519

1 INTRODUCTION

The maritime sector is a complex ecosystem, bringing

together stakeholders and organizations of different

sizes, maturity, complexity, and operational scope.

During the last decade, the maritime industry has

undergone a rapid evolution through the introduction

of new technology and the digitization of existing

services. While aiming to increase profit, these

changes can also introduce new risks. In particular,

the increased connectivity and the converging of

Information Technology (IT) and Operation

Technology (OT) systems will expose the maritime

operations to new threats that may have severe

financial and reputation repercussions. Further, the

threat environment against the maritime sector is

steadily becoming more hostile; cyber attacks are

becoming more frequent and organized criminal

networks and hostile nations are now targeting all

actors in the digital value chain [65], including

shipping companies, vessels, and their shore-side

facilities.

In this paper we present a retrospective analysis of

cyber security incidents from the last decade (2010-

2020). Our analysis includes 46 reported incidents that

have affected the stakeholders in the maritime sector

in significant ways. Our work provides an overview

attack points and shows a mapping between these and

the incidents. We have also created a threat

categorization based on the characteristics of the

incidents. While the main driver of our analysis was

to increase the awareness of cyber security threats

towards Norwegian maritime interests, the maritime

operations are international and malicious actors

know no borders. Hence, the results should be equally

relevant for the international maritime community.

The paper is organized as follows. In Section 2, we

give an overview over relevant background work on

threats and incidents in the maritime sector. Section 3

introduces the methodology that we have been

A Retrospective Analysis of Maritime Cyber Security

Incidents

P.H. Meland

, K. Bernsmed

, E. Wille

, Ø.J. Rødseth

& D.A. Nesheim

SINTEF Digital, Trondheim, Norway

SINTEF Ocean, Trondheim, Norway

ABSTRACT: The maritime industry is undergoing a rapid evolution through the introduction of new

technology and the digitization of existing services. At the same time, the digital attack surface is increasing,

and incidents can lead to severe consequences. This study analyses and gives an overview of 46 maritime cyber

security incidents from the last decade (2010-2020). We have collected information from open publications and

reports, as well as anonymized data from insurance claims. Each incident is linked to a taxonomy of attack

points related to onboard or off-ship systems, and the characteristics have been used to create a Top-10 list of

maritime cyber threats. The results show that the maritime sector typically has incidents with low frequency

and high impact, which makes them hard to predict and prepare for. We also infer that different types of

attackers use a variety of attack points and techniques, hence there is no single solution to this problem.

http://www.transnav.eu

the

International Journal

on Marine Navigation

and Safety of Sea Transportation

Volume 15

Number 3

September 2021

DOI: 10.12716/1001.15.03.04

520

applied when gathering the data for this paper. In

Section 4, we present the target description, which

includes an overview of the special characteristics of

maritime systems and a generalized representation of

the shipboard and off-ship systems with annotated

attack points. Section 5 contains an overview of

incidents, while Section 6 we build a categorization of

threats based on the incidents. Section 7 discuss the

trend related incidents and threats, and what we can

expect for the current and road ahead. Finally, in

Section 8 we conclude our work and point to future

opportunities.

2 BACKGROUND

Initial work on security threats to the maritime sector

were mainly focused on terrorism [29, 81]. In 2011,

ENISA released the report "Analysis of Cyber Security

Aspects in the Maritime Sector" [18], which

recognized the maritime sector as a critical

infrastructure. The report identified the very low

awareness of cyber security in the sector as being a

major challenge and suggested that the low number of

publicly known cyber security incidents could be the

reason. In 2015, a Norwegian report [39] on digital

vulnerabilities in the maritime sector was released. It

identified the top 10 challenge in the sector and

provided examples of both attacks and accidents that

had been possible because due to these. The same

year, the EU project MUNIN performed a risk

assessment of safety and cyber security threats [37], in

which jamming, spoofing and hacking of AIS, GPS

and ship communication equipment were considered

as the highest risks. Threats that are specific for

maritime digital communication were identified in the

Norwegian research project CySiMS [50]. Researchers

from the University of Plymouth have over several

years published papers related to vulnerabilities,

threats and attacks to the maritime sector (e.g. [34, 70,

71]). There are further examples of security research

on specific sub-systems or operations, e.g.

autonomous shipping [76], ports and port systems

[22] and IT/OT systems installed on vessels [13].

