While the maritime industry has made great strides to improve cyber risk management to date, significant gaps remain. In the first part of this series, we look at the state of cyber risk across the maritime industry, and the evolving responsibilities, risks and liabilities that come with it.
In recent years, seven of the world’s top ten container carriers have publicly acknowledged they have been victims of cyber attacks, with all of the leading four carriers being among the victims.
Despite this growing cyber security threat, the industry’s understanding of cyber attacks and where they come from remains relatively poor. So too is the industry’s understanding of its responsibilities, risks and liabilities. The situation will be improved by forging new connections where today we see disconnects. But in order to build those connections effectively we must understand the landscape of threats that we are trying to defend against.
There are a range of drivers that could motivate attackers. These vary from the benign, such as intellectually curious whitehat hackers with a desire to improve security; to the hostile, such as the desire to inflict physical damage on infrastructure, cargo, or people. The range of actors that might target the industry can vary from highly sophisticated state sponsored teams and organised crime gangs to activists and individual opportunists who have spotted a vulnerability. But for the majority of sophisticated attacks, there is financial motivation at play. Cybercriminals can monetise their operation by selling extracted data or extorting their victims. Hackers are known to act on bounties posted by nation-states or organised crime groups and cyber crime can be a lucrative career for those with the right skills.
ORGANISED CRIME AND OPPORTUNISTS
Worldwide criminal syndicates are increasingly using cyber crime as a source of revenue. Whether by direct extortion, theft or trafficking, the sources of wealth that hackers can extract through digital means is diverse and creative.
In 2011, hackers gained access to the Port of Antwerp’s terminal operating system. The compromised database contained precise locational information of each container within the facility. In tandem with the cyber breach, drug traffickers smuggled a steady flow of narcotics in and out of the port for at least two years. Packed within otherwise legitimate containers loaded with timber and bananas were large hidden volumes of cocaine and heroin. The information stolen from the port’s operating system allowed the mafioso to break into the secure facility and pinpoint their contraband amongst the thousands of nondescript containers for retrieval. The operation was so effective and discreet that the cargo’s lawful owners took no notice as their merchandise was left untouched. Authorities remained unaware until the criminals became overzealous and began removing entire containers from the facility, eventually leading to the operation being uncovered.
In 2016, a group of hackers broke into the content management system of a major container carrier’s website, giving them access to the cargo manifests for merchant ships operating globally. In turn, the manifests were sold on the dark web directly into the hands of Somali piracy syndicates. A spate of coordinated attacks ensued where these seafaring criminals targeted specific ships with the highest value cargo onboard. Once on the vessel, the pirates could quickly locate and empty only the relevant containers carrying precious cargo before fleeing. These attacks went on for months before the company eventually identified the pattern and secured the vulnerability.
Though smuggling drugs and stealing cargo can be lucrative, these operations have an inherently poor risk-reward ratio. In contrast, criminals can extort money with minimal risk and significantly greater reward through software categorised as ransomware. Ransomware exploits are comparatively simple to execute and can be either a bespoke design for a unique target or a software package bought on the dark web in the form of ransomware-as-a-service.
This code can infiltrate and encrypt critical computer networks, locking rightful users out of the system until a fee has been paid in exchange for its release. While this type of attack has been around for many years, the recent prominence of cryptocurrencies has afforded criminal operators anonymous payment methods, making it an increasingly popular form of cyber crime. As in other industries, ransomware attacks have now become a common occurrence in shipping.
This last year Swire Pacific Offshore, who operate a fleet of 50 vessels, became yet another victim of a ransomware attack. Fortunately, the ships were not materially affected, although it was a significant loss to the company and its employees. With varying uncertainty as to the extent of the fallout, analysts believe that stolen data included employee passports, emails, payroll, and banking information. While such personal details have a direct, monetary value on the dark web they could also indirectly enable greater impacts through more targeted future extortion, blackmail and socially engineered attacks on critical systems aboard.
The ransomware threat continues to evolve. In 2021, ransomware threat actors focused their tactics in two areas that should be particularly worrying for the maritime industry. The first shift in tactics relates to targeting systems that incorporate operational technology, causing physical and occasionally safety critical equipment to fail.
