Updated March 2026 · Non-technical primer
Cyber risk on vessels is not only “hackers in hoodies.” It is mistyped firewall rules, unpatched VPN appliances, crew USB sticks, and phishing that harvests credentials for your shore billing system. IMO 2021 resolutions and national cyber strategies pushed accountability upstream— which means operations leaders need a shared vocabulary with IT, not a wall of acronyms.
This primer is for masters, fleet superintendents, and Salesforce admins who need alignment before deeper technical workshops. It is not a substitute for classification society cyber notation or flag-specific drills.
Separate IT networks from OT responsibilities
Information technology (email, ERP, crewing portals) and operational technology (ECDIS interfaces, alarm systems) have different risk profiles and change windows. Map who approves patches on each side. If the same person wears both hats on a small vessel, document compensating controls (vendor remote support windows, spare equipment).
Identity is the new perimeter
Strong passwords are insufficient alone. Push phishing-resistant MFA for shore staff and anyone with access to vessel data in cloud systems. Salesforce supports modern SSO patterns—use them instead of shared service accounts that cannot be attributed during an incident.
Logging and evidence matter after incidents
Retain logs long enough to support investigations, but not so long that storage costs balloon without policy. Define what ships must cache locally versus what uploads nightly. When something fails, timestamps and user IDs should answer “who touched this config?” without guessing.
Tabletop exercises beat policy PDFs
Run a two-hour scenario: ransomware locks shore email during PSC prep. Who decides whether to delay sailing? Who contacts class and flag? Where are offline backups for critical certificates? Document gaps and feed them into Salesforce tasks so they are tracked like any other deficiency.
Where Shipyard Intel fits
We do not replace your firewall vendor. We help ensure operational and compliance records in Salesforce follow least-privilege access, integrate cleanly with your identity provider, and surface cyber-adjacent tasks (patch windows, training expiries) alongside traditional maritime work.
Related: compliance programs on Salesforce, Salesforce maritime operations.
Supply chain and spare parts integrity
Counterfeit or mislabeled critical spares are a physical safety issue and a cyber-adjacent integrity issue when ordering systems are compromised. Validate vendor domains, use purchase order matching, and treat unusual payment reroute emails as incidents—not annoyances. Your ERP and maritime platforms should share vendor master data to reduce duplicate trust decisions.