
Maritime USB and Removable Media Threat Prevention

On a vessel at sea, the USB stick is still the single most common way malware crosses the air gap. Chart updates, software patches, crew media and vendor diagnostics all arrive on removable media. Here is how malware reaches bridge and engine systems through USB, and the layered controls that stop it.

Published 26 June 2026 · 9 min read · Codesecure Maritime Cyber Team

Key Takeaways

  • USB and removable media remain the dominant malware path onto vessels because so many legitimate workflows (chart updates, patches, vendor diagnostics) depend on them.
  • The air gap is a myth in practice. A bridge or engine system that never touches the internet still receives files weekly through removable media.
  • Layered controls work best: device whitelisting, scanning kiosks, endpoint controls, file integrity verification and a documented media handling procedure.
  • Crew culture matters. A no-blame reporting culture surfaces a plugged-in unknown stick before it becomes an incident.
  • IEC 62443 and IMO MSC.428(98) both expect removable media controls. Auditors ask the chief engineer how USB media is handled in nearly every cyber inspection.

Why USB Is Still the Number One Vessel Malware Path

Despite a decade of warnings, removable media remains the most common way malware reaches shipboard operational technology. The reason is structural, not careless. Bridge and engine systems are deliberately isolated from the public internet, but they still need files: electronic navigational chart (ENC) updates, ECDIS and radar software patches, engine performance configuration, planned maintenance data, vendor diagnostic tools, and the occasional crew media transfer. Almost all of that arrives on a USB stick or an external drive carried physically aboard.

This creates a paradox. The very isolation that is supposed to protect the system also removes the centralised patching, antivirus updates and network monitoring that an enterprise network provides. An isolated ECDIS workstation can run unpatched for years, and the one channel that does reach it, removable media, is exactly the channel an attacker targets. A single infected stick handed to the bridge during a chart update becomes the bridge across the air gap.

Real-world maritime malware cases reflect this. Vessels have arrived in port with bridge or administrative systems infected by commodity malware that originated on a crew member's personal drive or a vendor laptop's USB transfer. Some incidents were dormant infections that simply travelled with the media; others were active worms that spread once they reached a flat shipboard network.

Removable Media Threat Vectors on Vessels

Removable media threats on a vessel fall into several distinct categories, each requiring a different control. Treating them as one undifferentiated risk leads to controls that miss the real attack path.

  • Infected chart and software update media: an ENC update stick or a vendor patch drive carrying malware alongside the legitimate update files, reaching the ECDIS or radar workstation directly
  • Vendor diagnostic media: a service technician's USB drive or laptop-connected stick used during planned maintenance, often with administrative access to the very system being serviced
  • Crew personal media: phones, music drives and personal sticks plugged into administrative or welfare systems that share a network with operational systems
  • Auto-run and HID-spoofing attacks: malicious devices that present themselves as keyboards (BadUSB style) and inject commands the moment they are plugged in, bypassing file-scanning entirely
  • Data exfiltration media: removable drives used to copy cargo plans, crew data or commercial documents off the vessel without trace
  • Dormant cross-contamination: a clean-looking stick that picked up malware on a shore machine and carries it aboard weeks later


Layered Technical Controls

No single control stops removable media threats. A defensible programme layers several so that a failure in one is caught by another. The layers below are listed roughly in order of effectiveness per unit of effort.

Device whitelisting is the strongest control. Configure operational endpoints (ECDIS, radar PC, engine monitoring workstation) to accept only a known list of company-issued, registered devices identified by hardware serial. Any unregistered device is blocked at the port. This stops both file-borne malware on unknown sticks and HID-spoofing devices, because the device itself is never allowed to enumerate.

Scanning kiosks form the second layer. A standalone, hardened kiosk at the ship office or at the shore office, kept current with multiple antivirus engines, scans every inbound stick before it is allowed near an operational system. The workflow is simple: no media touches an operational endpoint until it has passed the kiosk and been re-written to a clean, company-issued transfer stick.

Endpoint controls form the third layer. Disable auto-run, restrict execution from removable drives, enforce read-only mounting where the workflow allows, and log every removable-media mount event for later review. File integrity verification is the fourth layer: for chart updates, enforce end-to-end S-63 signature verification so a tampered ENC is rejected even if the carrier media is trusted.
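The whitelisting and mount-logging layers above only pay off if someone actually reviews the attach events against the device registry. The script below is an added example (not Codesecure's tooling or any vendor's product) of that review: it reads single-line USB attach events from operational endpoints, flags any device whose hardware serial is not registered, and flags a device that presents both a mass-storage and a HID interface on the same port, which is the disguised-keyboard pattern described under HID spoofing. The log format, hostnames, serials and vendor/product IDs are all constructed for illustration.

```python
"""Review USB attach events from OT endpoints against a registry of company-issued devices.

Added example, not the article's or any vendor's code. The single-line log format and
the device identifiers below are constructed; endpoint device-control products each
log in their own format, so the regex would be adapted to the product in use.
"""
import re
from dataclasses import dataclass

# Company-registered devices by hardware serial: transfer media plus each endpoint's own
# fixed peripherals (constructed values).
REGISTERED_SERIALS = {"CS-XFER-0042", "CS-XFER-0107", "KBD-RADAR-A1"}

# Hosts whose USB ports should only ever see registered devices (constructed names).
OT_ENDPOINTS = {"ECDIS-1", "RADAR-PC", "ENGINE-MON"}

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=usb_attach class=(?P<cls>\S+) "
    r"vid=(?P<vid>[0-9a-fA-F]{4}) pid=(?P<pid>[0-9a-fA-F]{4}) "
    r"serial=(?P<serial>\S+) port=(?P<port>\S+)$"
)

# Constructed sample log: a registered transfer stick, an unknown composite device on
# ECDIS-1, a personal stick on a welfare PC (out of scope here), and the radar keyboard.
SAMPLE_LOG = """
2026-06-20T08:14:02Z host=ECDIS-1 event=usb_attach class=mass_storage vid=0781 pid=5581 serial=CS-XFER-0042 port=1-2
2026-06-20T09:02:41Z host=ECDIS-1 event=usb_attach class=mass_storage vid=13fe pid=4300 serial=07A1B2C3D4 port=1-2
2026-06-20T09:02:42Z host=ECDIS-1 event=usb_attach class=hid vid=13fe pid=4300 serial=07A1B2C3D4 port=1-2
2026-06-20T10:30:00Z host=CREW-WELFARE-PC event=usb_attach class=mass_storage vid=0951 pid=1666 serial=E0D55E6B port=2-1
2026-06-20T11:00:00Z host=RADAR-PC event=usb_attach class=hid vid=046d pid=c31c serial=KBD-RADAR-A1 port=3-1
"""


@dataclass(frozen=True)
class Finding:
    severity: str
    host: str
    serial: str
    reason: str


def parse_event(line: str):
    """Return the fields of one attach event, or None for lines that are not attach events."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def evaluate(lines):
    """Walk the log once and return findings in log order."""
    findings = []
    classes_seen = {}        # (host, port, serial) -> interface classes that device has presented
    composite_flagged = set()
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["host"] not in OT_ENDPOINTS:
            continue
        key = (ev["host"], ev["port"], ev["serial"])
        classes_seen.setdefault(key, set()).add(ev["cls"])
        if ev["serial"] not in REGISTERED_SERIALS:
            if ev["cls"] == "hid":
                reason = "unregistered HID-class device (keyboard emulation, the BadUSB pattern)"
            else:
                reason = f"unregistered {ev['cls']} device"
            findings.append(Finding("high", ev["host"], ev["serial"], reason))
        # One physical device presenting both storage and HID is the disguised-keyboard pattern;
        # report it once per device even if more interfaces enumerate later.
        if {"hid", "mass_storage"} <= classes_seen[key] and key not in composite_flagged:
            composite_flagged.add(key)
            findings.append(Finding("critical", ev["host"], ev["serial"],
                                    "composite device presenting both mass_storage and hid at one port"))
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_LOG.strip().splitlines()):
        print(f"{f.severity:8} {f.host:10} {f.serial:14} {f.reason}")
```

Run against the sample, the registered stick and the registered radar keyboard produce nothing, the welfare PC is ignored because it is not an OT endpoint, and the unknown device on ECDIS-1 produces two high findings (unregistered storage, unregistered HID) and one critical finding for presenting both at once. With device whitelisting enforced, the first two events would never enumerate at all; the review is what catches an endpoint where enforcement is missing or misconfigured.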

Media Handling Procedures and Crew Culture

Technology controls fail without a procedure the crew actually follows. A documented removable media handling procedure, embedded in the Safety Management System rather than kept in a separate binder, is what auditors look for and what crews execute under pressure.

A practical procedure defines: which devices are company-issued and registered, where the scanning kiosk is and who operates it, the rule that no personal media goes near operational systems, the requirement that vendor media is scanned and logged before any service work, and the colour-coding or physical labelling that distinguishes a clean transfer stick from an unverified one. Many operators use a simple two-colour scheme, one colour for verified company media that may touch operational systems, another for everything else.
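The kiosk workflow described above (scan, then re-write to a clean company transfer stick) and the procedure's rule that media is scanned and logged before it touches an operational system both need a way for the endpoint to tell a stick that went through the kiosk from one that merely looks like it did. The following is an added example, not the article's or any vendor's code, of one way to do that: the kiosk writes an authenticated manifest listing every file it passed, and the endpoint refuses media whose manifest is missing, fails authentication, lists files that are not present, omits files that are present (for instance an auto-run file added on a shore machine afterwards), or is older than a fixed age, which forces a re-scan and addresses the dormant cross-contamination case. It assumes a fleet-wide secret shared between kiosk and endpoints (HMAC here; a production design would more likely use an asymmetric signature so endpoints hold no signing key), and the ENC filenames, key and timestamps are constructed. This is a transfer-integrity check only; S-63 signature verification of the chart content itself remains a separate layer.

```python
"""Kiosk-side transfer manifest and endpoint-side verification for a clean transfer stick.

Added example, not the original article's code or any product's format. Assumptions:
kiosk and endpoints share FLEET_KEY (an HMAC key; asymmetric signatures would be the
production choice), and a scan older than MAX_AGE_DAYS is no longer trusted.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

MAX_AGE_DAYS = 7
MANIFEST_NAME = "TRANSFER.manifest"
# Constructed key for the example; in production it comes from the kiosk's key store.
FLEET_KEY = b"example-fleet-key-do-not-use-in-production"

# Constructed ENC update set as the kiosk would see it after a clean scan.
SCANNED_FILES = {
    "ENC_ROOT/CATALOG.031": b"constructed catalogue bytes",
    "ENC_ROOT/GB/GB500001.000": b"constructed ENC cell bytes",
}
SCAN_TIME = datetime(2026, 6, 20, 8, 0, tzinfo=timezone.utc)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(body: dict) -> bytes:
    # Deterministic encoding so kiosk and endpoint authenticate identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files: dict, scanned_at: datetime, kiosk_id: str, key: bytes) -> bytes:
    """Kiosk side: record every file the scan passed, then authenticate the record."""
    body = {
        "kiosk": kiosk_id,
        "scanned_at": scanned_at.isoformat(),
        "files": {name: sha256_hex(data) for name, data in sorted(files.items())},
    }
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "hmac": tag}, sort_keys=True).encode()


def verify_transfer(stick: dict, key: bytes, now: datetime):
    """Endpoint side: accept the media only if every check passes. Returns (ok, reasons)."""
    raw = stick.get(MANIFEST_NAME)
    if raw is None:
        return False, ["no manifest: media has not been through the kiosk"]
    try:
        doc = json.loads(raw)
        body, tag = doc["body"], doc["hmac"]
    except (ValueError, KeyError, TypeError):
        return False, ["manifest unreadable"]
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, ["manifest authentication failed"]
    reasons = []
    scanned_at = datetime.fromisoformat(body["scanned_at"])
    if now - scanned_at > timedelta(days=MAX_AGE_DAYS):
        reasons.append(f"scan older than {MAX_AGE_DAYS} days; re-scan required")
    listed = body["files"]
    present = {name for name in stick if name != MANIFEST_NAME}
    for name in sorted(present - set(listed)):
        reasons.append(f"unlisted file on media: {name}")     # added after the scan
    for name in sorted(set(listed) - present):
        reasons.append(f"listed file missing: {name}")
    for name in sorted(present & set(listed)):
        if not hmac.compare_digest(sha256_hex(stick[name]), listed[name]):
            reasons.append(f"hash mismatch: {name}")           # altered after the scan
    return (not reasons), reasons


def demo():
    """Exercise the clean path and the failure modes the procedure is meant to catch."""
    manifest = build_manifest(SCANNED_FILES, SCAN_TIME, "KIOSK-SHIP-OFFICE-1", FLEET_KEY)
    clean = {**SCANNED_FILES, MANIFEST_NAME: manifest}
    next_day = SCAN_TIME + timedelta(days=1)
    added = {**clean, "autorun.inf": b"constructed extra file"}
    altered = {**clean, "ENC_ROOT/GB/GB500001.000": b"constructed ENC cell bytes (altered)"}
    return {
        "clean": verify_transfer(clean, FLEET_KEY, next_day),
        "extra_file": verify_transfer(added, FLEET_KEY, next_day),
        "altered_cell": verify_transfer(altered, FLEET_KEY, next_day),
        "stale": verify_transfer(clean, FLEET_KEY, SCAN_TIME + timedelta(days=30)),
        "unscanned": verify_transfer(dict(SCANNED_FILES), FLEET_KEY, next_day),
    }


if __name__ == "__main__":
    for case, (ok, reasons) in demo().items():
        print(f"{case:13} {'ACCEPT' if ok else 'REJECT'} {reasons}")
```

The endpoint check deliberately reports every reason rather than stopping at the first, so the log entry for a rejected stick tells the officer whether it was a stale scan, an added file or an altered one. Only the clean case is accepted; each of the other four is rejected with a specific reason.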

Crew culture is the multiplier. The single most valuable behaviour is a crew member reporting that they plugged in an unknown stick, immediately, without fear of blame. A no-blame reporting culture turns a potential silent infection into a contained, logged event. Operators who punish the honest report instead get silence, and silence is how a dormant infection sails three more legs before anyone notices.

What IEC 62443 and IMO MSC.428(98) Expect

Removable media control is not an optional nicety; it is an expectation under the frameworks that govern maritime cyber. IMO Resolution MSC.428(98), in force since 1 January 2021, requires cyber risk to be managed within the ship Safety Management System under the ISM Code. Removable media is one of the most concrete, testable controls an auditor can examine, so it is scrutinised closely.

IEC 62443, the industrial automation and control systems security standard widely applied to maritime OT, addresses removable media directly through its system requirements (notably the requirements around portable and mobile device control, malware protection, and the use of an air gap supplemented by media scanning). Applying IEC 62443 to a vessel means treating bridge and engine systems as the most restrictive security zones, with removable media crossing into those zones only through a controlled, scanned conduit.

The ISPS Code, traditionally focused on physical port and ship security, increasingly carries a cyber dimension in national interpretations, and removable media handling is a natural point where physical and cyber security meet. A USB stick is both a physical object subject to access control and a cyber payload subject to scanning. The strongest maritime programmes treat it as both.


Rolling Out a Removable Media Programme Across a Fleet

For an operator with a mixed fleet, removable media control is one of the highest-return, lowest-cost cyber improvements available, but it has to be rolled out as a programme, not a memo. A typical rollout runs over a few months and moves from assessment to standardisation to verification.

The assessment phase inventories how media currently moves on a representative vessel per class: who brings sticks aboard, which systems they touch, where the vendor diagnostic path goes, and whether any operational endpoint already has device controls. This almost always reveals undocumented paths: a satcom vendor who plugs directly into a bridge switch, a chart update workflow that skips scanning, a welfare PC bridged to the office network.

The standardisation phase issues registered company media, deploys scanning kiosks, configures endpoint device controls where the equipment supports it, and writes the SMS procedure. The verification phase runs a walkthrough on each vessel class, briefs the crew, and folds removable media into the internal audit and drill programme so the control stays alive after the consultants leave. Codesecure delivers this as a managed programme with named consultants on the vessel and at the shore office.


Frequently Asked Questions

Is a scanning kiosk enough to stop USB malware on a vessel?

No. A scanning kiosk is a valuable layer but it only inspects files. It does not stop HID-spoofing devices that emulate a keyboard and inject commands, and it does not help if media bypasses the kiosk in practice. The strongest control is device whitelisting on operational endpoints, supplemented by the kiosk, endpoint hardening and a documented procedure. Layers, not a single tool.

Our bridge systems are air-gapped. Do we still need USB controls?

Yes, more than ever. An air-gapped system has no network antivirus updates and no central monitoring, so the one channel that does reach it, removable media, is the channel an attacker targets. The air gap removes the internet threat but concentrates the remaining risk onto USB. Removable media control is what actually protects an air-gapped vessel system.

How do we handle vendor diagnostic USB drives during planned maintenance?

Treat vendor media as untrusted by default. Require it to pass the scanning kiosk and be logged before any connection to an operational system, prefer transferring verified files to a clean company stick, supervise the connection, and record the device and the work performed. Vendor diagnostic media has administrative access to the system being serviced, so it deserves the most scrutiny, not the least.

What about ECDIS chart update sticks specifically?

Chart updates need two controls. First, the carrier media must be scanned like any other removable media. Second, the chart files themselves must pass end-to-end S-63 digital signature verification against the original hydrographic-office certificate chain, so a tampered ENC is rejected even if the stick is clean. Many real-world ECDIS configurations only verify the local distributor signature, which is weaker.

Does IMO MSC.428(98) specifically require USB controls?

MSC.428(98) requires risk-based cyber management within the Safety Management System rather than a per-control checklist. In practice, removable media is one of the most concrete and testable controls, so flag state and class auditors examine it closely. A vessel that cannot demonstrate a consistent removable media procedure typically receives a cyber finding.

Can Codesecure roll this out across our whole fleet?

Yes. Codesecure delivers fleet-wide removable media programmes covering assessment of current media paths, issue of registered company media, scanning kiosk deployment, endpoint device-control configuration, SMS procedure drafting, crew briefing and folding the control into the internal audit and drill cycle. ISO/IEC 27001:2022 certified delivery with named consultants.


Codesecure Maritime Cyber Team

OSCP / IEC 62443 / Maritime OT Practitioners

Codesecure Solutions is ISO/IEC 27001:2022 certified and delivers maritime cyber risk assessments, IMO MSC.428(98) SMS integration support, vessel and port OT penetration testing, and ship-to-shore SIEM design. Named consultants hold OSCP, CEH, CISSP and ISO 27001 Lead Auditor credentials with hands-on bridge-system and terminal-systems experience. Engagements delivered across India, Singapore, UAE, Malaysia and the wider Middle East.