In 2017, the British Department of Transport

published an overview over motivations for attacking

ship systems, including potential threat actors [11].

The following year, ENISA published their report on

the cyber threat landscape, claiming that cyber

criminals and state-sponsored actors were taking over

the scene, monetization was becoming one of the main

drivers for cyber attacks [65]. Their standpoint has

recently been confirmed by the Norwegian Police

Security Service, who identifies state-sponsored

intelligence operations against the maritime industry

as a significant risk to Norway [56]. Further, the

Norwegian National Security Authority (NSM)

provides annual reports on the cyber threat picture

against Norway [52, 53], which includes ransomware,

digital intelligence operations and disturbance of

positioning services.

The abovementioned sources provide a thorough

analysis of cyber security vulnerabilities, threats and

risks relevant for maritime operations, but most of

them lack an anchoring in empirical evidence.

Nevertheless, they have been a useful basis for

analyzing, mapping and interpreting our results.

3 METHODOLOGY

To collect information about incidents, we have

screened scientific publications, public and

commercial reports, newspapers and other forms of

grey literature, using key words, such as "cyber

attack", "cyber incident", "cyber risk", "cyber threat",

"cyber security" and "maritime" in popular search

engines and indexing databases (Google, Google

Scholar, IEEE Xplore and SpringerLink). We also

searched in the Lloyd's List [42] database for cyber

security events. Furthermore, we applied a

snowballing technique [83], which means that we

screened our sources’ sources, to locate additional

relevant literature that did not show up in our initial

searches.

We did, whenever possible, strive to use several

independent sources to confirm the validity of each of

the reported incidents, and we revised our original

sources by reading reports that compiled several of

the previously reported incidents, such as Kapalidis

[55], Jones et al. [34], KNect365 [51], Singh [68] and

Cyberkeel [20]. The final selection of incidents that we

included in our analysis were based on the following

criteria:

− The incidents must have occurred during the last

decade (2010 to 2020)

− The incidents must have been caused by

"successful" attacks. We did not include mere

attack attempts, or unsuccessful attacks.

− The incidents must have been caused by a real

attack. We did not include any "white hat"

experiments, performed by, for example, students,

security companies or researchers.

− The incidents must have had a direct effect on any

of the core systems in the maritime ecosystem. We

did not include incidents that were only vaguely

related to shipping, for example attacks on

logistics companies or supply chains.

− The incidents must have had a significant impact

on the maritime industry. Hence, we did not

include any "minor" incidents (typically treated as

"noise" by the security community) in our analysis.

In addition to looking for incidents in public

literature, we collaborated with representatives from

the Intelligence and Operations Centre at The

Norwegian Shipowners' Mutual War Risk Insurance

Association and the Norwegian Maritime Cyber

Resilience Centre. They provided us with anonymized

event data, which resulted in the identification of

additional incidents. As far as we are aware, only a

few these incidents have been mentioned in open

reports.

3.1 Limitations

Shipping is a very diverse sector from small dry

bulkers carrying sand and gravel along the coast to

large container ships in intercontinental trade. It is

highly unlikely that this study has captured all the

different cyber incidents over the sector as most of the

521

quoted references tend to focus on larger ships and

operations. The sources are also biased in that they are

mostly from the western world, including a number

of Norwegian reports. The reader should keep this

bias in mind when reading this paper, but the authors

still believe that this is a representative report on the

general situation related to cyber incidents and threats

in the maritime sector.

4 TARGET DESCRIPTION

To systematically analyze the incidents, there is a

need to describe the scope and context of our study.

Here we provide an overview over the specific

characteristics of the maritime industry and models of

the onboard and off-ship systems.

4.1 The maritime threat profile

The maritime industry has some special characteristics

which result in a threat profile that differs

significantly from the more traditional land-based

systems:

1. It is a relative small industry, e.g. there are about 98

000 propelled seagoing merchant vessels of 100

gross tons and above operating internationally

[74]. This puts limits on the industry's ability to do

systematic analyses and to learn from others; hence

making it difficult to improve its cyber security

practices.

2. Ships are complex "sailing villages" with a wide

range of information and communication

technology (ICT) onboard. This ranges from office

systems, via life support systems and engine

automation, to navigation systems.

