Isidore Quantum®
All-in-One Cybersecurity and Drop-in PQC Solution
Beyond the Horizon: Securing Maritime Operations from Cyber and Quantum Threats
Why Isidore Quantum:
1) Establish formal mandate for quantum-safe migration (board → fleet → port ops)
No owner; PQC not on ISM/ISPS agenda.
Champion named (e.g., CISO/CTO), ad-hoc working group.
Cross-functional Quantum-Safe Committee with RACI spanning HQ, fleet IT, port OT, legal, procurement.
Governance reviews tied to safety & cyber KPIs; minutes feed budget & roadmap updates.
Approved ToR; committee cadence; inclusion in Safety Management System (SMS).
Stand up a formal committee; publish RACI and meeting schedule.
2) Strategic roadmap & resourcing
No plan/budget.
Draft roadmap exists; pending approval.
Multi-year roadmap with milestones for bridge systems, SATCOM, port gates; capex/opex allocated.
Execution tracked; roadmap updated quarterly with lessons from pilots and audits.
Approved roadmap; funding line items; milestone burndown.
Approve roadmap; tie to dry-dock/maintenance windows.
3) Integrate quantum risk into enterprise cyber-risk program
Quantum risk not considered.
Acknowledged, but tracked separately from cyber risk.
Incorporated into ERM/CRR alongside ransomware/OT risk; risk owners assigned.
Periodic effectiveness reviews; risk appetite & timelines adjusted.
Risk register entries for HNDL, PQC migration, SATCOM exposure.
Merge quantum risks into existing ERM and KRIs.
4) Policies & frameworks (crypto, key mgmt, data)
No formal policies.
Basic informal practices (e.g., ad-hoc key storage).
Documented cryptographic & key-management policies; data classification incl. long-shelf-life data.
Policies reviewed with PQC/crypto-agility clauses; change control in place.
Approved policies; policy review logs; exceptions tracking.
Formalize policies; set annual review cycle with PQC updates.
1) Quantum risk assessment & prioritization
No assessment.
Preliminary scoping on a subset (e.g., AIS/VSAT).
Org-wide risk assessment using data value/shelf-life, crypto dependencies, criticality.
Continuous reassessment aligned to NIST/ETSI updates & business changes.
Completed study; heat-map of crown jewels (ECDIS, GMDSS, port SCADA).
Expand pilot assessment to all fleets/ports; formalize in risk register.
2) Cryptographic asset management (IT, OT, SATCOM)
No inventory.
Partial list of systems/keys/certs.
Comprehensive CBOM (algorithms, keys, protocols, libraries, HSM/PKI) for vessels, ports, cloud.
Automated discovery; inventory kept current; drives migration plan.
% coverage; discovery tool output; CBOM freshness.
Deploy automated discovery; reconcile with CMDB & fleet configs.
1) Quantum risk awareness
No awareness.
Initial briefings to execs/crews.
Role-based program (bridge officers, OT engineers, SOC) aligned to strategy.
Effectiveness measured; content updated with latest PQC/IMO guidance.
Completion & quiz scores; incident drill outcomes.
Launch targeted awareness tracks per audience.
2) Competency development (crypto, PQC, OT)
Needed skills unknown.
Key skills identified (PQC, crypto-agility, SATCOM security).
Competency matrix per role; training plan & certifications.
Matrix maintained; hiring/upskilling aligned to roadmap & audits.
Role→skill mapping; % roles upskilled.
Publish matrix; fund training & labs.
1) Third-party/vendor quantum risk (shipyard, OEM, SATCOM, port IT)
Not assessed.
High-risk vendors identified; questionnaires started.
Risk-based evaluation incl. data access & crypto posture; CBOMs & PQC roadmaps requested.
Integrated into vendor governance; PQC/crypto-agility clauses in RFPs & MSAs.
% strategic vendors with CBOM/PQC plans; contract clauses present.
Update procurement templates with PQC/CBOM requirements.
2) Ecosystem collaboration (MLIT/IMO, ISACs, academia)
No engagement.
Stakeholders mapped (e.g., ISACs, standards bodies).
Active participation & knowledge sharing; lessons from pilots.
Thought leadership; contributions to industry guidance.
Event participation; publications; working-group roles.
Join sector ISACs/standards roundtables; present pilot findings.
3) Promote standards & guidelines
Not monitored.
Tracks NIST PQC, ETSI QSC, IMO cyber.
Promotes adoption internally/with partners.
Recognized adopter; shares implementation lessons.
Standards watchlist; adoption roadmap.
Build/adopt standards watchlist tied to roadmap.
4) Talent pipeline (Japan)
No initiatives.
Exploring university/industry tie-ups.
Active collaborations (internships, labs on PQC/OT security).
Co-sponsoring impactful programs; tracked outcomes.
# interns; conversion rates; co-authored work.
Launch an academia partnership focused on PQC for OT/SCADA.
1) Technology experimentation & PoCs (bridge/port/space links)
No PQC or crypto-agility pilots.
Early PoCs on PQC/hybrid for AIS/GPS/VSAT or port SCADA.
Use-case-driven pilots aligned to roadmap; performance/latency baselined.
Operational adoption; monitoring & optimization in production.
Pilot reports; latency KPIs across VSAT and gateway hops.
Select 2–3 high-impact use cases (ECDIS auth, SATCOM tunnel, port gate PLC) and launch PoCs.
2) Cryptographic agility by design
Not considered.
Concept acknowledged; options explored.
Approach documented (modular crypto APIs, hybrid classical+PQC, re-keying).
Agility implemented; updated with NIST/ETSI/CNSA changes.
Architecture docs; code scans; config drift metrics.
Define agility patterns and embed in build/patch pipelines.
A) Quantum-resilient comms for AIS/GPS/VSAT & port OT
Rely on RSA/ECC & aging PKI; manual keys; flat networks.
Pilots of CNSA-aligned PQC tunnels; initial network segmentation.
Drop-in cryptographic upgrade for ship/port links; AI-enabled anomaly detection; zero-trust controls.
Fleet-wide/port-wide rollout with centralized orchestration & self-healing; continuous compliance to IMO/ISO.
% links protected; time-to-rekey; false-positive rate.
Start with bridge systems, port command centers, satellite gateways using drop-in PQC appliances proven in maritime.
B) Japan context & recent incidents
No recognition of AIS spoofing/HNDL exposure.
Incident briefs circulated; basic mitigations planned.
Controls tuned for AIS/GPS integrity; HNDL risk prioritized in risk register.
Drills & monitoring confirm resilience against spoofing and decrypt-later threats.
Post-incident actions; drill results; audit findings.
Use Eclipse AIS incident as a driver for exec buy-in and schedule near-term mitigations.