In the cybersecurity session held at this year’s Inland Marine Expo in Nashville, Tenn., panelists discussed navigating Coast Guard regulations and addressed industry questions when it comes to vessel compliance. The session, titled “Clarity Over Complexity: A Practical Guide to U.S. Coast Guard Cybersecurity Compliance,” was moderated by Robert Blackman, senior manager of service business development for KVH Industries Inc.
Lt. William Quigley, vessel and offshore branch lead for the Office of Maritime Cybersecurity Policy, noted that the cybersecurity rules that have been published apply to any vessels with a security plan, though small companies can apply for a waiver after conducting a cybersecurity assessment (CSA). The waiver, which is approved at the headquarters level, according to Quigley, will allow such companies to be exempt from meeting requirements that aren’t applicable to their operations.
Quigley also recommended the website www.uscg.mil/MaritimeCyber/ as a resource for mariners to stay up to date with the most recent Coast Guard guidance regarding cybersecurity requirements and obtaining waivers.
“Our focus is definitely on the operational side,” Quigley said. “We’re trying to prevent transportation security incidents, so our focus is any sort of disruption to your operations, to your business, to the waterways that would be caused by a cyber incident. Our focus is really your operational technology, but that expands out to your IT (information technology), because a lot of times your IT and OT will be connected. You can have an IT issue that can spread over to an OT issue, and then affect your operations.”
Quigley said the Coast Guard will check that a vessel is compliant during the issuance or renewal of a certificate of inspection (COI), though visits could also be sporadic. Inspectors, who will have undergone thorough training, including 14 hours on maritime cybersecurity OT systems, will also ensure that annual exercises have been completed and that drills have been conducted twice a year.
“A drill is testing one part of your plan,” Quigley said. “So, maybe that’s just a phishing email test, or it’s just testing one part of the cybersecurity plan, whereas the exercise should be a total test of your plan in its entirety. You can coordinate that with your annual drills for physical security, but you can choose not to, too.”
Amanda Wallace, IT systems manager at Hines Furlong Line, Inc., posed the questions that many in the industry have been asking after cybersecurity regulations were published in January 2025. As an operator of river vessels with less risk for a cyberattack compared to blue-water vessels, Wallace asked Quigley how to best meet Coast Guard standards and achieve compliance.
“We want to be compliant,” Wallace said. “We want to be safe. We also have to be mindful of the bottom dollar. What we don’t want to do is sink a bunch of money into something when the risk is not really there to begin with.”
Quigley assured Wallace that while the regulations encapsulate the entire maritime industry, the Coast Guard understands that not every vessel will have the same risk for a cyber incident. He stressed that towboat operators should complete their cybersecurity assessments as thoroughly as possible so that they can obtain a waiver.
“As an agency, we understand that your inland towing vessel is very different from a cruise ship, and the connectivity level is going to be different,” Quigley said. “That is why we have the waivers process.”
When it comes to protecting systems from a cyberattack, many operators have chosen to air gap, or separate, technology from outside networks. Panelist Cliff Neve, vice president of maritime cybersecurity at MAD Security, suggested that operators continue to be diligent and not strictly rely on air gapping their systems. He suggested separating IT and OT networks to help reduce the risk of cyberattack.
“Reduce your attack surface as much as possible,” Neve said. “Segmentation is always your friend. The most likely attack vector is attacking an IT network and then pivoting to a connected OT network. So, segment those off, so that only very, very specific protocols, IP addresses, have access to and from those systems.”
Kristy Huang, global cybersecurity director at ABS Consulting, pointed out that conducting cybersecurity assessments can lead to a better understanding of a vessel’s IT and OT systems. The more thorough operators are in understanding their equipment, the more prepared they will be if an attack happens, and the easier it will be to acquire a waiver from the Coast Guard.
“You usually underestimate the number of things that are connected to a network,” Huang said. “That doesn’t necessarily make it a risk, but it makes it an unknown from an asset perspective. So, doing that risk assessment is very important in terms of putting together that cybersecurity plan, putting together your waivers. Look at that as your foundation for how to be compliant with this, make sure that risk assessment is thorough and defensible.”
Huang cautioned operators that third-party vendors who are hired to conduct assessments should not only be knowledgeable about IT, but OT operations as well. They should also be familiar with the maritime industry and the nuances that come with it in regard to cybersecurity. The alternative could result in an assessment that isn’t thorough or specific enough to the vessel, costing the company additional expense.
“There are a lot of people who see a new regulation come out and say, ‘Well, I do this in cyber, I can just do this, I can just go into this industry. Why don’t we just go ahead and update this, because there are only small tweaks?’” Huang said. “It is surprising to see the number of people who will try to do that, and then (ABS) gets called afterward.”
When asked what audience members should prioritize from the discussion, Quigley emphasized the value of applying for waivers and encouraged listeners to appeal an inspector’s decision if believed to be unfair.
“If you disagree with an inspector ever, appeal, appeal, appeal, appeal,” Quigley said. “These processes exist, and we have program offices to oversee this, and we want our inspectors to be fair across the board. So, don’t worry about retribution. We will make sure that does not happen.”
Wallace advised audience members that keeping a clear head and a simple approach is necessary to achieving compliance without unnecessary costs and headaches. She also encouraged listeners to network with other industry professionals when questions arise.
“Start with networking,” Wallace said. “Start with the tools that are free or no cost, that just take 10 bucks and a lunch with somebody, and see if you can network it and solve the problem as a group. I think if we are all being consistent in our approach to it, and everyone’s doing the same thing, it’s going to be kind of hard for an inspector or the Coast Guard to be like, well, you’re all wrong. So, I think there’s safety in numbers, there’s power in numbers, there’s more of us than there are of them. So, if we all get on the same page and approach it at the same time, then I think it’s easy to manage.”
Featured photo caption: Panelists at the “Clarity Over Complexity: A Practical Guide to U.S. Coast Guard Cybersecurity Compliance” session at the 2026 Inland Marine Expo discussed mitigating cybersecurity risks and achieving Coast Guard compliance. Pictured from left to right are Robert Blackman, senior manager of service business development at KVH Industries Inc.; Lt. William Quigley, vessel and offshore branch lead for the Office of Maritime Cybersecurity Policy; Amanda Wallace, IT systems manager at Hines Furlong Line, Inc.; Cliff Neve, vice president of maritime cybersecurity at MAD Security; and Kristy Huang, global cybersecurity director at ABS Consulting. (Photo courtesy of ECN Photography)
