Navigating the Future of Maritime Cyber Security

The maritime domain is an increasingly busy and industrialised space. Over 80% of the volume of all global trade is conducted by sea. Maritime trade, and the ships and ports that enable it to take place, are the lifeblood of the global economy. Yet the maritime sector also faces a series of threats and risks to its integrity and operations. These include established challenges of maritime crime – piracy, smuggling and so on – but also cyber threats.

To develop shared understandings of the severity of cyber threats and identify joined-up responses, six maritime nations have formed the International Partnership for Maritime Cyber Security (IPMCS). The Partnership comprises Australia, Denmark, the Netherlands, Singapore, the United Kingdom, and the United States. The IPMCS has met since 2016 at regular intervals under rotating chairmanships, and its meetings bring together governmental regulators, law enforcement, industry and academics.

As part of the United Kingdom’s 2024 chairmanship, the UK’s Ministry of Transport organized a Global Maritime Transportation System Cyber Security Symposium (GMTSC24), which was held in London on 8-10 May 2024. This commentary reflects on the key insights of the event, which I had the pleasure to attend.

What are the threats?

A unifying thread at the symposium was that cyber-attack risks for the maritime sector are growing rapidly, with a significant escalation of hostile cyber activities in recent years.

Cyber-attacks on the maritime domain were discussed in relation to three main activity types. The first are attacks which aim to cause disruption, for example to commercial operations or to global manufacturing or supply chains, for strategic, extremist, criminal, or activist purposes.

The second are those which exploit vulnerabilities in systems for the purposes of state or corporate espionage, or to create opportunities for criminality such as extortion, identifying ships for piracy attacks, or facilitating the movement of smuggled goods through ports.

A final category comprises the collateral damage caused by such attacks, such as the knock-on effects of disruption to a major port to wider supply chains, or the indirect impact on the maritime sector of a cyber-attack directed elsewhere.

To date, maritime cyber-attacks have fallen mostly into the second category, especially phishing or ransomware attacks aimed at extorting money from companies or their employees.

Three actors: States, criminals and extremists

There was considerable discussion of the nature of the cyber-attackers targeting the maritime sector. Three main hostile actor categories were identified.

The first are hostile states aiming to cause damage or disruption to their competitors and adversaries. Participants agreed that state cyber threats to the maritime sector have escalated significantly in recent years, in large part due to tensions with Russia over the Ukraine war, with China over the Taiwan Straits and South China Sea, and with Iran over the crisis in the Middle East.

Russia was considered the most active cyber aggressor, with highly developed offensive capabilities. Russian activities have been most frequently targeted at Ukraine, which has suffered repeated cyber-attacks on its energy infrastructure and elsewhere. However, there is also evidence that Russia has used cyber-attacks for espionage and information gathering activities against western targets, including maritime oil and gas facilities.

China too was identified as a ‘top tier’ cyber power, with an emphasis on commercial espionage and intellectual property theft. However, participants suggested the potential for more destructive attacks in future too. This is especially so given recent evidence of the ‘pre-positioning’ of dormant malware by Chinese hackers, potentially to facilitate future acts of sabotage. Because of the centrality of ports and shipping to US logistics in the Pacific and beyond, the maritime sector is likely a priority target for these and similar activities in future.

Though not as proficient or wide ranging as Russia and China, Iran’s offensive cyber capacities were also considered to be significant and growing. To date, these have been focused on the Israeli maritime sector, though have the potential to be used elsewhere too.

While the capabilities and resources of state actors make them a serious potential cyber threat, it was also acknowledged that by far the most frequent type of attacks on the sector are criminally motivated, with the aim of extorting money from companies and their employees. Cyber criminals vary greatly in the sophistication and scale of their activities. However, even at the lower end, the sheer number of such activities targeting large and complex organisations such as ports means they present a serious, ongoing, and growing risk.

Finally, there was concern over the rise of non-state political extremist groups engaged in hacking activities and cyber-attacks, including potentially those targeted at the maritime sector. These may also be clandestinely state sponsored or supported, as is suspected to be the case with some Russian nationalist hacker networks. Even if states do not actively support such groups, many are tolerant of their activities or do not actively pursue them, meaning they can effectively operate with impunity.

What makes the maritime sector distinctive?

Participants from across the sector identified characteristics which shape its vulnerability to cyber-attacks. For a start, the sector is highly diverse. It incorporates shipping, port, and offshore energy activities and the various companies, services and supply chains that enable and sustain them.

While the largest shipping interests, such as MSC, Moeller-Maersk and CMA, are huge multinational conglomerates, the bulk of the sector is much smaller than this, with an estimated 70% of shipping companies worldwide for example running fewer than 15 vessels. Similarly, ports are distributed globally and vary significantly in their size, capacity, and cyber awareness and resilience.

Participants suggested that this diversity means that there is a significant ‘digital divide’ within the sector itself, with large ports and major shipping companies better prepared for cyber-attacks than their smaller counterparts elsewhere.

