Key Takeaways
- One antivirus policy does not fit a terminal. TOS servers, gate workstations and cargo-handling OT each need a different endpoint protection approach.
- OT endpoints often cannot run standard antivirus. Vendor support constraints and real-time control requirements push them toward application whitelisting instead of signature scanning.
- Application whitelisting beats blacklisting for OT. Allowing only known-good executables suits stable cargo-handling systems that rarely change.
- EDR fits IT and TOS endpoints where vendors support it, adding behavioural detection beyond signatures.
- Removable media and patch discipline matter as much as the antivirus itself, because the malware usually arrives through USB or an unpatched service.
Why Terminal Endpoints Are Not Office PCs
Endpoint protection in a port is often approached as if a terminal were an office: roll out one antivirus agent to everything and move on. That approach breaks cargo handling. A terminal is a mix of endpoint types with sharply different tolerances, and forcing a single aggressive antivirus policy across all of them risks quarantining a file the TOS needs, pegging the CPU on a real-time control workstation, or voiding the support contract on a vendor-managed cargo-handling system.
The endpoint estate in a terminal spans at least four categories: TOS application and database servers, gate and administrative workstations, operator consoles for cranes and equipment, and the cargo-handling OT itself: the PLCs, HMIs and control PCs that actually move containers and bulk. Each category tolerates a different protection approach. The TOS server can usually take a modern endpoint agent. The cargo-handling control PC frequently cannot, because the OEM supports only a specific configuration and real-time operation leaves no headroom for on-access scanning.
Getting this wrong has operational consequences, not just security ones. An antivirus agent that quarantines a legitimate TOS integration component can stop yard moves. A signature update that conflicts with a vendor-locked control PC can halt a crane. The goal is protection that fits each endpoint type, applied with knowledge of what each system tolerates, so the protection never becomes the outage.
Matching Protection to Endpoint Type
The foundation of a workable terminal endpoint programme is mapping each endpoint type to the protection approach it can safely run. The matrix below reflects what we recommend across most terminals, adjusted per OEM constraint.
- TOS application and database servers: modern endpoint detection and response (EDR) with behavioural detection, where the TOS vendor supports it, plus tight change control
- Gate and administrative workstations: standard managed antivirus or EDR, the same as a hardened corporate fleet, with removable media controls
- Operator consoles: lightweight protection or application whitelisting, depending on real-time constraints and vendor support
- Cargo-handling OT (PLCs, HMIs, control PCs): application whitelisting rather than signature antivirus, because the configuration is OEM-locked and real-time operation leaves no scanning headroom
- Legacy and unsupported endpoints: compensating controls (network isolation, strict media control, monitoring) where no agent can safely run at all
Application Whitelisting for Cargo-Handling OT
For cargo-handling OT, application whitelisting is usually the right control, and it is fundamentally better suited to the environment than signature-based antivirus. Whitelisting allows only known-good executables to run and blocks everything else by default. Signature antivirus does the opposite: it allows everything except known-bad files, which means it depends on constant signature updates and offers no protection against novel malware.
Cargo-handling OT is an ideal whitelisting candidate because it is stable. A crane control PC or a bulk-handling HMI runs a fixed set of vendor software that changes only at planned upgrades. Once the known-good set is captured, whitelisting locks the endpoint to exactly that set with minimal operational friction and no dependence on internet-delivered signature updates, which an isolated OT endpoint cannot reliably receive anyway.
The trade-off is change management. Every legitimate software change (an OEM patch, a configuration tool, a new integration component) must be added to the whitelist through a controlled process. This is a feature, not a bug: it forces the discipline that an OT environment should have anyway, and it means an unexpected new executable is blocked and flagged rather than silently allowed. We deploy whitelisting in a learning mode first to capture the legitimate baseline, then switch to enforcement once the baseline is verified.
EDR for TOS and IT Endpoints
On the IT side of the terminal (the TOS servers, gate and administrative workstations, and corporate endpoints), modern endpoint detection and response is the stronger choice where vendors support it. EDR goes beyond signature matching to behavioural detection: it watches for the patterns of an attack (suspicious process chains, credential dumping, lateral-movement attempts, ransomware-style mass file encryption) and can detect and contain threats that no signature would catch.
For the TOS specifically, EDR earns its place because the TOS is the highest-value IT target in the terminal and a frequent ransomware objective. Behavioural detection that flags the early stages of a ransomware deployment, before the encryption spreads to the yard-move database, can be the difference between an alert and a multi-day terminal closure. The deployment must respect the TOS vendor's supported configuration, so we validate compatibility before rollout and keep tight change control afterward.
Gate and administrative workstations are protected like a hardened corporate fleet: managed EDR or antivirus, removable media controls, least-privilege accounts and prompt patching. These endpoints are often the initial foothold in a terminal intrusion (a phished gate clerk, a compromised admin workstation), so protecting them well closes the most common entry path before it reaches the TOS or the OT zone.
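To make the behavioural side of EDR concrete, here is an added example (not code from the original article, from Codesecure, or from any EDR product) that runs two of the detections described above over constructed endpoint telemetry: an office application spawning a scripting host, and one process rewriting many distinct files in a short window. The event fields, the parent/child lists and the thresholds are assumptions chosen for illustration, not a vendor's rule set.

```python
"""Toy behavioural detection over constructed endpoint telemetry.

Added example, not from the original article or from Codesecure. The event
shape, the process lists and the thresholds below are assumptions.
"""
from collections import defaultdict

# Assumption: user-facing document apps that should not be launching script hosts.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

# Assumption: more than MAX_WRITES distinct files touched by one process
# within WINDOW_SECONDS is treated as ransomware-style mass modification.
MAX_WRITES = 20
WINDOW_SECONDS = 10


def detect_process_chains(events):
    """Alert when a document/office app is the direct parent of a script host."""
    alerts = []
    for e in events:
        if e["type"] != "process_start":
            continue
        if e["parent"].lower() in SUSPICIOUS_PARENTS and e["image"].lower() in SCRIPT_HOSTS:
            alerts.append({"rule": "office-spawns-script-host", "host": e["host"],
                           "pid": e["pid"], "parent": e["parent"], "image": e["image"]})
    return alerts


def detect_mass_file_writes(events, max_writes=MAX_WRITES, window=WINDOW_SECONDS):
    """Alert when one process writes many *distinct* files inside a sliding time window.

    Counting distinct paths (not raw write events) is what keeps a log file that
    is appended to thousands of times from looking like encryption.
    """
    by_proc = defaultdict(list)
    for e in events:
        if e["type"] == "file_write":
            by_proc[(e["host"], e["pid"], e["image"])].append((e["ts"], e["path"]))
    alerts = []
    for (host, pid, image), writes in by_proc.items():
        writes.sort()
        best, start = 0, 0
        for end in range(len(writes)):
            while writes[end][0] - writes[start][0] > window:
                start += 1
            best = max(best, len({p for _, p in writes[start:end + 1]}))
        if best > max_writes:
            alerts.append({"rule": "mass-file-write", "host": host, "pid": pid,
                           "image": image, "files": best})
    return alerts


def run_detections(events):
    """Run both rules and return the combined alert list."""
    return detect_process_chains(events) + detect_mass_file_writes(events)


def sample_events():
    """Constructed telemetry for one gate workstation (not real data)."""
    ev = [
        {"type": "process_start", "host": "GATE-WS-01", "ts": 0, "pid": 100,
         "parent": "explorer.exe", "image": "winword.exe"},
        {"type": "process_start", "host": "GATE-WS-01", "ts": 1, "pid": 101,
         "parent": "winword.exe", "image": "powershell.exe"},   # should alert
        {"type": "process_start", "host": "GATE-WS-01", "ts": 2, "pid": 102,
         "parent": "explorer.exe", "image": "cmd.exe"},        # admin shell, benign here
    ]
    # TOS client appending to a single log file 50 times: many writes, one path.
    ev += [{"type": "file_write", "host": "GATE-WS-01", "ts": t, "pid": 300,
            "image": "tosclient.exe", "path": r"C:\TOS\logs\client.log"} for t in range(50)]
    # Backup job touching five files spread over a minute: under the threshold.
    ev += [{"type": "file_write", "host": "GATE-WS-01", "ts": 10 + 12 * i, "pid": 400,
            "image": "backup.exe", "path": rf"D:\backup\set{i}.bak"} for i in range(5)]
    # Unknown process rewriting 25 distinct documents in under three seconds.
    ev += [{"type": "file_write", "host": "GATE-WS-01", "ts": 5 + i * 0.1, "pid": 4242,
            "image": "unknown.exe", "path": rf"C:\Users\clerk\Documents\manifest{i}.docx"}
           for i in range(25)]
    return ev


if __name__ == "__main__":
    for alert in run_detections(sample_events()):
        print(alert)
```

The sample deliberately includes a TOS client that writes one log file fifty times and a backup job that touches a few files slowly; neither trips the mass-write rule, which is the kind of false positive that turns an EDR rollout into an operational incident on a TOS server. Real EDR products implement these behaviours with far richer telemetry, but the logic of "distinct files per process per window" and "who spawned what" is what the behavioural layer adds over a signature scan.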
Removable Media and Patch Discipline
Antivirus is only one part of endpoint protection, and often not the part the malware actually exploits. In a terminal, malware most commonly arrives through removable media (a USB stick used for a TOS update, a vendor diagnostic drive, a gate clerk's personal device) or through an unpatched, internet-exposed service. The endpoint protection programme has to address those entry paths directly, not assume the antivirus will catch whatever gets in.
Removable media control belongs alongside the antivirus: device whitelisting on operational endpoints so only registered company media is accepted, a scanning kiosk that inspects inbound media before it touches a terminal system, and a documented handling procedure that vendor and crew media follow. On the cargo-handling OT, where signature antivirus cannot run, removable media control is even more important because it closes the channel that whitelisting alone does not address: a malicious data file that a whitelisted application will happily open.
Patch discipline is the other half. IT and TOS endpoints follow a managed patch programme with a documented exception process for anything that cannot be patched promptly. Cargo-handling OT is patched on the OEM's cadence during planned downtime, with compensating controls (isolation, whitelisting, monitoring) covering the window between a vulnerability disclosure and the vendor's patch. The combination of fitted antivirus, removable media control and disciplined patching is what actually protects cargo handling; no single layer does it alone.
Rolling Out Endpoint Protection Across a Terminal
A terminal endpoint protection rollout works as a phased programme, not a single deployment. The assessment phase inventories every endpoint, classifies it by type and tolerance, confirms each OEM's supported security configuration, and identifies the legacy systems that cannot run any agent and need compensating controls instead. This inventory almost always finds endpoints nobody on the IT team knew were there: an unmanaged operator console, a forgotten control PC bridged to the corporate network.
The design phase sets the protection matrix: EDR for TOS and IT, application whitelisting for cargo-handling OT, compensating controls for the unsupportable legacy systems, removable media control everywhere, and a patch programme split by IT cadence and OT cadence. The rollout phase deploys in waves, starting with the highest-value and best-supported endpoints (TOS, gate, admin) and moving carefully into the OT estate with whitelisting in learning mode before enforcement.
The verification phase confirms that protection is live and operations are unaffected, then folds endpoint health into ongoing monitoring so a disabled agent or a drifted whitelist is detected rather than discovered during an incident. Codesecure delivers this as a managed programme aligned with IEC 62443 malware-protection requirements and ISO/IEC 27001:2022 controls, with named consultants who understand both the security and the cargo-handling operational constraints.
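The whitelisting workflow described in the application whitelisting section and the verification phase above (learning mode to capture the baseline, enforcement against it, then ongoing checks so a drifted whitelist is detected rather than discovered during an incident) can be shown end to end in a small script. The following is an added example, not code from the original article, from Codesecure, or from any whitelisting product; it uses a hash-based baseline over a constructed directory standing in for a crane control PC, and the directory layout, file names and the suffix filter are assumptions.

```python
"""Hash-based application allowlisting: learn, enforce, detect drift.

Added example, not from the original article or from Codesecure. The file
layout, names and the executable suffix filter are assumptions.
"""
import hashlib
import tempfile
from pathlib import Path

EXEC_SUFFIXES = {".exe", ".dll"}   # assumption: what counts as executable content


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large vendor binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def learn_baseline(root):
    """Learning mode: record relative path -> SHA-256 for every executable under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES}


def enforce(baseline, rel_path, file_bytes):
    """Enforcement decision for one execution request: allow only on an exact match.

    Anything not in the baseline, or whose content no longer matches, is blocked
    and reported rather than silently allowed.
    """
    expected = baseline.get(rel_path)
    if expected is None:
        return "BLOCK: not in baseline"
    if expected != hashlib.sha256(file_bytes).hexdigest():
        return "BLOCK: hash mismatch"
    return "ALLOW"


def detect_drift(baseline, root):
    """Verification: compare the live endpoint against the stored baseline."""
    current = learn_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
    }


def demo():
    """Build a constructed control-PC image in a temp dir and walk the workflow."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "vendor").mkdir()
        (root / "vendor" / "cranectl.exe").write_bytes(b"vendor crane control build 1")
        (root / "vendor" / "motion.dll").write_bytes(b"motion library")
        (root / "vendor" / "config.xml").write_bytes(b"<cfg/>")   # data file, not in scope

        # 1. Learning mode on the verified clean image.
        baseline = learn_baseline(root)

        # 2. Enforcement decisions for three execution requests.
        decisions = {
            "known": enforce(baseline, "vendor/cranectl.exe", b"vendor crane control build 1"),
            "tampered": enforce(baseline, "vendor/cranectl.exe", b"vendor crane control build 1 + x"),
            "unknown": enforce(baseline, "vendor/updater.exe", b"something new"),
        }

        # 3. Simulated drift: an OEM patch replaced motion.dll and a stray tool appeared.
        (root / "vendor" / "motion.dll").write_bytes(b"motion library v2")
        (root / "vendor" / "diag.exe").write_bytes(b"diagnostic tool")
        drift = detect_drift(baseline, root)
        return baseline, decisions, drift


if __name__ == "__main__":
    baseline, decisions, drift = demo()
    print("baseline:", baseline)
    print("decisions:", decisions)
    print("drift:", drift)
```

In the drift report, the modified `motion.dll` is exactly the case the text describes: a legitimate OEM patch that must go through the change process and be re-baselined, while the unexpected `diag.exe` is the unknown executable that should be blocked and flagged. On real endpoints the same decision logic is delivered by the platform's own mechanism (Windows AppLocker or WDAC, fapolicyd on Linux) rather than a script, and the stored baseline should itself be integrity-protected, since a whitelist an attacker can edit is no whitelist.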
Frequently Asked Questions
Can we install the same antivirus on our cranes and our office PCs?
No, and trying to is a common cause of operational incidents. Cargo-handling OT (crane control PCs, bulk-handling HMIs) is usually OEM-locked and real-time constrained, so a standard signature antivirus can void vendor support or peg the CPU and halt the equipment. The right control for those endpoints is application whitelisting. Office and TOS endpoints take EDR or managed antivirus. The protection has to be matched to the endpoint type.
Why application whitelisting instead of antivirus for OT?
Because cargo-handling OT is stable and isolated. Whitelisting allows only known-good executables and blocks everything else, which suits a system that runs a fixed vendor software set and rarely changes. It needs no internet-delivered signature updates, which an isolated OT endpoint cannot reliably receive anyway, and it blocks novel malware that signatures would miss. Signature antivirus is the wrong fit for a locked-down, real-time control endpoint.
Will endpoint protection slow down our terminal operating system?
Not if it is deployed correctly. Modern EDR has low overhead and we validate compatibility against the TOS vendor's supported configuration before rollout, with tight change control afterward. The risk to avoid is an aggressive on-access scanning policy that quarantines a legitimate TOS component, which we prevent through proper exclusions and testing in a staging environment first. Done right, the protection is invisible to operations.
What about legacy systems that cannot run any agent?
They get compensating controls instead of an agent: network isolation in a tightly controlled zone, strict removable media control, least-privilege access and passive monitoring so any anomaly is detected. This is a standard IEC 62443 approach for unsupportable legacy OT: you protect the environment around the endpoint when you cannot protect the endpoint itself. Many terminals have several such systems and they need a deliberate plan, not neglect.
How does removable media control fit with antivirus?
They are complementary layers. Antivirus and EDR protect against malware once it is on the endpoint; removable media control reduces how much malware reaches the endpoint in the first place. Since USB and removable media are the most common malware path in terminals, especially on OT endpoints where signature antivirus cannot run, removable media control is essential alongside the antivirus, not optional. Endpoint protection is a programme combining both.
Can Codesecure roll this out across our whole terminal?
Yes. Codesecure delivers phased terminal endpoint protection programmes: endpoint inventory and classification, OEM-supported configuration confirmation, the protection matrix (EDR, whitelisting, compensating controls), removable media control, a split IT/OT patch programme, and folding endpoint health into ongoing monitoring. Delivery is aligned with IEC 62443 and ISO/IEC 27001:2022, with named consultants who understand cargo-handling operational constraints.
Protect Cargo Handling Without Stopping It
Codesecure designs and rolls out terminal endpoint protection programmes matched to TOS, gate and cargo-handling OT, across India, Singapore, UAE and the wider Middle East. ISO/IEC 27001:2022 certified delivery, IEC 62443 aligned, named consultants, fixed-price proposals.