A different defensive model is needed

Cyber resilience in the maritime sector: are you ready for new threats?

16 Apr 2026
Wouter Otterspeer

Director, PwC Netherlands

Angeli Hoekstra

Partner Cybersecurity, Privacy & Resilience, PwC Netherlands

The maritime sector doesn't just move cargo; it moves the global economy. Over ninety per cent of international trade crosses the ocean, from the raw materials that fuel industry to the energy resources that power nations. At the same time, it serves as an important strategic asset: transporting military assets, securing vital supply lines, and shaping the balance of geopolitical power. 

That makes it a prime target, not just for cybercriminals seeking financial gain, but also for nation-state actors who want invisible, persistent access to the systems that control shipping routes, port operations, and vessel subsystems. The most dangerous adversaries don't want to shut you down today. They want to be inside your systems ready to act on their objectives when the moment demands it. 

Yet many maritime organisations have designed their cyber defences around a different scenario, focusing on preventing disruption, maintaining availability, and meeting safety and compliance requirements. That defensive model was adequate, but it was built for a threat landscape that has since been superseded by a far more complex reality. Today, the maritime sector sits at the intersection of escalating geopolitical tensions, which have made maritime infrastructure a key hybrid warfare target, and an expanding attack surface due to rapid digitalisation and (AI-driven) automation of ports, vessels and infrastructures.

The current threat landscape in the maritime sector

The maritime sector has seen a marked increase in cyber-attacks over the past three years. Between 2022 and 2025, reported incidents rose by approximately 150 per cent, with Europe experiencing a significant share of this activity [1, 2]. The threat actors targeting maritime organisations are diverse and increasingly sophisticated.

State-sponsored actors, particularly from Russia and Iran (amongst others), have been observed conducting cyber-attacks against maritime infrastructures [3, 4]. These operations are often linked to the currently increasing geopolitical tensions and hybrid warfare strategies. For example, an infamous Russian actor associated with military intelligence has targeted Western shipping and logistics networks, not only for espionage but also to maintain the capability for sabotage and disruption at will. Given the role certain ports in Europe have as key NATO logistics hubs for military transports into the hinterland, this threat can have far-reaching implications.


Recent examples that underpin the threat 

Crimea, Black Sea (2021): the Automatic Identification System (AIS) data for the British destroyer HMS Defender and the Dutch frigate HNLMS Evertsen was faked to show them in a highly provocative stance near Russia’s Black Sea naval base in Sevastopol [7]

Black Sea (2023–2024): Russia’s ongoing location jamming and spoofing during the Ukraine war disrupted civilian shipping. Ukraine destroyed a Russian-held offshore platform allegedly used for GPS spoofing [6]

Strait of Hormuz (2025): Amid the Israel–Iran conflict in 2025, GPS jamming affected 1,600 vessels daily. Two oil tankers collided during the disruption. Operators halted night transits, causing congestion in a key global shipping lane [8, 9]

Nation-state espionage on ports in at least thirteen countries (2025): CISA reported in a joint publication with intelligence agencies from many NATO countries that actors attributable to the Russian GRU military unit are conducting espionage campaigns on maritime ports and transportation services [3]

Uptick in ransomware attacks (2025): a NATO policy brief reported a steep increase in ransomware attacks on critical European port infrastructures, as well as activism-based denial-of-service attacks [10]


Financially motivated cybercriminals increasingly active 

At the same time, financially motivated cybercriminals have intensified their focus on the sector. Based on PwC threat intelligence and sector reports [5, 6], ransomware attacks now account for 30 to 35 per cent of reported maritime cyber incidents, making them the most prevalent and financially damaging threat. These attacks often exploit weak points in IT systems to gain access to critical OT environments, encrypting data and demanding payment to restore operations. The maritime sector’s reliance on just-in-time logistics and tight operational schedules makes it particularly vulnerable to such disruptions.

Attack techniques are also evolving. Location spoofing and jamming have been used to manipulate vessel navigation, posing direct risks to safety and cargo integrity. There is also a growing trend of attackers targeting the broader logistics ecosystem such as port authorities, customs systems, and third-party service providers to gain indirect access to primary maritime targets. This supply chain attack model targets the interconnected nature of maritime operations, where a vulnerability in one node could compromise the entire network. 

The sector’s push toward digitalisation, (AI) automation, and decarbonisation has expanded cyber-attack surfaces. Smart ship technologies, remote monitoring systems, and automated ports create interconnected networks where each component presents opportunities, but also new risks and challenges.

