Following the release of a recent ABS paper addressing cybersecurity concerns in the cruise industry, we are pleased to present an interview with Michael DeVolld, Director of Maritime Cybersecurity at ABS Consulting. In the discussion, DeVolld emphasizes that cybersecurity is no longer just an IT issue — it is fundamentally a safety issue.
“When crew members see cyber readiness evaluated and rewarded in the same way as other safety behaviors, the culture quickly adapts,” he explains. With this in mind, DeVolld recommends treating every new technology as a safety-critical system that requires change management. Cyber risk can no longer be isolated; engineers, bridge officers, and CIOs face shared exposure and must align their defenses accordingly.
SAFETY4SEA: What do you see as the most urgent cybersecurity risks facing the cruise industry today?
Michael DeVolld: Digitalization has enlarged the attack surface, but the most urgent risk remains the failure to execute basic cyber-hygiene at scale. Unpatched software, weak segmentation and the absence of reliable, offline-tested backups still open the door for ransomware—now the dominant threat vector and a direct danger to guest safety, brand reputation and balance sheets. Recent USCG data show fewer reported incidents yet dramatically higher financial impact per event, confirming that a single successful breach can stall operations “city-wide” aboard a modern cruise ship. Until every vessel treats patching, network hardening and verified restore-from-backup drills as critical-safety functions, the industry’s exposure will continue to outpace its technology gains.
S4S: How has the growing convergence of IT and OT systems changed the threat landscape onboard vessels?
M.DV.: IT/OT convergence has enabled real-time fuel optimization, remote support and richer guest services—all essential for decarbonization and customer experience—but it also dissolves the old air-gap. A phishing email to a shoreside maintenance team can now provide a pivot path to propulsion control or HVAC automation. Attackers exploit that seam, moving laterally from corporate IT into safety-critical OT that was never designed for Internet-speed threats. The practical outcome is that cyber risk is no longer compartmentalized; engineers, bridge officers and CIOs share the same exposure and must coordinate defenses accordingly.
S4S: In the recent ABS white paper, you advocate for aligning cybersecurity with operational readiness. How does this framework differ from a traditional compliance-driven cybersecurity approach?
M.DV.: Compliance starts with “What do the rules say I must do?” Operational readiness starts with “What must stay running to keep people safe and ships moving?” The readiness model maps cyber controls directly to mission-critical outcomes—navigation, power, guest services, environmental protection—and prioritizes investments by impact, not checkbox. Frameworks such as IEC 62443, ISO 27001 or NIST CSF still guide the work, but they are applied through an OT-focused risk lens supported by continuous monitoring and ongoing assessments. The result is a living program that matures with the vessel, rather than a static binder waiting for the next audit.
S4S: You also emphasize that cybersecurity is not just an IT issue but a safety issue. How can viewing cybersecurity through a safety lens change the way we respond to threats and shape our overall mindset?
M.DV.: Treating cyber as safety reframes every decision: an unpatched navigation system becomes the equivalent of a failed steering gear, and a poorly secured remote-access link is no different from a physical security violation such as an unlocked restricted space. That shift drives three practical changes:
- Integration into the Safety Management System (SMS)—cyber risks are logged, drilled and mitigated alongside fire, flooding and pollution hazards.
- Operational ownership—bridge teams, engineers and shoreside operations staff own the first line of defense rather than outsourcing it to IT alone.
- Incident tempo—response time is measured in minutes, not days, because passenger safety and environmental protection depend on it. Seeing cyber through this lens accelerates both decision-making and resource allocation.
S4S: How can cruise lines instill a culture of cyber readiness across all ranks—from bridge crew to shoreside IT staff?
M.DV.: Start with leadership: captains and executives must speak about cyber risk in the same breath as operational safety. Then embed three habits:
- Role-based training that is practical (e.g., ECDIS anomalies for deck officers, PLC lockout for electricians).
- Clear, consequence-free reporting channels so crew can flag suspicious activity without fear.
- Metrics and feedback loops—daily cyber housekeeping checks, drill debriefs and KPIs visible on the bridge and in the SOC.
When crew see cyber readiness assessed and rewarded like any other safety behavior, the culture follows quickly.
S4S: What role do simulation-based training or incident response drills play in improving human readiness for cyber incidents?
M.DV.: Simulations convert abstract threats into muscle memory. Table-tops that walk a bridge team through GPS spoofing, or live-fire drills that isolate and recover a compromised propulsion PLC, expose procedural gaps before an attacker does. They also knit together ship and shore teams, mirroring how a real incident unfolds. The upcoming USCG rule hard-codes annual drills, but forward-leaning operators are already integrating cyber scenarios into quarterly safety exercises, ensuring that detection, decision and recovery times meet the same performance targets as fire or abandon-ship drills.
S4S: Which types of cyberattacks are most concerning for maritime OT environments right now—ransomware, spoofing, insider threats?
M.DV.: Ransomware remains the headline risk because it halts voyage operations and hotel services simultaneously. GPS spoofing is rising fast, weaponized by AI-enabled signal synthesis that could potentially redirect a vessel without breaching its network. Insider threats—often inadvertent—amplify both risks when privileged crew log in from personal devices or contractors shortcut access controls. The common denominator is lateral movement from IT to OT; good segmentation and continuous OT network monitoring are therefore the first line of defense against all three categories.
S4S: How should operators balance emerging technologies (e.g., AI-driven operations) with the increasing cyber risks they may introduce?
M.DV.: Treat every new technology as a change-managed safety-critical system. Before deployment, conduct a cyber hazard analysis, define fail-safe states and update the asset inventory. During operation, feed telemetry into a SOC capable of detecting abnormal OT behavior. AI can enhance security—predictive maintenance, anomaly detection—provided it is trained on clean data and bounded by clear human-in-the-loop controls. In short, innovation is welcome, but it must ride on a governance process that measures cyber risk with the same rigor applied to fuel economy or emissions.
S4S: Looking ahead, what major cybersecurity challenges or innovations do you foresee for the maritime sector over the next five years?
M.DV.: We’re likely to see three converging forces:
- Regulatory escalation—NIS2 in Europe and the USCG final rule will push mandatory OT controls and incident reporting worldwide.
- Autonomous and remotely operated vessels—greater reliance on satellite links and shoreside command centers will make communications integrity the new soft underbelly.
- AI—both offence and defense—attackers will automate reconnaissance and spoofing, while defenders counter with behavior-based analytics embedded in digital twins of shipboard OT.
Success will hinge on developing secure architectures afloat, extending supply-chain assurance beyond the shipyard and upskilling crews to operate in this heightened threat environment.
S4S: If you could give cruise operators one key takeaway from the white paper, what would it be?
M.DV.: Operational readiness is the bridge between cybersecurity theory and safer, more profitable voyages. Make cyber risk part of the daily safety conversation—plan, drill, measure and improve it just as you do fire safety or environmental compliance—and you will protect guests, crews and schedules in one stroke.
The views presented hereabove are only those of the author and do not necessarily reflect those of SAFETY4SEA and are for information sharing and discussion purposes only.
