What should we take away from the 2025 USCG report?
The fifth edition of the U.S. Coast Guard’s CTIME report on maritime cybersecurity: expected findings, a few new elements, and the gaps with the European regulatory framework. Let’s unpack it together.
This article is also available in French.

On 10 June 2026, the cyber command (Coast Guard Cyber Command, CGCYBER) of the United States Coast Guard (USCG) published the fifth edition of its annual Cyber Trends and Insights in the Marine Environment (CTIME) report, dedicated to the cybersecurity of the U.S. Marine Transportation System (MTS). The document, marked TLP:CLEAR and freely distributable, covers calendar year 2025 and rests on observations from the Cyber Protection Teams (CPT) and the Maritime Cyber Readiness Branch (MCRB). Two methodological limits are worth keeping in mind before reading: the samples are small (42 reported incidents, 23 assessment missions, seven observations of AI platforms, three missions on port systems) and the scope remains largely self-declared, since CPT missions are carried out at partners’ request.
The scorecard, and figures that don’t come from the USCG
The report opens on a scorecard that mixes two sources of a different nature, something the reader has every interest in spotting right away. Part of the figures do come from CPT operations: 47% success rate at password cracking, 39% of missions where privileged service accounts were cracked, 53% of initial accesses obtained through phishing, 62% of missions including an OT (Operational Technology, industrial systems) perimeter, 273 known exploited vulnerabilities detected. But two headline figures are not drawn from USCG data: the average cost of a data breach, shown at 4.4 million dollars, and the 97% share associated with an AI-related security incident, both come from IBM’s Cost of a Data Breach 2025 report.
The nuance matters, especially for the second figure. In IBM’s report, that 97% does not designate the proportion of organisations that suffered an AI-related incident, but, among those that did, the share that lacked appropriate access controls for their AI systems. IBM also notes that organisations affected by an AI-related incident remain a minority, on the order of 13%. The CTIME scorecard takes the number while omitting that qualification, which can suggest a prevalence far higher than what was actually measured. As for the 4.4-million-dollar average cost, it is a global, all-sectors-combined average with no direct bearing on the maritime world. Both indicators retain some contextual value, but they say nothing about MTS incidents and deserve to be read for what they are. Especially when they come from a cybersecurity vendor (I have nothing against IBM, it’s just a matter of principle).
42 incidents: a lot, or very few?
The report counts 42 cyber incidents reported in 2025. The figure may seem high, but it takes on another meaning when set against the size of the ecosystem. The MTS represents, according to the report itself, a 4.7-trillion-dollar industry, and nearly 40% of the value of U.S. foreign trade transits by sea. Behind every port revolve hundreds of players: terminals, stevedores, freight forwarders, logisticians, road and rail carriers, IT providers, equipment suppliers. Against that density, 42 incidents do not describe the real state of the threat but what was reported to one specific channel, the National Response Center, and then qualified as such by the MCRB.
It also remains to be seen what counts as an incident. The final rule of 17 January 2025 gives a precise definition: 33 CFR 101.615 qualifies as a reportable cyber incident one that results in, or could reasonably result in, a substantial loss of confidentiality, integrity or availability of a covered information or OT system, a significant disruption of operations or of the supply of goods and services, an unauthorised disclosure or access to non-public personal data of a significant number of people, another disruption of critical infrastructure, or any incident liable to lead to a transportation security incident. But the count of 42 covers incidents reported to the MCRB across the whole of 2025, whereas this reporting only became mandatory on 16 July 2025: the figure therefore does not exactly match that definition. The scope also depends on what entities agree to declare and on their ability to detect an intrusion. A blocked phishing attempt, an account compromise with no impact, the encryption of a payroll server or an attack on a navigation system do not carry the same operational weight, and do not all necessarily enter the count. The number should thus be read as an indicator of information sharing, not as a measure of the sector’s real loss experience. That said, this kind of real-world password-testing exercise remains relevant. It brings back memories from a long time ago.
What shouldn’t surprise us
Most of the findings confirm previous editions. Phishing and social engineering remain the main initial-access vector: present in 43% of reported incidents against 25% the previous year, with growing sophistication and a rise in voice phishing (vishing), illustrated by a case attributed to the Scattered Spider group. On the technical-assessment side, the weaknesses found are the ones we know: insufficient segmentation between office and industrial networks, end-of-life systems (down to Windows Server 2008 machines), weak or reused passwords. The teams recovered 7,857 passwords out of 16,709 attempted, a 47% success rate, and some were only four characters long. The report says it itself: the detail of the techniques evolves, but their fundamentals have changed little in five years.
What stands out
Two elements stand apart from the usual findings. The first is the CPTs’ first observation of AI-based cybersecurity platforms, encountered on seven missions. The results are mixed: in one case, every action by the testers was detected and blocked in under thirty seconds, including payloads designed to evade antivirus; in others, the tool spotted nothing. With seven observations, no firm conclusion can be drawn, but the operational takeaway is clear: effectiveness depends on the tool’s configuration and on its training on the network, not on investment alone.
The second lies in the report’s tone. A technical USCG document devotes several passages to the 24.5-billion-dollar investment voted in July 2025, to the U.S. administration’s cyber strategy and to the institutional vocabulary of the moment. This political framing, more pronounced than in previous editions, is worth noting for a European reader.
Aboard a dark-fleet vessel

The most novel section describes operations conducted aboard dark-fleet vessels, those ships that operate at the margins of international rules to circumvent sanctions. From December 2025, as part of maritime interdiction operations conducted with law enforcement and the Department of War (the secondary name used by the U.S. Department of Defense since a September 2025 executive order), specialised teams, the Cyber Control Teams, were helicoptered aboard boarded vessels to take control of their digital terrain for the duration of the operation.