What the sector must do now to increase cyber resilience

The threat model has shifted, and the maritime sector needs to realign

What makes the current threat landscape different is not only that attacks are increasing. While financially motivated attacks such as ransomware grow in volume and sophistication, nation-state actors are actively targeting the sector for strategic goals. This marks a fundamentally changed threat landscape and creates the need for a defensive model that can counter those threats. The maritime sector's cybersecurity posture has historically been shaped by a disruption-focused threat model with an emphasis on safety and compliance. The challenge is that the sector needs to realign its defensive model to also take into account nation-state-sponsored cyber attacks, increasing attack volume, and the expanding attack surface due to digitalisation and automation.

The most pressing challenges 

Although awareness in the sector has been increasing, several systemic challenges exist due to the nature of the technology used in the sector and the adherence to the now obsolete threat model of disruption-focused defences. These challenges are particularly dangerous because they are sector-wide, predictable gaps that persistent adversaries know about and exploit.

1. Asset visibility and inventory management
Maintaining a comprehensive and up-to-date inventory of digital and operational assets remains a challenge for maritime organisations. This includes bridge systems, engine control units, cargo handling systems, and crew networks. Without visibility, it is difficult to assess vulnerabilities, prioritise risks, or implement effective controls. In some cases, critical OT systems are not integrated into enterprise asset registers, potentially leading to blind spots in risk assessments and patch management.

2. Outdated network architectures
Many vessels and port facilities operate with flat network architectures, where IT and OT systems are interconnected without adequate segmentation. This often stems from outdated network architectural designs, and it allows attackers who compromise a non-critical system (such as a crew entertainment network) to move laterally into critical systems like navigation or propulsion controls. These developments align with the broader findings from PwC’s Digital Trust Insights 2026, which highlight that many organisations are still adapting to a rapidly evolving threat landscape and face significant challenges in modernising their cybersecurity capabilities.

3. Limited integration and optics on security event data of vessels and OT systems
A persistent gap in maritime cybersecurity is the limited integration of operational technology (OT) systems into Security Operations Centres (SOCs). While SOCs are effective for IT monitoring, they often lack visibility into OT environments that control vessel and port operations. Legacy systems, proprietary protocols, and minimal logging make OT assets difficult to monitor. This means that a sophisticated adversary maintaining persistent access to vessel control systems or port OT environments would, in many organisations, generate no alert whatsoever. 

What can be done to increase cybersecurity resilience 

Closing this gap requires more than incremental improvement; it requires a shift in defensive philosophy. Maritime organisations must move from an availability-and-compliance model to one that includes detecting and responding to the presence of highly mature adversaries. The following actions should be prioritised not as generic best practices, but as direct responses to the threat model the sector faces:

1. Establish comprehensive asset and risk management 
Organisations could begin by conducting detailed asset discovery of all IT and OT assets, including legacy systems and third-party components. This information should feed into a unified asset management system that supports continuous risk assessment and prioritisation. Implementing a security management system that encompasses both IT and OT domains is essential. This system should align cyber risks with business impact, enabling informed decision-making. Frameworks like ISA/IEC 62443 help in laying these foundational aspects of OT security.

2. Design defensible network architectures 
Network segmentation is critical to limiting the spread of cyber threats. Maritime organisations should implement zoned architectures that isolate critical OT systems. Secure-by-design principles should be applied to all new systems and retrofits, ensuring that security is embedded from the outset. This includes using modern encryption, multi-factor authentication, and secure remote access protocols. 

3. Enhance monitoring and detection capabilities 
Monitoring of OT environments requires specialised tools that understand industrial protocols and can detect anomalies in real time. These tools should be integrated with existing SOCs to provide a unified view of threats across IT and OT domains. Where in-house capabilities are limited, organisations could consider partnering with providers that offer OT-specific monitoring and threat intelligence. 

4. Test and refine the effectiveness of your digital defences 
Testing the effectiveness of security controls shows where additional measures are needed and whether the environment is resilient against the common attack tactics, techniques and procedures (TTPs) that threat actors use. Perform security testing on vessels, port systems, management systems and back offices. Prioritise defences against the attack tactics that are most prevalent for your specific environment. Roughly speaking, and considering the overall threat landscape, the ransomware threat and nation-state-sponsored persistent attacks should be high on the agenda.

5. Secure the supply chain 
Given the interconnected nature of maritime operations, organisations must assess and manage the cybersecurity posture of their suppliers, contractors, and partners. This includes conducting third-party risk assessments, incorporating cybersecurity requirements into contracts, and participating in industry information-sharing initiatives. Collaborative efforts with port authorities, regulatory bodies, and industry groups can help raise the overall security baseline and improve collective resilience. 

