Looking for software development? We've movedGrassFed.dev

Connected Vessel Risk Review

Testing across onboard systems, physical access, and employee email produced clear guidance for addressing verified risks.

Connected Vessel Risk Review

Industries

Maritime

Services

Security Awareness Testing,
Vulnerability Assessment,
Penetration Testing

About the project

A maritime operator needed an independent view of a vessel's cyber and physical security. Business systems, operational technology, wireless connections, and equipment spaces shared one onboard environment, so a weakness in one layer could create risk in another.

The work had to fit a limited shipyard window and remain controlled around live, legacy systems. The goal was to examine realistic attack paths, assess phishing readiness, and give the operator practical steps for addressing verified weaknesses.

What we did

  • We designed a black-box assessment without supplied credentials or internal network details. A focused plan covered the vessel's information technology and operational technology networks, approved physical areas, and employee email defenses. Testing followed NIST technical assessment guidance and relevant IMO maritime cyber-risk guidance while staying within the agreed onboard window.
  • We mapped reachable systems and services, then used targeted scanning and controlled validation to investigate the most important exposures. The assessment confirmed weaknesses involving network access, wireless security, passwords, privileged accounts, outdated software, and separation between business and operational systems. High-impact testing was limited where exploitation could affect the vessel's live environment.
  • We reviewed physical protections in the approved equipment area and security settings on onboard workstations. Unsecured infrastructure, exposed credentials, and permissive device settings showed how physical access could weaken digital controls. We tied each observation to practical measures such as tighter equipment access, safer startup settings, and stronger account handling.
  • We ran a controlled spear-phishing exercise to assess both email filtering and employee response. The campaign showed that automated defenses did not stop every realistic attempt and that account safeguards needed improvement. The findings supported recommendations for multifactor authentication and focused awareness training.
  • We delivered a detailed findings package that connected technical, physical, and human risks with specific corrective actions. Recommendations covered network separation, software updates, password and administrative access controls, physical safeguards, multifactor authentication, and phishing readiness. This gave the operator a clear record of verified issues to guide remediation and future testing.

Technologies Used

Kali Linux Logo

Kali Linux

N map logo

N map

Tenable IO

Tenable IO

Metasploit logo

Metasploit

Wire Shark logo

Wire Shark

NIST

NIST

Testimonials

"Vigilus understood that our vessel was not just another corporate network. Their team adapted quickly to the onboard environment, identified practical risks, and gave us a clear path toward improving our maritime cybersecurity posture."

Testimonial 1

"The assessment was thorough, well-organized, and grounded in the realities of vessel operations. The findings report helped our team prioritize remediation work without losing sight of compliance and operational continuity."

Testimonial 2

"Vigilus brought the right mix of cybersecurity expertise and maritime awareness. Their work gave us confidence in our IMO 2021 compliance efforts and helped us better understand the risks across our IT and OT systems."

Testimonial 3

Browse more projects

Account-to-Server Takeover Test

Account-to-Server Takeover Test

Phishing-to-Privilege Test

Phishing-to-Privilege Test

Contact Us