All aboard and under attack: Strategic Navigation of Cyber Seas
- Acua Ocean
- Jun 5
A strategic review of cyber threats to the maritime sector
The maritime sector in the UK is a cornerstone of the nation’s economy, connecting global trade routes, supporting critical supply chains, and facilitating defence and security operations. However, as the industry grows increasingly digitised, it is becoming a lucrative target for cybercriminals.
One in five shipping companies reported suffering some form of cyber attack in the past year[1]. Despite the high stakes, the UK maritime sector remains ill-prepared to counter these threats. This blog explores why this is the case, drawing on real-world examples and systemic vulnerabilities to emphasise the urgent need for a robust cybersecurity framework.
This article is a guest contribution from You Gotta Hack That, a UK-based cyber security consultancy specialising in penetration testing of industrial systems and connected devices. With deep expertise across operational technology, maritime environments, and hardware exploitation, YGHT helps organisations uncover and address real-world security vulnerabilities before adversaries do.
1. The Overlooked Second-Order Effects of Cyber Threats
Many maritime organisations understand the immediate risks associated with cyberattacks, such as disrupted operations or financial loss. However, they often overlook the second-order effects—the cascading consequences that can emerge from seemingly minor data breaches or system compromises. Attackers are becoming more data-aware, and able to piece together seemingly unrelated data points or breaches to inform future attacks. This can be seen in the rise of InfoStealer malware (which extracts saved credentials and other private information and sends them to an attacker). By collating these very small breaches into a centralised database or list, attackers are having drastically increased success in exploiting credential reuse against corporate VPNs or software as a service, taking advantage of employees saving work credentials into their home computers.
Let’s examine a fleet tracking system used by a maritime logistics company. If attackers gain access to this data or system, they can infer patterns of movement and identify schedule vulnerabilities, allowing them to plan physical attacks such as cargo theft or vessel hijackings. These risks extend beyond the financial to endanger personnel and cargo security. Similar types of cyber-assisted attacks have been seen in South Africa, with attackers making use of jammers to disrupt cash movement transport communications and prevent them calling for help. Currently this second-order thinking is rarely embedded in the maritime sector’s cybersecurity strategy.
This lack of foresight stems from a broader trend in cybersecurity across industries: the failure to connect data vulnerabilities to physical consequences, regulatory fines, stock market changes and reputation risk. In the maritime world, where cyber-physical systems such as autonomous vessels and port infrastructure are increasingly common, this disconnect has potential for severe consequences affecting both safety and availability.
2. Lessons from Automotive and Other Industries
The maritime sector’s slow adoption of cybersecurity practices mirrors the challenges faced by traditional automotive manufacturers. A notable example is the infamous Jeep Cherokee hack in 2015, where researchers demonstrated that they could remotely control a vehicle’s critical functions over the internet. Whilst upcoming EU changes around automotive security will improve security posture for new vehicles, existing cars will remain vulnerable to the ‘relay theft’ attack, which exploits vulnerabilities in the implementation of keyless entry, allowing cars to be unlocked and the engine started without needing physical access to the keys.
Despite the public exposure of such vulnerabilities, many manufacturers remain slow to implement rigorous cybersecurity measures. The maritime sector risks following a similar trajectory.
Most modern vessels are equipped with advanced digital systems, from navigation to engine management. These systems are often built with operational efficiency and safety in mind, but not necessarily with security as a priority. As a result, vulnerabilities—whether in legacy software or new technology integrations—can provide entry points for attackers. These entry points can be difficult to remediate whilst the vessel is in service, requiring expensive downtime, maintenance windows for software upgrades and even physical refits for architecture alterations. When considered in conjunction with the number of years a vessel will be in service for and maintenance cycles, this can introduce a significant window of vulnerability.
The lessons from other sectors underscore the importance of proactive rather than reactive approaches to cybersecurity. Competitions like the Zero Day Initiative (ZDI) and conventional Bug Bounty programmes have highlighted the importance of incentivising white-hat hackers to expose vulnerabilities before malicious actors do. Using schemes such as Lloyd’s Register ShipRight and the IASME Maritime Cyber Baseline as a reference can help reduce inherent cyber risk, and can often assist with compliance requirements from insurers. The maritime industry needs a similar initiative to stay ahead of emerging threats.
3. The Myth That Small Players Are Safe
A common misconception among smaller maritime operators is that their size makes them less attractive targets for cybercriminals. This belief is both dangerous and unfounded. Cyberattacks fall into two broad categories: targeted and opportunistic.
1. Targeted attacks: these involve deliberate attempts to breach a specific organisation, often with a clear objective, such as disrupting supply chains or stealing sensitive data.
2. Opportunistic attacks: these exploit vulnerabilities wherever they exist, regardless of the organisation’s size.
Even small players in the maritime sector can become victims of opportunistic attacks due to their online presence. Worse, they may serve as entry points for attackers aiming to infiltrate larger organisations. For instance, attackers targeting a country’s navy might exploit a small subcontractor with weaker defences to gain access to sensitive systems. This upstream supplier attack has already been seen in the UK, with a supplier of fencing to sensitive military sites being compromised by the LockBit ransomware gang and over 10GB of data exfiltrated.
The interconnected nature and complex supply chains of the maritime industry mean that even seemingly insignificant breaches can have far-reaching consequences. Smaller operators must recognise their role in the larger ecosystem and invest in cybersecurity measures proportionate to the risks they face.
4. The Security Bell Curve: Why Resources and Focus Matter
In cybersecurity, there is a “sweet spot” of organisational maturity. Small businesses often lack the budget and expertise to address basic cybersecurity challenges. Conversely, large organisations may have too many assets and complex infrastructures to secure effectively. It’s medium-sized organisations that tend to strike the right balance between capability and problem set.
Unfortunately, many maritime operators fall at the extremes of this bell curve:
- Small operators struggle to allocate resources and budget for cybersecurity, focusing instead on maintaining day-to-day operations and innovation[2].
- Large operators, like multinational shipping companies, face the daunting task of protecting sprawling, interconnected networks and supply chains, combined with a desire to maintain agility.
The maritime sector must prioritise bridging this gap. For smaller operators, government incentives (such as the sector-specific NCSC Funded Cyber Essentials[3] programme) and accessible training programs can help raise baseline security standards as a starting point. This will raise the bar for attackers, but will not fully reduce the threat. Seemingly small improvements such as access to pre-hardened CIS benchmark operating system images[4] can have outsized effects. For larger entities, adopting scalable, infrastructure-as-code security solutions is crucial to managing their extensive digital footprints, combined with continuous external attack surface coverage. Controls such as those found in the SANS Top 5 Critical Controls[5] can also provide measurable guidance to securing OT networks, and any areas where IT and OT overlap.
5. Understanding Hacker Motivations
To effectively counter cyber threats, it is essential to understand the motivations behind them. Broadly, hackers fall into three categories:
1. Nation-state actors: Motivated by geopolitical objectives, these attackers aim to disrupt critical infrastructure or gather intelligence. Chinese malware has been found on networks belonging to Western cargo shipping companies[6]. Both China and Russia have been linked to maritime-focused cyberattacks designed to weaken Western economies, collect strategic intelligence, conduct industrial espionage or bolster their own military capabilities.
2. Organised crime groups: These entities are financially motivated, targeting organisations for ransom or theft. Maritime companies are attractive to these groups due to the high value of their cargo and data[7]. These groups also exploit vulnerabilities at scale, deciding only later in the attack whether the company and its data are of interest.
3. Independent hackers: Often driven by ideology or curiosity, these actors may target maritime systems to expose vulnerabilities or test their skills. While their actions may not be financially motivated, the damage they cause can be significant.
Understanding these diverse motivations helps maritime operators anticipate potential threats and tailor their defences accordingly.
6. The Role of Cyber Essentials and Beyond
In the UK, initiatives like Cyber Essentials Plus aim to bring companies up to a minimum standard of cybersecurity. While valuable, these frameworks are not designed to defend against sophisticated or highly motivated attackers. The maritime sector’s reliance on basic measures leaves it vulnerable to low- to medium-complexity threats. Frameworks such as the ISA/IEC 62443 and the associated certifications can make a real difference in improving resiliency.
To build resilience against emerging cyber threats, the industry must go beyond minimum standards. This involves:
1. Investing in advanced threat detection and response systems: Early detection of anomalies through baselining OT communications can prevent attacks from escalating.
2. Conducting regular vulnerability assessments and external attack surface scanning: Proactively identifying external weak points and acting swiftly to remediate them before an adversary can exploit them.
3. Training employees: Human error remains one of the most significant cybersecurity risks. Comprehensive training and education programs can help mitigate this.
7. The Asymmetric Nature of Cyber Attacks
One of the most daunting aspects of cybersecurity is its asymmetry. For attackers, launching a cyberattack can be inexpensive and low-risk. For defenders, however, protecting systems against a myriad of potential threats is costly and resource-intensive. The attacker only has to “win” once, whilst the defender has to “win” every time.
This asymmetry is particularly pronounced in the maritime sector, where the cost of defending against cyberattacks—from securing shipboard systems to protecting global supply chains—is substantial. The sector must adopt innovative approaches, such as leveraging artificial intelligence to detect anomalies and automate threat detection and response, to address this imbalance. Modern security technologies can make use of detection-as-code methodologies, allowing for automated threat feeds to react quickly as threats become discovered.
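The baselining of OT communications listed in section 6 and the detection-as-code approach mentioned above, shown together as an added example (not code from this article or from You Gotta Hack That): the detection is a small, version-controllable function that learns the conversations seen in a known-good window and classifies anything outside it. The addresses, ports, host roles and the names `Flow`, `build_baseline` and `detect` are constructed for illustration.

```python
from collections import namedtuple

# One network conversation: source, destination, protocol, destination port.
Flow = namedtuple("Flow", "src dst proto dport")

# Constructed known-good window for a shipboard OT network (not real traffic).
BASELINE_WINDOW = [
    Flow("10.0.10.5", "10.0.20.10", "tcp", 502),     # bridge workstation -> engine PLC (Modbus/TCP)
    Flow("10.0.10.20", "10.0.10.30", "udp", 10110),  # GPS receiver -> ECDIS (NMEA over UDP)
]

# Constructed traffic observed after the baseline was taken.
OBSERVED = [
    Flow("10.0.10.5", "10.0.20.10", "tcp", 502),     # matches the baseline
    Flow("10.0.10.5", "10.0.20.10", "tcp", 22),      # known pair, service never seen before
    Flow("10.0.30.99", "10.0.20.10", "tcp", 502),    # host never seen in the baseline
    Flow("10.0.10.20", "10.0.20.10", "tcp", 502),    # known hosts that never talked to each other
    Flow("10.0.10.5", "10.0.20.10", "tcp", 22),      # repeat of an already-reported deviation
]

def build_baseline(flows):
    """Learn the set of conversations seen during a known-good window."""
    return {tuple(f) for f in flows}

def detect(baseline, flows):
    """Return (reason, flow) for each distinct flow that is not in the baseline."""
    known_hosts = {h for (s, d, _, _) in baseline for h in (s, d)}
    known_pairs = {(s, d) for (s, d, _, _) in baseline}
    alerts, reported = [], set()
    for f in flows:
        key = tuple(f)
        if key in baseline or key in reported:
            continue  # expected traffic, or a deviation already alerted on
        reported.add(key)
        if f.src not in known_hosts:
            reason = "new_source"        # unknown device on the OT network
        elif (f.src, f.dst) not in known_pairs:
            reason = "new_conversation"  # known devices, new relationship
        else:
            reason = "new_service"       # known relationship, new port or protocol
        alerts.append((reason, f))
    return alerts

if __name__ == "__main__":
    for reason, flow in detect(build_baseline(BASELINE_WINDOW), OBSERVED):
        print(f"{reason}: {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}")
```

Because the rule is ordinary code, it can be reviewed, tested against recorded traffic and rolled out through the same pipeline as any other change.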
Conclusion: Building Resilience in the Face of Emerging Threats
The UK maritime sector’s unpreparedness for cyber threats is not a matter of negligence but of underestimation. As the industry becomes more digitised, the stakes of inaction grow higher. To safeguard the sector’s critical role in food and energy security and the wider economy, maritime operators must:
1. Recognise the full scope of cyber risks, including second-order effects.
2. Learn from other industries that have faced similar challenges. Many industries with extensive OT environments or regulation have already been through the cybersecurity maturity process, and maritime organisations should seek to learn from them, rather than reinventing the wheel.
3. Begin to address the unique vulnerabilities of both small and large operators through baseline frameworks and modern software and network practices.
Want to stay ahead of the next wave of maritime cyber threats?
At You Gotta Hack That, we help maritime operators, logistics providers, and port authorities assess and strengthen their defences against emerging cyber risks.
- Get in touch to discuss how we can help secure your digital infrastructure, or
- Listen to the You Gotta Hack That podcast where we dive deep into real-world case studies, threat trends, and hacking critical environments and technology.
[3] https://www.dragos.com/blog/the-sans-ics-five-critical-controls-a-practical-framework-for-ot-cybersecurity/
[4] https://maritime-executive.com/article/chinese-spy-malware-found-in-european-shipping-companies-systems
[7] https://www.dragos.com/blog/the-sans-ics-five-critical-controls-a-practical-framework-for-ot-cybersecurity/