance, asset inventory, access control, segmentation, monitoring, and a tested incident response.
My advice is to stop treating each framework as a separate project. Pick one as your spine, for most operators that’s IACS UR E26 for vessels combined with ISO 27001 ashore, and map everything else onto it. NIS2 sits naturally on top of ISO 27001 if you’re in scope.
If you have nothing today, start with identity, asset inventory, and segmentation, in that order. Avoid checkbox compliance.
Shipowners often assume vendors handle cyber security. Who actually owns identity management, and who should?
This is one of the most common misunderstandings I encounter. The shipyard hands over the keys and leaves. They aren’t going to operate your fleet identity for the next twenty-five years. Vendors look after their own services and their own access, not your users, policies, or audit trail.
What we see in practice is that for many fleets, nobody explicitly owns identity. A default admin password from commissioning, a shared crew account, a generic mailbox per vessel. That isn’t ownership, that’s drift.
The shipowner has to own it. The risk, regulatory obligation, and operational consequences all land there. Responsibility cannot be outsourced.
Watch our webinar on maritime identity management
What pushed Dualog to build Identity, and what couldn’t shipowners solve before?
We built Dualog Idenity because customers kept describing the same problem and existing tools didn’t fit. Mainstream identity products assume an always-on connection to a central directory. That assumption breaks at sea. Even with LEO, vessels have outages and congested links. Shipowners either deployed those tools and accepted authentication would fail when the link did, or they fell back to local accounts on each vessel, which reintroduces every problem we’ve been talking about.
The other gap was scope. Typical deployments cover shore staff well but stop at the vessel. Crew, vendors, and onboard systems often aren’t included. We built Identity to close that gap.
How does Dualog Identity address these gaps, and what changes for a fleet IT once it is in place?
Identity provides a single place to manage who has access to what across a fleet, designed for the connectivity reality of ships. It federates with the shipowner’s existing providers, so shore policies extend to sea. It supports MFA and keeps working when the link drops.
The practical change is visibility and control. You can see who accessed what, on which vessel, when. You deprovision a leaving crew member or finished vendor engagement once, centrally. Shared accounts can finally be retired. Vendor access can be time-bound. Audit trails exist by default rather than being reconstructed after the fact.
Watch how the Dualog Identity works for crew
The takeaway from Geir Inge is clear. Identity has moved from a back-office detail to the foundation of maritime cyber security. The frameworks are aligned, the threat data is consistent, and the insurance pressure is building. The question is no longer whether to act, but how soon.
Get a free trial of Dualog Identity and try it out across your fleet