A Retrospective Analysis of Maritime Cyber Security Incidents

P.H. Meland 1, K. Bernsmed 1, E. Wille 1, Ø.J. Rødseth 2 & D.A. Nesheim 2
1 SINTEF Digital, Trondheim, Norway
2 SINTEF Ocean, Trondheim, Norway

The International Journal on Marine Navigation and Safety of Sea Transportation, Volume 15, Number 3, September 2021. DOI: 10.12716/1001.15.03.04. http://www.transnav.eu

ABSTRACT: The maritime industry is undergoing a rapid evolution through the introduction of new technology and the digitization of existing services. At the same time, the digital attack surface is increasing, and incidents can lead to severe consequences. This study analyses and gives an overview of 46 maritime cyber security incidents from the last decade (2010-2020). We have collected information from open publications and reports, as well as anonymized data from insurance claims. Each incident is linked to a taxonomy of attack points related to onboard or off-ship systems, and the characteristics have been used to create a Top-10 list of maritime cyber threats. The results show that the maritime sector typically has incidents with low frequency and high impact, which makes them hard to predict and prepare for. We also infer that different types of attackers use a variety of attack points and techniques, hence there is no single solution to this problem.

1 INTRODUCTION

The maritime sector is a complex ecosystem, bringing together stakeholders and organizations of different sizes, maturity, complexity, and operational scope. During the last decade, the maritime industry has undergone a rapid evolution through the introduction of new technology and the digitization of existing services. While aiming to increase profit, these changes can also introduce new risks. In particular, the increased connectivity and the convergence of Information Technology (IT) and Operational Technology (OT) systems will expose maritime operations to new threats that may have severe financial and reputational repercussions. Further, the threat environment against the maritime sector is steadily becoming more hostile; cyber attacks are becoming more frequent, and organized criminal networks and hostile nations are now targeting all actors in the digital value chain [65], including shipping companies, vessels, and their shore-side facilities.

In this paper we present a retrospective analysis of cyber security incidents from the last decade (2010-2020). Our analysis includes 46 reported incidents that have affected the stakeholders in the maritime sector in significant ways. Our work provides an overview of attack points and shows a mapping between these and the incidents. We have also created a threat categorization based on the characteristics of the incidents. While the main driver of our analysis was to increase the awareness of cyber security threats towards Norwegian maritime interests, maritime operations are international and malicious actors know no borders. Hence, the results should be equally relevant for the international maritime community.

The paper is organized as follows. In Section 2, we give an overview of relevant background work on threats and incidents in the maritime sector. Section 3 introduces the methodology that we applied when gathering the data for this paper. In Section 4, we present the target description, which includes an overview of the special characteristics of maritime systems and a generalized representation of the shipboard and off-ship systems with annotated attack points. Section 5 contains an overview of incidents, while in Section 6 we build a categorization of threats based on the incidents. Section 7 discusses trends related to incidents and threats, and what we can expect for the current situation and the road ahead. Finally, in Section 8 we conclude our work and point to future opportunities.

2 BACKGROUND
Initial work on security threats to the maritime sector was mainly focused on terrorism [29, 81]. In 2011, ENISA released the report "Analysis of Cyber Security Aspects in the Maritime Sector" [18], which recognized the maritime sector as a critical infrastructure. The report identified the very low awareness of cyber security in the sector as a major challenge and suggested that the low number of publicly known cyber security incidents could be the reason. In 2015, a Norwegian report [39] on digital vulnerabilities in the maritime sector was released. It identified the top 10 challenges in the sector and provided examples of both attacks and accidents that had been possible due to these. The same year, the EU project MUNIN performed a risk assessment of safety and cyber security threats [37], in which jamming, spoofing and hacking of AIS, GPS and ship communication equipment were considered the highest risks. Threats that are specific to maritime digital communication were identified in the Norwegian research project CySiMS [50]. Researchers from the University of Plymouth have over several years published papers related to vulnerabilities, threats and attacks on the maritime sector (e.g. [34, 70, 71]). There are further examples of security research on specific sub-systems or operations, e.g. autonomous shipping [76], ports and port systems [22] and IT/OT systems installed on vessels [13].

In 2017, the British Department of Transport published an overview of motivations for attacking ship systems, including potential threat actors [11]. The following year, ENISA published their report on the cyber threat landscape, claiming that cyber criminals and state-sponsored actors were taking over the scene and that monetization was becoming one of the main drivers for cyber attacks [65]. Their standpoint has recently been confirmed by the Norwegian Police Security Service, which identifies state-sponsored intelligence operations against the maritime industry as a significant risk to Norway [56]. Further, the Norwegian National Security Authority (NSM) provides annual reports on the cyber threat picture against Norway [52, 53], which include ransomware, digital intelligence operations and disturbance of positioning services.

The abovementioned sources provide a thorough analysis of cyber security vulnerabilities, threats and risks relevant for maritime operations, but most of them lack an anchoring in empirical evidence. Nevertheless, they have been a useful basis for analyzing, mapping and interpreting our results.

3 METHODOLOGY
To collect information about incidents, we have screened scientific publications, public and commercial reports, newspapers and other forms of grey literature, using key words such as "cyber attack", "cyber incident", "cyber risk", "cyber threat", "cyber security" and "maritime" in popular search engines and indexing databases (Google, Google Scholar, IEEE Xplore and SpringerLink). We also searched the Lloyd's List [42] database for cyber security events. Furthermore, we applied a snowballing technique [83], which means that we screened our sources' sources to locate additional relevant literature that did not show up in our initial searches.

We did, whenever possible, strive to use several independent sources to confirm the validity of each of the reported incidents, and we revised our original sources by reading reports that compiled several of the previously reported incidents, such as Kapalidis [55], Jones et al. [34], KNect365 [51], Singh [68] and Cyberkeel [20]. The final selection of incidents that we included in our analysis was based on the following criteria:
1. The incidents must have occurred during the last decade (2010 to 2020).
2. The incidents must have been caused by "successful" attacks. We did not include mere attack attempts or unsuccessful attacks.
3. The incidents must have been caused by a real attack. We did not include any "white hat" experiments performed by, for example, students, security companies or researchers.
4. The incidents must have had a direct effect on any of the core systems in the maritime ecosystem. We did not include incidents that were only vaguely related to shipping, for example attacks on logistics companies or supply chains.
5. The incidents must have had a significant impact on the maritime industry. Hence, we did not include any "minor" incidents (typically treated as "noise" by the security community) in our analysis.

In addition to looking for incidents in public literature, we collaborated with representatives from the Intelligence and Operations Centre at The Norwegian Shipowners' Mutual War Risk Insurance Association and the Norwegian Maritime Cyber Resilience Centre. They provided us with anonymized event data, which resulted in the identification of additional incidents. As far as we are aware, only a few of these incidents have been mentioned in open reports.

3.1 Limitations
Shipping is a very diverse sector, from small dry bulkers carrying sand and gravel along the coast to large container ships in intercontinental trade. It is highly unlikely that this study has captured all the different cyber incidents across the sector, as most of the quoted references tend to focus on larger ships and operations. The sources are also biased in that they are mostly from the western world, including a number of Norwegian reports. The reader should keep this bias in mind when reading this paper, but the authors still believe that this is a representative report on the general situation related to cyber incidents and threats in the maritime sector.

4 TARGET DESCRIPTION
To systematically analyze the incidents, there is a need to describe the scope and context of our study. Here we provide an overview of the specific characteristics of the maritime industry and models of the onboard and off-ship systems.

4.1 The maritime threat profile

The maritime industry has some special characteristics which result in a threat profile that differs significantly from more traditional land-based systems:
1. It is a relatively small industry, e.g. there are about 98 000 propelled seagoing merchant vessels of 100 gross tons and above operating internationally [74]. This puts limits on the industry's ability to do systematic analyses and to learn from others, hence making it difficult to improve its cyber security practices.
2. Ships are complex "sailing villages" with a wide range of information and communication technology (ICT) onboard. This ranges from office systems, via life support systems and engine automation, to navigation systems.
3. Ships will normally have a lifetime of 25-35 years, and software upgrades are done on individual equipment using different time intervals. This means that most ships have a very mixed set of equipment, both for administrative functions and general information technology (IT) and for operational technology (OT).
4. It is a highly cost-sensitive market, due to strong international competition, resulting in a large share of stakeholders not giving cyber security the required priority.
5. The ships are under international regulation, which has tended to focus on minimum technical requirements to ensure a level economic playing field.

These issues result in a complex, but highly inhomogeneous and sometimes poorly maintained ICT system. From a cyber security point of view, this may be an advantage, as the reconnaissance of the target system and the selection of a possible attack vector become more complicated. However, as digitalization in the maritime sector increases and more ships become connected to the Internet, it also means that a larger attack surface will be exposed. Shipping will hence become a more tempting target, for commercially motivated attackers, for state terrorism interested in damaging import and export facilities, and for the more "adventurous" hackers.

The next two subsections describe models of onboard and off-ship systems with potential attack points. The taxonomy of identifiers should be seen as preliminary, and not all of these attack points have been mapped to actual incidents. However, they are still relevant for potential threats and future mapping of new incidents.

4.2 Onboard systems
Figure 1 shows a generalized representation of onboard systems with attack points classified as S1 to S7. S1 represents attacks on operational technology, usually located in a controlled environment. This may also include attacks via moveable external memory systems (MEMS or "memory sticks"), which sometimes are used for updates to software or, e.g., electronic charts. S2 represents attacks on administrative systems onboard. S3 and S4 are attacks on mobile data/satellite communication or VHF radio digital communication respectively, S5 represents attacks on Global Maritime Distress and Safety Systems (GMDSS), S6 on Global Navigation Satellite Systems (GNSS) and S7 on peripheral devices to controlled systems. S0 is used for other onboard attacks.

Figure 1. Attack points onboard the ship

Note that the topologies on different ships vary wildly, and particularly older ships may have much less system separation in place.

4.3 Off-ship systems

The other group of attack points are communication links from ship to shore and the corresponding shore systems. These are illustrated in Figure 2.

Figure 2. Attack points onshore and between ship-and-shore

The first group belongs to public infrastructure. The most relevant here are the VHF voice and data transmission infrastructure, including automatic identification system (AIS) services (L1); the vessel traffic services, maritime rescue and GMDSS services (L2); various information services to ships, including meteorological data, recommended routes and notices to mariners (L3); and digitalized aids to navigation (L4). Other attack points in this group are labelled L0.

The next group are the authorities and class societies. M1 is related to ship and crew certificates, e.g., from the flag state; M2 is services and documents issued by class societies; and M3 is authority services related to arrival and departure clearance, e.g., maritime single windows (MSW), passenger clearance, phytosanitary services etc. M0 is used for other attack points in this group.

Port operations are services to ships, e.g., tugs, linesmen, etc. (H1); H2 labels attacks on internal communication and data exchange inside ports and terminals; and H3 labels attacks on port operations data systems such as harbor master's systems etc. H4 labels attacks on cargo data systems in the port. This can also include port community systems (PCS). H0 is used for other attack points for port services.

Finally, private services are grouped into ship operators (P1), which includes owner, manager, charter etc.; P2 codes for technical services from yards, spare part or consumable suppliers; and P3 for other services such as weather routing, route optimization etc. P0 represents other services.

5 KNOWN INCIDENTS
Below we describe the incidents we have identified based on the methodology and criteria described in Section 3. Each incident is given a unique identifier, which is presented in bold text together with the relevant year(s) and attack point, referring to identifiers from the previous section.

A1 - Year: 2010, Attack point: S1
A drilling rig is infected by malware on its way from the construction site in South Korea to South America. Critical control systems are infected, requiring 19 days of downtime to clear the issue. Such shutdowns are estimated to cost 700 000 USD per day. Sources: [20, 66].

A2 - Year: 2010-2011, Attack point: P1
A Greek shipping company is hacked via its headquarters' WiFi network. For the next two years, information regarding vessels and sailing routes is exfiltrated and used by the attackers to plan physical pirate attacks in the Gulf of Aden. Source: [55].

A3 - Year: 2011-2013, Attack point: H4
The cargo tracking system at the Port of Antwerp was infected to enable smuggling of drugs and weapons ("concealed" as bananas from South America). The smuggling operation went on for two years before being detected. The same port was subject to the same attack again in 2018. Sources: [39, 51, 55, 78].

A4 - Year: 2011-2013, Attack point: P2
A threat actor made known by Kaspersky [27] as "Icefog" conducts targeted cyber espionage attacks against various sensitive organizations in South Korea and Japan, including maritime and shipbuilding groups. The attacks rely on spear-phishing and the exploitation of known vulnerabilities. Source: [27].

A5 - Year: 2011, Attack point: P1
A cyber attack against the Iranian shipping company IRISL (Islamic Republic of Iran Shipping Lines) damaged all the data related to rates, loading, cargo number, date, and place. The attack also crippled the company's internal communication network and caused severe financial losses and loss of cargo. Sources: [20, 73].

A6 - Year: 2012, Attack point: S3
Iranian officials report a cyber attack on communication networks on an offshore platform in the Persian Gulf. Source: [68].

A7 - Year: 2012, Attack point: H4
The cargo handling system used by the Australian Customs and Border Protection Service was infected, enabling the attackers to see if their shipments were flagged as suspicious. In such cases, the smuggled goods were never picked up. Source: [20].

A8 - Year: 2012, Attack point: M1
Chinese hackers are accused of a targeted attack against the Danish Maritime Authority, in which documents and information regarding network topology were stolen. The attack was initiated via email, through a virus-infected PDF attachment. Sources: [20, 38].

A9 - Year: 2013, Attack point: S1
Crew onboard a drilling rig in the Gulf of Mexico accidentally connect virus-infected PCs and USB devices to a local network on the rig. This enables the virus to infect the network and disturb the communication between the dynamic positioning system and the thrusters. As a result, drilling operation is halted. Sources: [5, 35, 51].

A10 - Year: 2014, Attack point: P1
Hackers intercept and alter emails with account numbers for money transfers, causing severe financial losses. The attacks target transactions between shipping lines and bunker suppliers and between shipping lines and shipyards. Source: [20].

A11 - Year: 2012-2014, Attack point: S4
A report from Windward [82] shows that between 2012 and 2014, 1% of all ships provide fake identification information (IMO numbers) in their AIS transmissions. In addition, more than 25% of vessels disable their AIS ("going dark") at least 10% of the time. Such techniques are often used in connection with smuggling, terrorism, human trafficking, illegal fishing or military conflicts. Source: [82].

A12 - Year: 2016, Attack point: S6
In South Korea, 280 ships have to return to port after experiencing problems with their navigation systems. North Korea has been blamed for the incident, but evidence is lacking. Source: [55].

A13 - Year: 2014-2017, Attack point: S4
An analysis from the Norwegian Coastal Administration of historical AIS data from 2014-2017 shows that civilian Russian vessels perform regular stops along the Norwegian coast which are not natural for their primary objectives. These irregularities tend to coincide in time and space with NATO operations, training or drills, and there is reason to suspect that the behavior of these vessels is linked to electronic espionage. Similar activity has been observed in the South China Sea and in the Black Sea. Sources: [62, 79].

A14 - Year: 2017, Attack point: P3
British ship broker Clarksons is hacked and the attackers demand a ransom for stolen data. Some sensitive information was stolen and the stock value decreased by 5% immediately after the incident (some sources claim a smaller stock value reduction). Sources: [3, 16, 51, 55].

A15 - Year: 2017, Attack point: P1
Shipping giant Maersk's operations are severely crippled by the NotPetya ransomware, which was spread via an update patch for the tax accounting software MeDoc (widely used among tax accountants in Ukraine). The virus exploits vulnerabilities in Microsoft Windows and is based on EternalBlue, a cyber attack software developed by the US NSA. The incident is seen as the most devastating cyber attack in history, causing problems for almost one fifth of global shipping operations, including 76 ports. Maersk has estimated their economic losses to near 300 million USD in the form of reduced income as a result of the incident. More than 4000 servers, 45 000 PCs and 2500 applications had to be reinstalled. Sources: [15, 28, 46, 51, 68].

A16 - Year: 2017, Attack point: S6
At least 20 ships in the Black Sea near Novorossiysk reported that their navigation systems were showing a position which was 32 km away from their actual positions. These observations were likely caused by GNSS spoofing. Source: [55].

A17 - Year: 2018, Attack point: S6
A ship is exposed to GPS spoofing in the Black Sea (in the same area as the incident above). The ship is at sea, but the geolocation system onboard claims that the ship is on land. During the course of 3 days this happens 4 times, with a duration of up to 30 minutes. Source: [75].

A18 - Year: 2018, Attack point: P3
Chinese hackers are accused of stealing information from subcontractors of the US Navy. In addition, it is presumed that 27 American universities have been attacked in an attempt to steal research data related to maritime technology. Sources: [43, 76].

A19 - Year: 2018, Attack point: H4
The Port of Barcelona reports a cyber attack, which turns out to be an infection of the Ryuk ransomware. The infection only affected internal IT systems, and not ship traffic. Sources: [17, 59].

A20 - Year: 2018, Attack point: H4
The Port of San Diego reports severe disruptions in its IT systems. This is another Ryuk ransomware infection, and the consequences are limited to local functions at the port. The incident occurred only 5 days after the above event in Barcelona, but it is unclear whether these events were related. Sources: [17, 59].

A21 - Year: 2018, Attack point: P2
Iranian hackers are blamed for stealing ship designs and information about personnel from the Australian shipbuilder Austal. Austal delivers naval vessels to both Australia and the US. The stolen information was later offered for sale on the dark web. The hackers also attempted to extort money from Austal. Source: [58].

A22 - Year: 2017-2018, Attack point: P1
A Nigerian hacker group nicknamed "Gold Galleon" allegedly stole hundreds of thousands of USD through compromising and spoofing business emails in maritime shipping businesses. The hackers have mainly targeted Japanese and South Korean companies, but companies from other countries have also been attacked. Sources: [58, 63].

A23 - Year: 2018, Attack point: P1
COSCO Shipping Lines was hit by a cyber attack which caused severe disruptions in their US office networks. Email and network telephone communication was unavailable for 5 days. According to internal emails, the incident was a ransomware infection. Sources: [15, 32].

A24 - Year: 2018, Attack point: P3
Italian oilfield services company Saipem detects a cyber attack against their Middle East servers. About 400 servers were hit in the attack, and the servers in Saudi Arabia and the UAE were hit especially hard. The company had backups of the affected data, thereby avoiding permanent loss of data. No data was believed stolen. Source: [48].

A25 - Year: 2019, Attack point: S1
A large ship on its way to New York gets its onboard control system network infected with malware, resulting in limited functionality. Source: [41].

A26 - Year: 2018-2019, Attack point: S6
GPS jamming is observed on multiple occasions through 2018-2019 in northern Norway. The disruption has affected marine traffic to some extent, but severe consequences were fortunately avoided. Source: [53].

A27 - Year: 2019, Attack point: H3
An undisclosed American port is infected by the Ryuk ransomware. The infection came through a phishing email attachment and caused CCTV cameras, access control systems and critical process monitoring to become unavailable. Source: [17].

A28 - Year: 2019, Attack point: P3
British marine services provider James Fisher and Sons is infected by ransomware and is forced to shut down its digital systems. Share value drops 7% after the incident. Source: [25].

A29 - Year: 2019, Attack point: S1
A natural gas compression facility at an undisclosed US pipeline operator is infected with ransomware (presumably Ryuk) and has to shut down for two days. The attack came via phishing email and impacted both IT and OT systems. Sources: [12, 21].

A30 - Year: 2019, Attack point: S2
A tanker near the port of Naantali in Finland gets its administration server infected by ransomware. The backup disk is also wiped. Remote Desktop Protocol (RDP), a USB device or an email attachment are identified as probable attack vectors. The same vessel is infected again 4 months later near the same port. Source: [75].

A31 - Year: 2019, Attack point: S2
Two ships with the same owner are infected by the ransomware Hermes 2.1. The infection came as a macro-enabled Word document attached to an email, and multiple workstations on the administrative networks were affected. Source: [75].

A32 - Year: 2020, Attack point: S2
A vessel anchored near Tynemouth, UK, has its ship server and multiple PC clients infected with the Ryuk ransomware. Two specialists from the IT service provider were sent onboard and found that all data were encrypted and lost. A full reinstall was necessary to restore the systems. Source: [75].

A33 - Year: 2020, Attack point: S2
Three ships sailing under the American flag have their administrative systems infected by the ransomware Sodinokibi. This virus also threatens to leak information ("ransomtheft"), in addition to encrypting data. Source: [75].

A34 - Year: 2020, Attack point: P1
The shipping company MSC falls victim to a ransomware virus and their headquarters in Geneva are shut down for five days. Sources: [30, 46].

A35 - Year: 2020, Attack point: H3
Israel is blamed for hacking the Iranian port of Shahid Rajaee, causing all transportation and flow of goods to halt for a long time. The attack is claimed to have been retaliation after an attack on an Israeli water distribution system. Sources: [30, 80].

A36 - Year: 2020, Attack point: P2
Norwegian shipbuilder Vard is hit by a ransomware attack which causes severe operational disruption. Many of the employees are informed that the disruptions may lead to temporary job loss because of halted shipbuilding. Sources: [26, 61].

A37 - Year: 2019-2020, Attack point: P1
Cruise operator Carnival Corporation & plc is hit by a ransomware virus twice in two years, and personal information and credit card details for customers and employees have likely been stolen. Details regarding the type of virus and attack vector have not been made public, but the company states that they may receive compensation claims from the affected parties. Source: [44].

A38 - Year: 2020, Attack point: M1
Transport Malta (the Maltese transport authority) suffers a cyber attack that shuts down its online systems for five days. Sources: [1, 7].

A39 - Year: 2020, Attack point: P1
Greek shipping company Diana Shipping falls victim to the Egregor ransomware. Little information is known about this incident. Sources: [4, 40].

A40 - Year: 2020, Attack point: P1
The French container carrier company CMA CGM is hit by the Ragnar Locker ransomware. Several of its Chinese offices were affected, and some of its online services had to be shut down, including online booking. Sources: [19, 67].

A41 - Year: 2020, Attack point: M1
The UN shipping agency IMO has its website and intranet disabled by a cyber attack. To prevent further damage, several other key systems are shut down. The attack is described as "sophisticated"; further details have not been provided. Sources: [36, 54].

A42 - Year: 2020, Attack point: P1
British ferry firm Red Funnel is hit by a cyber attack, causing severe disruption in their IT systems. Among other things, the booking systems were unavailable for several days, forcing customers to arrive well in advance of sailings to buy tickets on-site. Sources: [9, 72].

A43 - Year: 2020, Attack point: P1
US transportation and shipping company Matson reports a system outage due to a cyber attack. The attack does not stop cargo operations, but some transactions are delayed since affected functions need to be replaced by manual processes. Source: [49].

A44 - Year: 2020, Attack point: H4
The Port of Kennewick has its IT systems crippled by ransomware. The hackers demanded a ransom of 200 000 USD, which was not paid. Systems were unavailable for several days, as they had to be reestablished from offline backups. Sources: [14, 47].

A45 - Year: 2020, Attack point: P1
Norwegian cruise operator Hurtigruten suffers a severe ransomware attack, which has a severe impact on its IT infrastructure. Multiple key systems are unavailable for several days. Passenger data, such as passport information, were exposed and might have been stolen. Sources: [10, 45, 60].

A46 - Year: 2020, Attack point: P1
German cruise operator AIDA has its headquarters in Rostock hit by the DoppelPaymer ransomware. The attack causes severe IT issues, forcing AIDA to cancel several cruises. Source: [77].

6 CYBER THREAT CATEGORIZATION
A threat is the potential cause of an unwanted incident, which can result in harm [33]. Based on the known incidents and related work, we have established a Top-10 list of maritime cyber threats. The categories are defined by similar characteristics among the incidents and are ranked based on frequency and severity. For each category we have described typical attack vectors and targets. Some incidents have been associated with more than one category, which is natural for attacks that consist of several stages and can affect more than one target. Hence, the categories are not mutually exclusive and can overlap for a single incident.

6.1 Exposed shipping company/carrier IT-systems
The IT-systems of shipping companies and carriers have had a burst of associated cyber incidents in the last year and can be linked to 25% of the total incidents for the last decade. We register that the most common attack vector is ransomware, usually in the form of email attachments or links. Just as in many other sectors, there is an increasing trend of ransomtheft viruses, that combine outages and information theft. There are also many examples of economic fraud from social engineering attacks.
Incidents: A2, A5, A10, A15, A22, A23, A34, A37, A39, A40, A42, A43, A45, A46

6.2 Exposed IT-systems belonging to sub-contractors, shipyards, on-shore installations, service providers, regulators and research facilities
The IT- and administrative systems of various onshore stakeholders supporting maritime operations have a similar threat picture as shipping companies. The incidents typically involve theft of business-critical information, as well as more random cases of extortion. From the incidents we see that social manipulation, hacking and ransomware are commonly used attack vectors.
Incidents: A8, A14, A18, A21, A24, A28, A29, A36, A38, A41

6.3 Exposed port IT-systems
Ports have been popular targets and have a reputation of being poorly protected against cyber attacks. Outages are expensive, which makes them attractive for extortionists. Furthermore, information theft and manipulation have been used for smuggling operations. Some incidents only report that the port has been "hacked", and in conflict areas we can suspect that state-sponsored actors/cyber warriors are to blame.
Incidents: A3, A7, A15, A19, A20, A27, A35, A44

6.4 Espionage on maritime operations
In this category we find incidents characterized by extensive and targeted attacks related to espionage, tapping and surveillance of maritime operations. Mentioned attack vectors tend to be spear-phishing or general hacking, as well as communication tapping.
Incidents: A4, A7, A8, A13, A18, A21

6.5 Exposed IT-systems onboard ships/offshore installations
There have been several incidents where IT systems onboard ships have been struck by ransomware, but we suspect that these have been more coincidental than targeted. Typical attack vectors have been email attachments and links, and ship servers and clients have been rendered useless. There has been limited forensic evidence left afterwards as all data are usually wiped clean.
Incidents: A30, A31, A32, A33

6.6 Manipulation of GNSS-signals used by ships
This category is mainly related to jamming or spoofing of GPS/GNSS-signals that ships use for navigational purposes. State-sponsored actors tend to be put under suspicion for these events, and the consequences have been more of a disturbing than critical nature. This kind of threat typically manifests itself in geopolitical conflict areas, such as the Black Sea.
Incidents: A12, A16, A17, A26
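Incidents A16 and A17 share one observable symptom: the reported position is somewhere the vessel cannot have reached (32 km off track, or on land). A simple onboard or shore-side consistency check that catches this class of spoofing is to compare consecutive GNSS fixes against the speed the vessel can actually make. The following Python is an added example, not code from the paper; the track is constructed, the great-circle distance is the standard haversine formula, and the 25 kn ceiling is an assumed per-vessel parameter.

```python
"""Plausibility check on a sequence of GNSS fixes: any fix whose displacement
from the previous fix would require the vessel to exceed its achievable speed
is flagged. Added example, not the paper's code; the fixes are constructed."""
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
KM_PER_NAUTICAL_MILE = 1.852


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two positions (degrees) in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def implausible_jumps(fixes, max_speed_knots=25.0):
    """fixes: list of (t_seconds, lat, lon), strictly increasing in time.
    Returns [(index, distance_km, implied_speed_knots)] for every fix whose
    displacement from the previous fix implies a speed above max_speed_knots.
    The threshold is per vessel; 25 kn is an assumed value for a container ship."""
    flagged = []
    for i in range(1, len(fixes)):
        t0, lat0, lon0 = fixes[i - 1]
        t1, lat1, lon1 = fixes[i]
        if t1 <= t0:
            raise ValueError("fixes must be strictly increasing in time")
        dist_km = haversine_km(lat0, lon0, lat1, lon1)
        speed_kn = dist_km / ((t1 - t0) / 3600.0) / KM_PER_NAUTICAL_MILE
        if speed_kn > max_speed_knots:
            flagged.append((i, round(dist_km, 1), round(speed_kn, 1)))
    return flagged


# Constructed track: a vessel steaming west at about 12 kn off Novorossiysk,
# one fix every 10 minutes, with one fix displaced roughly 32 km (the offset
# reported in A16) before the receiver returns to the true position.
SAMPLE_FIXES = [
    (0, 44.700, 37.700),
    (600, 44.700, 37.653),
    (1200, 44.700, 37.606),
    (1800, 44.700, 37.200),  # spoofed: about 32 km west of the true track
    (2400, 44.700, 37.512),  # back on the true track
    (3000, 44.700, 37.465),
]

if __name__ == "__main__":
    for idx, dist, speed in implausible_jumps(SAMPLE_FIXES):
        print(f"fix {idx}: {dist} km from previous fix, implies {speed} kn")
```

Both the onset of the spoofed position and the return to the true track are flagged, since each is an impossible jump; a receiver that is jammed rather than spoofed (A26) produces no fix at all and needs a separate timeout check. The speed ceiling should come from the vessel's own particulars, and the check belongs alongside, not instead of, cross-checks against radar, AIS and dead reckoning.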
6.7 Exposed OT-systems onboard ships/offshore installations
OT-systems are usually separated from other systems and have therefore been less exposed. Still, we can find examples of such incidents and the consequences have been critical. The attacks have typically entered the system via infected USB units or computers unintentionally connected to the wrong network. Examples of such systems are ECDIS (during map updates) and propulsion control systems.
Incidents: A1, A9, A25, A29

6.8 Exposed communication systems
There have been a few examples of attacks against communications systems for land-based operations and offshore installations. Ship communications have not been so much affected; however, with many different and necessary communication systems onboard, they are still potential victims. The incidents show that the consequences tend to be loss of availability caused by generic hacking or ransomware.
Incidents: A5, A6, A13, A23

6.9 Economic fraud
These incidents tend to be caused by targeted and specialized attacks, where counterfeit emails or hacked user accounts are used as attack vectors to initiate or manipulate economic transactions. For instance, account information is altered, or fake invoices are sent.
Incidents: A10, A22
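The attack-point identifiers of Section 4, the incident headers of Section 5 and the incident lists of categories 6.1 to 6.9 can be transcribed into one small dataset, so that the frequency and overlap statements in this section can be recomputed and new incidents mapped the same way. The Python script below is an added example, not the authors' code. Everything in it is taken from the page except two choices of its own: a multi-year incident is counted in the year it began, and category 6.10, which is cut off on the page, is omitted.

```python
"""Machine-readable transcription of the attack-point taxonomy (Section 4),
the 46 incident headers (Section 5) and threat categories 6.1-6.9 (Section 6),
with the frequency and overlap queries the paper discusses. Added example,
not the authors' code; counting by first year is this example's own rule."""
import re
from collections import Counter, defaultdict

# Attack-point groups from Figures 1 and 2: letter -> (side, {index: meaning}).
ATTACK_POINTS = {
    "S": ("onboard", {0: "other onboard", 1: "operational technology",
                      2: "administrative systems", 3: "mobile data/satellite communication",
                      4: "VHF radio digital communication", 5: "GMDSS", 6: "GNSS",
                      7: "peripheral devices to controlled systems"}),
    "L": ("off-ship", {0: "other public infrastructure", 1: "VHF voice/data incl. AIS",
                       2: "VTS, rescue and GMDSS services", 3: "information services to ship",
                       4: "digitalized aids to navigation"}),
    "M": ("off-ship", {0: "other authority/class services", 1: "ship and crew certificates",
                       2: "class society services and documents",
                       3: "arrival/departure clearance services"}),
    "H": ("off-ship", {0: "other port services", 1: "services to ships (tugs, linesmen)",
                       2: "internal port communication/data exchange",
                       3: "port operations data systems", 4: "cargo data systems incl. PCS"}),
    "P": ("off-ship", {0: "other private services", 1: "ship operators",
                       2: "technical services (yards, suppliers)",
                       3: "other services (weather routing etc.)"}),
}

# Incident headers from Section 5 as "id:year(s):attack point" tokens.
INCIDENT_ROWS = """
A1:2010:S1 A2:2010-2011:P1 A3:2011-2013:H4 A4:2011-2013:P2 A5:2011:P1 A6:2012:S3
A7:2012:H4 A8:2012:M1 A9:2013:S1 A10:2014:P1 A11:2012-2014:S4 A12:2016:S6
A13:2014-2017:S4 A14:2017:P3 A15:2017:P1 A16:2017:S6 A17:2018:S6 A18:2018:P3
A19:2018:H4 A20:2018:H4 A21:2018:P2 A22:2017-2018:P1 A23:2018:P1 A24:2018:P3
A25:2019:S1 A26:2018-2019:S6 A27:2019:H3 A28:2019:P3 A29:2019:S1 A30:2019:S2
A31:2019:S2 A32:2020:S2 A33:2020:S2 A34:2020:P1 A35:2020:H3 A36:2020:P2
A37:2019-2020:P1 A38:2020:M1 A39:2020:P1 A40:2020:P1 A41:2020:M1 A42:2020:P1
A43:2020:P1 A44:2020:H4 A45:2020:P1 A46:2020:P1
"""

# Threat categories 6.1-6.9 with their incident lists; 6.10 is cut off on the page.
CATEGORIES = {
    "6.1 shipping company/carrier IT": "A2 A5 A10 A15 A22 A23 A34 A37 A39 A40 A42 A43 A45 A46",
    "6.2 onshore stakeholder IT": "A8 A14 A18 A21 A24 A28 A29 A36 A38 A41",
    "6.3 port IT": "A3 A7 A15 A19 A20 A27 A35 A44",
    "6.4 espionage": "A4 A7 A8 A13 A18 A21",
    "6.5 onboard/offshore IT": "A30 A31 A32 A33",
    "6.6 GNSS manipulation": "A12 A16 A17 A26",
    "6.7 onboard/offshore OT": "A1 A9 A25 A29",
    "6.8 communication systems": "A5 A6 A13 A23",
    "6.9 economic fraud": "A10 A22",
}

ROW_RE = re.compile(r"^(A\d+):(\d{4})(?:-(\d{4}))?:([SLMHP]\d)$")


def parse_incidents(text=INCIDENT_ROWS):
    """Parse the rows, validating every attack point against the taxonomy."""
    incidents = {}
    for token in text.split():
        m = ROW_RE.match(token)
        if not m:
            raise ValueError(f"malformed row: {token!r}")
        iid, start, end, ap = m.groups()
        side, points = ATTACK_POINTS[ap[0]]
        if int(ap[1]) not in points:
            raise ValueError(f"{iid}: unknown attack point {ap}")
        incidents[iid] = {"start": int(start), "end": int(end or start),
                          "attack_point": ap, "side": side}
    return incidents


def count_by(incidents, key):
    """Frequency of one field ('attack_point', 'side' or 'start') over the incidents."""
    return Counter(inc[key] for inc in incidents.values())


def category_sizes():
    return {name: len(ids.split()) for name, ids in CATEGORIES.items()}


def multi_category_incidents():
    """Incidents placed in more than one category: id -> category names."""
    membership = defaultdict(list)
    for name, ids in CATEGORIES.items():
        for iid in ids.split():
            membership[iid].append(name)
    return {iid: cats for iid, cats in sorted(membership.items()) if len(cats) > 1}


def uncategorized(incidents):
    """Incident ids covered by none of the transcribed categories."""
    covered = {iid for ids in CATEGORIES.values() for iid in ids.split()}
    return sorted(set(incidents) - covered, key=lambda s: int(s[1:]))


if __name__ == "__main__":
    inc = parse_incidents()
    print(len(inc), "incidents by side:", dict(count_by(inc, "side")))
    print("most frequent attack points:", count_by(inc, "attack_point").most_common(5))
    print("by first year:", sorted(count_by(inc, "start").items()))
    print("category sizes:", category_sizes())
    print("in more than one category:", multi_category_incidents())
    print("not in 6.1-6.9:", uncategorized(inc))
```

Run as a script it reports 15 onboard and 31 off-ship incidents, P1 (ship operators) as the most frequent attack point, 11 incidents that appear in two categories, and A11 as the only incident outside 6.1 to 6.9, which is expected since A11 belongs to the AIS category whose text is truncated on the page. Mapping a new incident is a matter of adding one `id:year:attack point` token and, if it fits, one id to a category; the parser rejects attack points that are not in the taxonomy.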
6.10 Misuse of AIS and positioning data
There are several known events where AIS systems onboard ships have been unlawfully manipulated or deactivated. These are usually related to smuggling operations, trafficking