Security through seablindness?

The importance of ships and ports to day-to-day life is often hidden from view and receives little political or public attention: a widespread phenomenon which is often called ‘seablindness.’

Some participants suggested that this obscurity has shielded the sector from the worst attentions of malign cyber actors. Indeed, while maritime industries face multiple cyber incidents every day, to date these have tended to be small scale in nature or spillover effects from attacks elsewhere. It is notable for example that most of the malware found onboard ships has not been designed specifically to attack shipping systems.

However, this ‘security through obscurity’ means that with some exceptions the sector is relatively immature in terms of its resilience to cyber-attack, and often has weak cyber security preparedness.

This is a concern given the rapidly growing number of cyber-attacks on the sector. It has been estimated, for example, that cyber-attacks on major ports increased by 900% in the period between 2017 and 2023, to a figure of over 100 attacks per day.

A widening attack surface

A key theme of the symposium was the ongoing digital transformation of the maritime sector. Ports in particular are increasingly reliant on digital technologies and processes, which are managed through interconnected software and communication networks, database infrastructures, and IT systems.

The multinational nature of many maritime companies means that these processes are often shared across multiple ports in different parts of the world. Ports also interconnect with numerous different suppliers and subcontractors who may work on site or in the wider supply chain. This further increases their potential cyber attack surface and adds significant complexity to cyber security responses.

Ships are different, in that for much of their time at sea they are often only minimally connected to wider IT networks. Even so, many systems and processes on board vessels have also become increasingly digitized and even automated. These include navigation systems, which often rely on GPS positioning through satellites, as well as tasks such as engine management and cargo processing.

Dilemmas and solutions

There was general agreement that the maritime sector faces a pressing need to build cyber security and resilience in the face of these threats and vulnerabilities. While larger shipping, port, and energy companies are developing robust cyber security procedures and safeguards, the smaller operators that comprise most of the industry are likely more exposed, often due to concerns about the cost of instituting robust countermeasures.  

For many smaller actors, the time and resource demands of staff training across a diverse, often high-turnover workforce, and the opportunity costs of introducing new organisational systems, protocols and procedures, may be prohibitive. There was a view that some companies accepted exposure to cyber risks such as ransomware attacks as a cost of doing business.

Improving regulation and reporting  

Resistance within parts of the sector to instituting more robust cyber security measures creates a dilemma for governments. Ships and ports sustain vital national supply lines, while offshore energy providers provide critical capacity to national power grids. Cyber threats to commercial operators and systems thus have significant national security implications too.

There was discussion of how far states should regulate providers to ensure appropriate and standardised cyber security provisions for companies operating in their jurisdictions or ships visiting their ports. There were also calls for more open and transparent reporting of cyber incidents between state and industry to inform early warning notices and pre-emptive action.

For their part, industry participants emphasised the importance of autonomy for the sector and highlighted a general wariness about increased state regulation and reporting requirements. Such measures were often seen to impose additional cost burdens or commercial risks for companies already working to very tight margins.

Burden sharing between stakeholders

Despite these areas of contention, there was agreement amongst all participants that meeting the maritime cyber security threat requires some form of burden sharing (of costs, risks, and responsibilities) between states and industry.

The relative immaturity of cyber security systems and processes in large parts of the maritime sector means that these relationships are currently in the process of negotiation and experimentation. However, all participants recognised that the sector’s time of ‘security through obscurity’ was rapidly coming to an end and that the frequency and severity of cyber-attacks will increase markedly in future.

In this context, government actors argued that the opportunity costs for the industry of not taking cyber security more seriously may soon change the risk calculations of even the smallest organisations.

Participants identified steps that states might take to allay some of the industry’s concerns. Examples included the creation of trusted and anonymous incident reporting systems to increase confidence in the security of information sharing processes and mechanisms.

Considerable value was also placed on the advice and guidelines available through various national and regional cyber security centres of excellence, like the UK’s National Cyber Security Centre (NCSC), representatives of which were present at the event.

Finally, there was discussion of examples of successful state-industry burden sharing elsewhere, for example in relation to critical infrastructure protection on land, or the collective response to piracy off the coast of Somalia in the early 2010s.

Both cases show the importance of a clear quid pro quo between public and private actors in encouraging an integrated response, with industry able to rely on a swift state response in return for increased regulation or reporting requirements.

International solutions

GMTSC24 and the IPMCS partnership are emblematic of the increasingly important role played by mini-lateral bodies in bringing together like-minded states to work around shared problems.

However, the globally distributed nature of the commercial maritime sector and the regulations it operates under means that the maritime cyber security challenge will ultimately have to be met in wider international standard setting bodies. Progress in the International Maritime Organization (IMO) is perhaps most important in this respect.

In the meantime, arrangements like the IPMCS partnership will continue to play a key role in supporting the development of a consensus and taking pragmatic steps to strengthen cyber-resilience in the sector going forward.