Stephen McCombie: Cyber threats to the global maritime transportation system

Stephen McCombie 
Professor of Maritime IT Security
NHL Stenden University of Applied Sciences
Netherlands

stephen.mccombie@nhlstenden.com

With the global rise in attacks by cyber threat actors, we now see the deliberate targeting of critical infrastructure. This has been particularly evident in the lead-up to and conduct of Russia’s invasion of Ukraine, where both sides in that conflict have significant capability and have used it. This proliferation is concerning due to the potential for a serious impact on the global economy and security. This is particularly evident within the Global Maritime Transportation System (GMTS). The GMTS is a system of systems that includes not just vessels but also waterways, ports, and land-side connections, moving people and goods to and from the water. The role of the GMTS in the global economy is significant, with over 80% of the world’s cargo transported by ship, while at the same time fleets are ageing and their technology is ageing with them.

In a 2019 report, ‘Shen attack: Cyber risk in Asia Pacific ports’, produced by the University of Cambridge Centre for Risk Studies, researchers described a hypothetical cyber-attack across the Asia Pacific against 15 ports using malware that jumped from ships to ports. They projected the loss could go as high as USD$110 billion. While we have not seen a cyber-attack of that size, the well-known case of Maersk, which lost over USD$300 million in 2017 in the NotPetya malware attack, is a noteworthy example.

To get some context for what a major cyber-attack on the GMTS might look like, we can look at non-cyber incidents of a kind that could easily be caused by a cyber-attack. For example, in 2021 the MV Ever Given blocked the Suez Canal and caused major disruption. The incident caused losses of some USD$9 billion per day during the blockage. Similarly, in 2024 the MV Dali collided with the Francis Scott Key Bridge in Baltimore, collapsing it and killing 6 workers. Greater loss of life was prevented due to quick action by port authorities. The collapse blocked the harbour and caused significant second-order impacts. Bruce Carnegie-Brown, the chair of Lloyd’s of London, said it was “potentially the largest-ever marine insured loss”, as high as USD$4 billion. Such incidents could easily be caused by a cyber-attack. The aim of such an attack might be a part of a great power conflict (e.g., USA/China), a regional conflict (e.g., Israel/Iran), or cybercriminals demanding ransom or shorting the stock market.

As an initiative to enhance awareness of these cyber threats, a publicly available Maritime Cyber Attack Database (MCAD) has been developed by our Maritime IT Security research group at NHL Stenden. MCAD spans from 2001 to 2023 (currently collecting 2024) and includes over 290 discrete maritime cybersecurity incidents. These incidents involve 54 countries and over 50 vessels, in addition to various GMTS-associated entities such as ports and shipping companies. The attribution of these incidents points to a range of known nation-state and criminal threat actors. Before 2016, threat actors originating in Asia (primarily China and North Korea) were responsible for the majority of incidents studied, while from 2016 onward, Russian threat actors assumed an outsize role. The frequency of cybersecurity incidents targeting the GMTS has steadily increased since 2001 and then significantly increased in 2022 and 2023. Ransomware also increased significantly in those years and comprises over half (53%) of incidents.

Apart from traditional cyber-attacks such as destructive malware and ransomware, the maritime sector is uniquely vulnerable to attacks on its navigation systems. The jamming and spoofing (sending of erroneous locations) of global navigation satellite systems (GNSS), such as the commonly used GPS, and of the Automatic Identification System (AIS) used in the maritime sector, is now widespread. In 2019 a GPS spoofing attack was used by the Iranian Revolutionary Guard to lure a British ship, the Stena Impero, into Iranian waters so they could board it. MI6 and GCHQ were reportedly investigating whether Russia may have provided technical assistance in this incident. In 2021 two NATO warships visiting the Ukrainian port of Odessa had their AIS signals spoofed, showing them travelling from Odessa into the Russian Navy base at Sebastopol. In fact, they never left the wharf in Odessa, but it is believed Russian military intelligence (GRU) sent these false signals as a provocation. This was not an isolated incident, with other NATO ships similarly having their AIS signals spoofed in the Baltic and Atlantic in 2020 and 2021.

While generic cyber hygiene (i.e. desktop protection, network security and patching) is important, good threat intelligence is also needed. With that knowledge, organisations can ensure they are prepared for likely attacks and, ultimately, the inevitable breaches that will occur. This can be achieved by combining threat-focused defensive and monitoring measures with regular and comprehensive cyber exercises.