TL;DR — too long, didn’t read
Raspberry Pi Zero found physically connected to a passenger vessel's office network — with a cellular modem attached, it created a persistent backchannel for remote access and credential theft that bypassed standard security controls entirely
Port of Vigo hit by ransomware on 24 March, 72 hours of paper-based fallback — physical port operations continued but container inspections and border processes reverted to pen and paper while IT teams worked to cleanse and reconnect systems
IMO FAL 50 initiates work on a Maritime Cyber Code — non-mandatory, goals-based, targeting 2028 completion, with a correspondence group already established
Three things that matter this week
A Raspberry Pi Zero aboard a passenger vessel: hardware implant, cellular modem, persistent access
NORMA Cyber's Annual Threat Assessment 2026, launched at the NORMA Cyber Spring Conference in Oslo on 24 March, included a case from December 2025 that deserves more attention than it has received. A hardware implant was discovered aboard a passenger vessel: a Raspberry Pi Zero equipped with a cellular modem, physically connected to the vessel's office network.
The device created a persistent backchannel that bypassed standard security controls. It enabled remote access, credential theft, and network reconnaissance — independently of the ship's authorised connectivity. The cellular component meant that threat actors could maintain communication regardless of the vessel's internet status, limited only by cellular coverage.
The ATA notes that crew were likely involved in deploying the implant. As we have covered in previous issues, insider threats are one of the recurring themes of maritime cyber incidents. This case illustrates the physical dimension of that risk: a device that costs under $20, available from consumer electronics retailers, inserted into a network and not detected until it had been operational for an undetermined period.
The NORMA Cyber ATA 2026 identifies hardware-enabled attacks and insider threats as one of two main OT themes for the year. Their assessment is blunt: "Physical access to network infrastructure remains one of the most effective ways to bypass cybersecurity controls."
Why this matters: Cyber controls that focus exclusively on network perimeters and software vulnerabilities are insufficient when an adversary — or a crew member — can walk up to a network switch with a device in their pocket. USB port lockdowns and network access controls matter. So does physical security culture onboard.
One thing to do: Review whether your vessel's network cabinets, switch rooms, and server spaces are physically secured and logged for access. Unauthorised physical connections should be in scope for your vessel's cyber risk assessment.
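An added example, not part of the original newsletter or of NORMA Cyber's report: one way to bring unauthorised physical connections into a routine check is to compare the MAC addresses a switch has learned on each port against the approved inventory. The port names, MAC addresses and the "port mac" snapshot format below are constructed for illustration.

```python
"""Flag unexpected devices in a switch MAC address table (added example)."""
from collections import defaultdict

# Constructed inventory: switch port -> MAC addresses approved on that port.
APPROVED = {
    "Gi0/1": {"00:11:22:aa:bb:01"},   # purser's workstation
    "Gi0/2": {"00:11:22:aa:bb:02"},   # office printer
    "Gi0/3": {"00:11:22:aa:bb:03"},   # chief officer's workstation
    "Gi0/4": set(),                   # documented as unused
}

# Constructed snapshot in a simple "port mac" format; real switches differ.
SNAPSHOT = """\
Gi0/1 00:11:22:AA:BB:01
Gi0/2 00:11:22:aa:bb:02
Gi0/2 02:00:5e:10:20:30
Gi0/4 00:11:22:aa:bb:03
Gi0/7 02:00:5e:99:88:77
"""

def parse_snapshot(text):
    """Return {port: set of lower-cased MACs} from 'port mac' lines."""
    seen = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            seen[parts[0]].add(parts[1].lower())
    return seen

def audit(seen, approved):
    """Return sorted (port, mac, finding) tuples for every deviation."""
    known = {mac: port for port, macs in approved.items() for mac in macs}
    findings = []
    for port, macs in seen.items():
        for mac in macs:
            if mac in approved.get(port, set()):
                continue  # expected device on its expected port
            if port not in approved:
                finding = "port not in inventory"
            elif mac in known:
                finding = f"approved device moved from {known[mac]}"
            else:
                finding = "unknown device"
            findings.append((port, mac, finding))
    return sorted(findings)

if __name__ == "__main__":
    for port, mac, finding in audit(parse_snapshot(SNAPSHOT), APPROVED):
        print(f"{port:6} {mac}  {finding}")
```

An unknown address sharing a port with an approved device, as on Gi0/2 here, is worth a walk to the cabinet because it can mean something has been inserted inline. MAC addresses can be copied, so this check supports physical inspection and access logging rather than replacing them.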
Port of Vigo: 72 hours of ransomware recovery, physical operations continued
At 05:45 on Tuesday 24 March 2026, the Port Authority of Vigo detected a cyber intrusion. The incident was confirmed as a ransomware attack. The authority immediately isolated servers from external networks and took the public website offline to contain the spread.
The attackers' objective was described by Port Authority president Jesús Vázquez Almuíña as economic ransom — "rescate económico" — rather than the disruption of operations. Physical port operations continued throughout: cargo handling, ship movements, and port access were not interrupted. The impact landed on the administrative and border inspection layer. Container inspections at the Port Inspection Facility were recorded on paper. Email was used as a workaround for internal communication.
As of 27 March, the IT team was still engaged in what sources described as a 72-hour effort to cleanse and reconnect systems. The website was gradually restored by that date. No sensitive data compromise was confirmed. Data losses were limited to files that staff were actively working on at the moment of isolation. No ransomware group had publicly claimed the attack as of reporting.
Why this matters: The Vigo incident is a useful case study in resilience. Physical port operations continued because the critical systems — berth allocation, crane operations, vessel traffic — were either not affected or had sufficient manual fallback. The lesson is not that ransomware is manageable. It is that organisations with documented paper-based fallback procedures have more options when digital systems go down.
One thing to do: Identify the two or three administrative processes in your organisation that would be most painful to run on paper. Document the manual procedure now, before you need it.
IMO FAL 50: work begins on a goals-based Maritime Cyber Code
The 50th session of the IMO Facilitation Committee (FAL 50), held in London from 23 to 27 March 2026, produced two outcomes relevant to maritime cyber practitioners.
First, FAL 50 adopted revised cyber guidelines in the form of MSC-FAL.1/Circ.3/Rev.2, a joint circular updating existing guidance on maritime cyber risk management.
Second, and more significantly for the longer term, FAL 50 initiated formal work on a goals-based, non-mandatory Maritime Cyber Code. The target for completion is 2028. A correspondence group has been established to develop the work between sessions, and an intersessional Working Group is planned for 2027.
The Code is being designed with flexibility in mind — structured so that states can layer regional or national requirements on top of a common baseline. This approach follows the pattern set by other IMO instruments that establish goals rather than prescribing specific technical solutions, leaving implementation detail to administrations and industry.
The broader context: MSC 110 had already concluded that a non-mandatory code should precede any SOLAS-level mandatory provisions. FAL 50 has now formally started that work.
Why this matters: A 2028 Maritime Cyber Code will not solve the threat landscape of 2026. But it establishes the regulatory direction of travel. Organisations that build their cyber programmes around goals-based frameworks now — rather than waiting for mandatory requirements — will find the transition easier and will have more influence over what the Code ultimately says.
One thing to do: Follow the IMO correspondence group's output through Lloyd's Register, Nautical Institute, and BIMCO summaries. The draft Code will be shaped in the next 18 months.
Coming up
NORMA Cyber / RIN / DNK webinar: "Impacts of GNSS Interference on Maritime Safety" — Thursday 9 April 2026, 10:00 CEST. Featuring Dr Ramsey Faragher (Royal Institute of Navigation) and Ivana Carrioni-Burnett (Maritime Pilot, RIN). Register via NORMA Cyber.
Maritime Cyber Guild Meetup Q2 2026 — Prague. Topics: functional safety, alarm management, and network storms in OT environments.
Full conference calendar → mc3.maritime-ogmios.tech
Number of the week
733 — GNSS interference incidents recorded by the Swedish Transport Agency in 2025, up from just 55 in 2023. A thirteenfold increase in two years. Source: NORMA Cyber Annual Threat Assessment 2026, citing Swedish Transport Agency data.
Resource of the week
NORMA Cyber Annual Threat Assessment 2026 — the full report is publicly available. Download at normacyber.no. If you read one maritime cyber document this year, make it this one.
Free tabletop exercise — test your crew's incident response with a no-cost scenario at tabletop.maritime-ogmios.tech.
