The Maritime OT Threat Landscape

Cyberattacks targeting maritime infrastructure more than doubled in 2025, with analysts documenting 828 incidents across port-linked systems and vessels — up from 408 in 2024. The surge is driven by two converging trends: the digitisation and network connectivity of systems that were historically air-gapped or physically isolated, and heightened geopolitical tension that has elevated maritime infrastructure to a strategic disruption target for state-aligned threat actors.

Maritime OT environments present a distinct security profile from other critical infrastructure sectors. They combine:

  • IT/OT convergence at sea: modern vessels run Electronic Chart Display and Information Systems (ECDIS), Automatic Identification Systems (AIS), Global Maritime Distress and Safety Systems (GMDSS), and bridge management systems that are increasingly networked and satellite-connected
  • Shore-side operational dependency: port terminals run Terminal Management Systems (TMS), automated crane and yard handling systems, and gate processing systems that directly control physical cargo flow
  • Extended supply chain exposure: a single vessel call involves agents, shipping lines, port authorities, customs, freight forwarders, and container tracking systems — each representing a potential access pathway

Regulatory Framework

IMO Resolution MSC-FAL.1/Circ.3 and the 2021 Mandate

The International Maritime Organization’s guidelines on maritime cyber risk management (MSC-FAL.1/Circ.3) require that cyber risk management be incorporated into ship Safety Management Systems (SMS) under the International Safety Management (ISM) Code. Since January 1, 2021, ships subject to ISM Code requirements must have cyber risk management integrated into their SMS documentation, with verification by classification societies during annual and renewal audits.

In practice, this mandate has driven significant variation in compliance quality. Many operators have added generic cyber risk sections to their SMS without conducting the asset inventory, vulnerability assessment, and incident response planning that meaningful compliance requires.

IACS UR E26 and E27 (Effective July 2024)

The International Association of Classification Societies (IACS) unified requirements E26 (Cyber resilience of ships) and E27 (Cyber resilience of onboard systems and equipment) entered force for newbuilds with contracts signed on or after July 1, 2024. These requirements are the most technically prescriptive maritime cybersecurity standards in force:

UR E26 addresses vessel-level requirements: network segmentation between OT and IT systems, incident response plan existence and testing, access control to critical systems, software update management, and vulnerability management for OT equipment.

UR E27 addresses equipment-level requirements from vendors: equipment manufacturers supplying ECDIS, AIS, propulsion controls, and other OT systems to IACS-classed vessels must design products to defined cybersecurity requirements covering authentication, encryption, update mechanisms, and vulnerability disclosure.

For existing vessels and older equipment, IACS E26/E27 compliance is not retroactive, meaning a significant proportion of operating fleet remains subject only to the less prescriptive IMO 2021 requirements.

US USCG Maritime Cyber Strategy

The US Coast Guard’s 2024 Maritime Cyber Strategy and subsequent CG-5P policy letters require owners and operators of US-flagged vessels and OCS facilities to report cyber incidents to the National Response Center. The USCG has developed inspection procedures for maritime cyber compliance, with enforcement beginning in 2025. Separately, CISA’s maritime sector-specific guidance includes the Port Cybersecurity Recommended Actions document providing baseline controls for port operators.


OT Architecture: Where the Risk Lives

Vessel Control Systems

The primary OT attack surfaces on commercial vessels are:

ECDIS (Electronic Chart Display and Information System): The digital chart and navigation system that has replaced paper charts on most commercial vessels. ECDIS units run on embedded Windows or Linux platforms, accept chart updates via USB and removable media, and on newer vessels, receive updates via ship-to-shore data links. ECDIS compromise can affect navigation decisions. Malware introduced via chart update USB drives has been documented in real incidents.

AIS (Automatic Identification System): Transmits vessel identity, position, speed, and heading to other vessels and shore stations. AIS data is largely unauthenticated, creating vulnerability to spoofing — broadcasting false position data to create phantom vessels or mask a vessel’s actual position. AIS spoofing has been documented in Black Sea and Persian Gulf incidents. False AIS targets can trigger collision avoidance system alerts and create congestion in vessel traffic services.

GNSS/GPS: GPS spoofing — transmitting counterfeit GPS signals to override genuine signals — has been observed affecting vessel navigation in geopolitical conflict zones. Affected vessels report position errors of hundreds of kilometres or circular position anomalies. The Black Sea has been a documented spoofing environment since 2017; the Persian Gulf and Eastern Mediterranean have seen active spoofing campaigns aligned with Iranian and Russian maritime operations.

Propulsion and Engineering Control Systems: Engine management, ballast water control, and fuel systems on modern vessels use industrial control protocols (MODBUS, PROFIBUS, proprietary vendor protocols) on OT networks. On older vessels these systems are isolated; on newer vessels with integrated bridge systems, connections between navigation and engineering networks create lateral movement pathways.