3. Ships will normally have a lifetime of 25-35 years

and software upgrades are done on individual

equipment using different time intervals. This

means that most ships have a very mixed set of

equipment, both for administrative functions and

general information technology (IT) and for

operational technology (OT).

4. It is a highly cost sensitive market, due to strong

international competition, resulting in a large share

of stakeholders not giving cybersecurity the

required priority.

5. The ships are under international regulation, which

have tended to focus on minimum technical

requirements to ensure a level economic playing

field.

These issues result in a complex, but highly

inhomogeneous and sometimes poorly maintained

ICT system. From a cyber security point of view, this

may be an advantage, as the reconnaissance of the

target system and the selection of a possible attack

vector becomes more complicated. However, as

digitalization in the maritime sector increases and

more ships become connected to the Internet, it also

means that a larger attack surface will be exposed.

Shipping will hence become a more tempting target,

for commercially motivated attacker, for state

terrorism interested in damaging import- and export

facilities, and for the more "adventurous" hackers.

The next two subsections describe models of

onboard and off-ship systems with potential attack

points. The taxonomy of identifiers should be seen as

preliminary, and not all of these attack points have

been mapped to actual incidents. However, they are

still relevant for potential threats and future mapping

of new incidents.

4.2 Onboard systems

Figure 1 shows a generalized representation of

onboard systems with attack points classified as S1 to

S7. S1 represents attacks on operational technology,

usually located in a controlled environment. This may

also include attacks via moveable external memory

systems (MEMS or "memory sticks") which sometimes

are used for updates to software or, e.g., electronic

charts. S2 represents attacks on administrative

systems onboard. S3 and S4 are attacks on mobile

data/satellite communication or VHF radio digital

communication respectively, S5 represents attacks on

Global Maritime Distress and Safety Systems

(GMDSS), S6 on Global Navigation Satellite Systems

(GNSS) and S7 on peripheral devices to controlled

systems. S0 is used for other onboard attacks.

Figure 1. Attack points onboard the ship

Note that the topologies on different ships vary

wildly and particularly older ships may have much

less system separation in place.

4.3 Off-ship systems

The other group of attack points are communication

links from ship to shore and the corresponding shore

systems. These are illustrated in Figure 2.

Figure 2. Attack points onshore and between ship-and-

shore

522

The first group belongs to public infrastructure.

The most relevant here are the VHF voice and data

transmission infrastructure, including automatic

identification system (AIS) services (L1); the vessel

traffic services, maritime rescue and GMDSS services

(L2); various information services to ship, including

meteorological data, recommended routes and notices

to mariners (L3); and digitalized aids to navigation

(L4). Other attack points in this group are labelled

with L0.

The next group are the authorities and class

societies. M1 is related to ship and crew certificates,

e.g., from flag state; M2 is services and documents

issued by class societies; and M3 is authority services

related to arrival and departure clearance, e.g.,

maritime single windows (MSW), passenger

clearance, phytosanitary services etc. M0 is used for

other attacks points in this group.

Port operations are services to ships, e.g., tugs,

linesmen, etc. (H1); H2 labels attacks on internal

communication and data exchange inside ports and

terminals; and H3 labels attacks on port operations

data systems such as harbor master's systems etc. H4

labels attack on cargo data systems in the port. This

can also include port community systems (PCS). H0 is

used for other attack points for port services.

Finally, private services are grouped into ship

operators (P1). This includes owner, manager, charter

etc.; P2 codes for technical services from yards, spare

part or consumable suppliers; and P3 for other

services such as weather routing, route optimization

etc. P0 represents other services.

5 KNOWN INCIDENTS

Below we describe the incidents we have identified

based on the methodology and criteria described in

Section 3, are shown below. Each incident is given a

unique identifier, which is presented in bold text

together with the relevant year(s) and attack point

referring to identifiers from the previous section.

− A1 - Year: 2010, Attack point: S1

A drilling rig is infected by malware on its way

from the construction site in South Korea to South

America. Critical control systems are infected,

requiring 19 days of downtime to clear the issue.

Such shutdowns are estimated to cost 700 000 USD

per day. Sources: [20, 66].

− A2 - Year: 2010–2011, Attack point: P1

A Greek shipping company is hacked via its

headquarters’ WiFi network. For the next two

years, information regarding vessels and sailing

routes is exfiltrated and used by the attackers to

plan physical pirate attacks in Gulf of Aden.

