Industrial Software Insider

Maritime OT Security Goes Global as Satellite-Linked Ports Expand Cross-Border Cyber Threats

Maritime cyber incidents surged 103% in 2025 as satellite-linked OT systems expand attack surfaces. Analysis of key incidents, IACS UR E26/E27 compliance, and defense architecture.

Maritime cyber incidents surged 103% in 2025, rising from 408 recorded events in 2024 to 828, with attacks no longer confined to corporate IT networks but actively targeting the operational technology (OT) systems that control vessels and ports. The driver behind this acceleration is not simply the arrival of more capable threat actors. It is the rapid adoption of satellite connectivity, which has dissolved the physical isolation that once served as a de facto security boundary for shipboard OT and industrial control systems (ICS).

As carriers, port authorities, and container lines accelerate VSAT deployments to support real-time logistics, predictive maintenance, and remote fleet management, the attack surface has expanded across multiple jurisdictions at once, creating attribution challenges and incident response gaps that no single operator can resolve alone.


Satellite Connectivity: From Operational Asset to Primary Attack Vector

According to CYTUR's 2026 Maritime Cyber Threat White Paper, the rapid adoption of higher-bandwidth satellite communications has expanded the available attack surface, making it easier for attackers to inject fabricated commands or forge vessel data. This is a structural shift in maritime OT risk: a link once throttled by bandwidth constraints now delivers a persistent, high-speed path directly to shipboard control networks.

As vessels grow more reliant on VSAT links for real-time monitoring, predictive maintenance, and fleet management, the communication infrastructure itself has become a primary target. Weaknesses in satellite communication management software, which a provider typically operates for many customer vessels at once, become a single point of failure that lets an attacker disrupt communications across multiple vessels simultaneously.

Several publicly known vulnerabilities compound this exposure. Three flaws, CVE-2022-22707, CVE-2019-11072, and CVE-2018-19052, affect Cobham SAILOR 900 VSAT terminals and can be used to compromise satellite communications at sea. All three are defects in the lighttpd web server behind the terminal's management interface rather than in the RF hardware, so the practical exposure is a network-reachable management plane. These legacy vulnerabilities remain unpatched across large segments of the in-service fleet, illustrating the persistent lag between vulnerability disclosure and maritime remediation cycles.

The VSAT Supply Chain Attack: A Case Study

In two separate waves, in March and August 2025, the threat group Lab Dookhtegan targeted VSAT systems aboard Iranian vessels, paralyzing communications on approximately 180 ships and cutting off ship-to-shore operational reporting. The attackers exploited weak credential management and outdated firmware to reach the terminals through the supply chain, ultimately destroying system components and severing the links between ships and onshore facilities.

The tactic of disabling an entire fleet by compromising a single satellite provider, as in the Lab Dookhtegan case, is likely to become more common. Rather than attacking individual vessels, threat actors are shifting toward concentration points (satellite providers, OEM equipment manufacturers, and telecommunications infrastructure) where one compromise cascades across entire fleets.


GPS Spoofing and the Physical Consequences of OT Compromise

Satellite-linked threats extend beyond VSAT. GPS and GNSS spoofing has evolved from an intelligence-collection nuisance into a mechanism capable of causing physical maritime accidents. The grounding of the MSC Antonia in the Red Sea in May 2025 underscored the severity of this threat; more than 1,000 vessels per day were reportedly affected by signal interference in the region at the time.

These attacks manipulate a vessel's navigation systems into showing the ship inside a particular state's territorial waters even when it is navigating in international waters, a tactic used to manufacture a pretext for forcibly stopping or seizing the vessel.

Compromised OT systems can manipulate chart data, distort positioning information, or interfere with propulsion and stability controls, scenarios that move beyond financial loss into physical maritime risk. Civil GPS signals carry no authentication, and an ECDIS trusts the position sentences its receiver hands it, so a spoofed fix propagates straight onto the chart and into any track-control or autopilot function fed from it. At the OT level, a GPS spoofing campaign against an Electronic Chart Display and Information System (ECDIS) is therefore not merely a navigation event; it is a potential cyber-physical safety incident.
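As an added illustration (not code from the article, from CYTUR, or from any ECDIS or receiver vendor), the following Python script shows the kind of plausibility check a bridge-side monitor can run on the raw NMEA feed to catch a crude spoof. It validates the NMEA checksum, parses RMC fixes, derives speed over ground from consecutive positions, and flags a fix when that implied speed exceeds what the hull can physically do or disagrees with the receiver's own reported SOG. The sentences, the 30 kn hull ceiling and the 5 kn tolerance are constructed assumptions for the example.

```python
"""GNSS spoofing plausibility check over NMEA RMC sentences.

Added example (not code from the article, an ECDIS vendor, or a receiver
vendor). Validates the NMEA checksum, parses RMC fixes, derives speed over
ground from consecutive positions, and flags a fix whose implied speed exceeds
the hull limit or disagrees with the receiver's own reported SOG.
"""
import math

EARTH_RADIUS_M = 6_371_000.0
MAX_HULL_SPEED_KN = 30.0    # assumed ceiling for the hull in question
SOG_TOLERANCE_KN = 5.0      # assumed gap tolerated between reported and derived SOG
MS_TO_KN = 1.943844

def nmea_checksum(body: str) -> str:
    """XOR of every byte between '$' and '*', as two upper-case hex digits."""
    c = 0
    for ch in body:
        c ^= ord(ch)
    return f"{c:02X}"

def frame(body: str) -> str:
    return f"${body}*{nmea_checksum(body)}"

def checksum_ok(sentence: str) -> bool:
    if not sentence.startswith("$") or "*" not in sentence:
        return False
    body, given = sentence[1:].split("*", 1)
    return nmea_checksum(body) == given[:2].upper()

def dm_to_deg(value: str, hemi: str) -> float:
    """NMEA lat is ddmm.mmmm, lon is dddmm.mmmm; minutes start two chars left of the dot."""
    dot = value.index(".")
    deg = float(value[:dot - 2]) + float(value[dot - 2:]) / 60.0
    return -deg if hemi in ("S", "W") else deg

def parse_rmc(sentence: str):
    """Return (seconds_since_midnight, lat, lon, sog_kn), or None if unusable."""
    if not checksum_ok(sentence):
        return None
    f = sentence[1:].split("*", 1)[0].split(",")
    if not f[0].endswith("RMC") or f[2] != "A":   # 'A' = valid fix, 'V' = receiver warning
        return None
    t = int(f[1][0:2]) * 3600 + int(f[1][2:4]) * 60 + float(f[1][4:])  # no midnight rollover handling
    return t, dm_to_deg(f[3], f[4]), dm_to_deg(f[5], f[6]), float(f[7])

def haversine_m(lat1, lon1, lat2, lon2) -> float:
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

def derived_speed_kn(prev, cur) -> float:
    """prev/cur are (t, lat, lon); speed implied by the position change between them."""
    return haversine_m(prev[1], prev[2], cur[1], cur[2]) / (cur[0] - prev[0]) * MS_TO_KN

def check_fixes(sentences, max_hull_kn=MAX_HULL_SPEED_KN, sog_tol_kn=SOG_TOLERANCE_KN):
    """Return [(index, reason)] with reason in {'rejected', 'jump', 'sog_mismatch'}."""
    alerts, prev = [], None
    for i, s in enumerate(sentences):
        fix = parse_rmc(s)
        if fix is None:
            alerts.append((i, "rejected"))
            continue
        t, lat, lon, sog = fix
        if prev is not None and t > prev[0]:
            derived = derived_speed_kn(prev, (t, lat, lon))
            if derived > max_hull_kn:
                alerts.append((i, "jump"))
            elif abs(derived - sog) > sog_tol_kn:
                alerts.append((i, "sog_mismatch"))
        prev = (t, lat, lon)
    return alerts

# Constructed feed: a ship making 12 kn on 330 deg in the Red Sea, then a spoofed
# 25 km jump, a spoofed track that continues plausibly, a SOG mismatch, and a
# sentence corrupted in transit. Not captured traffic.
SAMPLE = [
    frame("GPRMC,120000,A,2130.000,N,03850.000,E,12.0,330.0,120525,,"),
    frame("GPRMC,120010,A,2130.029,N,03849.982,E,12.0,330.0,120525,,"),
    frame("GPRMC,120020,A,2140.000,N,03840.000,E,12.0,330.0,120525,,"),   # jump
    frame("GPRMC,120030,A,2140.029,N,03839.982,E,12.0,330.0,120525,,"),   # passes
    frame("GPRMC,120040,A,2140.058,N,03839.964,E,22.0,330.0,120525,,"),   # SOG mismatch
    frame("GPRMC,120050,A,2140.087,N,03839.946,E,12.0,330.0,120525,,").replace("120050", "120051"),
]

if __name__ == "__main__":
    for i, reason in check_fixes(SAMPLE):
        print(f"fix {i}: {reason}: {SAMPLE[i]}")
```

This catches a jump, not a slow pull: the fourth and fifth fixes continue from the spoofed position at a believable 12 kn and pass, which is why a check like this belongs alongside radar overlay and an authenticated second constellation rather than in place of them.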


The Cross-Border Attribution and Response Problem

The maritime sector's global operating model creates a fundamental governance gap. A vessel flying one country's flag, transiting a second country's territorial waters, calling at a port in a third country, and relying on a satellite provider registered in a fourth country can experience a cyberattack originating in a fifth jurisdiction entirely.

Regulatory variability and fragmented international cooperation continue to hinder coordinated responses to cross-border threats. Implementation of standards from the IMO, IACS, and NIST, though essential, often runs into practical barriers: technology heterogeneity, legacy system constraints, and jurisdictional ambiguity.

Enhanced information-sharing mechanisms among maritime authorities, intelligence agencies, and cybersecurity entities would significantly improve attribution capabilities and strengthen enforcement outcomes. Standardized protocols for cross-border digital evidence collection and preservation would help overcome the jurisdictional barriers that currently impede effective responses to maritime cyber threats.

At the port level, maritime port cybersecurity requires immediate policy intervention to establish sector-specific intelligence-sharing networks, coordination mechanisms, and resilience standards. The NATO CCDCOE's 2025 survey of maritime port infrastructure found that nearly all surveyed countries had experienced cyberattacks within the past five years, with access control systems and vessel traffic management systems among the most frequently targeted assets.


The Regulatory Landscape: Convergence Under Pressure

Regulatory frameworks are converging, but at different speeds across jurisdictions, creating compliance fragmentation that mirrors the operational threat landscape.

IACS UR E26 & E27 - Compliance in Force: IACS Unified Requirements UR E26 (Cyber Resilience of Ships) and UR E27 (Cyber Resilience of On-Board Systems and Equipment) are mandatory for vessels with construction contracts signed on or after July 1, 2024. CYTUR calls 2026 the "first year of practical verification," as compliance shifts from design-stage documentation to operational enforcement. The rules require cybersecurity safeguards to be built in at the ship design and construction stage, and vessels contracted after July 2024 are now approaching delivery, meaning compliance will be tested during sea trials and classification inspections.

USCG Final Rule: The United States Coast Guard issued a final rule, Cybersecurity in the Marine Transportation System, setting cyber standards for U.S.-flagged vessels and MTSA-regulated facilities, including ports. It took effect in July 2025, a direct response to a pattern of cyberattacks on port systems.

IMO Guidelines Revision: On 4 April 2025, the IMO published an updated version of its Guidelines on Maritime Cyber Risk Management (MSC-FAL.1/Circ.3/Rev.3), intended to assist commercial shipping in addressing cyber risk and protecting vessels from cyberattack.

EU NIS2: Maritime operators with EU exposure must also prepare to align with the NIS2 Directive to meet rising expectations for cyber resilience and accountability.

As requirements such as IACS UR E26 and E27 become fully enforceable, vessels and equipment manufacturers that fail to meet certification standards may face consequences including loss of class certification, and with it the ability to sail, or denial of port entry.


What the Incident Data Reveals About Shipboard OT Exposure

The attack surface is not uniform across the vessel. Maritime OT spans several layers: the bridge, where propulsion, engine, and steering orders are issued; the engine room, where the machinery itself is controlled; and mid-level systems, including SCADA for cargo operations, that monitor pressure, ballast tank levels, and other specialized maritime functions. IIoT devices are present at every level, enabling real-time monitoring but enlarging the attack surface.

Key incident patterns from 2025 data:

Attack type                           | Primary OT target               | Entry vector
VSAT supply chain compromise          | Ship-to-shore communications    | Satellite provider / firmware
GPS/GNSS spoofing                     | ECDIS navigation systems        | Unauthenticated signal broadcast
Remote Access Trojan (RAT)            | Bridge workstations             | Insider / USB media
Terminal Operating System ransomware  | Port cargo handling systems     | Network edge devices
IT-to-OT lateral movement             | Propulsion & engineering SCADA  | Converged IT/OT network

OT protection remains largely neglected, but a series of high-profile incidents in 2025 has raised awareness, prompting more maritime companies to adopt stricter OT controls. Network edge devices (routers, firewalls, VPN concentrators, and remote-access tools) remain the most frequently exploited entry points.

This aligns with observations across the broader industrial sector: as covered in rising ICS incident trends driving intelligence-led OT security strategies, threat actors consistently exploit the boundary between IT management networks and OT control systems. In maritime environments, the satellite communications gateway is the highest-risk convergence point, the digital equivalent of a ship's gangway left unguarded.
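To make the fleet-level point behind the first table row concrete, the following Python example (added here; not from the article, CYTUR, or any satcom provider) correlates VSAT terminal telemetry across vessels. It treats a single vessel dropping its link as noise and raises an alert only when several distinct vessels lose their terminals inside one window, and it separately flags any terminal reporting a firmware build that is not on the fleet's approved manifest. The JSON event lines, the field names, the IMO numbers, the "sailor900" terminal label, and the approved-version manifest are all constructed for the example.

```python
"""Fleet-level VSAT telemetry correlation.

Added example (not from the article or any vendor). Constructed JSON-lines
telemetry from five vessels is scanned for two signals a single-ship view
cannot give: several vessels losing their satellite terminal within one
window, and a terminal running firmware that is not on the approved manifest.
"""
import json
from datetime import datetime, timedelta, timezone

# Assumed manifest: approved firmware builds per terminal model.
APPROVED_FIRMWARE = {"sailor900": {"3.12.1", "3.12.2"}}

# Constructed telemetry; not real vessels or real logs.
EVENTS = """\
{"ts":"2025-08-09T22:40:00Z","vessel":"IMO9000005","terminal":"sailor900","event":"link_down","fw":"3.12.2"}
{"ts":"2025-08-09T22:55:00Z","vessel":"IMO9000005","terminal":"sailor900","event":"link_up","fw":"3.12.2"}
{"ts":"2025-08-10T01:58:00Z","vessel":"IMO9000002","terminal":"sailor900","event":"heartbeat","fw":"3.11.9-custom"}
{"ts":"2025-08-10T02:00:00Z","vessel":"IMO9000001","terminal":"sailor900","event":"link_down","fw":"3.12.2"}
{"ts":"2025-08-10T02:01:30Z","vessel":"IMO9000002","terminal":"sailor900","event":"link_down","fw":"3.11.9-custom"}
{"ts":"2025-08-10T02:04:00Z","vessel":"IMO9000003","terminal":"sailor900","event":"link_down","fw":"3.12.1"}
{"ts":"2025-08-10T02:06:00Z","vessel":"IMO9000004","terminal":"sailor900","event":"link_down","fw":"3.12.2"}
{"ts":"2025-08-10T02:06:30Z","vessel":"IMO9000001","terminal":"sailor900","event":"link_down","fw":"3.12.2"}
""".strip().splitlines()

def parse_events(lines):
    """Parse JSON lines, convert the timestamp to an aware datetime, sort by time."""
    out = []
    for line in lines:
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        out.append(e)
    return sorted(out, key=lambda e: e["ts"])

def fleet_outages(events, window=timedelta(minutes=10), min_vessels=3):
    """Group link_down events into time windows; return [(window_start, sorted vessels)]
    for windows in which at least min_vessels distinct vessels dropped their link."""
    downs = [e for e in events if e["event"] == "link_down"]
    clusters, current, start = [], set(), None
    for e in downs:
        if start is None or e["ts"] - start > window:
            if len(current) >= min_vessels:
                clusters.append((start, sorted(current)))
            current, start = set(), e["ts"]
        current.add(e["vessel"])  # a repeat from the same vessel counts once
    if len(current) >= min_vessels:
        clusters.append((start, sorted(current)))
    return clusters

def firmware_drift(events, approved=APPROVED_FIRMWARE):
    """Return [(vessel, fw)] for terminals whose latest reported build is not approved."""
    latest = {}
    for e in events:                      # events are time-ordered, so the last write wins
        latest[e["vessel"]] = (e["terminal"], e["fw"])
    return sorted((v, fw) for v, (model, fw) in latest.items()
                  if fw not in approved.get(model, set()))

if __name__ == "__main__":
    evs = parse_events(EVENTS)
    for start, vessels in fleet_outages(evs):
        print(f"FLEET OUTAGE from {start.isoformat()}: {len(vessels)} vessels {vessels}")
    for vessel, fw in firmware_drift(evs):
        print(f"FIRMWARE DRIFT on {vessel}: {fw} not in approved manifest")
```

The vessel that lost its link alone three hours earlier is ignored; the four that drop within six and a half minutes of each other produce one alert, and the terminal that had been reporting an unapproved build before the outage is called out separately. An unknown terminal model is treated as having no approved builds, so it is flagged rather than silently passed.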


A Multi-Layer Defense Architecture for Maritime OT

Addressing the satellite-expanded attack surface requires defense in depth across three domains: the vessel, the port, and the communications layer. The following steps reflect current industry guidance from IMO, BIMCO, IACS, and USCG frameworks.

1. Segment shipboard networks using zone-and-conduit architecture: Apply ISA/IEC 62443 segmentation to isolate navigation (ECDIS, AIS, GPS), propulsion and engine-room SCADA, cargo handling systems, and crew IT networks into separate security zones. Enforce a DMZ between the VSAT gateway and the OT zones so that no traffic passes from the satellite link to a control network except through an explicitly defined conduit. Preventing lateral movement from a compromised VSAT link to bridge control systems is the single most impactful segmentation control available.

2. Harden VSAT terminals and GPS receivers: Eliminate default credentials, enforce firmware patching schedules for VSAT management software, and audit supplier change-management processes. Deploy multi-constellation GNSS receivers with signal authentication where available (for example Galileo OSNMA). Maintain offline backup navigation capabilities, including radar fixes, dead reckoning, and backup chart systems, as a fallback during spoofing events. As discussed in OT network segmentation for visibility and risk containment, asset discovery must precede any effective segmentation program.

3. Build a maritime OT monitoring capability: Incident response must be tailored to maritime operations, with protocols that incorporate OT expertise, cross-functional response teams, and regular drills simulating ransomware and APT-style attacks. Protocol-aware sensors deployed at Purdue Model Levels 0-2 give early warning of anomalies in engineering and navigation systems before they escalate. Fleet-level telemetry, aggregated in a maritime-specific Security Operations Center (SOC), delivers the cross-vessel visibility required to detect supply-chain-style attacks that hit multiple ships at once: one vessel losing its VSAT link looks like weather, four vessels losing it within the same few minutes does not.

4. Pre-negotiate cross-jurisdictional response roles: Before an incident occurs, operators should establish documented notification agreements with flag-state maritime authorities, port-state control agencies, and the national CERTs relevant to their regular trade routes. Playbooks must specify who holds authority to declare an OT incident, who leads containment decisions, and what evidence-preservation obligations apply under each jurisdiction's law.

5. Apply zero-trust access controls: Access controls must eliminate default credentials, enforce multi-factor authentication, and implement privileged access management (PAM) for high-value systems. This applies equally to shore-based fleet managers connecting over satellite links and to vendor remote-access sessions for engine-room or cargo system maintenance.

6. Validate recovery assets before they are needed: Regular penetration testing, annual vulnerability assessments, and satellite communication audits are critical to maintaining resilience, particularly once human factors such as crew behavior and unauthorized device use are taken into account. Offline golden images, PLC configuration backups, and ECDIS chart archives kept in air-gapped storage must be validated through actual recovery drills, not assumed to work.
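Steps 1 and 5 come down to a conduit allow-list that can be checked mechanically. The Python example below (added here, not from the article or from the ISA/IEC 62443 documents) encodes an assumed shipboard zone map and the conduits permitted between zones, then evaluates constructed firewall flow records against it, so the same policy that configures the firewall can be replayed over its logs to find gaps. The address ranges, zone names, port numbers, and flow lines are assumptions for the example.

```python
"""Zone-and-conduit policy check over firewall flow records.

Added example (not from the article or from IEC 62443 itself). Encodes an
assumed shipboard zone map and the conduits allowed between zones, then
replays constructed flow records through it so that anything crossing a
zone boundary outside a defined conduit is reported.
"""
import ipaddress
import re

# Assumed addressing; every range here is an example, not a real ship.
ZONES = {
    "vsat_gw": ["10.0.0.0/29"],        # satellite terminal / gateway
    "dmz":     ["10.0.1.0/24"],        # shore relay, jump host, historian
    "nav":     ["10.10.0.0/24"],       # ECDIS, radar, AIS
    "engine":  ["10.20.0.0/24"],       # propulsion and engine-room SCADA / PLCs
    "cargo":   ["10.30.0.0/24"],       # cargo and ballast control
    "crew":    ["192.168.100.0/24"],   # crew welfare IT
}
ANY = "*"
# Conduits: (src_zone, dst_zone) -> allowed services. Traffic inside one zone is allowed;
# any zone pair missing here is denied, which is what puts the DMZ between VSAT and OT.
CONDUITS = {
    ("vsat_gw", "dmz"): ANY,
    ("dmz", "vsat_gw"): ANY,
    ("crew", "vsat_gw"): {"tcp/80", "tcp/443"},
    ("dmz", "nav"): {"tcp/8443"},      # chart/ENC update relay (assumed port)
    ("dmz", "engine"): {"tcp/22"},     # vendor session, only from the jump-host zone
    ("engine", "dmz"): {"tcp/8086"},   # historian push (assumed port)
    ("cargo", "dmz"): {"tcp/8086"},
}
_NETS = [(name, ipaddress.ip_network(c)) for name, cidrs in ZONES.items() for c in cidrs]

def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in _NETS:
        if addr in net:
            return name
    return "shore"   # anything not on a shipboard range is treated as external

def conduit_allows(src_zone: str, dst_zone: str, service: str) -> bool:
    if src_zone == dst_zone:
        return True
    allowed = CONDUITS.get((src_zone, dst_zone))
    return allowed is not None and (allowed == ANY or service in allowed)

_KV = re.compile(r"(\w+)=(\S+)")

def evaluate(flow_lines):
    """Return [(index, src_zone, dst_zone, service, allowed)] for each key=value flow record."""
    results = []
    for i, line in enumerate(flow_lines):
        f = dict(_KV.findall(line))
        service = f"{f['proto']}/{f['dport']}"
        s, d = zone_of(f["src"]), zone_of(f["dst"])
        results.append((i, s, d, service, conduit_allows(s, d, service)))
    return results

def violations(flow_lines):
    return [r for r in evaluate(flow_lines) if not r[-1]]

# Constructed flow records in a key=value style; not captured from any ship.
FLOWS = """\
src=10.0.0.2 dst=10.0.1.10 proto=tcp dport=8443
src=10.0.0.2 dst=10.10.0.5 proto=tcp dport=22
src=10.0.1.20 dst=10.20.0.7 proto=tcp dport=22
src=192.168.100.44 dst=10.20.0.7 proto=tcp dport=502
src=10.10.0.5 dst=10.10.0.9 proto=udp dport=10110
src=203.0.113.7 dst=10.20.0.7 proto=udp dport=161
src=10.20.0.7 dst=10.0.1.30 proto=tcp dport=8086
""".strip().splitlines()

if __name__ == "__main__":
    for i, s, d, svc, _ in violations(FLOWS):
        print(f"flow {i}: {s} -> {d} {svc} has no conduit: {FLOWS[i]}")
```

Three of the seven records fail: the VSAT gateway reaching an ECDIS host directly, a crew-network address opening Modbus to a PLC, and an external address polling SNMP on the engine-room network. The vendor SSH session passes only because it originates in the DMZ jump-host range; the same session from the crew network or straight from the satellite link would be reported.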


Outlook: Collaboration as a Security Control

The IMO Secretary-General highlighted that emerging technologies such as AI-driven surveillance and satellite monitoring systems provide tools to anticipate and deter threats, while underscoring that the digitalization of shipping and the move toward autonomous vessels increases the need for robust cybersecurity governance.

The industry bodies and shipping lines that have moved furthest on maritime OT security share one characteristic: they treat threat intelligence sharing as a security control, not a compliance exercise. Participation in BIMCO's Cyber Security Working Group, integration of Maritime Cyber Attack Database (MCAD) feeds into SIEM platforms, and bilateral information-sharing agreements with satellite providers and port authorities are increasingly cited by incident responders as the difference between rapid containment and extended disruption.

As Yong-hyun Cho, CEO of CYTUR, stated: "The incident data from 2024 and 2025 proves that maritime cybersecurity is no longer an 'option' but a matter directly linked to a vessel's 'right to operate.'"

For carriers, port operators, and satellite providers, the practical implication is clear: the cross-border nature of maritime operations demands cross-border security governance (standardized baselines, pre-agreed response authorities, and shared situational awareness), not as aspirational objectives but as operational prerequisites for vessels that transit multiple jurisdictions within a single voyage.