The most high profile case in 2021 relates to the attack on the Colonial Pipeline, a major system of petroleum infrastructure that runs from Houston to New York. About 45% of all fuel consumed on the United State’s East Coast arrives via this pipeline. In 2021, Russian-linked hackers executed a ransomware attack that shut down the pipeline’s operations. With the system down and in critical condition, the owners had no choice but to pay out the US$4.4 million in Bitcoin that the hackers demanded in exchange for restoring operational control. Secondly, but equally concerning, ransomware threat actors are increasingly targeting supply chain organisations to subsequently compromise and extort their customers. Supply chain attacks tripled in 2021. This includes very high profile attacks on SolarWinds and Kaseya, vendors of software that are commonly used either directly by ship owners and operators, or other organisations within the maritime supply chain.
THE IMPACT OF NATION STATES
While criminals carry out a significant proportion of attacks, nation states have the ability to carry out a significantly more dangerous type of attack. At the time of writing, the world is dealing with the fall out of Russia’s full-scale invasion of Ukraine. A number of successful cyber attacks have been launched throughout January and February 2022, targeted specifically at Ukrainian organisations. Of the incidents that have been discovered and reported by the global community of cyber defenders at the time of writing, the most concerning relate to a new destructive, “wiper” malware employed on attacks on Ukrainian organisations and attributed to Russian state actors.
Unlike ransomware that is designed to encrypt systems, then decrypt them once a ransom is paid, wiper malware is designed to destroy networks and files forever and, sometimes, indiscriminately.
COLLATERAL DAMAGE
If the use of “wiper” malware against Ukraine sounds familiar then it’s of course because perhaps the most infamous cyber attack on the maritime industry was the NotPetya attack of 2017, also “wiper” malware and also targeting Ukraine. Although the maritime sector was not a direct target, the attack was indiscriminate and brought down digital infrastructure across the globe. NotPetya took down the IT of Maersk Line, FedEx, and US food manufacturer Mondelez International and critical infrastructure such as power plants in the US and throughout Europe as well as several hospitals. It took several days for Maersk Line to rebuild their network, which they estimated to cost between US$200 million and US$300 million in lost revenue. FedEx estimated the attack cost them US$400 million. Mondelez International made a claim of US$100 million, but their insurer denied it on the grounds that the event was an act of war. Mondelez subsequently brought their insurer, Zurich, to court. At the time of writing, the case is still pending. The ensuing case will likely have a significant impact on the future of cyber insurance.
Though industry players will inevitably become deliberate targets, a substantial proportion of cyber attacks that hit the maritime industry are not necessarily directly targeted to do so. For maritime industry stakeholders, it is crucially important to understand how to protect operations from both targeted attacks and virulent shrapnel arriving from the otherwise unsuspected external digital ecosystem.
Understanding what makes the industry uniquely vulnerable is critical to overcoming the small shortcomings in security protocol that can result in staggering losses.
SPOOFING POSITIONING SYSTEMS
Global Navigation Satellite Systems (GNSS) are central to the proper functioning of equipment throughout a ship’s navigational systems. But GPS is particularly vulnerable to external influences because the receiver interacts with low-energy signals from space and these weak signals can be easily overpowered with false information. This process is known as spoofing, and has become a serious issue worldwide. Disruption to a small area is simple to execute as amateurs can purchase the equipment required for basic attacks for less than US$100. With the resources of a nation state, a sophisticated spoof on an entire region or sea is not just a possibility, it is a reality.
There is a steadily growing list of large-scale occurrences of GPS spoofing. In 2017, a Russian military exercise was clearly interfering with the positioning systems of over 50 commercial vessels. Fortunately, it caused minimal trouble as the inconsistencies were so great that many ships’ digital charts displayed their location far inland near a regional airport. The positioning problem was obvious to those involved onboard and officers proceeded with due caution. However, when the spoofing is subtle, the ship’s navigation team may not realise they are under attack, resulting in far more severe consequences.
