
Maritime Endpoint Protection: Ship Computer Antivirus

Antivirus on a ship is harder than it sounds. Many endpoints are air-gapped or barely connected, signature updates arrive weeks late, and a careless agent on a bridge workstation can be as dangerous as the malware it is meant to stop. Here is how to do endpoint protection on vessels in a way that actually works at sea.

Published 26 June 2026 · 10 min read · Codesecure Maritime Cyber Team

Key Takeaways

  • Ship endpoints are not office endpoints: many are air-gapped or rarely connected, so signature updates arrive late and cloud-dependent agents fail.
  • Antivirus on safety-critical OT can be dangerous: a scanner that quarantines a needed file or consumes resources on a bridge workstation can cause its own incident.
  • USB and removable media are the dominant infection path on isolated vessels. Media control often matters more than the antivirus engine itself.
  • Vendor-approved configurations are mandatory for OT hosts like ECDIS. Never run a generic antivirus on certified equipment without vendor sign-off.
  • Layered defence beats any single agent: application allow-listing, media control, segmentation and integrity monitoring outperform signature scanning alone on offline systems.
  • IMO 2021 expects documented endpoint controls: the protective measures, the update process and the media handling must all be evidenced in the Safety Management System.

Why Ship Endpoint Protection Is Genuinely Hard

Endpoint protection is a solved problem in a modern office. Agents update their signatures and behavioural models continuously from the cloud, telemetry streams to a central console, and a misbehaving endpoint can be isolated remotely in seconds. None of those assumptions hold on a vessel. Many shipboard endpoints are air-gapped by design or connected only through a narrow, intermittent and expensive satellite link. A signature update that an office endpoint receives within minutes may reach a vessel weeks later, if at all, and a cloud-dependent agent that loses its connection may degrade to near-uselessness or, worse, start blocking legitimate activity.

The endpoints themselves are also different. A vessel hosts a mix of general-purpose IT, such as ship-office and crew computers, alongside operational-technology hosts that happen to run a general-purpose operating system underneath: ECDIS workstations, engine-monitoring PCs, cargo-control consoles and planned-maintenance terminals. The OT hosts are often certified equipment running a specific, vendor-locked configuration that cannot be changed without invalidating the certification or the vendor support. Installing a generic antivirus on an ECDIS is not a routine IT decision; it can break the certification, consume resources the navigation software needs, or quarantine a chart file the vessel depends on.

The result is that the office endpoint-protection playbook does not transfer to the vessel. A maritime endpoint strategy has to be designed for late updates, intermittent or absent connectivity, certified and resource-constrained OT hosts, and a crew that is not a full-time security team. The good news is that a well-designed layered approach can deliver strong protection within these constraints. It just does not look like the office one.

When Antivirus Becomes the Incident

There is a real and underappreciated risk that the endpoint-protection agent itself causes a safety or operational incident. On a safety-critical OT host, a scanner that consumes CPU or memory during a critical operation, that quarantines a file the application needs, or that triggers a reboot at the wrong moment can disrupt the very function it is supposed to protect. An antivirus update that introduces a false positive against a legitimate navigation or control file is not a theoretical concern; the wider IT industry has seen update-driven false positives take systems offline at scale.

For this reason, antivirus and any active endpoint agent on certified OT equipment must run only in a vendor-approved configuration. The equipment vendor, who is responsible for the certification and the support, specifies whether an agent is permitted, which product and version, what scanning scope and schedule are safe, and what exclusions are required so the agent never touches the files the application depends on. Running anything outside that approved configuration risks both the certification and the operational integrity of the system.

The practical implication is a clear split. General-purpose IT endpoints, such as ship-office and crew computers, can run a conventional endpoint-protection agent much as an office would, allowing for the update-latency constraints. Certified OT hosts run only what the vendor approves, and where the vendor does not approve an active scanner, the protection comes from compensating controls: strict segmentation, application allow-listing where supported, rigorous media control and integrity monitoring, rather than from a signature scanner that could do more harm than good.

USB and Removable Media: The Dominant Threat

On an isolated vessel, the network-borne infection vector that dominates office security is far less relevant, because the systems are not continuously networked to the internet. The dominant infection path instead is physical: USB sticks and removable media. Chart updates arrive on USB media, technicians bring laptops and drives aboard for maintenance, crew members plug personal devices into ship computers to charge them, and vendors connect equipment during port calls. Each of these is a path for malware to cross the air-gap that the vessel's isolation was supposed to provide.

Several of the most notable maritime malware incidents that have been publicly discussed involved malware reaching otherwise-isolated systems through removable media or a contractor's device, not through a network attack. The lesson is consistent: on an isolated vessel, media control is often more important than the antivirus engine itself, because the antivirus on a rarely-updated endpoint may not even recognise the malware, whereas disciplined media control prevents the malware from arriving in the first place.

Effective media control combines policy and technology. The policy restricts removable media to a controlled set of company-issued, clearly identified devices, prohibits personal media on operational systems, and requires that any media used for chart or software updates be scanned on a dedicated, well-maintained scanning station before use on an OT host. The technology enforces this through device-control software that blocks unauthorised media, a kiosk or scanning station that crew must use to check incoming media, and logging so that media use can be reviewed after the fact. For ECDIS specifically, restricting updates to a controlled subset of company sticks and verifying the chart-update digital signature end to end closes the most direct route to chart tampering.

  • Restrict media to company-issued, identified devices; prohibit personal media on operational systems
  • Scan all incoming media on a dedicated, well-maintained scanning station before use on any OT host
  • Enforce device control in software so unauthorised media is blocked, not merely discouraged
  • Verify chart-update signatures end to end on ECDIS, not just the local distributor signature
  • Log media use so it can be reviewed after an incident or during an audit
  • Brief technicians and vendors on media policy before they bring devices aboard
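The media-control policy above generates the evidence it needs to be audited: device-control events from OT hosts and clean-scan records from the scanning station. The script below is an added example, not Codesecure's tooling; it assumes a constructed log format with hypothetical host names and stick serials, and flags every USB insert on an OT host that is either non-company media or company media without a clean scan inside the policy's validity period.

```python
"""Review device-control logs for removable-media policy violations.
Added example; the device-control agent, scanning station, log format,
host names and stick serials below are all hypothetical/constructed."""
from datetime import datetime

# Constructed sample log: "<ISO time> <host> <event> serial=<id> user=<name>"
SAMPLE_LOG = """\
2026-06-01T08:02:11 SCANSTATION-1 usb_insert serial=CS-0042 user=2nd_officer
2026-06-01T08:04:50 SCANSTATION-1 scan_clean serial=CS-0042 user=2nd_officer
2026-06-01T08:30:07 ECDIS-1 usb_insert serial=CS-0042 user=2nd_officer
2026-06-01T14:12:33 ECDIS-2 usb_insert serial=KINGSTON-9F3A user=cadet
2026-06-02T09:15:00 SCANSTATION-1 scan_clean serial=CS-0017 user=chief_eng
2026-06-03T10:40:21 ENGINE-PC-1 usb_insert serial=CS-0017 user=chief_eng
2026-06-02T11:00:00 ENGINE-PC-1 usb_insert serial=CS-0099 user=technician
"""

COMPANY_MEDIA = {"CS-0042", "CS-0017", "CS-0099"}   # company-issued sticks (constructed)
OT_HOSTS = {"ECDIS-1", "ECDIS-2", "ENGINE-PC-1"}    # certified OT hosts (constructed)
SCAN_STATIONS = {"SCANSTATION-1"}
SCAN_VALIDITY_HOURS = 24   # policy choice: a clean scan covers the stick this long

def parse_log(text):
    """Parse lines into dicts and return them in time order (logs may arrive unordered)."""
    events = []
    for line in text.splitlines():
        ts, host, event, *kv = line.split()
        fields = dict(item.split("=", 1) for item in kv)
        events.append({"time": datetime.fromisoformat(ts), "host": host,
                       "event": event, **fields})
    return sorted(events, key=lambda e: e["time"])

def review(text):
    """Return (time, host, serial, finding) for every USB insert on an OT host that
    breaks policy: non-company media, or company media without a recent clean scan."""
    last_clean_scan = {}   # serial -> time of the most recent clean scan
    findings = []
    for e in parse_log(text):
        if e["event"] == "scan_clean" and e["host"] in SCAN_STATIONS:
            last_clean_scan[e["serial"]] = e["time"]
        elif e["event"] == "usb_insert" and e["host"] in OT_HOSTS:
            scanned = last_clean_scan.get(e["serial"])
            if e["serial"] not in COMPANY_MEDIA:
                reason = "non-company media on OT host"
            elif scanned is None:
                reason = "company media used on OT host without a clean scan"
            elif (e["time"] - scanned).total_seconds() > SCAN_VALIDITY_HOURS * 3600:
                reason = "clean scan older than policy allows"
            else:
                continue   # company stick, scanned clean within the validity period
            findings.append((e["time"], e["host"], e["serial"], reason))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding)
```

Run against the constructed log it reports the personal stick on ECDIS-2, the unscanned company stick on ENGINE-PC-1, and the company stick whose clean scan had expired; the scanned stick on ECDIS-1 passes.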

Layered Defence for Offline Endpoints

Because signature-based antivirus is weakest exactly where the vessel needs it most, on rarely-updated, isolated endpoints, the maritime endpoint strategy leans on controls that do not depend on fresh signatures or constant connectivity. The most powerful of these is application allow-listing, which inverts the antivirus model. Instead of trying to recognise every bad file, allow-listing permits only the known-good applications the system needs to run and blocks everything else by default. On a stable OT host that runs a fixed set of applications, allow-listing is extremely effective and is largely immune to the signature-update problem, because it does not need to recognise the malware to block it.

Segmentation is the second pillar. An endpoint that an attacker cannot reach is an endpoint that is much harder to compromise, and even a compromised endpoint that cannot communicate with other zones is far less dangerous. Placing OT endpoints in restrictive zones, denying them unnecessary network reach, and gating any cross-zone access through firewalls limits both the initial compromise and the lateral movement that turns one infected machine into a fleet incident.

Integrity monitoring is the third. Rather than asking whether a file is malicious, integrity monitoring asks whether a critical system file or configuration has changed when it should not have. On a system whose legitimate software changes only at well-defined maintenance windows, an unexpected change is a strong signal worth investigating. Together, application allow-listing, segmentation and integrity monitoring give an offline endpoint a robust defence that does not depend on the daily signature update the vessel cannot reliably receive, with conventional antivirus added on the general-purpose IT endpoints where it can be kept current enough to be useful.
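As an added example of the integrity-monitoring pillar (not Codesecure's or any vendor's product), the script below baselines a host's files by SHA-256, classifies later differences as modified, added or removed, and treats a change observed outside a declared maintenance window as an alert. The paths, file contents and maintenance window are constructed.

```python
"""File-integrity baseline and check for an OT host whose software changes only
at maintenance windows. Added example, not Codesecure's or a vendor's product;
paths, file contents and the maintenance window are constructed."""
import hashlib
import os
import tempfile
from datetime import datetime

def hash_tree(root):
    """Map every file under root (relative, '/'-separated path) to its SHA-256 digest."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            digests[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return digests

def compare(baseline, current):
    """Classify differences between the stored baseline and a fresh scan."""
    return {"modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
            "added": sorted(p for p in current if p not in baseline),
            "removed": sorted(p for p in baseline if p not in current)}

def assess(baseline, current, checked_at, windows):
    """'clean' if unchanged; 'expected' during a declared window (re-baseline once the
    work is signed off); otherwise 'alert', because nothing should have changed."""
    diff = compare(baseline, current)
    if not any(diff.values()):
        return "clean", diff
    in_window = any(start <= checked_at <= end for start, end in windows)
    return ("expected" if in_window else "alert"), diff

def write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed scenario: a config edit and a new executable appear on the host."""
    windows = [(datetime(2026, 6, 10, 8, 0), datetime(2026, 6, 10, 12, 0))]
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "config"))
        cfg = os.path.join(root, "config", "alarms.cfg")
        write(cfg, b"limit=90\n")
        write(os.path.join(root, "monitor.bin"), b"constructed application binary")
        baseline = hash_tree(root)                       # taken at commissioning
        write(cfg, b"limit=999\n")                       # alarm threshold silently raised
        write(os.path.join(root, "unexpected.exe"), b"constructed unknown file")
        current = hash_tree(root)
    outside = assess(baseline, current, datetime(2026, 6, 15, 3, 0), windows)
    inside = assess(baseline, current, datetime(2026, 6, 10, 9, 0), windows)
    return outside, inside
```

In practice the baseline is stored off the host (or signed) so that whoever alters the files cannot also alter the record they are compared against.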

An Update Strategy That Survives Bad Connectivity

Even the controls that do not depend on daily signatures still need periodic updates: operating-system patches, application updates, allow-list adjustments when legitimate software changes, and antivirus definitions for the IT endpoints. The challenge is delivering these reliably to a vessel whose connectivity ranges from intermittent satcom to genuine air-gap. An update strategy that assumes office-grade connectivity will simply fail, leaving endpoints to drift further out of date until they are a liability.

A workable maritime update strategy is staged and deliberate. Updates are collected, tested and packaged ashore, then delivered to the vessel through whatever channel is available: pushed over the satcom or 5G link where bandwidth and risk allow, or carried aboard on controlled, scanned media where the systems are air-gapped. Critically, OT updates are validated against the vendor's approved configuration before deployment and applied during planned maintenance windows, never ad hoc, because an update that breaks a navigation or control system at sea is its own incident.
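The validation step in that pipeline can be made mechanical. Below is an added example, not Codesecure's pipeline: a pre-deployment check that rejects a staged package when any item is not a vendor-approved product and version for the host class, when a payload's hash does not match the manifest, or when the deployment time falls outside a planned maintenance window. The manifest format, product names, versions and windows are constructed stand-ins for what the equipment vendor and the shipowner's change record would actually specify.

```python
"""Pre-deployment check of a staged OT update package against the vendor-approved
configuration. Added example, not Codesecure's pipeline; manifest format, product
names, versions and windows are constructed stand-ins for the vendor's real list
and the vessel's real maintenance plan."""
import hashlib
from datetime import datetime

# Vendor-approved products and versions per host class (constructed stand-in)
APPROVED = {"ECDIS": {"AV": {"product": "ExampleAV", "versions": {"7.4.2", "7.4.3"}},
                      "OS_PATCH": {"product": "OS-KB", "versions": {"2026-05", "2026-06"}}}}
# Planned maintenance windows per vessel (constructed)
WINDOWS = {"MV-EXAMPLE": [(datetime(2026, 7, 2, 8, 0), datetime(2026, 7, 2, 16, 0))]}

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def validate(manifest, payloads, deploy_at):
    """Return rejection reasons; an empty list means the package may be applied."""
    problems = []
    approved = APPROVED.get(manifest["host_class"])
    if approved is None:
        return ["no vendor-approved configuration recorded for " + manifest["host_class"]]
    for item in manifest["items"]:
        rule = approved.get(item["kind"])
        if rule is None or rule["product"] != item["product"]:
            problems.append(f"{item['file']}: {item['product']} is not vendor-approved here")
            continue
        if item["version"] not in rule["versions"]:
            problems.append(f"{item['file']}: version {item['version']} not in approved set")
        data = payloads.get(item["file"])
        if data is None or sha256(data) != item["sha256"]:
            problems.append(f"{item['file']}: missing or hash mismatch (corrupt or altered)")
    if not any(s <= deploy_at <= e for s, e in WINDOWS.get(manifest["vessel"], [])):
        problems.append("deployment time is outside a planned maintenance window")
    return problems

def demo():
    """Constructed package: a valid AV definition bundle plus a patch that is neither
    an approved version nor intact after transfer."""
    defs, patch = b"constructed AV definition bundle", b"constructed OS patch"
    payloads = {"av-defs.bin": defs, "os-patch.cab": b"constructed OS patch, altered"}
    manifest = {"vessel": "MV-EXAMPLE", "host_class": "ECDIS", "items": [
        {"file": "av-defs.bin", "kind": "AV", "product": "ExampleAV",
         "version": "7.4.3", "sha256": sha256(defs)},
        {"file": "os-patch.cab", "kind": "OS_PATCH", "product": "OS-KB",
         "version": "2026-07", "sha256": sha256(patch)}]}
    in_window = validate(manifest, payloads, datetime(2026, 7, 2, 10, 0))
    off_window = validate(manifest, payloads, datetime(2026, 7, 3, 10, 0))
    good_only = {**manifest, "items": manifest["items"][:1]}
    return in_window, off_window, validate(good_only, payloads, datetime(2026, 7, 2, 10, 0))
```

The returned reasons are what goes into the deployment record, so the audit trail shows not only what was applied but also what was refused and why.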

The whole process must be documented, because an auditor will ask how the vessel keeps its protective controls current given its connectivity. A shipowner who can show a defined update pipeline, a record of what was applied to which vessel and when, and a validation step against vendor configurations for OT hosts has answered the question. One who cannot has a finding. Codesecure helps shipowners design endpoint-update pipelines that are realistic for their connectivity profile and that produce the evidence trail the audit requires.

Endpoint Controls Under IMO 2021

Endpoint protection sits squarely within the Protect function of the IMO framework and is a core control area in the BIMCO Guidelines. Under IMO Resolution MSC.428(98), the shipowner must demonstrate, within the Safety Management System, that the protective measures applied to vessel computers are appropriate to the risk, are kept current, and are managed through a documented process. The endpoint strategy is not assessed in isolation; it is read together with the asset inventory, the risk assessment and the media-handling procedures.

What an auditor wants to see is coherent and specific: an inventory that distinguishes IT endpoints from certified OT hosts, a documented protective configuration for each class, evidence that OT-host protection runs only in vendor-approved configurations, a media-control policy with enforcement and logging, an update pipeline suited to the vessel's connectivity, and integrity or allow-listing controls where signature antivirus is weak. The chief engineer and master being able to describe the USB media procedure from memory is, in practice, one of the most telling indicators an auditor uses, because it shows the policy is lived rather than merely written.

Codesecure designs and assesses maritime endpoint-protection programmes that fit the operational reality of the fleet and produce the IMO 2021 and BIMCO evidence the audit requires. The deliverable covers the IT and OT endpoint split, the media-control regime, the layered offline defences, the update pipeline and the documentation, integrated into the Safety Management System rather than bolted on as a separate IT artefact.

Frequently Asked Questions

Can I just install normal antivirus on all ship computers?

No, not safely. General-purpose IT endpoints such as ship-office and crew computers can run conventional antivirus, allowing for update-latency constraints. But certified OT hosts such as ECDIS and engine-monitoring PCs must run only what the equipment vendor approves, because a generic scanner can break the certification, consume resources the application needs, or quarantine a file the system depends on. Where the vendor does not approve a scanner, protection comes from compensating controls instead.

How do air-gapped ship systems get infected if they are not networked?

Through physical media and devices. USB sticks carrying chart or software updates, technicians' laptops and drives, crew personal devices plugged in to charge, and vendor equipment connected during port calls are all paths for malware to cross the air-gap. On isolated vessels, removable media is the dominant infection vector, which is why media control often matters more than the antivirus engine itself.

What is application allow-listing and why does it suit ships?

Application allow-listing permits only known-good applications to run and blocks everything else by default, inverting the antivirus model. It suits ships because it does not depend on fresh signatures or constant connectivity, which is exactly where signature antivirus is weakest on isolated, rarely-updated vessel endpoints. On a stable OT host running a fixed set of applications, allow-listing is highly effective and largely immune to the late-update problem.

How do we keep antivirus and patches current with poor connectivity?

With a staged, documented update pipeline. Updates are collected, tested and packaged ashore, then delivered to the vessel over satcom or 5G where bandwidth and risk allow, or carried aboard on controlled, scanned media where systems are air-gapped. OT updates are validated against the vendor's approved configuration and applied during planned maintenance windows. The pipeline must be documented because auditors will ask how protective controls stay current given the vessel's connectivity.

Is antivirus on ECDIS a good idea?

Only in the configuration the ECDIS vendor approves, if any. ECDIS is certified navigation equipment, and a generic antivirus can break the certification, consume resources, or quarantine a chart file the system needs. Where the vendor permits an agent, run exactly that product, version and scanning scope with the required exclusions. Where it does not, protect the ECDIS with segmentation, controlled USB media, end-to-end chart-signature verification and integrity monitoring instead.

Does IMO 2021 require endpoint protection on vessels?

Endpoint protection falls within the Protect function of the IMO framework and is a core BIMCO control area. Under IMO Resolution MSC.428(98), the shipowner must demonstrate within the Safety Management System that protective measures on vessel computers are appropriate, kept current and managed through a documented process. Auditors look for the IT and OT endpoint split, vendor-approved OT configurations, a media-control policy with logging, and a realistic update pipeline.

Can Codesecure design our maritime endpoint programme?

Yes. Codesecure designs and assesses maritime endpoint-protection programmes covering the IT and OT endpoint split, the media-control regime, layered offline defences such as allow-listing and integrity monitoring, the update pipeline and the documentation, integrated into the Safety Management System. Delivery runs across India, Singapore, UAE, Malaysia and the wider Middle East. ISO/IEC 27001:2022 certified with named consultants.

Codesecure Maritime Cyber Team

OSCP / CEH / CISSP / Maritime OT Practitioners

Codesecure Solutions is ISO/IEC 27001:2022 certified and delivers maritime cyber risk assessments, IMO 2021 SMS integration support, BIMCO gap assessments, vessel and port OT penetration testing, satcom and GMDSS security reviews, and ship-to-shore SIEM design. Named consultants hold OSCP, CEH, CISSP and ISO 27001 Lead Implementer credentials with hands-on bridge and engine-room system experience. Engagements delivered across India, Singapore, UAE, Malaysia and the wider Middle East.