Source [55].

− A3 - Year: 2011-2013, Attack point: H4

The cargo tracking system at Port of Antwerp was

infected to enable smuggling of drugs and

weapons ("concealed" as bananas from South

America). The smuggling operation went on for

two years before being detected. The same port

was subject to the same attack again in 2018.

Sources: [39, 51, 55, 78].

− A4 - Year: 2011-2013, Attack point: P2

A threat actor made known by Kaspersky [27] as

"Icefog" conducts targeted cyber espionage attacks

against various sensitive organizations in South

Korea and Japan, including maritime and ship-

building groups. The attacks rely on spear-

phishing and the exploitation of known

vulnerabilities. Source: [27].

− A5 - Year:2011, Attack point: P1

A cyber attack against the Iranian shipping

company IRISL (Islamic Republic of Iran Shipping

Lines) damaged all the data related to rates,

loading, cargo number, date, and place. The attack

also crippled the company’s internal

communication network and caused severe

financial losses and loss of cargo. Sources: [20, 73].

− A6 - Year: 2012, Attack point: S3

Iranian officials report a cyber attack on

communication networks on an offshore platform

in the Persian Gulf. Source: [68].

− A7 - Year: 2012, Attack point: H4

The cargo handling system used by the Australian

Customs and Border Protection Service was

infected, enabling the attackers to see if their

shipments were flagged as suspicious. In such

cases, the smuggled goods were never picked up.

Source: [20].

− A8 - Year: 2012, Attack point: M1

Chinese hackers are accused of a targeted attack

against the Danish Maritime Authority, in which

documents and information regarding network

topology were stolen. The attack was initiated via

email, through a virus infected PDF attachment.

Sources: [20, 38].

− A9 - Year: 2013, Attack point: S1

Crew onboard a drilling rig in the Gulf of Mexico

accidentally connect virus infected PCs and USB

devices to a local network on the rig. This enables

the virus to infect the network and disturb the

communication between the dynamic positioning

system and the thrusters. As a result, drilling

operation is halted. Sources: [5, 35, 51].

− A10 - Year: 2014, Attack point: P1

Hackers intercept and alter emails with account

numbers for money transfers, causing severe

financial losses. The attacks target transactions

between shipping lines and bunker suppliers and

between shipping lines and shipyards. Source:

[20].

− A11 - Year: 2012-2014, Attack point: S4

A report from Windward [82] shows that between

2012 and 2014, 1% of all ships provide fake

identification information (IMO numbers) in their

AIS transmissions. In addition, more than 25% of

vessels disable their AIS ("going dark") at least 10%

of the time. Such techniques are often used in

connection with smuggling, terrorism, human

trafficking, illegal fishing or military conflicts.

Source: [82]

− A12 - Year: 2016, Attack point: S6

In South Korea, 280 ships have to return to port

after experiencing problems with their navigation

systems. North Korea has been blamed for the

incident, but evidence is lacking. Source: [55].

− A13 - Year: 2014-2017, Attack point: S4

An analysis from the Norwegian Coastal

Administration on historical AIS data from 2014-

2017 shows that civilian Russian vessels perform

523

regular stops along the Norwegian coast, which

are not natural for their primary objectives. These

irregularities tend to coincide in time and space

with NATO operations, training or drills, and

there is reason to suspect that the behavior of these

vessels is linked to electronic espionage. Similar

activity has been observed in the South China Sea

and in the Black Sea. Sources: [62, 79].

− A14 - Year: 2017, Attack point: P3

British ship broker Clarksons is hacked and the

attackers demand a ransom for stolen data. Some

sensitive information was stolen and the stock

value decreased by 5% immediately after the

incident (some sources claim a smaller stock value

reduction). Sources: [3, 16, 51, 55].

− A15 - Year:2017, Attack point: P1

Shipping giant Maersk's operations are severely

crippled by the NotPetya ransomware, which was

spread via an update patch for the tax accounting

software MeDoc (widely used among tax

accountants in Ukraine). The virus exploits

vulnerabilities in Microsoft Windows and is based

on EternalBlue; a cyber attack software developed

by US NSA. The incident is seen as the most

devastating cyber attack in history, causing

problems for almost one fifth of global shipping

operations, including 76 ports. Maersk has

estimated their economic losses to near 300 million

USD in the form of reduced income as a result of

the incident. More than 4000 servers, 45 000 PCs

and 2500 applications had to be reinstalled.

