The Maritime Market Is No Exception to AI Hacking (3/3): When Algorithms Attack a Ship, What Are Our Weapons?
Part 1 covered what Claude Mythos is and how it autonomously discovers vulnerabilities and builds exploits. Part 2 dissected how that threat connects to vessel OT environments — the attack surfaces of ECDIS, propulsion control, and satellite gateways.
This Part 3 answers the practical question: what do we actually do? Terms like SFI, IACS, and SBOM are explained in context. No security background required.
Prologue
The threat is known. The attack surface is visible.
And yet many organizations stop at this point. Threat awareness becomes the end goal. Reports are written, briefings given, next inspection awaited.
That is not enough.
Strong cybersecurity fundamentals provide meaningful protection against AI-based attacks. Zero trust architecture, automated patching, strong access controls, anomaly detection — these work against AI-based attackers too. The problem is that most organizations have not built these fundamentals to the level required. (Bain & Company)
For maritime cybersecurity practitioners, this is good news. New tools or new budget are not the first priority. Reinterpreting existing frameworks for the Mythos era, then executing — that comes first. This article presents the specific methods.
1. The First Principle of Defense — Go Beyond CVE
As confirmed in Part 2, more than 99% of vulnerabilities Mythos discovered are not listed in any CVE database. This shakes the premise of existing vulnerability management. (ArmorCode)
The limitation in the Mythos era is clear: vulnerabilities not in CVE are more dangerous. No patch exists, they are below defenders’ radar, and only the attacker knows about them.
The direction of defense must change — from “eliminate known vulnerabilities” to “build a structure where vulnerabilities are hard to reach even if they exist, and damage is minimized even if they are reached.”
A structure where the next defense line holds even if one line is breached. Mythos may successfully gain entry — but gets blocked at the next stage. This principle sits at the core of the methodology that follows.
2. Methodology Block 1 — SFI-Based CBS Asset Classification
To start defense, we must first know what needs protecting. In the vessel environment, this begins with asset classification.
SFI (Ships Form Index) is an international standard code system that hierarchically classifies all vessel systems. For example: 7XX = navigation systems, 720 = ECDIS, 730 = AIS. Every ship system has a unique number.
CBS (Computer Based System), as defined in IACS UR E26, refers to all computer-based systems onboard — propulsion control computers, ECDIS hardware, cargo management software, satellite communications equipment.
Combining both produces a powerful tool: an SFI-coded CBS asset inventory — a hierarchical map of every cyber-relevant asset onboard. Each CBS node receives three parameters:
| SFI | System | CIA Priority | Patch Access | Network Exposure | Risk |
|---|---|---|---|---|---|
| 411 | Propulsion Control | Availability: CRITICAL | Drydock only | Via OT network | CRITICAL |
| 720 | ECDIS Navigation | Integrity: HIGH | Drydock only | Via IT + update port | HIGH |
| 746 | Satellite Comms (VSAT) | Confidentiality: HIGH | Remote-updateable | Internet-facing | HIGH |
| 520 | Cargo Mgmt System | Confidentiality: MED | Remote-updateable | Via IT network | MEDIUM |
| 820 | CCTV / IoT Sensors | Availability: LOW | Remote-updateable | Via IT network | ENTRY POINT |
CIA = Confidentiality / Integrity / Availability. Risk score = CIA priority × Patch accessibility × Network exposure.
This combination of three parameters produces a Risk Score — providing an evidence-based answer to “which system to defend first.”
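The scoring described above, as an added Python example that is not from the original article: it reads the table rows, applies Risk score = CIA priority × Patch accessibility × Network exposure, and returns a prioritized list. The numeric weights, band thresholds and the ENTRY POINT rule are assumptions chosen so the sample rows land in the table's Risk column; an unknown label is scored at the worst case so an unclassified asset is not silently ranked low.

```python
# Added example. Weights, thresholds and the ENTRY POINT rule are assumptions,
# not values from the article; the rows are copied from the table above.
INVENTORY = """\
411 | Propulsion Control | Availability: CRITICAL | Drydock only | Via OT network
720 | ECDIS Navigation | Integrity: HIGH | Drydock only | Via IT + update port
746 | Satellite Comms (VSAT) | Confidentiality: HIGH | Remote-updateable | Internet-facing
520 | Cargo Mgmt System | Confidentiality: MED | Remote-updateable | Via IT network
820 | CCTV / IoT Sensors | Availability: LOW | Remote-updateable | Via IT network
"""

CIA_W = {"CRITICAL": 5, "HIGH": 3, "MED": 2, "LOW": 1}
PATCH_W = {"Drydock only": 3, "Remote-updateable": 1}
EXPOSURE_W = {"Internet-facing": 4, "Via IT + update port": 3,
              "Via IT network": 2, "Via OT network": 2}
IT_REACHABLE = {"Internet-facing", "Via IT + update port", "Via IT network"}


def weight(table, label):
    # Unknown label: assume the worst case so an unclassified asset
    # rises in the list instead of silently scoring low.
    return table.get(label, max(table.values()))


def score_row(line):
    sfi, system, cia, patch, exposure = [c.strip() for c in line.split("|")]
    prop, level = [p.strip() for p in cia.split(":")]
    score = weight(CIA_W, level) * weight(PATCH_W, patch) * weight(EXPOSURE_W, exposure)
    if score >= 30:
        band = "CRITICAL"
    elif score >= 12:
        band = "HIGH"
    elif score >= 4:
        band = "MEDIUM"
    elif exposure in IT_REACHABLE:
        band = "ENTRY POINT"   # low impact, but reachable from the IT side
    else:
        band = "LOW"
    return {"sfi": sfi, "system": system, "driver": prop, "score": score, "band": band}


def prioritize(text):
    rows = [score_row(line) for line in text.splitlines() if line.strip()]
    return sorted(rows, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in prioritize(INVENTORY):
        print(f'{r["sfi"]}  {r["system"]:<24} {r["score"]:>3}  {r["band"]}')
```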
3. Methodology Block 2 — Mythos-Era Reinterpretation of IACS E26/E27
IACS UR E26 and E27 are the most sophisticated vessel cybersecurity regulations to date. But their threat model belongs to the world before Mythos.
The goal is not to discard these regulations. It is to reinterpret each requirement from a Mythos-era perspective and operate accordingly.
SBOM and CBOM: An SBOM (Software Bill of Materials) is an inventory of all software components in a system. IACS E27 requires managing known vulnerabilities through this list. However, CVE-unregistered vulnerabilities cannot be identified by SBOM alone. Adding a CBOM (Cryptography Bill of Materials) — an inventory of all cryptographic components — enables proactive preparation for future quantum computing threats as well.
| Regulation Requirement | Mythos-Era Gap | Supplementary Action |
|---|---|---|
| SBOM tracking (E27) | CVE-unregistered threats invisible | + CBOM + AI-assisted runtime scanning |
| Known vulnerability patching | 99%+ of Mythos-era threats below radar | Continuous AI-assisted scanning before drydock |
| Network segmentation | IT→OT boundary may be insufficient | Zero trust + VLAN micro-segmentation |
| Type Approval / Annual Survey | Static snapshot, operational state missed | AI scan results integrated into survey docs |
4. Methodology Block 3 — 5-Step Defense Execution Framework
The diagnostic tools above integrate into actionable steps — a sequence maritime cybersecurity practitioners can apply in the field.
Step 1: Maintain the SFI-coded CBS inventory in current state. Explicitly identify all IT–OT interface nodes: satellite comms gateway, remote monitoring servers, USB connection ports.
Step 2: Assign risk scores to each CBS. Prioritize Mythos’s preferred entry points: remotely accessible services, legacy operating systems, IT–OT bridge nodes.
Step 3: Current frontier models (Opus level) show meaningful performance in code review and vulnerability pattern recognition. Use them for pre-drydock diagnosis. Project Glasswing partners with Mythos Preview access can run autonomous vulnerability searches at attacker-equivalent scale. (CSA Lab Space)
Step 4: For legacy CBS that cannot be patched pending drydock, network isolation is the realistic alternative. Redesign VLANs to place the CBS in a separate segment; build detection for abnormal traffic to that segment. Block access instead of patching.
Step 5: Integrate AI scan results and the updated SFI asset inventory into IACS E27 Annual Survey submission documents. Class surveyors’ records must reflect Mythos-era threat perspective — contributing to the eventual evolution of Classification Society requirements.
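For the isolation step above (a separate segment for the legacy CBS plus detection of abnormal traffic to it), one way to express the detection as an allowlist check over flow records. This is an added example, not code from the original article; the segment range, host addresses, ports and the CSV flow format are all assumptions, and the sample records are constructed.

```python
import csv
import io
import ipaddress

# Added example. Every address, port and record below is constructed.
CBS_SEGMENT = ipaddress.ip_network("10.41.1.0/24")   # assumed VLAN holding the legacy CBS
ALLOWED = [                                           # (source network, dest host, dest port)
    (ipaddress.ip_network("10.41.0.10/32"), ipaddress.ip_address("10.41.1.5"), 502),
    (ipaddress.ip_network("10.41.0.10/32"), ipaddress.ip_address("10.41.1.5"), 123),
]

FLOWS = """\
ts,src,dst,dport
2025-01-01T02:00:00Z,10.41.0.10,10.41.1.5,502
2025-01-01T02:00:07Z,10.20.0.44,10.41.1.5,502
2025-01-01T02:01:13Z,10.41.0.10,10.41.1.5,3389
2025-01-01T02:01:40Z,10.20.0.44,10.20.0.1,443
2025-01-01T02:02:02Z,10.41.0.10,10.41.1.500,502
"""


def abnormal_flows(text):
    """Return (timestamp, reason) for every flow into the segment that is not allowlisted."""
    alerts = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            src = ipaddress.ip_address(row["src"])
            dst = ipaddress.ip_address(row["dst"])
            dport = int(row["dport"])
        except (ValueError, TypeError):
            # Fail closed: a record that cannot be parsed is reported, not dropped.
            alerts.append((row["ts"], "unparsable record"))
            continue
        if dst not in CBS_SEGMENT:
            continue                                  # not traffic to the isolated segment
        if any(src in net and dst == host and dport == port for net, host, port in ALLOWED):
            continue                                  # expected control traffic
        if any(src in net for net, _, _ in ALLOWED):
            reason = "allowed source, unexpected destination or port"
        else:
            reason = "source outside allowlist"
        alerts.append((row["ts"], f"{src} -> {dst}:{dport} {reason}"))
    return alerts


if __name__ == "__main__":
    for ts, reason in abnormal_flows(FLOWS):
        print(ts, reason)
```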
5. Three Core Defense Principles
The full methodology compresses into three principles for maritime practitioners:
Vulnerabilities not in CVE are more dangerous. The goal is not eliminating a vulnerability list — it is building a structure where vulnerabilities are hard to reach even if they exist. Network segmentation, access controls, least privilege — these defense lines exist before CVE.
Not all CBS must wait for drydock. Software CBS that can be updated remotely should follow enterprise-level patch cycles. For hardware CBS with low patch accessibility, substitute compensating controls for patching.
Attackers use AI to find vulnerabilities — defenders must use the same AI tools. Scanning your own systems before attackers, systematically and at scale, is the core defense logic of the AI hacking era. (Bain & Company)
6. “Strong Fundamentals Can Hold Even Against Mythos”
The most important finding of this series, placed last.
AISI’s evaluation results are clear. Mythos Preview can autonomously attack weakly defended small networks. But the evaluation could not make the same determination for well-defended environments with active defenders, defense tools, and penalties for triggering security alerts. (UK AISI)
Strong cybersecurity fundamentals provide substantial protection against AI-based attacks. Regular security updates, strong access controls, security configuration management, comprehensive logging — these protect against AI-assisted attacks regardless of the attacker’s capability level. (Bain & Company)
In the vessel environment: SFI-based asset inventory. Risk score-based prioritization. Patching not dependent on drydock. Network isolation for legacy CBS. AI scan results integrated into Annual Survey documents. Working systems, not reports.
Epilogue — Closing the Series
This series began with a single question: Is the maritime market an exception to AI hacking?
The answer is clear: No.
Ships run on code. Inside that code are vulnerabilities undiscovered for 17 or 27 years. Mythos finds them for $50. And attackers don’t read CVE lists.
But this is not a declaration of defeat. Defense is possible. That defense must be working systems, not reports.
Organize assets with SFI codes. Set priorities with risk scores. Patch without waiting for drydock. Isolate legacy systems. Put AI scan results into annual class submissions. That is what can be started right now.
“The IACS framework tells you what to build. Mythos tells you whether it will hold. The gap between those two questions is where maritime cybersecurity needs to operate right now. Every ship already has a compliance posture. The question is whether it has a resilience posture.”
Working systems, not reports. That is the standard for the Mythos era.