The Strait of Hormuz is a notoriously difficult stretch of water to navigate. Ships transiting the Strait have to make a difficult turn in crowded water that is shared between Iran and Oman. On the 19th of July 2019, the UK-flagged vessel Stena Impero transited the strait en route to pick up cargo in the Persian Gulf. The ship’s regular course keeps it well within the Oman waters, away from the border with Iran. But on this occasion, the ship’s crew experienced unusual deviations from their voyage plan and had to continuously adjust the vessel’s course to stay on their intended track line.
Though not confirmed by Iranian or UK authorities, experts widely believe that the ship’s GPS was spoofed to force it to cross into Iranian waters unintentionally. Raw Automatic Identification System (AIS) data captured from the vessel by Lloyd’s List Intelligence show that the GPS was reporting position data inconsistent with the vessel’s true course and speed.
Though it is not clear whether the ship actually crossed into Iranian waters, it was boarded by Iran’s Revolutionary Guard and detained for two months as part of an escalating diplomatic crisis between Iran and western governments.
TARGETING CHOKE POINTS
40% of the world’s oil supply passes through the Strait of Hormuz, making it a crucial choke point in the global supply chain. But Hormuz is only one of a small number of critical waterways that can be manipulated to disrupt world trade. The straits of Dover, Malacca, and Bosporus are equally important narrow channels that occur naturally around the world. Further, man made waterways such as the Panama and Suez canals are vital routes for maritime trade.

The grounding of the Ever Given in the Suez Canal was not caused by a cyber attack but it stands as an example of the fallout of such an event. For six days, the ship remained wedged into the sides of the Suez Canal. It is estimated to have cost the global economy between US$6 billion and US$10 billion per day in lost trade. Should malicious actors need an example of the power and simplicity of putting the rudder in a hacked steering system hardover, they need look no further than the headlines in the news.
Whether through spoofing GPS, or hijacking a ship’s control system, the ability of a nation state to manipulate the movement of maritime vessels can cause billions of dollars of disruption, shock the global supply chain, increase the cost of goods, and even instigate international conflict. The Ever Given and the Stena Impero are just two illustrations of hackers’ potential power to manipulate maritime assets. Fortunately, direct attacks by nation states are rare; the industry is far more likely to suffer an attack from an unintentional insider.
THE UNINTENTIONAL INSIDER
Of all the threats to the industry, perhaps the highest frequency of them all comes from the insider.Insider threat comes from a person who has been given authorised access to or knowledge of an organisation. The threat can be either intentional or unintentional. The actor could be an employee, contractor, vendor or simply a visitor to the ship.
In many ways, insider threat is the most unpredictable. Insiders know the weaknesses of the organisation’s cyber security and the location and nature of the sensitive data and systems they can abuse. Most of the time they may be circumventing controls with good intentions but this doesn’t mean the consequences will be good. If an insider chooses to deliberately breach a system for ill effect, they can be very targeted and accurate with their actions and intent. Because they know the systems, the potentially harmful activities of insiders can be harder to detect than those of external actors.
“over 95% of the cyber incidents on vessels it monitored during 2021 could be linked back to the unintentional insider.”
According to data from CyberOwl, over 95% of the cyber incidents on vessels it monitored during 2021 could be linked back to the unintentional insider. This demonstrates the pervasiveness of the problem.
The vast majority of this relates to actions that explicitly contravene the cyber security policies of the organisation, which is often directly referenced within the Safety Management System. Over 60% of computers monitored by CyberOwl have various unofficial or crew-installed software, and 30% of computers make frequent use of the local administrator account giving the user full rights to the machine. The team frequently detects network configuration changes, such as connecting a computer to 4G tethering to download files or software.
Download the full report here
CYBER SECURITY MANAGEMENT SERIES
In the last few years, the maritime industry has made great progress in improving its approach to cyber risk management, but significant gaps remain. This report developed in collaboration with CyberOwl and HFW explores the gaps that exist between the industry’s perceptions of cyber security and reality, taking into account the views of more than 200 stakeholders from across the industry, including cyber security experts, seafarers, shoreside managers, industry suppliers, and C-suite leaders.
Over the coming weeks, we will be sharing a series of articles on the state of cyber risk management in the maritime industry, and we will also uncover the great disconnects that exist across the industry where expectations and reality don’t match up, cyber risk management efforts are lacking, or risks that are unique to maritime exist.

Download your copy for free @ THE GREAT DISCONNECT