- What: Coast Guard introduces new cybersecurity rules for CISOs
- Impact: IT professionals in government and private sectors may need to adapt to new guidelines
Coast Guard's New Cybersecurity Rules Offers Lessons for CISOs

The Maritime Transportation Security Act (MTSA) requires plans to protect OT systems, audits by independent third parties, and a hybrid OT-security role.
Robert Lemos, Contributing Writer
April 17, 2026

The US Coast Guard's first-ever mandatory cybersecurity framework for ports, vessels, and offshore facilities has taken effect, ending two decades of voluntary compliance and putting operators on a countdown with a 2027 deadline.

The regulations affect any US-flagged vessel or maritime facility subject to the Maritime Transportation Security Act of 2002 and require that they develop and maintain a cybersecurity plan, designate a cybersecurity officer (CySO), conduct annual assessments, and train any information- and operational-technology workers on their cybersecurity duties.

The regulations resemble the requirements for other industries, such as the National Electric Reliability Council's Critical Infrastructure Protection (NERC-CIP) plan, which has improved cybersecurity across the power-generation and distribution ecosystem, says Elan Alvey, principal industrial consultant at Dragos, an industrial cybersecurity provider.

"Regulation has helped — it's not the fix for everything, because threat groups are pretty sneaky," he says. "But, it gets rid of a lot of the low-hanging fruit that your opportunists, hackers, your ransomware folks, will see and say, 'Oh, it's open. Let's go [attack] it.'"

The cybersecurity regulations come as the maritime transportation industry has suffered some major cyberattacks, including the NotPetya attack that halted shipping by AP Moller-Maersk and global positioning system attacks that caused ships to run aground. International standards already require similar cybersecurity measures for transoceanic shipping and foreign-flagged vessels. Other oil-and-gas producing nations, such as Norway, have made decisive moves to strengthen the cybersecurity of ships and offshore facilities.
In 2025, the US Coast Guard expanded the requirements of the Maritime Transportation Security Act of 2002 to include mandatory reporting of cybersecurity incidents starting in July 2025, followed by cybersecurity training for all IT and OT workers on their roles and responsibilities under the law by January of this year. The rule mirrors how the post-9/11 MTSA reshaped physical port security, signaling that Washington aims to shore up maritime cybersecurity, Dragos's Alvey stated in an analysis.

The next deadline is in July, when every US-flagged vessel or outer-continental shelf (OCS) facility — think oil rigs — needs to have completed a cybersecurity assessment and have created a cybersecurity plan that enforces segmentation between IT and OT networks.

A New Role: CySO

The underlying principle of the MTSA is that ships, oil rigs, and other maritime facilities must enforce security and require that their suppliers and vendors do the same. Companies should expect similar requirements to expand to other industries, if they are not already in place, says Trey Ford, chief strategy and trust officer at Bugcrowd, a crowdsourced cybersecurity firm.

"Large industrial suppliers should treat this as the leading indicator for what is coming across every regulated sector and start building accountability into their program design now, before the deadline forces it," he says. "The ICS/SCADA universe should pay attention — I trust regulators will be looking their direction soon."

Among the most significant changes wrought by the new regulations is that every US-flagged vessel, facility, or outer continental shelf (OCS) facility must designate a cybersecurity officer (CySO) to take responsibility for the cybersecurity of both the IT and OT infrastructure, mirroring existing roles under the MTSA, such as the facility security officer.
The scope of duties for the CySO is different than for a traditional chief information security officer, says Dragos's Alvey.

"The CISO is [about] your technical, everyday IT information," he says. "To me, the cybersecurity officer is more of a regulatory officer, because they're in charge of ensuring that not only are you following the regulations, but if there were incidents or anything that's reportable, they're also in charge of that."

Biggest Challenge Dead Ahead

The final stage of the MTSA cybersecurity rollout, which must be completed by July 16, 2027, is the most challenging: network segmentation. Even land-based companies have trouble meeting that cybersecurity goal. In a 2025 survey, networking giant Cisco found that 94% of organizations encountered problems with segmentation due to the complexity of their environments, a lack of visibility, and difficulty identifying legitimate information flows.

Unfortunately, there is no simple solution, Amer Akhter, senior director of product management for Cisco, stated in his review of the survey results.

"There's no 'box' or single product that one can purchase. Nor is there a single approach that can be modeled as a best practice for every use case," he said. "Instead, organizations are having to rely on multiple segmentation methods. Unfortunately, this lack of clarity can add complexity to an already complex situation. The result? Many, too many, segmentation projects fail."

Dragos's Alvey notes that companies are expected to complete network segmentation within roughly a year and a half, a timeline he views as tight given the multiple prerequisite steps involved (asset inventory, architectural design, etc.), and one likely to prompt pushback from regulated entities.

"Just because you're compliant, doesn't mean you're secure," he says.
And that is where the MTSA cybersecurity requirements can help prepare facilities and companies, Bugcrowd's Ford says. Beyond the defenses, the training, and the new roles, the requirements focus on what happens when there is an incident. Network segmentation helps slow down lateral movement by attackers, regular assessments can detect where defenses or visibility have failed, and requiring secure design from the start means that the organization is moving toward a destination.

That's a lesson that every company should take to heart, Ford says.

"The MTSA gets one foundational thing right that most enterprise programs still resist: the assumption of failure," he says. "It treats the question as not whether a system can be compromised, but whether you will know before an adversary acts on it."