Sources: [15, 28, 46, 51, 68].

− A16 - Year: 2017, Attack point: S6

At least 20 ships in the Black Sea near

Novorossiysk reported that their navigation

systems were showing a position which was 32 km

away from their actual positions. These

observations were likely caused by GNSS

spoofing. Source: [55].

− A17 - Year: 2018, Attack point: S6

A ship is exposed to GPS spoofing in the Black Sea

(in the same area as the incident above). The ship is

at sea, but the geolocation system onboard claims

that the ship is on land. During the course of 3

days this happens 4 times, with a duration of up to

30 minutes. Source: [75].

− A18 - Year: 2018, Attack point: P3

Chinese hackers are accused of stealing

information from subcontractors of the US Navy.

In addition, it is presumed that 27 American

universities have been attacked, in an attempt to

steal research data related to maritime technology.

Sources: [43, 76].

− A19 - Year: 2018, Attack point: H4

Port of Barcelona reports a cyber attack, which

turns out to be an infection of the Ryuk

ransomware. The infection only affected internal

IT systems, and not ship traffic. Sources: [17, 59].

− A20 - Year: 2018, Attack point: H4

Port of San Diego reports severe disruptions in its

IT systems. This is another Ryuk ransomware

infection, and the consequences are limited to local

functions at the port. The incident occurred only 5

days after the above event in Barcelona, but it is

unclear whether these events were related.

Sources: [17, 59].

− A21 - Year: 2018, Attack point: P2

Iranian hackers are blamed for stealing ship

designs and information about personnel from the

Australian shipbuilder Austal. Austal delivers

naval vessels to both Australia and the US. The

stolen information was later offered for sale on the

dark web. The hackers also attempted to extort

money from Austal. Source: [58].

− A22 - Year: 2017-2018, Attack point: P1

A Nigerian hacker group nicked "Gold Galleon"

allegedly stole hundreds of thousands USD

through compromising and spoofing business

emails in maritime shipping businesses. The

hackers have mainly targeted Japanese and South

Korean companies, but companies from other

countries have also been attacked. Sources: [58, 63].

− A23 - Year: 2018, Attack point: P1

COSCO Shipping Lines were hit by a cyber attack

which caused severe disruptions in their US office

networks. Email and network telephone

communication was unavailable for 5 days.

According to internal emails, the incident was a

ransomware infection. Sources: [15, 32].

− A24 - Year: 2018, Attack point: P3

Italian oilfield services company Saipem detects a

cyber attack against their Middle East servers.

About 400 servers were hit in the attack, and the

servers in Saudi Arabia and UAE were hit

especially hard. The company had backups of the

affected data, thereby avoiding permanent loss of

data. No data was believed stolen. Source: [48].

− A25 - Year: 2019, Attack point: S1

A large ship on its way to New York gets its

onboard control system network infected with

malware, resulting in limited functionality. Source:

[41].

− A26 - Year: 2018-2019, Attack point: S6

GPS jamming is observed on multiple occasions

through 2018-2019 in northern Norway. The

disruption has infected marine traffic to some

extent, but severe consequences were fortunately

avoided. Source: [53].

− A27 - Year: 2019, Attack point: H3

An undisclosed American port is infected by the

Ryuk ransomware. The infection came through a

phishing email attachment and caused CCTV

cameras, access control systems and critical process

monitoring to become unavailable. Source: [17].

− A28 - Year: 2019, Attack point: P3

British marine services provider James Fisher and

Sons is infected by ransomware and is forced to

shut down its digital systems. Share value drops

7% after the incident. Source: [25].

− A29 - Year: 2019, Attack point: S1

A natural gas compression facility at an

undisclosed US pipeline operator is infected with

ransomware (presumably Ryuk) and has to shut

down for two days. The attack came via phishing

email and impacted both IT and OT systems.

Sources: [12, 21].

− A30 - Year: 2019, Attack point: S2

A tanker near the port of Naantali in Finland gets

its administration server infected by ransomware.

The backup disk is also wiped. Remote Desktop

Protocol (RDP), a USB device or an email

attachment are identified as probable attack

vectors. The same vessel is infected again 4 months

later near the same port. Source: [75].

