[Spotlight Post] Not Every Ship Is the Same Target: Cyber Risk by Type and Size

💡 Maritime Cyber Threat Landscape Geopolitical Risk By Ship Type

Not Every Ship Is the Same Target: Cyber Risk by Type and Size

Tankers, container ships, LNG carriers and cruise ships face different threats — and vessel size and automation reshape the attack surface. A read through the lens of geopolitics.

Julius
Julius
Maritime Technical Consultant · Shipboard Cybersecurity & Compliance
- LinkedIn : linkedin.com/in/abysstoinfinity

“Maritime cybersecurity” is often treated as one homogeneous problem — as if every ship were exposed to the same threat in the same way. But a 70,000-tonne bulk carrier, a 170,000-cubic-metre LNG carrier, a cruise ship with thousands aboard, and an ageing tanker moving sanctioned cargo are, from a cyber standpoint, completely different vessels. This article reads that difference along two axes — ship type and size & automation — through a single lens: geopolitics.

Shadow Fleet & AIS Spoofing Container/Port Network Effect LNG & Energy Security Cruise: People & Data GPS Jamming by Sea Area IACS UR E26/E27

The scale of a cyber threat is not set by vulnerability alone. Roughly, it is set by vulnerability × target value. No matter how many holes a system has, without a reason to strike it is not a target; conversely, even a hardened system will draw a state-level actor if the target matters enough. Geopolitics is precisely the force that redefines that “target value.”

In fact, maritime cyber incidents in 2025 rose an estimated 103% year over year (CYTUR 2026 white paper; reported by Industrial Cyber and SAFETY4SEA), and much of that increase came not from ordinary crime but from events entangled with conflict, sanctions and energy security. One caveat before the numbers: maritime cyber incidents are structurally under-reported, so every figure here reflects a different compiler and baseline — read them as direction, not precision.

The same tanker earns a different threat rating depending on what it carries, for whom, and through which waters.

Axis 1 — The Threat Landscape by Ship Type

Tanker

The Front Line of Sanctions

“Both the actor behind the deception, and the target of it.”

Crude and product tankers are today the ship type where geopolitical cyber risk is most concentrated, because the cargo itself is the object of sanctions. The so-called “shadow fleet” carrying sanctions-evading volumes for Russia, Iran and Venezuela uses AIS spoofing as a routine tool. Per CSIS (“Ghost Busters”), Russia's shadow fleet alone moves ~3.7 million barrels a day — about 65% of Russia's seaborne crude — generating an estimated $87–100 billion a year. Tellingly, ~72% of that fleet is over 15 years old and ~60% carries no insurance: the exact point where the “ageing, low-automation vessel” problem collides with geopolitics.

Ship as actor: at least 14 US-sanctioned tankers (Dec 2025) faked port calls at Khor al Zubair, Iraq, via sophisticated AIS manipulation (Lloyd's List Intelligence); AIS signal gaps more than doubled in 2025 (Follow the Money).
Ship as target: hacktivist group Lab Dookhtegan disabled VSAT on 116 Iranian state-carrier ships (Mar 2025) and 64 more (Aug 2025) — the latter a supply-chain attack on provider Fanava's infrastructure, hitting dozens of vessels at once (Cydome, Industrial Cyber).
LNG / Energy

Where Energy Security Meets Physical Impact

“Geopolitical weight and destructive potential, in one hull.”

An LNG carrier's OT network uses equipment similar to an onshore regasification terminal, so it is exposed alongside those terminals to threats aimed at Industrial Control Systems (ICS). Classification society DNV has given LNG-carrier cybersecurity special attention, and the US Idaho National Laboratory (INL) analysed the LNG value chain (FSRUs, carriers, terminals) as a single attack surface. The existence of ICS/SCADA-targeting malware — INCONTROLLER (a.k.a. PIPEDREAM) — gave the concern substance, though it was disclosed as a toolset, not a confirmed attack on any specific LNG carrier. As Europe's substitute for Russian gas, LNG is a pivotal energy-map variable — and its transport chain a latent target for state-level sabotage.

Container

The Target Is the Network, Not the Ship

“One ship's cyber risk, measured as a network effect.”

A single container ship's political meaning is thin; its target value lies in the logistics network and port systems it plugs into. When ransomware encrypts Terminal Operating Systems (TOS), cargo handling stops and the jam spreads into a global bottleneck. The emblem is Maersk's 2017 NotPetya infection — a $200–300M hit (Maersk Q2 2017 disclosure) across Maersk Line and APM Terminals.

One risk model estimates that cyber-driven delays at just a few Tier 1 ports could remove 10–15% of global container-handling capacity — a shock comparable to the Suez Canal blockage (cited by CSIS; single-model basis).
Cruise / Passenger

From “Cargo” to “People & Data”

“A floating hotel and data centre — where safety meets security.”

Here the centre of target value shifts to thousands of passengers and their personal and payment data; the motive is mostly financial. Carnival Corporation suffered four cyber incidents between 2019 and 2021 (two ransomware) — an Aug 2020 attack encrypted and exfiltrated files, and a Mar 2021 breach hit ~5.9 million people across Carnival Cruise Line, Holland America Line, Princess Cruises and its medical operations. The NY DFS imposed a $5M penalty (missing multi-factor authentication among the violations), plus a separate $1.25M settlement with 45 state attorneys general. Geopolitically, the distinctive feature is high risk to human life: a large passenger ship in contested waters can become a symbolic or humanitarian target, blurring safety and security.