Port Terminal Systems

Terminal Management Systems (TMS): Shore-based software platforms that manage vessel berth allocation, container tracking, crane assignment, gate processing, and yard management. TMS platforms from vendors including NAVIS, Tideworks, and CATOS run on Windows Server infrastructure and are increasingly cloud-accessible for remote management. TMS compromise in 2017 (NotPetya/Maersk), 2021 (Transnet South Africa), and subsequent incidents demonstrated that TMS outages create rapid port throughput collapse.

Automated Stacking Cranes and RTGs: Rubber-tyre gantry cranes in automated container terminals receive movement commands over OT networks. Unauthorised crane control commands represent both a physical safety risk and a cargo integrity risk.

Gate Processing Systems: OCR-based container scanning, truck appointment systems, and access control systems at terminal gates. Compromise can be used to manipulate cargo release authorisations — a documented tactic in cargo theft operations.


Threat Actors Targeting Maritime Infrastructure

Nation-State Pre-Positioning

Volt Typhoon’s documented pre-positioning in US critical infrastructure explicitly includes maritime and port infrastructure as a target category. The group’s objective — maintaining persistent access for potential disruption in the event of armed conflict — makes maritime logistics infrastructure a priority given its role in military supply chain and civilian import dependency.

Iranian-linked actors have been documented exploiting maritime infrastructure in the context of sanctions evasion monitoring, vessel tracking manipulation, and retaliatory disruption operations. The Iranian attack on Shapir’s maritime logistics operations and historical attacks on Saudi Aramco’s port infrastructure illustrate the sector-specific interest.

Ransomware Groups

Ransomware groups target port operators and shipping companies for the same reason they target other critical infrastructure: operational pressure creates willingness to pay. The 2021 ransomware attack on Transnet, South Africa’s national port operator, shut down container terminal operations at Durban, Cape Town, and Port Elizabeth for several days, creating queues of hundreds of vessels offshore.

Cargo Theft and Fraud

Criminal actors targeting port gate processing and TMS systems for cargo theft represent a financially motivated threat distinct from strategic disruption. Manipulation of terminal systems to authorise unauthorised cargo releases has been observed in multiple European ports, typically involving corruption of port employees with system access alongside technical compromise.


Vessel Operators

  1. USB and removable media controls: The ECDIS chart update vector is the most documented malware entry point on vessels. Implement USB whitelisting and mandate that chart updates from external sources be scanned on an isolated scanning station before connection to the ECDIS.

  2. Network segmentation — navigation vs. engineering: Separate ECDIS/AIS/bridge systems from engineering control networks and from the vessel’s crew internet access network. These should be physically or VLAN-separated with no uncontrolled cross-segment paths.

  3. GNSS anomaly detection: Deploy GNSS position monitoring that cross-references GPS position with AIS-reported position, inertial navigation data, and celestial fixes. Position discrepancies exceeding defined thresholds should trigger manual verification procedures. Bridge teams should be trained to recognise GPS spoofing indicators.

  4. Incident response plans specific to maritime scenarios: Generic IT incident response plans are insufficient for maritime environments. IRP should address: ECDIS failure and reversion to paper charts, loss of AIS, GPS spoofing protocols, and communication procedures when satellite data links are compromised.

Port Operators

  1. TMS network isolation: Terminal management systems should be segregated from administrative IT networks and should not have direct internet access. Remote management access should be through a jump server with MFA and session logging.

  2. OT asset inventory: Many port operators cannot accurately enumerate their OT assets, particularly older crane PLC systems and legacy gate systems. A current asset inventory is the prerequisite for vulnerability management.

  3. Supply chain vendor access: Terminal software vendors, crane maintenance firms, and OT integrators often retain remote access to port systems. These connections should be inventoried, require MFA, operate over dedicated jump hosts, and be time-limited or session-monitored.

  4. IACS E26/E27 gap assessment for new vessel procurement: Port operators specifying vessel requirements should include IACS E26/E27 compliance as a procurement requirement and request evidence of equipment-level UR E27 compliance from vessel owners.


Sector Assessment

The maritime sector’s OT cybersecurity posture is improving, driven by IMO mandates and IACS unified requirements, but the improvement is uneven. Newbuilds contracted after July 2024 are subject to materially stronger requirements than the operating fleet. The legacy fleet — vessels built before the IACS E26/E27 era — represents a vulnerability population that will remain in service for 20–30 years without mandatory retrofit requirements.

The combination of geopolitical motivation, financial incentive for ransomware groups, and systemic under-investment in maritime OT security makes this sector a high-priority threat environment. Organisations with maritime supply chain dependencies should include port operator and shipping line cybersecurity posture as a third-party risk assessment item, particularly for critical import routes.

Tags
maritimeport-securityshippingIMOIACSAISECDISGMDSSOT-securityGPS-spoofingvessel-controlterminal-management-system