You have just hired a managed security service provider (MSSP) – perhaps a managed endpoint detection and response (EDR). Or you’re building your own security operations centre (SOC). The main scope is the enterprise and office systems. 

You’re wondering whether you can just extend it to cover the fleet and vessel systems. 

Seems like a sensible thought. After all, how different can enterprise and fleet environments be?

Let’s explore the differences…

“You can’t protect what you don’t know”

A common mantra that implies you can’t protect cyber assets without an accurate and detailed asset inventory. Dale Peterson wrote a blog about this. 

Here’s a more useful twist:

It’s hard to protect what you don’t understand”

Fleet infrastructure doesn’t only look different. It sounds different. It runs differently. It is designed to overcome technical and operational challenges not observed in enterprise systems.

Crew behaviour can seem unusual. Life onboard a vessel fluctuates from being extremely busy to days of mind-numbing boredom. The crew prioritise getting a job done, by whatever means necessary. Then they get bored and seek sources of entertainment. They are generally not familiar with operating and managing anything other than fleet infrastructure.

This makes recognizing malicious activity tricky and not necessarily obvious. Remote connections, scanning activity, privileged access, non-standard software and unknown assets are all indicators seen in a cyber attack. These are equally activities we see crew performing, often legitimately (at least in their view).

These nuances of vessel operations give rise to the need for: 

  • a different type of data collection 
  • a different type of analysis
  • specialist technical knowledge of marine environments
  • understanding of the operational environment and constraints onboard

Effective security operations needs a common language between the crew and the SOC 

Over 75% of incidents require response actions that involve the crew. 

These findings were covered in a report we developed with HFW and Thetius – “Shifting tides, rising ransoms and critical decisions”.

This means SOC analysts need to communicate and work effectively with the crew. Using language they understand. Providing the right level of detail to help the crew understand why something is a risk, what could happen and how they help remediate it.

Side by side, here are 5 key areas of difference between enterprise and fleet SOCs. 

Areas of difference

Enterprise SOC Fleet SOC

Generally prioritises confidentiality, integrity and authentication. The focus tends to be on: 

  • Protecting data and applications from unauthorised access
  • Ensuring accuracy, consistency of data and reliability of systems.
  • Ensuring ability to confirm identity of a user. 

Prioritises availability. Everything else tends to be secondary.

Failover and redundant systems are difficult to implement and expensive to manage. The SOC’s priority is to minimise voyage and port turnaround delays and ensure crew safety.

Underlying systems monitored

More standardisation and control over the infrastructure:

  • Easier to upgrade and standardise
  • Possible to heavily rely on cloud services
  • More control over patching and vulnerability management
  • Global policies and controls are easier to implement and maintain
  • Network protocols are generally standardised
  • Generalist tooling is easier to implement

Legacy and bespoke systems are pervasive:

  • Purpose built  
  • Runs marine-specific applications and specialised software 
  • Connectivity limitations are common
  • Cannot be patched regularly
  • Specialist tooling may be required
Operational context

Easier to implement tight controls without constraining operations. 

Black- and white-listing approaches are workable. Anomalous deviations from black and white lists are valid suspicious behaviour worth investigating.

Flexibility is key to ensure crew and vessel visitors can get their jobs done within turnaround window. 

Vessel operations are 24x7x365. Visitors getting access to the network is common.

This changes the way anomaly detection needs to work. 

Security log sources

Useful logs are plentiful and easy to collect

  • Off-the-shelf security tools can be widely implemented and provide good coverage.
  • Easier to configure standardised systems and network protocols to generate security logs. 
  • A wide set of data sources are available, allowing for better correlation and false positive reduction.
  • Collection, streaming and centralisation of logs has limited constraints.

Meaningful logs are rare

  • Off-the-shelf security tools cannot be deployed across all vessel systems. 
  • Deployment of log collectors requires specialist knowledge and technical quirks.
  • Streaming and centralisation of logs is expensive on satcom. So prioritisation of the critical logs is key.
Investigation and response options Centralised SIEM approach works


  • SOC analyst can generally complete the entire investigation and response process without involving other business units.
  • SOC analyst has access to more information at the centre, in near real time. 
  • SOC analyst has access to a wider set of tooling from the centre, including remote access and remote querying tools. 

Decentralised approach unavoidable

  • 75% of events require crew involvement to investigate and triage. SOC analyst needs to handhold crew.
  • SOC analyst needs contextual knowledge of vessel applications and fleet operations. Or ability to quickly solicit this from crew.
  • Fewer data sources gives rise to need for more creative triaging techniques and correlation capabilities.
  • Connectivity blackouts are common. This requires creative caching techniques. Also, blackouts =/= cyber incident.

Given the differences, a dedicated fleet SOC works best. 

Failing this, is there a way to extend the enterprise SOC to effectively cover fleet systems and operations?

Tweaking the enterprise SOC to better cover the fleet

  • Where possible, dedicate specific individuals to specialise on fleet systems and operations within the SOC.
  • SOC analysts should familiarise themselves with vessel systems and applications, what they are used for and how they are designed to behave.
  • SOC analysts should understand the different policies and procedures used within fleet operations, why they are different and why they cannot be harmonised with policies for enterprise.
  • Define a different set of risk and criticality matrices based on fleet operations. Remember what is risky to onshore systems may not be the same for the fleet.
  • Redefine incident workflows to include the crew. 
  • Develop a training programme that ensures crew readiness to remediate cyber risks and respond to incidents. 

CyberOwl provides a managed fleet SOC. Find out how we have designed and run our SOC to maximise effectiveness for maritime fleet operations


Perhaps putting in place a SOC is not your main focus area. See other actions you can take to improve your vessel cyber risk management: 

Click here to register your interest for upcoming topics to help you improve the cyber resilience of your shipboard systems.