Bulk / General Cargo

Low Value, but Exposed Anyway

With low political target value in isolation, bulk and general cargo ships are still exposed along two paths: indiscriminate opportunistic infection (phishing, ransomware), and, when transiting contested waters, the innocent-bystander effect of GPS jamming and spoofing. In May 2025 the container ship MSC Antonia ran aground near Jeddah in the Red Sea due to GPS jamming — proof that the sea area, not the cargo, can determine the threat:

Transit contested waters GPS jamming / spoofing False position Grounding

Axis 2 — Size & Automation Reshape the Attack Surface

If ship type sets why a vessel becomes a target, size and automation set how vulnerable it is — and how recoverable it is when something goes wrong.

Big / Smart / Newbuild
Connected OT, ICS, satcom
Cloud monitoring, remote maintenance
Wider attack surface — CYTUR flags “smart ships” under fire
Old / Low-Automation
Narrow connected surface — harder to breach remotely
No security updates or segmentation
Low resilience once breached

The shadow fleet seen earlier (72% over 15 years old) is exactly the worst-case combination of “ageing, low-automation” and “high-risk geopolitics.”

Regulation, too, targets newbuilds first. IACS UR E26 and E27 are mandatory for vessels contracted for construction on or after 1 July 2024.
Standard Scope & Key Requirement
UR E26 The ship as a whole — integrating OT/IT, with network segmentation separating OT from IT and crew internet.
UR E27 Individual Computer-Based Systems (CBS) — authentication, access control, encryption, audit logging, security-update capability.

Overlaying It All Through Geopolitics

Lay the two axes over geopolitics, and a map of “which ship becomes a target, and why” emerges.

Sanctions evasion — Tankers / Shadow Fleet
Both the actor behind AIS manipulation and the target of state-level and hacktivist attacks. The most politically charged type.
Energy security — LNG / Energy Carriers
A latent target for supply-chain sabotage, with physical destructive potential layered on top.
Strategic logistics — Container / Ports
The target value is economic shock through network paralysis.
Life & symbolism — Cruise / Passenger
Financial data motive plus humanitarian risk in contested waters.
Sea-area exposure — All Ship Types
GPS jamming/spoofing imposes threat by “where you transit,” regardless of cargo.

10,000+ vessels hit by GNSS interference in Q2 2025 alone — an 8× jump over the prior quarter (GPSPATRON).

During the June 2025 “12-day war,” 900+ ships were jammed in the Strait of Hormuz — ~970/day mid-June (Windward).

Implications — Differentiate by Type and Route

Allocating the same cyber defence equally to every ship is inefficient. A limited budget should track the real target value created by ship type, size and route.

Tankers / sanctions-linked — AIS integrity, VSAT supply-chain security, provider-dependency review
Container / port-linked — TOS & logistics-IT backup/recovery, segment isolation, port-interoperability risk
LNG / energy — OT/ICS security, boundary defence with onshore terminals, state-level scenarios
Cruise / passenger — PII & payment protection, passenger-network isolation, safety+security response
All types — GNSS-disruption readiness in contested waters (inertial nav, multi-constellation, manual procedures) + baseline hygiene per IACS UR E26/E27.

“Maritime cybersecurity” is not a singular problem. It is a plurality of threat landscapes drawn by ship type, size and route.

And the force reshaping that terrain most powerfully is geopolitics. Defence begins with knowing exactly where your own ship stands on that map.

Sources

·CSIS (“Ghost Busters”) — shadow fleet 3.7M b/d · 65% · $87–100B; 72% over 15 yrs · 60% uninsured; Tier 1 ports 10–15% capacity-loss model
·Lloyd's List Intelligence — 14 sanctioned tankers faking Khor al Zubair calls (Dec 2025); Follow the Money — AIS gaps 2× in 2025
·Cydome / Industrial Cyber — Lab Dookhtegan 116 (Mar) · 64 (Aug, 39+25); Fanava supply-chain compromise
·DNV — LNG-carrier cybersecurity; INL — LNG value chain · INCONTROLLER (PIPEDREAM)
·NY DFS · Cybersecurity Dive · The Register — Carnival 2019–2021, 4 incidents · 5.9M people · $5M penalty; CNBC — Maersk NotPetya $200–300M (2017)
·GPSPATRON — Q2 2025 GNSS 10,000+ · 8×; CNBC · Windward — Hormuz 900+ · ~970/day
·IACS UR E26/E27 (Speedcast · Pen Test Partners · DNV) — mandatory for newbuilds contracted on/after 1 Jul 2024

This article is analysis based on public statistics, reporting and classification-society material; it is not a legal determination about any specific operator or incident, nor investment advice. Figures may differ by each source's methodology.

#MaritimeCybersecurity #ShadowFleet #GPSjamming #OTsecurity #LNG #IACS #GeopoliticalRisk
Julius
Julius
Maritime Technical Consultant · Shipboard Cybersecurity & Compliance

Owner-side maritime cybersecurity advisor covering IACS UR E26/E27 compliance, zone and conduit design, and OT/IT security architecture for commercial vessels — working across LR, ClassNK, DNV, ABS, and BV newbuilding projects.

🌐 More Articles ↗

⚓ Join the ShipPaulJobs Community

Join →
Share

Comments