Executive Summary
The world's largest cruise operator, with 94 vessels, 9 brands, and more than 150,000 employees across roughly 150 countries, faced an urgent cybersecurity challenge. Dozens of third-party vendors required both remote and on-vessel access to critical operational technology systems including bridge navigation, engin ustry experiencing a 150% surge in OT cyberattacks.
After four cybersecurity incidents in recent years, including ransomware and phishing breaches resulting in $6.25 million in regulatory penalties, the operator needed a fundamentally different approach. The organization deployed Xona across all 94 vessels and shoreside sites, achieving 100% elimination of direct endpoint-to-asset connectivity. The result is zero direct network access: users interact with OT systems in real time, but their endpoints are never connected to the OT network. Deployment took under one hour per site, with some installations completed in as little as 20 minutes.
The Challenge
The operator's fleet depended on dozens of third-party vendors and OEM contractors for critical system support, requiring access to bridge navigation systems, engine automation, propulsion controls, HVAC, safety and fire suppression systems, and hotel management platforms.
The existing remote access infrastructure had fundamental shortcomings:
- Stalled deployment: After 18 months and $765,000 ($425,000 licensing plus $340,000 professional services, an 80% cost overrun), only 12 of 42 facilities were operational.
- Broad network access via VPN. Legacy VPN solutions granted vendors access to wide network segments rather than specific assets, meaning a compromised credential could reach systems far beyond authorized scope.
- No session recording or real-time audit. When vendors connected to vessel OT systems, there was no capability to record sessions, monitor activity in real time, or provide forensic evidence after the fact.
- Shared credentials. Vendor teams commonly shared login credentials, making it impossible to attribute actions to specific individuals.
- No instant termination capability. If a security incident occurred during a vendor session, there was no mechanism to immediately disconnect that session.
- Satellite bandwidth constraints. Vessels at sea rely on satellite links with limited bandwidth and variable latency. Traditional remote access tools performed poorly in these conditions.
The Xona Solution
The operator selected Xona, a purpose-built zero-trust secure access platform designed specifically for operational technology environments. OT protocols are terminated at the gateway inside the vessel's trusted network; only encrypted pixel streams are delivered to the vendor's browser over HTTPS port 443. The vendor's endpoint never touches the OT asset. No malware, ransomware, or lateral movement can traverse a pixel stream.
Uniquely, the Xona platform supports secure access for vendors physically aboard a vessel as well as those connecting remotely. Every session, whether local or remote, is authenticated, authorized, recorded, and auditable. A centralized management console enables the operator's security team to define access policies and monitor sessions across the entire 94-vessel fleet from cybersecurity operations centers in two global locations.
Xona's PNG-based pixel streaming is optimized for low-bandwidth, high-latency links, precisely the conditions encountered on vessels using satellite connectivity. Vendors report responsive, usable sessions even over constrained links.
The Results
Protocol isolation ensures that vendor endpoints cannot access the vessel network, making ransomware, malware, and unauthorized lateral movement architecturally impossible. Every vendor interaction with vessel OT systems is now recorded, timestamped, and attributable to a named individual.
With reliable, secure remote access now available even over satellite links, vendors resolve many issues remotely that previously required expensive on-site visits at costs exceeding $2,000 per visit. Vendors can now connect to vessel systems within minutes rather than scheduling travel, directly improving operational safety and continuity for time-critical equipment issues.
The operator met all requirements of the USCG Cybersecurity Rule, IMO MSC.428(98), IACS UR E26/E27, and IEC 62443. With the USCG's cyber incident reporting requirements effective July 2025 and full cybersecurity plan submissions due by July 2027, the operator is well ahead of compliance timelines.
"The ability to support both secure remote and local access has been transformative. We can now confidently grant vendors and our team access to the systems they need without introducing unnecessary risk."
Program Manager, Maritime Cyber Security