− A31 - Year: 2019, Attack point: S2

Two ships with the same owner are infected by the

524

ransomware Hermes 2.1. The infection came as a

macro-enabled Word document attached to an

email, and multiple workstations on the

administrative networks were affected. Source:

[75].

− A32 - Year: 2020, Attack point: S2

A vessel anchored near Tynemouth, UK, has its

ship server and multiple PC clients infected with

the Ryuk ransomware. Two specialists from the IT

service provider were sent onboard and found that

all data were encrypted and lost. A full reinstall

was necessary to restore the systems. Source: [75].

− A33 - Year: 2020, Attack point: S2

Three ships sailing under American flag have their

administrative systems infected by the

ransomware Sodinokibi. This virus also threatens

to leak information ("ransomtheft"), in addition to

encrypting data. Source: [75].

− A34 - Year: 2020, Attack point: P1

The shipping company MSC falls victim to a

ransomware virus and their headquarters in

Geneva are shut down for five days. Sources: [30,

46].

− A35 - Year: 2020, Attack point: H3

Israel is blamed for hacking the Iranian port of

Shahid Rajaee, causing all transportation and flow

of goods to halt for a long time. The attack is

claimed to have been retaliation after an attack on

an Israeli water distribution system. Sources: [30,

80].

− A36 - Year: 2020, Attack point: P2

Norwegian shipbuilder Vard is hit by a

ransomware attack which causes severe

operational disruption. Many of the employees are

informed that the disruptions may lead to

temporary job loss because of halted shipbuilding.

Source: [26, 61].

− A37 - Year: 2019-2020, Attack point: P1

Cruise operator Carnival Corporation & plc is hit

by ransomware virus twice in two years, and

personal information and credit card details for

customers and employees have likely been stolen.

Details regarding the type of virus and attack

vector have not been made public, but the

company states that they may receive

compensation claims from the affected parties.

Source: [44].

− A38 - Year: 2020, Attack point: M1

Transport Malta (Maltese transport authority)

suffers a cyber attack that shuts down its online

systems for five days. Sources: [1, 7].

− A39 - Year: 2020, Attack point: P1

Greek shipping company Diana Shipping falls

victim to the Egregor ransomware. Little

information is known about this incident. Source:

[4, 40].

− A40 - Year: 2020, Attack point: P1

The French container carrier company CMA CGM

is hit by the Ragnar Locker ransomware. Several of

its Chinese offices were affected, and some of its

online services had to be shut down, including

online booking. Source: [19, 67].

− A41 - Year: 2020, Attack point: M1

UN shipping agency IMO has its website and

intranet disabled by a cyber attack. To prevent

further damage, several other key systems are shut

down. The attack is described as "sophisticated",

further details have not been provided. Sources:

[36, 54].

− A42 - Year: 2020, Attack point: P1

British ferry firm Red Funnel is hit by a cyber

attack, causing severe disruption in their IT

systems. Among other things, the booking systems

were unavailable for several days, forcing

customers to arrive well in advance of sailings to

buy tickets on-site. Sources: [9, 72].

− A43 - Year: 2020, Attack point: P1

US transportation and shipping company Matson

reports system outage due to a cyber attack. The

attack does not stop cargo operations, but some

transactions are delayed since affected functions

need to be replaced by manual processes. Source:

[49].

− A44 - Year: 2020, Attack point: H4

Port of Kennewick has its IT systems crippled by

ransomware. The hackers demanded a ransom of

200 000 USD, which was not paid. Systems were

unavailable for several days, as they had to be

reestablished from offline backups. Sources: [14,

47].

− A45 - Year: 2020, Attack point: P1

Norwegian cruise operator Hurtigruten suffers a

severe ransomware attack, which has a severe

impact on its IT infrastructure. Multiple key

systems are unavailable for several days. Passenger

data, such as passport information, were exposed

and might have been stolen. Sources: [10, 45, 60].

− A46 - Year: 2020, Attack point: P1

German cruise operator AIDA has its headquarters

in Rostock hit by DoppelPaymer ransomware. The

attack causes severe IT issues, forcing AIDA to

cancel several cruises. Source: [77].