From operational concern to strategic imperative 

Over the past decade, the maritime sector has taken important first steps by embedding cybersecurity into its operational processes, aligning with existing safety protocols and regulations. But the threat landscape has shifted. Maritime infrastructure is increasingly targeted in the context of hybrid warfare, and the adversaries that matter most are the ones who want to remain undetected inside operational systems, ready to act when geopolitical circumstances call for it. 

That changes the question maritime boards and executive teams should be asking. It's no longer just "are we compliant with security frameworks?"; it is "do we have the visibility to detect a sophisticated, persistent actor operating within our environment?" Many organisations in this sector are not yet equipped to answer that with confidence. The organisations that recognise this shift and adapt their defences accordingly won't just be better protected; they will be better positioned to operate in a world where maritime infrastructure is not just an economic asset, but a strategic one.

Contact the authors

Wouter Otterspeer

Director, PwC Netherlands

Wouter works in the Cyber Technology team at PwC Netherlands, helping organisations improve their digital resilience. He specialises in identifying digital vulnerabilities and targeted remediation. He translates complex threats into concrete measures that measurably strengthen resilience.
Angeli Hoekstra

Partner Cybersecurity, Privacy & Resilience, PwC Netherlands

Angeli is a partner at PwC Netherlands, specialising in cybersecurity, privacy, AI, and risk management. With her background in computer science, neural networks, and strategic organisational consultancy, she assists organisations in managing risks, optimising processes, and creating sustainable stakeholder value.

References

[1] Staunch Technologies, “Maritime Cyber Incidents 2025: A Rising Tide of Digital Threats,” 29 Aug. 2025. [Online]. Available: https://staunchtec.com/maritime-cyber-incidents-digital-threats-2025
[2] ThreatScene, “Rogue Waters: Why Maritime Cyber Attacks Are Surging in 2025,” 27 May 2025. [Online]. Available: https://threatscene.com/blog-update/rogue-waters-why-maritime-cyber-attacks-are-surging-in-2025/
[3] U.S. Cybersecurity and Infrastructure Security Agency (CISA), “Russian GRU Targeting Western Logistics Chains,” 21 May 2025. [Online]. Available: https://media.defense.gov/2025/May/21/2003719846/-1/-1/0/CSA_RUSSIAN_GRU_TARGET_LOGISTICS.PDF
[4] France Cyber Maritime, “Maritime Cyber Threat Overview 2023,” Nov. 2024. [Online]. Available: https://www.france-cyber-maritime.eu/wp-content/uploads/2024/11/Rapport_menace_2023_NUMERIQUE_BD.pdf
[5] European Union Agency for Cybersecurity (ENISA), “ENISA Threat Landscape for Transport Sector,” Mar. 2023. [Online]. Available: https://www.enisa.europa.eu/publications/enisa-threat-landscape-for-transport-sector
[6] M. Badea, O. Bucovețchi, A. V. Gheorghe, M. Hnatiuc, and G. Raicu, “Maritime Industry Cybersecurity Threats in 2025: Advanced Persistent Threats (APTs), Hacktivism and Vulnerabilities,” Logistics, vol. 9, no. 4, Art. no. 178, Dec. 2025. [Online]. Available: https://www.mdpi.com/2305-6290/9/4/178
[7] H. I. Sutton, “Positions of Two NATO Ships Were Falsified Near Russian Black Sea Naval Base,” U.S. Naval Institute News, 21 Jun. 2021. [Online]. Available: https://news.usni.org/2021/06/21/positions-of-two-nato-ships-were-falsified-near-russian-black-sea-naval-base
[8] Cydome, “Oil Tanker Collision off Oman Highlights Risks of Maritime GPS Interference Causing AIS Anomalies,” Jun. 2025. [Online]. Available: https://cydome.io/tankers-collide-in-the-gulf-analysts-suspect-gps-jamming/
[9] The Maritime Executive, “Constant GPS Jamming Disrupts Navigation in Strait of Hormuz,” The Maritime Executive, 26 Jun. 2025. [Online]. Available: https://maritime-executive.com/article/constant-gps-jamming-disrupts-navigation-in-strait-of-hormuz
[10] NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), “Policy Brief: Addressing State-Linked Cyber Threats to Critical Maritime Port Infrastructure,” Jul. 2025. [Online]. Available: https://ccdcoe.org/uploads/2025/07/CCDCOE_Policy_Brief.pdf
