
Maritime

Devices that hold up at sea, under satcom.

Bridge tablets, engine-room handhelds, port-ops devices, crew-welfare phones — the network is intermittent and expensive, the radio environment is hostile, and a compromised device can affect navigation. HardenedOS gives you the OS-level guarantees that make IMO 2021 Resolution MSC.428(98) auditable rather than aspirational. Optionally, custom maritime intelligence apps share vessel positions and dispatch traffic over an end-to-end-encrypted XMPP chat backbone — no third-party data broker between your AIS receiver and your fleet.

The threat surface

What the open ocean changes.

The maritime threat model is built around three hard facts: networks are satcom and expensive, ports are hostile environments, and the radios are old. Each of these creates a class of attack that doesn't show up on shore.

GPS spoofing in chokepoints

Strait of Hormuz, South China Sea, Black Sea — well-documented spoofing zones. A compromised navigation tablet that trusts the GPS without sanity-checking against AIS, INS, and visual cues becomes a grounding event. HardenedOS can't make GPS trustworthy on its own, but it ensures the chartplotter app the bridge runs is the one your IT signed.

Port Wi-Fi interception

Crew shore-leave devices connect to free port Wi-Fi. Per-connection MAC randomization, DNS-leak prevention, VPN tunnel enforcement at the OS level. Apps don't get to bypass the company VPN onto a hostile network.

Satcom bandwidth abuse

Background apps eating MB/sec on a $5,000/mo VSAT plan. Per-app network gating shuts down everything except the dispatch client + bridge tools while underway. The CFO loves this, and apps that assumed a network was always available still launch; they just don't get a connection.

USB exfiltration at the dock

Stevedores, port officials, contractors plugging into bridge tablets to "transfer the manifest." USB data lines blocked at the OS level when the device is locked. Configurable per profile so the engine-room handheld can allow USB to a specific cable.

2G fallback in coastal waters

Cellular networks fall back to 2G in coastal zones — vulnerable to baseband attacks and IMSI catchers. LTE-only mode disables the fallback. Crew phones don't broadcast their identity to a fishing-boat-mounted Stingray.

BYOD on the bridge

Officers using personal phones for work because the issued device is "useless." HardenedOS at the Basic tier gives the user a clean phone they actually want to use; Corporate tier devices for ops; same OS image, same management surface, different policy bag.

How HardenedOS responds

The maritime-tier configuration.

Most operators run a mixed deployment: Corporate tier for bridge + engine room, Basic tier for crew welfare. Common policy bag adjustments via the /policies UI:

  • Per-app network policy on satcom

    Background sync for non-essential apps blocked while the device is on a metered uplink. Detected per APN — the OS knows when it's roaming on satcom vs. on a friendly port Wi-Fi.

  • Hardware attestation in every heartbeat

    Bridge tablets that lose attestation (rooted, sideloaded, OS swap) get suspended on the management side. Operations sees them red on the dashboard within one heartbeat interval.

  • Locked chart-app catalog

    Whatever ECDIS / chartplotter / route-planner you've certified — pinned to its developer signing-cert SHA-256. The DPC verifies on install; a tampered binary doesn't run.
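The install-time check described above, written out as an added example (this is not HardenedOS or DPC code, and the package name and the "certificate" bytes are constructed placeholders): a locked catalog maps each approved package to the SHA-256 of its developer signing certificate, and an install is refused if the package is unknown, carries no signer, or has any signer whose fingerprint is not pinned. In a real DPC the fingerprint would be computed over the DER-encoded X.509 certificate taken from the APK signature block.

```python
"""Signing-certificate pinning for a locked app catalog (added example)."""
import hashlib
import hmac

# Constructed sample "certificates". A real check hashes the DER-encoded
# signing certificate pulled from the package's signature block.
CHARTPLOTTER_CERT = b"CONSTRUCTED-DER-BYTES: chartplotter developer certificate"
TAMPERED_CERT = b"CONSTRUCTED-DER-BYTES: same app re-signed by someone else"


def cert_fingerprint(cert_der: bytes) -> str:
    """Lower-case hex SHA-256 over the certificate bytes."""
    return hashlib.sha256(cert_der).hexdigest()


def _normalize_pin(pin: str) -> str:
    """Accept 'AB:CD:..' or 'abcd..' and return lower-case hex without separators."""
    return pin.replace(":", "").replace(" ", "").lower()


# Locked catalog: placeholder package name -> pinned signing-cert SHA-256 values.
# Pins here are derived from the constructed certificate above.
CATALOG = {
    "com.example.chartplotter": {cert_fingerprint(CHARTPLOTTER_CERT)},
}


def install_allowed(package: str, signer_certs: list[bytes]) -> tuple[bool, str]:
    """Return (allowed, reason).

    Every signer on the incoming package must match a pin; an unknown
    package, a package with no signer, or any unpinned signer is refused.
    """
    pins = CATALOG.get(package)
    if not pins:
        return False, f"{package}: not in locked catalog"
    if not signer_certs:
        return False, f"{package}: package carries no signing certificate"
    pins = {_normalize_pin(p) for p in pins}
    for cert in signer_certs:
        fp = cert_fingerprint(cert)
        # Constant-time comparison so timing does not reveal how many
        # leading bytes of a forged certificate happened to match.
        if not any(hmac.compare_digest(fp, p) for p in pins):
            return False, f"{package}: signer {fp[:16]}... not pinned"
    return True, f"{package}: all signers pinned"


if __name__ == "__main__":
    print(install_allowed("com.example.chartplotter", [CHARTPLOTTER_CERT]))
    print(install_allowed("com.example.chartplotter", [TAMPERED_CERT]))
    print(install_allowed("com.example.chartplotter", [CHARTPLOTTER_CERT, TAMPERED_CERT]))
    print(install_allowed("com.example.unknownapp", [CHARTPLOTTER_CERT]))
```

Pinning the certificate fingerprint rather than the APK hash is what lets the certified chart app take routine updates: a new build from the same developer still matches, while a re-signed binary does not.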

  • Crew-welfare profile

    Same fleet, but a Basic-tier policy for off-duty devices. Personal install + permissions; no remote management of user data; reseller branding applied so the user knows it's still company-issued.

  • Surveillance ceiling, kernel-enforced

    Crew unions are watching. No tier — including Corporate — can silently record audio, capture the screen, log keystrokes, or hide the management UI. The collective bargaining angle is solved at the OS level.

Field operations

Custom maritime intelligence apps, shared on an encrypted backbone.

The hardened device is half the picture. The other half is what runs on it. HardenedOS pairs with a white-label OMEMO / OTR-Forced XMPP chat platform — same vendor, same management panel — where AIS positions, sealed-bag manifests, dispatch traffic, and bridge chat all share one end-to-end encrypted channel. Position data never touches MarineTraffic, VesselFinder, or any cloud relay.

Encrypted AIS position sharing

Vessel positions ride inside the encrypted group chat as structured cards — vessel name, lat/long, SOG, heading, status. Your fleet's positions never touch a third-party data broker. Pulled directly from your own AIS receiver, signed end-to-end between bridge, dispatch, and shore office.

Multi-channel ops rooms

Fleet, port-ops, ground teams, vessel-specific bridge channels — each gets an isolated encrypted XMPP room. Broadcast a position card or chart waypoint to multiple rooms in one tap. Rooms scoped by vessel, by port, by region; provisioned by your management panel.

Built for satcom links

XMPP's compact wire format keeps overhead minimal — runs cleanly over VSAT, Iridium, and Inmarsat where every byte and every millisecond costs money. Position cards survive 200ms+ latency. The same chat window works on a vessel underway or a manager on a phone in port.

Custom mini-apps in-channel

Sealed-bag chain-of-custody, port-arrival forms, engine-fault telemetry, weather-routing notes — built as encrypted mini-apps that post structured cards into the same chat. The dispatcher sees the route, the bag scans, and the bridge chat in one timeline. No vendor extraction.

Geofenced port + chokepoint alerts

Chokepoint geofences (Strait of Hormuz, South China Sea, Suez approaches) trigger silent dispatch alerts when a vessel deviates. The crew's screen shows nothing — useful when the deviation is under coercion. Your shore office sees the alarm in the encrypted channel.
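The dispatch-side evaluation of an incoming position card, as an added example covering three points made on this page: the GPS sanity check against a previous fix from the threat-surface section, the position-card fields (vessel, lat/long, SOG, heading, status) from the AIS section, and the chokepoint geofence alert above. This is not HardenedOS or chat-platform code. Assumptions: the chokepoint centre and radius are approximate illustration values, the planned leg, corridor width and 30 kn maximum speed are constructed, and the function runs on the shore/dispatch side so that, as the page describes, nothing is shown on the crew device.

```python
"""Position-card plausibility and chokepoint deviation check (added example)."""
import math
from dataclasses import dataclass

EARTH_RADIUS_NM = 3440.065


@dataclass(frozen=True)
class PositionCard:
    """Structured card as described on the page; ts is epoch seconds (assumed)."""
    vessel: str
    lat: float
    lon: float
    sog_kn: float
    heading: float
    status: str
    ts: int


@dataclass(frozen=True)
class Geofence:
    name: str
    lat: float
    lon: float
    radius_nm: float


# Approximate centre of the Strait of Hormuz, for illustration only.
CHOKEPOINTS = [Geofence("Strait of Hormuz", 26.6, 56.3, 40.0)]


def haversine_nm(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in nautical miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(a))


def bearing_rad(lat1, lon1, lat2, lon2) -> float:
    """Initial bearing from point 1 to point 2, in radians."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dl = math.radians(lon2 - lon1)
    y = math.sin(dl) * math.cos(p2)
    x = math.cos(p1) * math.sin(p2) - math.sin(p1) * math.cos(p2) * math.cos(dl)
    return math.atan2(y, x)


def cross_track_nm(lat, lon, leg_start, leg_end) -> float:
    """Unsigned distance from (lat, lon) to the great-circle leg start->end."""
    d13 = haversine_nm(leg_start[0], leg_start[1], lat, lon) / EARTH_RADIUS_NM
    b13 = bearing_rad(leg_start[0], leg_start[1], lat, lon)
    b12 = bearing_rad(leg_start[0], leg_start[1], leg_end[0], leg_end[1])
    return abs(math.asin(math.sin(d13) * math.sin(b13 - b12)) * EARTH_RADIUS_NM)


def fix_plausible(prev, cur, max_sog_kn=30.0) -> bool:
    """Reject fixes outside valid ranges or implying a speed the hull cannot make.

    A spoofed GPS that teleports the vessel shows up as an impossible implied
    speed between consecutive cards; the first card has nothing to compare to.
    """
    if not (-90 <= cur.lat <= 90 and -180 <= cur.lon <= 180):
        return False
    if prev is None:
        return True
    dt_h = (cur.ts - prev.ts) / 3600
    if dt_h <= 0:
        return False  # out-of-order or duplicated timestamp
    implied_kn = haversine_nm(prev.lat, prev.lon, cur.lat, cur.lon) / dt_h
    return implied_kn <= max_sog_kn


def evaluate_card(prev, cur, planned_leg, corridor_nm=3.0, max_sog_kn=30.0) -> list[str]:
    """Return dispatch-side alert strings for one card; empty list means all clear."""
    if not fix_plausible(prev, cur, max_sog_kn):
        return [f"{cur.vessel}: GPS fix implausible against previous card"]
    alerts = []
    for zone in CHOKEPOINTS:
        if haversine_nm(cur.lat, cur.lon, zone.lat, zone.lon) <= zone.radius_nm:
            xt = cross_track_nm(cur.lat, cur.lon, *planned_leg)
            if xt > corridor_nm:
                alerts.append(f"{cur.vessel}: {xt:.1f} nm off planned track inside {zone.name}")
    return alerts


# Constructed sample data: a planned leg through the zone and three cards.
PLANNED_LEG = ((26.2, 55.8), (27.0, 56.8))
PREV = PositionCard("MV Example", 26.5, 56.2, 16.0, 48.0, "underway", 0)
CUR_OK = PositionCard("MV Example", 26.6, 56.3, 16.0, 48.0, "underway", 1800)
CUR_DEV = PositionCard("MV Example", 26.6, 56.55, 19.0, 90.0, "underway", 3600)
CUR_SPOOF = PositionCard("MV Example", 26.6, 60.0, 16.0, 48.0, "underway", 3600)

if __name__ == "__main__":
    for card in (CUR_OK, CUR_DEV, CUR_SPOOF):
        print(evaluate_card(PREV, card, PLANNED_LEG) or "all clear")
```

The implausibility check is deliberately evaluated first: a card whose fix cannot be trusted should raise its own alert rather than be fed into the geofence logic as if it were a genuine deviation.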

One management panel, two products

Ship the device, ship the chat — both white-labeled to your support brand, both managed from the same admin console. Provision the bridge tablet and the bridge chat room in one workflow. Roll branding updates across both at once.

Who deploys this

Procurement shapes we see.

Tanker / bulker / container fleets

10–500 vessels, devices on the bridge + engine room + cabin. Procurement through a maritime IT integrator who white-labels HardenedOS to their support brand.

Cruise lines

Mixed Corporate + Basic deployment. Officer / crew tablets on Corporate. Guest-facing devices stay separate (different vendor, no overlap). Crew comms on Basic with required messenger app.

Offshore O&G + wind

Rig + service-vessel devices. Government tier policy is common — strict whitelist, hardware attestation on every heartbeat, mandatory biometric gate. Rotation crews swap devices on shift change; remote wipe ready when one walks off the rig.

Pilot one vessel. Then a class.

We'll send a small batch under your branding. Bridge + engine room + crew welfare, one ship, one rotation. Your IT keeps the management panel; we run the cryptography and the update pipeline.