Maritime Cyber Exposure in the Wake of Windows 10 End-of-Support

By Greig Ferguson, 7 November 2025
When Microsoft ended support for Windows 10 on 14 October 2025, it marked more than just a software sunset. It exposed one of the maritime sector’s most persistent weaknesses: the reliance on legacy operating systems embedded deep within bridge, engine, and shore-side control systems.

Research by Marlink shows that more than 40 percent of maritime operational systems are still running Windows 10, leaving a significant portion of the global fleet without ongoing security updates. In a domain where safety, continuity, and trust underpin every voyage, unsupported systems represent not simply an IT concern but a live operational risk.


The Cyber Threat to the Maritime Sector

The maritime environment compounds this exposure. Vessels and shore facilities often operate in bandwidth-constrained conditions, rely on vendor-locked configurations, and are designed for lifespans measured in decades. The result is an accumulation of legacy technology that cannot easily be patched, upgraded, or replaced. Without manufacturer support, every new vulnerability becomes a permanent one. Adversaries know this, and they are exploiting it.

The U.S. Coast Guard’s Cyber Trends and Insights in the Marine Environment (CTIME 2024) report makes it clear that state-sponsored actors and criminal groups are actively probing maritime systems, pre-positioning within networks, and targeting operational technology to cause disruption. From the 2017 NotPetya event that crippled Maersk to recent espionage activity attributed to Volt Typhoon, the lesson is the same: maritime operations are both visible and vulnerable.

The BIMCO Guidelines on Cyber Security Onboard Ships v3 (2018) reinforce this reality. Developed alongside the International Maritime Organization’s Resolution MSC.428(98), they urge companies to integrate cyber risk management directly into their Safety Management Systems. BIMCO’s guidance bridges the IT and OT divide, stressing that cyber safety incidents can stem from both malicious interference and poor maintenance such as failed software patching.

BIMCO’s risk-based approach mirrors the principles of the NIST Cybersecurity Framework and remains the de facto global reference for vessel operators seeking to embed cyber resilience into daily operations.


The Legacy Risk Beneath the Surface

Unsupported operating systems, as highlighted in IASME’s Cyber Baseline Standard v1.0 (2023), are explicitly non-compliant with baseline good practice. IASME’s framework, designed as a practical certification path for organisations of all sizes, sets clear expectations that critical assets must run supported software or have documented compensating controls. For maritime operators, that link is direct. A vessel relying on Windows 10 post-End of Life (EOL) may struggle to maintain IASME Cyber Essentials certification, retain insurance coverage, or demonstrate adequate controls under the UK’s Network and Information Systems Regulations.

This compliance dimension reinforces what Forbes described in its October 2025 analysis of Microsoft’s deadline as a “silent risk multiplier.” While some enterprises can purchase Extended Security Updates, many maritime systems, especially OEM-locked or embedded platforms, cannot. A navigation console or ECDIS terminal built on a Windows 10 image may have no viable upgrade path without manufacturer recertification. The operational implication is stark: either replace the equipment or isolate it so effectively that a compromise cannot spread.

The SANS Institute’s 2024 white paper ‘General Quarters! Cybersecurity Challenges in the Maritime Industry’ expands on this tension. It notes that vessels designed for 25 years of service rarely receive wholesale technology refreshes, creating a mismatch between operational longevity and digital resilience. The same theme runs through Maritime Cybersecurity: A Guide for Leaders and Managers (Kessler and Shepard, 2020), which describes how a single infected vessel can bridge into port networks, triggering cascading disruption across logistics chains. In both cases, the warning is simple: digital seaworthiness is now inseparable from physical seaworthiness.


The IASME Maritime Cyber Baseline

From a governance perspective, the solution space is widening. Alongside BIMCO and IMO guidance, the IASME Maritime Cyber Baseline, which Bridewell is preparing to deliver, introduces a UK-aligned assurance route tailored to maritime operators, ship managers, and service providers.

Developed with government support, it aligns to NCSC principles and IMO MSC-FAL.1/Circ.3, providing an attainable framework to evidence that appropriate technical and procedural controls are in place. The scheme enables organisations to demonstrate maturity, benchmark progress, and build confidence with charterers, insurers, and regulators alike.

The broader academic view, reflected in Understanding Maritime Security (Bueger & Edmunds, 2024), situates cyber risk within the evolving concept of maritime security itself: an ecosystem spanning state, private, and civil actors. It highlights how threats in the maritime domain are inherently interconnected: piracy, blue crime, and cyber intrusion are different expressions of the same fragility in global trade systems. Addressing these challenges demands coordination across governments, industry, and operators, a message that resonates directly with the need for collective action post-Windows 10 EOL.


How Can CISOs Reduce Cyber Exposure?

For CISOs and fleet technical leads, the immediate task is clear.

  1.  Map exposure - conduct a full inventory of all systems still running Windows 10, onboard and ashore.
  2.  Assess criticality - determine which assets are safety-critical, mission-critical, or ancillary.
  3.  Plan migration - move eligible systems to Windows 11 or approved alternatives.
  4.  Contain legacy risk - for those that cannot be upgraded, implement strict network segmentation, hardened access control, application whitelisting, and removable-media discipline.
  5.  Assure and evidence - use recognised frameworks such as BIMCO v3, IASME Baseline, CAF 4.0, and the Maritime Cyber Baseline to evidence residual risk management and continuous improvement.
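A first pass at step 1 that leaves columns ready for steps 2 and 4, as an added example that is not from the article or from Bridewell: a PowerShell inventory run over a list of hosts via CIM, classifying each by OS build number rather than by product-name strings. The host names and the CSV path are placeholders; it assumes WinRM/CIM access to each host.

```powershell
# Added example (not from the article): first-pass Windows 10 exposure map.
# Host names are placeholders standing in for an export from your own asset register.
$Hosts    = @('BRIDGE-ECDIS-01', 'ENGINE-HMI-02', 'SHORE-OPS-07')   # placeholders
$Win10Eol = Get-Date '2025-10-14'   # Windows 10 end of support, as stated in the article

$Inventory = foreach ($h in $Hosts) {
    try {
        $os    = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $h -ErrorAction Stop
        $build = [int]$os.BuildNumber

        # Classify by build number, not by the registry ProductName string: that string
        # still reads "Windows 10" on Windows 11 hosts. Windows 11 builds start at 22000;
        # Windows 10 started at 10240. ProductType 1 = workstation, 2/3 = server roles.
        $family = if ($os.ProductType -ne 1) { 'Windows Server' }
                  elseif ($build -ge 22000) { 'Windows 11' }
                  elseif ($build -ge 10240) { 'Windows 10' }
                  else { 'Older client' }

        # LTSC editions carry their own lifecycle, so they are flagged for a manual
        # check instead of being marked unsupported outright.
        $status = switch ($family) {
            'Windows 11' { 'Supported' }
            'Windows 10' {
                if ($os.Caption -match 'LTSC')    { 'Windows 10 LTSC: verify edition lifecycle' }
                elseif ((Get-Date) -ge $Win10Eol) { 'Unsupported: compensating controls required' }
                else                              { 'Supported until 2025-10-14' }
            }
            default { 'Check vendor lifecycle' }
        }

        [pscustomobject]@{
            Host = $h; OS = $os.Caption; Build = $build; Family = $family
            LastBoot = $os.LastBootUpTime; Status = $status
            Criticality = 'TBD'   # step 2: safety-critical / mission-critical / ancillary
        }
    }
    catch {
        # An unreachable or access-denied host is still a gap in the map: record it, don't drop it.
        [pscustomobject]@{
            Host = $h; OS = 'Unreachable'; Build = $null; Family = 'Unknown'
            LastBoot = $null; Status = "Error: $($_.Exception.Message)"; Criticality = 'TBD'
        }
    }
}

# Unsupported hosts sort to the top so the segmentation and whitelisting work in step 4 can be scoped.
$Inventory | Sort-Object Status, Host | Format-Table -AutoSize
$Inventory | Export-Csv -Path '.\win10-exposure.csv' -NoTypeInformation   # placeholder path
```

Bridge and engine-room consoles frequently have WinRM disabled or sit on isolated segments; for those, run the same query locally (drop -ComputerName) and merge the resulting CSVs so the map has no silent gaps.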

Each of these actions reinforces the others. Together they demonstrate due diligence and strengthen operational resilience in line with both industry guidance and regulatory expectation.

The cost of inaction, by contrast, is rising. Every unsupported system becomes a permanent entry point. The USCG CTIME 2024 data show that malicious actors are actively exploiting known vulnerabilities in outdated software to pre-position within maritime networks. Once onboard, they can disrupt propulsion, falsify sensor data, or hold operators to ransom. Beyond immediate operational loss, the reputational damage from a preventable breach can jeopardise contracts and investor confidence.

Digital obsolescence has therefore become a board-level issue. As BIMCO v3 notes, effective cyber risk management must start at the senior-management level and be embedded into the Safety Management System. Executives should treat unsupported software as an unacceptable safety risk, no different from an expired safety certificate or a non-compliant fire system. The responsibility to act cannot be delegated solely to IT.


The Opportunity in Windows 10 EOL

The transition from Windows 10 is, however, an opportunity as well as a necessity. Migration planning provides the chance to modernise the defensive architecture of both vessel and shore environments: tightening administrative privilege, standardising secure configurations, improving telemetry, and embedding continuous monitoring. It also enables operators to reassess third-party dependencies and enforce stronger contractual obligations on vendors regarding patching and vulnerability disclosure.

Ultimately, resilience at sea will depend on partnership. As Windows 10 EOL exposes latent vulnerabilities, the industry’s collective response will determine whether the maritime sector moves forward or falls behind.

The call to action is immediate.

Audit every Windows 10 asset.

Prioritise migration.

Implement compensating controls where replacement is not yet viable.

Engage with credible cybersecurity partners who understand the operational and regulatory realities of the maritime domain.

Bridewell Maritime Cybersecurity stands ready to assist operators in navigating this transition, combining deep technical assurance, threat intelligence, and governance expertise with delivery capability across the forthcoming IASME Maritime Cyber Baseline. The risk is active, the deadline has passed, and the solution requires decisive leadership today.


References - APA 7th Edition

BIMCO, CLIA, ICS, INTERCARGO, INTERTANKO, IUMI, OCIMF, & World Shipping Council. (2018). The guidelines on cyber security onboard ships (Version 3). BIMCO.

Bueger, C., & Edmunds, T. (2024). Understanding maritime security (2nd ed.). Oxford University Press.

Doffman, Z. (2025, October). Microsoft Windows deadline: Surprise news for PC owners. Forbes. https://www.forbes.com/sites/zakdoffman/2025/10/26/microsoft-windows-deadline-surprise-news-for-pc-owners/ 

IASME Consortium Ltd. (2023). The IASME cyber baseline standard (Version 1.0). IASME.

IASME Consortium Ltd. (2024, October). Windows 10 update information – significant for your Cyber Essentials compliance. IASME.

Industrial Cyber Media. (2025, October). Marlink: Over 40% of maritime systems remain on Windows 10 ahead of end of support, heightening cyber risk. https://industrialcyber.co/industrial-cyber-attacks/marlink-over-40-of-maritime-systems-remain-on-windows-10-ahead-of-end-of-support-heightening-cyber-risk/ 

Kessler, G. C., & Shepard, S. D. (2020). Maritime cybersecurity: A guide for leaders and managers. Independently Published.

National Cyber Security Centre. (2025). Cyber Assessment Framework (Version 4.0). NCSC. https://www.ncsc.gov.uk/files/NCSC-Cyber-Assessment-Framework-4.0.pdf 

SANS Institute (Ayala, M., Dely, J., & Plankey, S.). (2024, October). General quarters! Cybersecurity challenges in the maritime industry. SANS Institute.

U.S. Coast Guard Cyber Command. (2024). Cyber trends and insights in the marine environment (CTIME 2024). U.S. Department of Homeland Security.

Greig Ferguson

Senior Lead Consultant

Greig is Bridewell’s maritime cyber security lead and a Senior Lead Security Consultant focused on resilience in high-consequence environments. He is currently supporting a leading maritime operator to enhance operational cyber readiness and assurance.