[Spotlight Post] Not Every Ship Is the Same Target: Cyber Risk by Type and Size
Not Every Ship Is the Same Target: Cyber Risk by Type and Size
Tankers, container ships, LNG carriers and cruise ships face different threats — and vessel size and automation reshape the attack surface. A read through the lens of geopolitics.
- LinkedIn : linkedin.com/in/abysstoinfinity
“Maritime cybersecurity” is often treated as one homogeneous problem — as if every ship were exposed to the same threat in the same way. But a 70,000-tonne bulk carrier, a 170,000-cubic-metre LNG carrier, a cruise ship with thousands aboard, and an ageing tanker moving sanctioned cargo are, from a cyber standpoint, completely different vessels. This article reads that difference along two axes — ship type and size & automation — through a single lens: geopolitics.
The scale of a cyber threat is not set by vulnerability alone. Roughly, it is set by vulnerability × target value. No matter how many holes a system has, without a reason to strike it is not a target; conversely, even a hardened system will draw a state-level actor if the target matters enough. Geopolitics is precisely the force that redefines that “target value.”
In fact, maritime cyber incidents in 2025 rose an estimated 103% year over year (CYTUR 2026 white paper; reported by Industrial Cyber and SAFETY4SEA), and much of that increase came not from ordinary crime but from events entangled with conflict, sanctions and energy security. One caveat before the numbers: maritime cyber incidents are structurally under-reported, so every figure here reflects a different compiler and baseline — read them as direction, not precision.
The same tanker earns a different threat rating depending on what it carries, for whom, and through which waters.
Axis 1 — The Threat Landscape by Ship Type
The Front Line of Sanctions
“Both the actor behind the deception, and the target of it.”
Crude and product tankers are today the ship type where geopolitical cyber risk is most concentrated, because the cargo itself is the object of sanctions. The so-called “shadow fleet” carrying sanctions-evading volumes for Russia, Iran and Venezuela uses AIS spoofing as a routine tool. Per CSIS (“Ghost Busters”), Russia's shadow fleet alone moves ~3.7 million barrels a day — about 65% of Russia's seaborne crude — generating an estimated $87–100 billion a year. Tellingly, ~72% of that fleet is over 15 years old and ~60% carries no insurance: the exact point where the “ageing, low-automation vessel” problem collides with geopolitics.
Where Energy Security Meets Physical Impact
“Geopolitical weight and destructive potential, in one hull.”
An LNG carrier's OT network uses equipment similar to an onshore regasification terminal, so it is exposed alongside those terminals to threats aimed at Industrial Control Systems (ICS). Classification society DNV has given LNG-carrier cybersecurity special attention, and the US Idaho National Laboratory (INL) analysed the LNG value chain (FSRUs, carriers, terminals) as a single attack surface. The existence of ICS/SCADA-targeting malware — INCONTROLLER (a.k.a. PIPEDREAM) — gave the concern substance, though it was disclosed as a toolset, not a confirmed attack on any specific LNG carrier. As Europe's substitute for Russian gas, LNG is a pivotal energy-map variable — and its transport chain a latent target for state-level sabotage.
The Target Is the Network, Not the Ship
“One ship's cyber risk, measured as a network effect.”
A single container ship's political meaning is thin; its target value lies in the logistics network and port systems it plugs into. When ransomware encrypts Terminal Operating Systems (TOS), cargo handling stops and the jam spreads into a global bottleneck. The emblem is Maersk's 2017 NotPetya infection — a $200–300M hit (Maersk Q2 2017 disclosure) across Maersk Line and APM Terminals.
From “Cargo” to “People & Data”
“A floating hotel and data centre — where safety meets security.”
Here the centre of target value shifts to thousands of passengers and their personal and payment data; the motive is mostly financial. Carnival Corporation suffered four cyber incidents between 2019 and 2021 (two ransomware) — an Aug 2020 attack encrypted and exfiltrated files, and a Mar 2021 breach hit ~5.9 million people across Carnival Cruise Line, Holland America Line, Princess Cruises and its medical operations. The NY DFS imposed a $5M penalty (missing multi-factor authentication among the violations), plus a separate $1.25M settlement with 45 state attorneys general. Geopolitically, the distinctive feature is high risk to human life: a large passenger ship in contested waters can become a symbolic or humanitarian target, blurring safety and security.
Low Value, but Exposed Anyway
With low political target value in isolation, bulk and general cargo ships are still exposed along two paths: indiscriminate opportunistic infection (phishing, ransomware), and, when transiting contested waters, the innocent-bystander effect of GPS jamming and spoofing. In May 2025 the container ship MSC Antonia ran aground near Jeddah in the Red Sea due to GPS jamming — proof that the sea area, not the cargo, can determine the threat:
Axis 2 — Size & Automation Reshape the Attack Surface
If ship type sets why a vessel becomes a target, size and automation set how vulnerable it is — and how recoverable it is when something goes wrong.
Cloud monitoring, remote maintenance
Wider attack surface — CYTUR flags “smart ships” under fire
No security updates or segmentation
Low resilience once breached
The shadow fleet seen earlier (72% over 15 years old) is exactly the worst-case combination of “ageing, low-automation” and “high-risk geopolitics.”
| Standard | Scope & Key Requirement |
|---|---|
| UR E26 | The ship as a whole — integrating OT/IT, with network segmentation separating OT from IT and crew internet. |
| UR E27 | Individual Computer-Based Systems (CBS) — authentication, access control, encryption, audit logging, security-update capability. |
Overlaying It All Through Geopolitics
Lay the two axes over geopolitics, and a map of “which ship becomes a target, and why” emerges.
10,000+ vessels hit by GNSS interference in Q2 2025 alone — an 8× jump over the prior quarter (GPSPATRON).
During the June 2025 “12-day war,” 900+ ships were jammed in the Strait of Hormuz — ~970/day mid-June (Windward).
Implications — Differentiate by Type and Route
Allocating the same cyber defence equally to every ship is inefficient. A limited budget should track the real target value created by ship type, size and route.
☑ Container / port-linked — TOS & logistics-IT backup/recovery, segment isolation, port-interoperability risk
☑ LNG / energy — OT/ICS security, boundary defence with onshore terminals, state-level scenarios
☑ Cruise / passenger — PII & payment protection, passenger-network isolation, safety+security response
“Maritime cybersecurity” is not a singular problem. It is a plurality of threat landscapes drawn by ship type, size and route.
And the force reshaping that terrain most powerfully is geopolitics. Defence begins with knowing exactly where your own ship stands on that map.
Sources
This article is analysis based on public statistics, reporting and classification-society material; it is not a legal determination about any specific operator or incident, nor investment advice. Figures may differ by each source's methodology.
Owner-side maritime cybersecurity advisor covering IACS UR E26/E27 compliance, zone and conduit design, and OT/IT security architecture for commercial vessels — working across LR, ClassNK, DNV, ABS, and BV newbuilding projects.
🌐 More Articles ↗⚓ Join the ShipPaulJobs Community
Join →
Comments
Post a Comment