The inspection of these vessels yields concrete observations. AIS spoofing relied on marine-instrument testing software, run from a laptop and connected to the AIS system’s data port through a custom-soldered cable; that software is normally used to generate NMEA-0183 sentences simulating GPS, AIS and RADAR. Several AIS transponders equipped a single ship, letting it change the broadcast name at will, and the teams recovered guides detailing other methods to inject false positions. On most workstations were installed remote-access tools (AnyDesk, TeamViewer, ScreenConnect) running persistently and unmonitored, hence usable remotely with no one aboard; administrators even tried to wipe data remotely during the operation. The crews relied on pirated software downloaded from a Russian-language maritime torrent forum, on illegal Windows activation tools (Ratiborus KMS) kept alive by scheduled tasks, and on pirated ECDIS and route managers. One workstation was infected with the Lumma Stealer infostealer. Finally, while the navigation and engine-control systems were isolated, that isolation was occasionally broken by USB update keys or by laptops plugged directly into the ECDIS. These findings are solid, but they are set within a law-enforcement and foreign-policy narrative that must be read as such.
The gaps with the European framework
This is perhaps where the report is most instructive for a European reader, by contrast. In the United States, the final rule of 33 CFR Part 101 Subpart F, which entered into force in July 2025 under the MTSA (Maritime Transportation Security Act), places U.S.-flagged vessels, port facilities and offshore facilities under a single cybersecurity regime: designation of a cybersecurity officer, a cybersecurity plan, drills, record-keeping, mandatory incident reporting since 16 July 2025, with a first assessment and plan to be submitted by 16 July 2027. Foreign-flagged vessels are excluded and fall, as in Europe, under port State control on entry. A single regulator, the Coast Guard, thus covers a large share of both ship and shore.
The European framework is organised differently, and it remains partly under construction. The NIS2 directive plans to cover shore-based maritime players (port managing bodies and their port facilities, entities operating equipment in ports, inland-waterway transport companies and vessel traffic service operators), but it explicitly excludes the vessels themselves operated by those companies. Above all, it has not to date been transposed into French law, so its obligations would only apply once that transposition is complete. Cybersecurity on board, for its part, falls under another set: IMO Resolution MSC.428(98) (folded into the ISM Code since the first Document of Compliance audit after 1 January 2021), flag-State and classification-society oversight, the ISPS Code, and port State control (Paris MoU) for vessels calling at port. These are therefore inspection and safety-management levers, not a dedicated cyber regulation comparable to Subpart F.
The gap is not limited to the texts. It is also budgetary, human and organisational. CGCYBER relies on permanent Cyber Protection Teams, deployable on demand, able to carry out assessments, hunt and incident response, and now to board boarded vessels. That operational capability has no direct equivalent on the European side - at least not to our public knowledge. In France, an intervention of this kind would fall to ANSSI, an agency of exceptional expertise but without any truly dedicated maritime or port competence (with all due respect to them). At EU level, EMSA’s (European Maritime Safety Agency) mandate was revised in 2025 to cover cyber resilience and hybrid threats, with reinforced human and financial means, and the agency already runs workshops, table-top exercises, a focus on on-board cybersecurity oversight and a working group dedicated to AIS spoofing. But these activities fall under support and coordination, not deployable response teams. That is the missing link: dedicated, deployable maritime cyber experts, pooled at European scale and backed for instance by EMSA, able to concretely support a port, a shipowner or an authority during an incident.
Putting it in perspective
Beyond the figures, the value of CTIME 2025 lies in what it reminds us of in terms of already-identified priorities and in what it sheds light on regarding European gaps. The measures that reduce risk are known and stable from one year to the next: network segmentation, identity and password hygiene, properly deployed multi-factor authentication, patch management, phishing resistance and encryption of communications. On the shore side, they overlap with what ANSSI’s guides, the EBIOS Risk Manager method, the SGDSN’s II 230 and the work of France Cyber Maritime already carry, and with what NIS2 could reinforce once transposed.
On the ports side, this step up therefore remains to come in France, where transposition is still awaited and where field-assessment capability lags behind the U.S. model. The comparison also points to two more structural worksites: the coverage of on-board cybersecurity, which Europe leaves to the IMO, to flags, to classification societies and to port State control, with no dedicated European cyber regulation for the ship, and operational capability, where the USCG fields deployable teams. EMSA’s revised mandate and its working group on AIS spoofing open a path that would remain to be extended by dedicated, deployable maritime cyber experts, pooled at European level. It is on this condition, more than on the adoption of new standards, that maritime Europe would turn already-available recommendations into effective resilience in the years to come.
Source: U.S. Coast Guard Cyber Command, 2025 Cyber Trends and Insights in the Marine Environment (CTIME), TLP:CLEAR, June 2026 (PDF). Illustrations: U.S. Coast Guard.
Olivier JACQ, President and founder of CYBERMOOV Consulting.