Coast Guard's New Cybersecurity Rules Offer Lessons for CISOs
Dark Reading
The Maritime Transportation Security Act (MTSA) requires plans to protect OT systems, audits by independent third parties, and a hybrid OT-security role.
Robert Lemos, Contributing Writer
April 17, 2026
The US Coast Guard's first-ever mandatory cybersecurity framework for ports, vessels, and offshore facilities has taken effect, ending two decades of voluntary compliance and putting operators on a countdown with a 2027 deadline.
The regulations affect any US-flagged vessel or maritime facility subject to the Maritime Transportation Security Act of 2002 and require that they develop and maintain a cybersecurity plan, designate a cybersecurity officer (CySO), conduct annual assessments, and train any information- and operational-technology workers on their cybersecurity duties.
The regulations resemble the requirements for other industries, such as the National Electric Reliability Council's Critical Infrastructure Protection (NERC-CIP) plan, which has improved cybersecurity across the power-generation and distribution ecosystem, says Elan Alvey, principal industrial consultant at Dragos, an industrial cybersecurity provider.
"Regulation has helped — it's not the fix for everything, because threat groups are pretty sneaky," he says. "But, it gets rid of a lot of the low-hanging fruit that your opportunists, hackers, your ransomware folks, will see and say, 'Oh, it's open. Let's go [attack] it.'"
The cybersecurity regulations come as the maritime transportation industry has suffered some major cyberattacks, including the NotPetya attack that halted shipping by AP Moller-Maersk and global positioning system attacks that caused ships to run aground. International standards already require similar cybersecurity measures for transoceanic shipping and foreign-flagged vessels. Other oil-and-gas producing nations, such as Norway, have made decisive moves to strengthen the cybersecurity of ships and offshore facilities.
In 2025, the US Coast Guard expanded the requirements of the Maritime Transportation Security Act of 2002 to include mandatory reporting of cybersecurity incidents starting in July 2025, followed by cybersecurity training for all IT and OT workers on their roles and responsibilities under the law by January of this year. The rule mirrors how the post-9/11 MTSA reshaped physical port security, signaling that Washington aims to shore up maritime cybersecurity, Dragos's Alvey stated in an analysis.
The next deadline is in July, when every US-flagged vessel or outer-continental shelf (OCS) facility — think oil rigs — needs to have completed a cybersecurity assessment and created a cybersecurity plan that enforces segmentation between IT and OT networks.
A New Role: CySO
The underlying principle of the MTSA is that ships, oil rigs, and other maritime facilities must enforce security and require that their suppliers and vendors do the same. Companies should expect similar requirements to expand to other industries, if they are not already in place, says Trey Ford, chief strategy and trust officer at Bugcrowd, a crowdsourced cybersecurity firm.
"Large industrial suppliers should treat this as the leading indicator for what is coming across every regulated sector and start building accountability into their program design now, before the deadline forces it," he says. "The ICS/SCADA universe should pay attention — I trust regulators will be looking their direction soon."
Among the most significant changes wrought by the new regulations is that every US-flagged vessel, facility, or outer continental shelf (OCS) facility must designate a cybersecurity officer (CySO) to take responsibility for the cybersecurity of both the IT and OT infrastructure, mirroring existing roles under the MTSA, such as the facility security officer.
The scope of duties for the CySO is different than for a traditional chief information security officer, says Dragos's Alvey.
"The CISO is [about] your technical, everyday IT information," he says. "To me, the cybersecurity officer is more of a regulatory officer, because they're in charge of ensuring that not only are you following the regulations, but if there were incidents or anything that's reportable, they're also in charge of that."
Biggest Challenge Dead Ahead
The final stage of the MTSA cybersecurity rollout, which must be completed by July 16, 2027, is the most challenging: network segmentation. Even land-based companies have trouble meeting that cybersecurity goal. In a 2025 survey, networking giant Cisco found that 94% of organizations encountered problems with segmentation due to the complexity of their environments, a lack of visibility, and difficulty identifying legitimate information flows.
Unfortunately, there is no simple solution, Amer Akhter, senior director of product management for Cisco, stated in his review of the survey results.
"There's no 'box' or single product that one can purchase. Nor is there a single approach that can be modeled as a best practice for every use case," he said. "Instead, organizations are having to rely on multiple segmentation methods. Unfortunately, this lack of clarity can add complexity to an already complex situation. The result? Many, too many, segmentation projects fail."
Dragos's Alvey notes that companies are expected to complete network segmentation within roughly a year and a half, a timeline he views as tight given the multiple prerequisite steps involved (asset inventory, architectural design, etc.), and one likely to prompt pushback from regulated entities.
"Just because you're compliant, doesn't mean you're secure," he says.
And that is where the MTSA cybersecurity requirements can help prepare facilities and companies, Bugcrowd's Ford says. Beyond the defenses, the training, and the new roles, the requirements focus on what happens when there is an incident. Network segmentation helps slow down lateral movement by attackers, regular assessments can detect where defenses or visibility have failed, and requiring secure design from the start means that the organization is moving toward a destination.
That's a lesson that every company should take to heart, Ford says.
"The MTSA gets one foundational thing right that most enterprise programs still resist: the assumption of failure," he says. "It treats the question as not whether a system can be compromised, but whether you will know before an adversary acts on it."
About the Author
Robert Lemos
Contributing Writer
Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.