6 CYBER THREAT CATEGORIZATION

A threat is the potential cause of an unwanted

incident, which can result in harm [33]. Based on the

known incidents and related work, we have

established a Top-10 list of maritime cyber threats.

The categories are defined by similar characteristics

among the incidents and are ranked based on

frequency and severity. For each category we have

described typical attack vectors and targets. Some

incidents have been associated to more than one

category, which is natural for attacks that consists of

several stages and can affect more than one target.

Hence, the categories are not mutually exclusive and

can overlap for a single incident.

6.1 Exposed shipping company/carrier IT-systems

The IT-systems of shipping companies and carriers

have had a burst of associated cyber incidents in the

last year and can be linked to 25% of the total

incidents for the last decade. We register that the most

common attack vector is ransomware, usually in the

form of email attachments or links. Just as in many

other sectors, there is an increasing trend of

ransomtheft viruses, that combine outages and

information theft. There are also many examples of

economic fraud from social engineering attacks.

525

Incidents: A2, A5, A10, A15, A22, A23, A34, A37,

A39, A40, A42, A43, A45, A46

6.2 Exposed IT-systems belonging to sub-contractors,

shipyards, on-shore installations, service providers,

regulators and research facilities

The IT- and administrative systems of various onshore

stakeholders supporting maritime operations have a

similar threat picture as shipping companies.

The incidents typically involve theft of business-

critical information, as well as more random cases of

extortion. From the incidents we see that social

manipulation, hacking and ransomware are

commonly used attack vectors.

Incidents: A8, A14, A18, A21, A24, A28, A29, A36,

A38, A41

6.3 Exposed port IT-systems

Ports have been popular targets and have a reputation

of being poorly protected against cyber attacks.

Outages are expensive, which makes them attractive

for extortionists. Furthermore, information theft and

manipulation have been used for smuggling

operations. Some incidents only report that the port

has been "hacked", and in conflict areas we can

suspect that state-sponsored actors/cyber warriors are

to blame.

Incidents: A3, A7, A15, A19, A20, A27, A35, A44

6.4 Espionage on maritime operations

In this category we find incidents characterized by

extensive and targeted attacks related to espionage,

tapping and surveillance of maritime operations.

Mentioned attack vectors tend to be spear-phishing or

general hacking, as well as communication tapping.

Incidents: A4, A7, A8, A13, A18, A21

6.5 Exposed IT- systems onboard ships/offshore

installations

There have been several incidents where IT systems

onboard ships have been struck by ransomware, but

we suspect that these have been more coincidental

than targeted. Typical attack vectors have been email

attachments and links, and ship servers and clients

have been rendered useless. There has been limited

forensic evidence left afterwards as all data are

usually wiped clean.

Incidents: A30, A31, A32, A33

6.6 Manipulation of GNSS-signals used by ships

This category is mainly related to jamming or

spoofing of GPS/GNSS-signals that ships use for

navigational purposes. State-sponsored actors tend to

be put under suspicion for these events, and the

consequences have been more of a disturbing than

critical nature. This kind of threat typically manifests

itself in geopolitical conflict areas, such as the Black

Sea.

Incidents: A12, A16, A17, A26

6.7 Exposed OT-systems onboard ships/offshore

installations

OT-systems are usually separated from other systems

and have therefore been less exposed. Still, we can

find examples of such incidents and the consequences

have been critical. The attacks have typically entered

the system via infected USB units or computers

unintentionally connected to the wrong network.

Examples of such systems are ECDIS (during map

updates) and propulsion control systems.

Incidents: A1, A9, A25, A29

6.8 Exposed communication systems

There have been a few examples of attacks against

communications systems for land-based operations

and offshore installations. Ship communications have

not been so much affected, however, with many

different and necessary communication systems

onboard, they are still potential victims. The incidents

show that the consequences tend to be loss of

availability caused by generic hacking or ransomware.

Incidents: A5, A6, A13, A23

6.9 Economic fraud

These incidents tend to be caused by targeted and

specialized attacks, where counterfeit emails or

hacked user accounts are used as attack vectors to

initiate or manipulate economic transactions. For

instance, account information is altered, or fake

invoices are sent.

Incidents: A10, A22

6.10 Misuse of AIS and positioning data

There are several known events where AIS-systems

onboard ships have been unlawfully manipulated or

deactivated. These are usually related to smuggling

operations, trafficking