Key Takeaways
- Air-gapped rarely means air-gapped. Most vessel OT described as isolated is bridged routinely by USB media, vendor laptops and update workflows.
- Removable media is the dominant infection path. Chart updates, software patches and vendor diagnostics all arrive on portable media that crosses the gap.
- Vendor laptops are a high-risk bridge. A technician's machine that touches many vessels can carry malware between ships and across the supposed gap.
- Defence in depth replaces the myth of the gap: media scanning, device control, application allow-listing, hardening and integrity monitoring on the OT itself.
- IEC 62443 gives the model: treat OT as a protected zone, control the conduits, and assume the gap will be bridged, then engineer for that assumption.
The Air-Gap Myth on Vessels
The term air-gapped describes a system that is physically isolated from any untrusted network, with no data path in or out except by deliberate, controlled transfer. It is a strong security model when it is real. The problem on vessels is that it almost never is, and the belief that it is creates a dangerous complacency. Bridge and engine operational technology is frequently described as air-gapped by shipowners and crews, and just as frequently bridged in daily operation.
Consider what crosses the supposed gap on a normal voyage. Chart updates arrive on USB media or optical disc and are loaded into the ECDIS. Software patches and configuration changes are applied from a technician's laptop. Vendor diagnostics connect equipment to a service computer. Performance data is extracted to portable media to be carried ashore. Each of these is a deliberate transfer across the gap, and each is an opportunity for malware to cross in either direction. A gap that is bridged daily is not an air gap; it is an unmonitored network connection that happens to be intermittent and physical rather than continuous and electronic.
The consequence of the myth is that the systems most loudly described as isolated are often the least defended, precisely because their notional isolation is treated as sufficient protection. The ECDIS host runs an out-of-support operating system because nobody patches an air-gapped machine. There is no media scanning because nothing connects to the internet. There is no device control because the gap is supposed to do that job. Then a USB stick with unrelated malware on it gets plugged in to load a chart update, and the unprotected, unpatched, isolated system is exactly the soft target the attacker needed.
How Malware Actually Reaches Isolated Systems
Malware does not need an internet connection to reach a vessel's OT. It needs a courier, and a vessel provides several. Understanding the real infection paths is the prerequisite for defending against them, because each path needs a different control.
The principal infection paths onto supposedly air-gapped vessel systems:
- Chart and update media: USB drives and discs carrying ENC updates or software patches, which may also carry unrelated malware picked up at the distributor, the office, or a previous port
- Vendor and technician laptops: service machines that connect to equipment for diagnostics and configuration, having previously touched many other vessels and shore networks
- Crew personal devices: phones and USB sticks brought aboard for charging or file transfer that find their way onto operational workstations
- Shore data extraction media: drives used to pull performance or voyage data off the vessel and carry it ashore, then reused
- Shared media between vessels: a single USB stick that circulates across a fleet, becoming a vector that moves infection from ship to ship
The Vendor Laptop Problem
Among all the courier paths, the vendor service laptop deserves special attention, because it combines high access with high circulation. A technician servicing a particular make of engine, ECDIS, satcom terminal or cargo system carries a laptop loaded with diagnostic and configuration software, connects it directly to safety-critical equipment, and often does so with elevated privileges that the equipment grants to the vendor tool. That same laptop visited another operator's vessel last week and a different vessel the week before.
This makes the vendor laptop one of the most effective malware bridges in the maritime ecosystem. If the laptop is compromised, it carries the infection directly into the most sensitive systems on every vessel it visits, crossing every air gap by invitation. The vessel's crew typically has little visibility into the state of the vendor's machine and little authority to inspect or restrict it, because the vendor is there to do essential work under a service contract.
Defending against the vendor laptop requires policy and technical controls together. The vessel should require that vendor machines used on board meet a defined security baseline, be scanned before connection, and connect only through controlled means with the connection logged and ideally session-recorded. Where the vessel has an OT-side device control regime, the vendor laptop is subject to it like any other device. The change-management process should gate the visit so that an unsupervised vendor cannot simply connect new equipment or a new machine without assessment. None of this is hostile to the vendor relationship; it is the basic hygiene that any operator bridging a gap to a high-access external device should insist on.
Controlling Removable Media
Since removable media is the dominant infection path, a removable media control regime is the highest-value single intervention for vessel malware protection. The goal is to ensure that anything crossing the gap on portable media is scanned, authorised and tracked, rather than plugged in freely.
A practical regime has several layers. First, restrict which media can be used: company-issued, uniquely identified USB devices only, with personal and unknown media prohibited on operational systems. Second, establish a media scanning step: a dedicated, well-maintained scanning station (often called a kiosk) where any media is checked for malware before it is allowed onto an operational workstation. Many fleets place such a kiosk at the office and require update media to be scanned before it is sent to the vessel, and place a second check point on board. Third, apply device control on the operational endpoints themselves so that only authorised media types and devices can mount, blocking the casual insertion of an unknown stick.
The scanning station deserves emphasis because it is where the gap is actually defended. A chart update arrives, goes onto the scanning kiosk, is verified clean (and, for charts, verified for its digital signature), and only then is loaded into the ECDIS. This single discipline catches the most common infection scenario, the update stick that also carries unrelated malware, before it reaches the safety-critical system. The kiosk must itself be maintained, kept current, and not become a neglected box that gives false comfort.
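The kiosk decision described above, written out as an added Python example that is not code from the article or from Codesecure. It assumes a company allow-list of USB device serials and an update manifest (file name to SHA-256) taken from a package whose digital signature has already been verified; the media contents are constructed in a temporary directory.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Constructed allow-list of company-issued, uniquely identified USB serials.
ISSUED_DEVICE_SERIALS = {"CS-USB-0017", "CS-USB-0042"}


def admit_media(device_serial: str, mount_point: str, manifest: dict) -> dict:
    """Decide whether media may be loaded onto an operational workstation.
    manifest maps file name -> expected SHA-256 from the (assumed signed and
    verified) update package. Every file must match; anything extra refuses."""
    reasons = []
    if device_serial not in ISSUED_DEVICE_SERIALS:
        reasons.append(f"device {device_serial} is not company-issued")
    present = {}
    for name in os.listdir(mount_point):  # update media is a flat root here
        with open(os.path.join(mount_point, name), "rb") as f:
            present[name] = hashlib.sha256(f.read()).hexdigest()
    for name, expected in manifest.items():
        if name not in present:
            reasons.append(f"manifest file missing from media: {name}")
        elif present[name] != expected:
            reasons.append(f"hash mismatch for {name}")
    for name in present:
        if name not in manifest:
            reasons.append(f"unexpected file on media: {name}")
    return {
        "time": datetime.now(timezone.utc).isoformat(),  # kiosk log record
        "device": device_serial,
        "admitted": not reasons,
        "reasons": reasons,
    }


def demo(include_extra: bool = True, device_serial: str = "CS-USB-0017") -> dict:
    """Constructed update stick: one listed ENC package and, optionally, an
    unlisted stray file of the kind the manifest never mentioned."""
    mount = tempfile.mkdtemp()
    payload = b"constructed chart update payload"
    with open(os.path.join(mount, "ENC_update.zip"), "wb") as f:
        f.write(payload)
    manifest = {"ENC_update.zip": hashlib.sha256(payload).hexdigest()}
    if include_extra:
        with open(os.path.join(mount, "unrelated.exe"), "wb") as f:
            f.write(b"constructed stray binary")
    return admit_media(device_serial, mount, manifest)
```

The returned record is the audit trail the regime asks for: every insertion at the kiosk is logged with the device identity and the reason for any refusal.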
Hardening the Operational Technology Itself
Controlling the couriers reduces the chance of malware arriving, but a robust defence also hardens the OT so that malware which does arrive cannot easily run or spread. This is the part most neglected on systems mistakenly trusted as air-gapped, and it is where defence in depth earns its name.
The key endpoint controls for vessel OT, applied within whatever the equipment vendor supports, include:
- Application allow-listing, so that only known, approved software can execute. This is highly effective on OT because the set of legitimate applications is small and stable.
- Operating system hardening to the vendor's reference configuration, with unnecessary services disabled.
- Keeping the system on a vendor-supported version and applying patches through the controlled media process where the equipment manufacturer issues them.
- Least-privilege accounts, so that a compromised user session has limited reach.
- Disabling autorun and similar conveniences that turn an inserted device into automatic code execution.
Integrity monitoring closes the loop. Because vessel OT changes rarely and predictably, a baseline of expected files, configurations and behaviours can be established, and deviation from that baseline is a strong signal of compromise. Integrity checks on safety-critical systems, fed where possible into the vessel's monitoring and the ship-to-shore SIEM, mean that if malware does cross the gap and alter the system, the change is noticed rather than silently tolerated. This detection layer is what turns a bridged air gap from an undefended liability into a monitored, defensible boundary.
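The baseline-and-deviation idea in Python, as an added example rather than anything from the article or Codesecure. It assumes the OT host's application and configuration tree is readable by the check, that the stored baseline is kept as JSON off the host, and it builds a constructed ECDIS-like tree in a temporary directory to show the drift report.

```python
import hashlib
import json
import os
import tempfile


def sha256_of(path: str) -> str:
    """Chunked SHA-256 so large OT binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_of(full)
    return baseline


def check_drift(root: str, baseline: dict) -> dict:
    """Compare the live tree with the stored baseline; on OT that changes only
    through controlled updates, any non-empty list is worth an alert."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and current[p] != baseline[p]),
    }


def demo() -> dict:
    """Constructed host tree: baseline it, then simulate one config edit and
    one unapproved file appearing, as malware crossing the gap might leave."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    with open(os.path.join(root, "bin", "ecdis.exe"), "wb") as f:
        f.write(b"constructed application binary")
    with open(os.path.join(root, "config.ini"), "w") as f:
        f.write("[display]\nmode=day\n")
    stored = json.dumps(build_baseline(root))  # what would be kept ashore
    with open(os.path.join(root, "config.ini"), "w") as f:
        f.write("[display]\nmode=night\n")
    with open(os.path.join(root, "bin", "unexpected.dll"), "wb") as f:
        f.write(b"constructed unapproved library")
    return check_drift(root, json.loads(stored))
```

The three lists map directly onto the signal the text describes: after a legitimate, logged chart update the report should be empty or match the change record, and anything else is the deviation the SIEM should see.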
Applying IEC 62443 to the Bridged Gap
The right conceptual model for vessel malware protection is not the air gap, which the operational reality keeps bridging, but the zones-and-conduits model from IEC 62443. Instead of pretending the OT is isolated, IEC 62443 treats it as a protected zone, identifies every conduit through which data or devices can enter (including the human-and-USB conduit and the vendor-laptop conduit), and applies controls to each conduit explicitly.
Under this model, the bridge OT and engine OT are high-security zones. The conduits into them are enumerated honestly: the chart update path, the vendor diagnostic path, the data extraction path, the cross-zone network connections. Each conduit gets a control: media scanning and device control for the portable-media conduits, vendor baseline and session control for the diagnostic conduit, firewalling and monitoring for the network conduits. The security level assigned to the zone states how strongly it must be defended, which in turn justifies the rigour of the conduit controls. This is a defensible engineering posture in a way that air-gapped, as an unverified assertion, never is.
Codesecure helps shipowners replace the air-gap myth with a real, IEC 62443-aligned defence: enumerating the actual conduits onto OT, deploying removable-media control and scanning, setting vendor-laptop requirements, hardening the OT endpoints with allow-listing and integrity monitoring, and feeding the detection signals into the vessel's monitoring and the ship-to-shore SIEM. The objective is honest isolation, a gap that is genuinely controlled because it is treated as something to be bridged carefully, not as a guarantee that quietly fails.
Frequently Asked Questions
Is any vessel system truly air-gapped?
Very few, and even those are bridged in practice. A system with no network path still receives chart updates, software patches and vendor diagnostics on portable media or via service laptops. Each of those is a deliberate transfer across the gap. It is safer to treat the gap as a control that is bridged routinely and to engineer for that reality than to assume true isolation.
How does malware reach a system with no internet connection?
By courier. USB drives carrying chart and software updates, vendor and technician laptops connected for diagnostics, crew personal devices, and shared media that circulates across a fleet all carry malware across the gap. Removable media is the dominant path, which is why media control and scanning are the highest-value defences.
Why are vendor laptops a particular risk?
A vendor service laptop combines deep access to critical OT with high circulation across many vessels and shore networks. If it is compromised, it carries the infection directly into the most sensitive systems on every ship it visits, crossing every air gap by invitation. Vessels should require vendor machines to meet a security baseline, be scanned before connection, and connect through controlled, logged means.
What is a media scanning kiosk and do we need one?
It is a dedicated, maintained station where any removable media is checked for malware (and, for charts, verified for its digital signature) before it is allowed onto an operational workstation. It is the single highest-value intervention for vessel malware protection because it catches the most common scenario, the update stick that also carries unrelated malware, before it reaches safety-critical systems.
Can we run antivirus on bridge and engine OT?
Sometimes, but within what the equipment vendor supports, and application allow-listing is often more effective than traditional antivirus on OT. Because the set of legitimate applications on OT is small and stable, allow-listing only known software, combined with OS hardening, least privilege and integrity monitoring, gives strong protection without the instability that aggressive antivirus can introduce on operational systems.
Can Codesecure assess and harden our vessel OT against malware?
Yes. Codesecure enumerates the real conduits onto your vessel OT, deploys removable-media control and scanning, sets vendor-laptop requirements, hardens endpoints with allow-listing and integrity monitoring, and feeds detection into your monitoring and ship-to-shore SIEM, all aligned to IEC 62443. ISO/IEC 27001:2022 certified delivery with named consultants holding OSCP and IEC 62443 credentials.
Replace the Air-Gap Myth with Real Isolation
Codesecure helps shipowners defend bridge and engine OT against malware with removable-media control, vendor-laptop governance, endpoint hardening and integrity monitoring aligned to IEC 62443. ISO/IEC 27001:2022 certified delivery, named consultants, fixed-price proposals.