Background
The maritime ecosystem is under a growing cyber security threat, driven by the financial incentives of cyber crime actors, whether opportunistic (less capable attackers looking for opportunities) or advanced, as well as by state-level threats targeting it as central critical infrastructure.
Disruptions in maritime activity can cause significant harm to basic human needs, national interests, and economic prospects. One of the challenges in this sector is the need for interoperability and global connectivity, bringing together activities of various players: global, national, commercial, and private entities.
Sea ports, as inevitable bottlenecks between continental and maritime domains, are critical hubs where business and operational continuity must be assured. The cyber security of sea ports is, therefore, both vital and challenging.
This paper surveys open-source data on cyber incidents and vulnerabilities at sea ports to draw conclusions about their cyber security.
Disclaimer: Gaps exist between published open-source data and the actual cyber security maturity of individual sea ports, which necessitates internal scanning to fully understand their cyber security status.
This publication is part of the TrendMicro - Rescana MaritimeOne project designed to develop specific cyber security solutions for sea ports.
Main Takeaways & Recommendations
Takeaway 1
The primary threat to sea ports comes from criminal Advanced Persistent Threats (APTs), launching combined data leakage and ransomware attacks. State actors are also prominent, aiming to disrupt port operations and send strategic messages.
Recommendation: Sea port cyber security must be vigilant against criminal attacks—both opportunistic and advanced actors—as these are more widespread. However, state actors pose a greater potential for physical damage, and their attacks should not be overlooked.
Takeaway 2
There is significant variance in cyber security maturity across sea ports, as seen in the differences in disruption scale and recovery time. Ports that have experienced attacks often have higher risk scores, contrary to intuition.
Recommendation: Cyber security maturity is influenced by local factors like regulations, management proactivity, expertise, and national guidance. These efforts must be enhanced to elevate the overall security of ports.
Takeaway 3
The main cyber threat profile (CTP) scenarios for sea ports include:
Disruption of facility access (e.g., Gate Operating Systems - GOS)
Terminal activity disruptions (e.g., Terminal Operating Systems - TOS)
Blocking or manipulating operational technology (OT) systems
Data leaks from sea port headquarters
Hazardous ship maneuvers caused by compromising PNT (Positioning, Navigation, Timing) systems.
Recommendation: Sea port cyber security should be comprehensive, covering GOS, TOS, organizational IT, OT systems, and vessels' PNT reliance in port vicinity.
Takeaway 4
Ransomware is the leading attack type in the maritime sector, perpetrated by criminal actors. It is expected to remain dominant, though other attack vectors, such as politically motivated attacks by state actors, account for around 70% of incidents.
Recommendation: While ransomware should be the highest priority, mitigation efforts should address other attack types, requiring a tailored threat analysis of the port and its ecosystem.
Takeaway 5
Key gaps in sea port cyber security include:
Emails: Phishing remains a major vulnerability due to a lack of cybersecurity awareness.
Patch Management: Unpatched vulnerabilities in internet-facing systems and OT devices.
Identity Management: Multi-Factor Authentication (MFA) and strong password policies are often absent.
Access Management: Lack of Least Privilege enforcement and privileged account management.
Endpoint Security: Many ports lack Endpoint Detection and Response (EDR) capabilities.
Third-Party Connectivity: Major attacks often originate through third-party suppliers.
Network Segmentation: Essential to mitigate cyber attacks.
DDoS Readiness: Risk scores indicate weak protection against DDoS attacks.
Recommendation: Comprehensive cyber security processes (‘Cyber Hygiene’) and integrated security solutions like MaritimeOne should be prioritized to address these critical gaps.
Takeaway 6
The rapid evolution of IT and OT technologies is expanding the cyber threat landscape. Predicted future trends include:
OT technology becoming a target
Expanding attack surface due to smart port technologies and IoT
Malicious actors leveraging AI capabilities for enhanced attacks.
Recommendation: Sea port cyber security strategies must anticipate these evolving threats and adjust their responses accordingly.
Sea Port Cyber Incidents
Since early 2021, 28 reported cyber attacks have targeted sea ports, including 19 DDoS attacks, primarily perpetrated by Russian groups in retaliation against countries supporting Ukraine. Additional attacks targeted oil terminals and shipyards.
Insights:
DDoS attacks aimed to disrupt port websites, and their duration varied with the port's mitigation capabilities.
Ransomware remains a prevalent threat to ports, while no major OT disruption attack has been publicly reported.
Cyber security capabilities significantly influence the scale of attack disruptions.
Cyber Security Incident Analysis
Public reports and national-level resources (USCG, CISA, ENISA) provide aggregated insights into maritime cyber incidents, confirming ransomware and phishing as top attack vectors.
Insights:
60% of attacks are financially motivated, with ransomware rising 80% between 2022 and 2023.
Inadequate cybersecurity procedures, such as weak patch management and lack of MFA, are primary causes of cyber attacks.
Open Source Cyber Security Analysis
Using Rescana’s open-source scanning tool, we analyzed 20 sea ports globally, finding a general cyber security maturity score of 32, but with high variance. Ports that experienced cyber attacks had higher risk scores (40), indicating persistent security gaps.
Insights:
Local factors like regulation, management, and national guidance play a crucial role in determining a port’s cyber security maturity.
High-risk areas include email security, DDoS readiness, and unpatched vulnerabilities.
Conclusion
Sea ports are increasingly vulnerable to cyber attacks from state actors and criminal APTs, and future life-threatening and disruptive attacks are imminent. Though the aggregated cyber security maturity of sea ports is currently adequate, the large variance between ports highlights the need for individualized assessments and improvements.
Comprehensive cyber security processes and solutions like MaritimeOne are essential to address these evolving threats.